Hackers Find A New Hiding Place for Rootkits

Dennis Faas's picture

Security researchers have reportedly developed a new type of malicious rootkit software capable of hiding itself in an obscure part of a computer's microprocessor, hidden from current antivirus products.

Dubbed a System Management Mode (SMM) rootkit, the software runs in a protected part of a computer's memory that can be locked and rendered invisible to the operating system, but it can give attackers details of what's happening in a computer's memory.

The SMM rootkit, built by Shawn Embleton and Sherri Sparks, operators of security company Clear Hat Consulting, comes with keylogging and communications software, and could be used to steal sensitive information from a victim's computer. It will be demonstrated for the first time at the Black Hat Security conference in Las Vegas this August.

Sparks notes that rootkits are going more and more toward hardware, and the deeper into the system you go, the more power you have because it's harder to detect. Sparks wrote another rootkit three years ago called Shadow Walker.

Rootkits garnered a lot of attention in late 2005 when Sony BMG Music used rootkit techniques -- resulting in the recall of millions of CDs amid the ensuing scandal -- to hide its copy protection software.

The SMM rootkit uses a feature that dates back to Intel's 386 processors where it was added as a way to help hardware vendors fix bugs in their products using software. The technology is also used to help manage a computer's power management, such as taking it into sleep mode.

Not being a part of the operating system makes the SMM rootkit stealthy and harder to detect. It also means that hackers have to write the driver code expressly for the system they are attacking. Detection techniques will be discussed during the Black Hat conference in August.

Visit Bill's Links and More for more great tips, just like this one!

Rate this article: 
No votes yet