Placing a backdoor rootkit on a network card? Oh yes!
November 23, 2010
A security researcher has demonstrated how relatively easy it is to place a backdoor rootkit on a network interface card (NIC). Because the card has direct access to host memory, such a rootkit can reach the operating system of the machine it is installed in, and from there the rest of the network, without leaving any trace on the host's disk.
Guillaume Delugre, a reverse engineer at French security firm Sogeti, developed proof-of-concept code after studying the firmware of Broadcom NetXtreme PCI Ethernet cards.
He used publicly available documentation and open source tools to build a firmware debugger. He also reverse-engineered the format of the EEPROM in which the firmware is stored, as well as the device's bootstrap process. Firmware implants are not a new idea, but this is the first time the approach has been worked through methodically and demonstrated end to end on a commodity NIC.
Using what he learned, Delugre then wrote custom firmware and flashed it onto the device, so that his proof-of-concept code ran on the CPU of the network card itself rather than on a computer attached to the network.
The technique opens up the possibility of planting a stealthy rootkit that lives within the network card, an approach that gives potential miscreants several advantages over conventional backdoors.
Chief among them: the rootkit leaves no trace on the operating system, because it resides in the card's own firmware rather than anywhere the host's tools normally look.
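Since the implant lives in the card's EEPROM rather than on the host, the practical check is to treat the NIC's firmware image as something to baseline and compare, like any other trusted binary. The script below is an added example, not code from the article or from Delugre's research. It assumes a Linux host with ethtool, whose "-e DEV raw on" option reads the card's EEPROM/NVRAM as raw bytes and whose "-i DEV" reports driver and firmware version strings; the baseline directory and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example: baseline-and-compare check for NIC firmware images.
# Assumes Linux + ethtool; "ethtool -e DEV raw on" dumps the EEPROM/NVRAM
# where the card's firmware is stored. BASELINE_DIR is an assumption.

BASELINE_DIR="${BASELINE_DIR:-/var/lib/nic-fw-baseline}"

# SHA-256 of an image file, as a hex string.
fw_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Dump the EEPROM of interface $1 into file $2 (requires root).
fw_dump() {
    ethtool -e "$1" raw on > "$2"
}

# Record the current image of interface $1 as the trusted baseline.
# Run this once, on a host you trust, before the card is exposed.
fw_baseline() {
    mkdir -p "$BASELINE_DIR"
    fw_dump "$1" "$BASELINE_DIR/$1.bin"
    ethtool -i "$1" > "$BASELINE_DIR/$1.info"
    fw_hash "$BASELINE_DIR/$1.bin" > "$BASELINE_DIR/$1.sha256"
}

# Compare image file $2 of interface $1 against the stored baseline hash.
# Exit status: 0 = match, 1 = image differs, 2 = no baseline recorded.
fw_compare_file() {
    base="$BASELINE_DIR/$1.sha256"
    [ -f "$base" ] || return 2
    [ "$(fw_hash "$2")" = "$(cat "$base")" ]
}

# Dump the live EEPROM of interface $1 and compare it to the baseline.
fw_check() {
    tmp=$(mktemp)
    fw_dump "$1" "$tmp"
    fw_compare_file "$1" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage:
#   fw_baseline eth0                         # once, on a trusted host
#   fw_check eth0 || echo "eth0 firmware image changed since baseline"
```

One caveat worth stating plainly: the dump is served through the card itself, so a sufficiently capable implant could in principle hand back a clean-looking image. Treat a matching hash as necessary rather than sufficient, record the baseline before the card is exposed, and where it matters compare against an image read from the EEPROM by other means.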
"The NIC natively needs to perform DMA (direct memory access), so that network frames can be exchanged between the driver and the device," Delugre said.
"From a firmware point of view, everything is operated using special dedicated device registers, some of them being non-documented. An attacker would then be able to communicate remotely with the rootkit in the network interface card and then get access to the underlying operating system thanks to the DMA."
Delugre presented his research at the hack.lu conference in October. A write-up of the work, along with his slides and a demo, is available upon request.
Source: Sogeti Internet Security SA.