A scenario:
To capture passwords in the real world, this scenario would likely require in-memory kernel modifications in addition to hardware specifics. If only the network card were modified, passwords and/or password hashes might be sniffed. This type of rootkit is there for the long term; if the IT staff were to install a newer version of Windows, or even a service pack, the rootkit should keep working. However, if any sort of kernel-level modifications were made in addition to the firmware modifications, an OS or service-pack installation could break everything. Using the BIOS and direct firmware modification is risky business and is very specific to the target platform. However, the flip side is that with careful planning, such a rootkit would be very difficult to detect. Modifications to the firmware in a "smart" Ethernet card are a very advanced concept, requiring very detailed information about the card. This kind of information might be obtained via reverse engineering, documentation, or insider information. Such modifications don't necessarily need to be made in place, at the user's work location. They can also be made on intercepted computer shipments.

Dealing with a system at such a low level might seem unnecessary. In many cases, this is true. When dealing with a personal computer, you will have access to a lot of software that is already on board and running. Much of this software can itself deal with low-level hardware, so you don't have to. It makes sense to use what is already there. But not all computers are "personal computers" as we know them, abounding with numerous software programs. Many computers are tiny embedded systems that perform small and specific tasks. These systems are everywhere around us and, for the most part, we don't notice them. An embedded system might consist of only a few microchips and a control program.

The machine might have a small micro-brain to take care of important elements such as stepper motors, voltage regulation, electric-motor speed, armature movements, little blinking lights, and interfaces to cabling, fiber optics, and mil-spec serial cables. It stands to reason that somewhere, someplace, there will be a software control program to drive this mousetrap. Typically, the software rests somewhere within a memory chip, and is used by a central processor. The key word is processor: if a device has a "little CPU" to keep it going at night, then we can run software on the device. Because it's controlled by software, a "little rootkit" can be placed on that device. And then, modifications can be made to the firmware to add rootkit functions.

In this chapter, we'll take a look at hardware manipulation; specifically, the instructions you need to read from and write to hardware. We'll also cover some of the factors you need to watch out for in order to remain undetected. If you need to access hardware in your rootkit, this chapter's for you.