Security researchers have created a new rootkit program that is capable of hiding itself inside a computer’s microprocessor, an area of a system that is said to be “unreachable” by antivirus programs.
Researchers Shawn Embleton and Sherri Sparks of Clear Hat Consulting, a security company in Florida, called it a System Management Mode (SMM) rootkit. It may just bring stealth technology beyond the OS and into the physical structure of the computer, making it more impervious to detection than most rootkits already are — and more frightening if found in the hands of the bad guys.
The SMM rootkit can be seen as an offshoot of Joanna Rutkowska’s Blue Pill, a nifty rootkit that Rutkowska first introduced on her blog back in June 2006.
Like the SMM rootkit, the Blue Pill does not depend on the system’s OS. Sparks said in an interview with PC World that “rootkits are going more and more toward the hardware. The deeper into the system you go, the more power you have and the harder it is to detect you.”
Unlike the Blue Pill, which uses the latest virtualization technology, the SMM rootkit relies on an old feature: one that lets hardware vendors fix discovered bugs using software alone, and which is said to be found in Intel’s 386 processors. Because of this, experts speculate that the SMM rootkit could be even harder to detect than the Blue Pill. Its biggest downside, as of this writing, is that attackers must write a complex driver to get the rootkit to work at all.
Sparks and Embleton will be presenting A New Breed of Rootkit: The System Management Mode (SMM) Rootkit at the Black Hat conference this August in Las Vegas.
And we did blog about hackable microprocessors in this entry.