
Better hacking through science: new and better ways to hide your rootkit

By William Jackson, GCN Staff

In the cat-and-mouse game of computer security, rootkits are a powerful way to hide malicious code on a compromised computer where it is difficult to detect and remove.

As detection tools become more sophisticated, one researcher thinks that the BIOS may be the new frontier for rootkits.

“There are no tools now to audit your BIOS for a rootkit,” said John Heasman, principal security consultant for NGS Software Ltd. of the U.K. Speaking at the Black Hat Federal Briefings in Arlington, Va., Heasman described a proof-of-concept technique for placing a rootkit so low in the system, in the motherboard firmware itself, that it would survive reboots, reinstallation of the operating system and even replacement of the hard drive.

“This is very much a work in process,” Heasman said. He has spent only a few weeks so far developing techniques and uses for the new threat, and he is not aware of examples of such a tool in the wild. But there is no reason it could not be done with a little effort, he said.

First, some definitions. A rootkit is code surreptitiously installed and running on a computer that typically burrows deep enough into the operating system kernel that it is not easily detected; it is used to hide the presence and activity of an intruder's other malicious code. The BIOS (Basic Input-Output System) is code stored in flash memory on the motherboard that runs when the computer is powered on: it initializes the chip set and memory, runs the power-on self-test, loads the option ROMs of expansion cards and then hands control to the boot loader. It is the first code that runs, before any operating system or other software is loaded.

Rootkits gained national attention when it was revealed recently that Sony Corp. was using one on some of its music CDs to hide digital rights management software on customers’ computers. Malware authors soon took advantage of it: the Sony rootkit hid from the operating system any file whose name began with the prefix $sys$, so other malicious code could borrow that cloaking simply by adopting the same prefix.

As rootkits become more widely used, tools are being developed to detect and remove them. So far these tools have focused on the operating system but have ignored the BIOS. And for good reason, said Heasman: Putting a rootkit there would be difficult, requiring the hacker to burn new code into the BIOS on the computer motherboard. The code would have to be tailored to the specific chip set, not just to a more generic operating system. And because BIOS functionality is limited, using it to exploit a computer is difficult.
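Since the article notes there is no tool to audit the BIOS, the check a practitioner can do today is the one below: dump the flash chip to a file (with an external programmer or a utility such as flashrom, both outside this script), keep a trusted baseline dump of the same board taken before deployment, and compare the two. This is an added example written for this page, not Heasman's proof of concept or NGS Software code. It assumes the two dumps are the same size, uses a 4 KiB block size to localise changes, and scans for legacy expansion-ROM headers (0x55 0xAA, length in 512-byte units, bytes summing to zero mod 256) so that an injected or tampered module stands out. The sample images are constructed, not real firmware.

```python
"""Audit a dumped BIOS image against a known-good baseline (added example)."""
from __future__ import annotations

import hashlib
import sys
from dataclasses import dataclass

BLOCK = 4096  # assumed flash erase-block size, used only to localise changes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def changed_blocks(baseline: bytes, current: bytes, block: int = BLOCK) -> list[int]:
    """Offsets of every block-sized region that differs between the two dumps."""
    if len(baseline) != len(current):
        raise ValueError(f"image sizes differ: {len(baseline)} vs {len(current)}")
    return [off for off in range(0, len(baseline), block)
            if baseline[off:off + block] != current[off:off + block]]


@dataclass
class OptionRom:
    offset: int
    size: int
    checksum_ok: bool


def find_option_roms(image: bytes) -> list[OptionRom]:
    """Find legacy expansion-ROM headers at 512-byte boundaries.

    Header layout: 0x55, 0xAA, size in 512-byte units; all bytes of the ROM
    must sum to 0 mod 256. An unexpected ROM, or one whose checksum fails,
    deserves a closer look.
    """
    roms = []
    for off in range(0, len(image) - 3, 512):
        if image[off] == 0x55 and image[off + 1] == 0xAA:
            size = image[off + 2] * 512
            if size == 0 or off + size > len(image):
                continue
            body = image[off:off + size]
            roms.append(OptionRom(off, size, sum(body) % 256 == 0))
    return roms


def audit(baseline: bytes, current: bytes) -> dict:
    """Whole-image hash comparison plus per-block and option-ROM findings."""
    return {
        "hash_baseline": sha256_hex(baseline),
        "hash_current": sha256_hex(current),
        "hash_match": sha256_hex(baseline) == sha256_hex(current),
        "changed_blocks": changed_blocks(baseline, current),
        "option_roms": find_option_roms(current),
    }


# --- constructed sample data (not real firmware) ---------------------------

def build_rom(size_blocks: int, corrupt: bool = False) -> bytes:
    """Build a minimal option ROM; the last byte fixes up the checksum."""
    rom = bytearray(size_blocks * 512)
    rom[0], rom[1], rom[2] = 0x55, 0xAA, size_blocks
    rom[-1] = (-sum(rom[:-1])) % 256
    if corrupt:
        rom[3] ^= 0x01  # break the checksum, as a tampered module would
    return bytes(rom)


def constructed_images() -> tuple[bytes, bytes]:
    """A 64 KiB baseline with one clean ROM, and a 'current' dump with a
    patched byte in BIOS code and an injected module with a bad checksum."""
    base = bytearray(b"\xff" * 0x10000)
    base[0x8000:0x8200] = build_rom(1)
    cur = bytearray(base)
    cur[0xC000] ^= 0x01
    cur[0xE000:0xE200] = build_rom(1, corrupt=True)
    return bytes(base), bytes(cur)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: audit_bios.py baseline.bin current.bin
        base, cur = open(sys.argv[1], "rb").read(), open(sys.argv[2], "rb").read()
    else:
        base, cur = constructed_images()
    report = audit(base, cur)
    print("hash match:", report["hash_match"])
    for off in report["changed_blocks"]:
        print(f"changed block at 0x{off:06X}")
    for rom in report["option_roms"]:
        print(f"option ROM at 0x{rom.offset:06X}, {rom.size} bytes, "
              f"checksum {'ok' if rom.checksum_ok else 'BAD'}")
```

The hash tells you only that something changed; the block list tells you where, and the option-ROM scan flags the commonest place a hand-crafted module would be dropped in a legacy image. Note that the baseline must come from an out-of-band read of the chip, since a rootkit that lives in the BIOS could lie to any in-band dump taken from the running operating system.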
