Shostack + Friends Blog Archive


Microsoft and Rootkits

rootkit.jpgEarlier this week, there was a story “Microsoft Says Recovery from Malware Becoming Impossible.” I’m not sure why this is news:

Offensive rootkits, which are used hide malware programs and maintain an
undetectable presence on an infected machine, have become the weapon of
choice for virus and spyware writers and, because they often use kernel
hooks to avoid detection, Danseglio said IT administrators may never
know if all traces of a rootkit have been successfully removed.


What’s not in those stories, and I don’t understand why, is the research being done by John Heasman on “Implementing and Detecting An ACPI BIOS Rootkit.” John presented the work at Blackhat Federal in January:

As rootkit detection tools become more sophisticated, the rootkit writer must strive to leave less of a footprint and inhabit areas that detection tools do not currently interrogate. One such area, the BIOS, has many associated difficulties in development and deployment but offers numerous benefits over ‘traditional’ rootkits—namely it leaves no trace on disk and can survive reinstallations in order to infect new operating systems.

One comment on "Microsoft and Rootkits"

  • Chris Walsh says:

    How about attacking via the processor microcode update “feature”? I don’t know enough about the arrchitectural details to comment on this, but in principle it would seem feasible.

Comments are closed.