Black Hat 2008: NIC Based Rootkit

While Black Hat and Defcon have both concluded, we’re going to post a few more talks that we think deserve attention. [Sherri Sparks] and [Shawn Embleton] from Clear Hat presented Deeper Door, exploiting the NIC chipset. Windows machines use NDIS, the Network Driver Interface Specification, to communicate between the OS and the actual NIC. NDIS is an API that lets programmers talk to network hardware in a general fashion. Most firewalls and intrusion detection systems monitor packets at the NDIS level. The team took a novel approach to bypassing machine security by hooking directly to the network card, below the NDIS level.

The team targeted the Intel 8255x chipset because of its open documentation and availability of compatible cards like the Intel PRO/100B. They found that sending data was very easy: Write a UDP packet to a specific memory address, check to make sure the card is idle, and then tell it to send. The receive side was slightly more difficult, because you have to intercept all inbound traffic and filter out the replies you want from the legitimate packets. Even though they were writing low level chipset specific code, they said it was much easier to implement than writing an NDIS driver. While a certainly a clever way to implement a covert channel, it will only bypass an IDS or firewall on the same host and not one on the network.

[photo: Big Fat Rat]

11 thoughts on “Black Hat 2008: NIC Based Rootkit

  1. This is not a hack. It’s just direct hardware access. You’re simply skirting the system. I’d also consider this obvious.

    Tapping an Ethernet cable and injecting/sniffing data in transit, is also not hacking, its just like anything else.

  2. I just find it amusing that they said it was easier to code directly for the hardware than to use the API Microsoft probably spent hundreds of thousands of dollars to develop.

  3. “Not a hack”?

    This is one of the most important parts once your are post-root (meaning you have root by physical access or SSH etc.) Having a rootkit on a machine is insurance that you will not get noticed. It doesn’t matter how you get one on.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.