
Placing a backdoor rootkit on a network card? Oh yes!


November 23, 2010

Security researchers have demonstrated how relatively easy it is to place a backdoor rootkit on a network interface card (NIC). Under certain circumstances the rootkit can then be reached over the network and used to compromise the host the card sits in, and from there the rest of the network.

Guillaume Delugre, a reverse engineer at the French security firm Sogeti, developed proof-of-concept code after studying the firmware of Broadcom NetExtreme PCI Ethernet cards.

He used publicly available documentation and open-source tools to build a firmware debugger, and reverse-engineered both the format of the EEPROM in which the firmware is stored and the device's bootstrap process. The idea of hiding code in a peripheral isn't new, but this is the first time it has been worked through and tested methodically.

With that knowledge, Delugre wrote custom firmware and flashed it onto the device, so that his proof-of-concept code ran on the network card's own CPU rather than on the host computer.

The technique opens up the possibility of planting a stealthy rootkit that lives within the network card, an approach that gives potential miscreants several advantages over conventional backdoors.

Chief among these is that the rootkit leaves no trace on the operating system: its code lives in the card's firmware rather than on disk or in host memory, so host-based scanners will not see it. What the host can still do is read the card's EEPROM back and compare it with a known-good image, and keep the card behind an IOMMU so that its DMA cannot reach arbitrary memory.
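As an added example (not from the article and not part of Delugre's tooling): a small host-side script that baselines a card's EEPROM and later compares a fresh dump against it, so a reflashed image shows up as a byte-level difference. It assumes Linux with ethtool; the interface name eth0 and the baseline path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the article or of Delugre's tooling: a host-side
# check that a NIC's EEPROM still matches a known-good image. Assumes Linux
# with ethtool; the interface name and baseline path below are assumptions.

# dump_eeprom IFACE OUTFILE
# Reads the card's EEPROM through the driver (needs root). ethtool's "raw on"
# writes the bytes unformatted so the file can be compared byte for byte.
dump_eeprom() {
    ethtool -e "$1" raw on > "$2"
}

# diff_count DUMP BASELINE
# Prints the number of bytes that differ between the two images.
# cmp -l prints one line per differing byte: offset, old value, new value (octal).
diff_count() {
    cmp -l "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# first_diff_offset DUMP BASELINE
# Prints the 1-based offset of the first differing byte, or nothing if equal.
first_diff_offset() {
    cmp -l "$1" "$2" 2>/dev/null | head -n 1 | awk '{print $1}'
}

# check_eeprom DUMP BASELINE
# Returns 0 when the images are identical, 1 otherwise (with a short report).
# A size mismatch is reported separately, since cmp -l only walks the shorter file.
check_eeprom() {
    dump="$1"; baseline="$2"
    if cmp -s "$dump" "$baseline"; then
        echo "OK: $dump matches $baseline"
        return 0
    fi
    size_dump=$(wc -c < "$dump" | tr -d ' ')
    size_base=$(wc -c < "$baseline" | tr -d ' ')
    if [ "$size_dump" -ne "$size_base" ]; then
        echo "ALERT: $dump is $size_dump bytes, baseline is $size_base bytes" >&2
        return 1
    fi
    n=$(diff_count "$dump" "$baseline")
    off=$(first_diff_offset "$dump" "$baseline")
    echo "ALERT: $dump differs from $baseline in $n byte(s), first at offset $off" >&2
    return 1
}

# Typical use (commented out because it needs root and a real card):
#   dump_eeprom eth0 /var/lib/nic-baseline/eth0.bin    # once, on a trusted host
#   dump_eeprom eth0 /tmp/eth0.bin && check_eeprom /tmp/eth0.bin /var/lib/nic-baseline/eth0.bin
```

The dump is read back through the card's own driver and registers, so treat a clean comparison as necessary rather than sufficient, and take the baseline on a trusted host before the card is deployed.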

"The NIC natively needs to perform DMA (direct memory access), so that network frames can be exchanged between the driver and the device," Delugre said.

"From a firmware point of view, everything is operated using special dedicated device registers, some of them being non-documented. An attacker would then be able to communicate remotely with the rootkit in the network interface card and then get access to the underlying operating system thanks to the DMA."

Delugre presented his research at a conference in October. A write-up, along with the slides and a demo, is available upon request.


Source: Sogeti Internet Security SA.


Copyright © Internet
