Chapter 8. Hardware Manipulation


Throughout your life, advance daily, becoming more skillful than yesterday, more skillful than today. This is never-ending.

HAGAKURE

A scenario:

The intruder slips along the wall toward a janitor cart resting at the end of the hall. His eyes are on a set of keys. A quick look around the corner; good, the janitor is down the hall cleaning a doctor's office. The intruder gently lifts the key chain and dashes back into the dark hallway. Around a corner, stopping at a door, he tries the lock. This doesn't take long. Once the door is open, he sneaks back to the cart and replaces the keys.

The office is dark except for a computer terminal in the back. After moving the monitor and keyboard to the floor, he sits in the crook of the desk. This is a good spot; his actions are not visible to anyone in the hall.

The login screen is locked, but it doesn't matter. The intruder removes a CD-ROM from his jacket, inserts it into the machine, and hard-reboots the workstation. The machine promptly reboots and displays: "Press any key to boot from CD...." The intruder taps the spacebar. The rootkit that's on the CD infects the BIOS of this workstation, and also modifies the Ethernet card. It's nothing fancy this time, just a password sniffer. But it will stay here for a long time, even if the "oh-so-intelligent" IT staff re-installs Windows. The intruder smiles: This workstation is "owned."

About 30 minutes later, everything is back where it was and the computer is freshly rebooted into Windows. The victim will not notice that the machine has been rebooted. This workstation is a plain-vanilla "Wintel" box, like millions of others in the world. The motherboard is a standard Intel motherboard and the Ethernet card is a 3Com card with an on-board processor. What makes this workstation important is that it sits on the same switched network as a pair of Sun E10K servers down the hall, servers that manage hundreds of gigabytes of protein research. The data is worth millions of dollars.

To capture passwords in the real world, this scenario would likely require in-memory kernel modifications in addition to hardware specifics. If only the network card were modified, passwords and/or password hashes might be sniffed. This type of rootkit is there for the long term; if the IT staff were to install a newer version of Windows, or even a service pack, the rootkit should keep working. However, if any sort of kernel-level modifications were made in addition to the firmware modifications, an OS or service-pack installation could break everything.

Using the BIOS and direct firmware modification is risky business and is very specific to the target platform. However, the flip side is that with careful planning, such a rootkit would be very difficult to detect. Modifications to the firmware in a "smart" Ethernet card are a very advanced concept, requiring very detailed information about the card. This kind of information might be obtained via reverse engineering, documentation, or insider information. Such modifications don't necessarily need to be made in place, at the user's work location. They can also be made on intercepted computer shipments.

Dealing with a system at such a low level might seem unnecessary. In many cases, this is true. When dealing with a personal computer, you will have access to a lot of software: software that is already on board and running. Much of this software can itself deal with low-level hardware, so you don't have to. It makes sense to use what is already there.

But not all computers are "personal computers" as we know them, abounding with numerous software programs. Many computers are tiny embedded systems that perform small and specific tasks. These systems are everywhere around us and for the most part, we don't notice them.

An embedded system might consist of only a few microchips and a control program. The machine might have a small micro-brain to take care of important elements such as stepper motors, voltage regulation, electric-motor speed, armature movements, little blinking lights, and interfaces to cabling, fiber optics, and mil-spec serial cables. It stands to reason that somewhere, someplace, there will be a software control program to drive this mousetrap. Typically, the software rests somewhere within a memory chip, and is used by a central processor. The key word is processor: If a device has a "little CPU" to keep it going at night, then we can run software on the device. Because it's controlled by software, a "little rootkit" can be placed on that device. And then, modifications can be made to the firmware to add rootkit functions.

In this chapter, we'll take a look at hardware manipulation, specifically the instructions you need to read from and write to hardware. We'll also cover some of the factors you need to watch out for in order to remain undetected. If you need to access hardware in your rootkit, this chapter's for you.

Rootkits: Subverting the Windows Kernel
ISBN: 0321294319
Year: 2006