Next Generation Malware Attacks PCs Via Firmware in Hardware Devices

At the recent CanSecWest international security conference in Vancouver, French researchers compromised a Linux PC by exploiting a feature in the machine’s network card. The same technique could be used to take control of any PC, including Windows PCs, that uses Broadcom NetXtreme cards with the remote factory diagnostic mechanism enabled. These cards are in widespread circulation and have been used in a number of Hewlett Packard PCs. Thankfully, the remote factory diagnostic mechanism (ASF, or Alert Standard Format 2.0) is turned off by default.

Exact details of the attack were not revealed at the conference but in another presentation security researcher Arrigo Triulzi demonstrated a similar attack on Broadcom cards.  He used the remote factory diagnostic mechanism to install custom firmware on the network card. This firmware was used in conjunction with other hardware to create a tunnel into the PC in such a manner that packets sent via the tunnel were not visible to the system firewall. Using the network card’s access to memory the attacker could then run whatever code he wanted.

A patch for certain Broadcom network cards has been issued by HP:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c...

This new attack technique is particularly scary as it takes place at a very low level and is not visible to security software running on the PC. The user would thus be totally unaware the machine was compromised.  Also alarming is the possibility we may see a wave of new malware attacks that exploit flaws in firmware installed in hardware rather than software.

This new exploit is yet further proof that no PC can ever be considered 100% secure. That may sound frightening but it’s the harsh truth. It’s also true of almost all security situations, not just computer security. For example, you can never provide 100% security against your house being robbed.

This harsh fact should not deter you from using a computer nor attempting to defend it as best you can.  It is however a wake up call to those who have a blind belief in the complete effectiveness of their security software.

It's also a wake up call to be mindful about your computer practices. You wouldn’t ever leave valuable jewellery on your kitchen table just because you have a burglar alarm – you’d put it in a safe or store it at a bank.  In the same way make sure you encrypt highly valuable information on your PC or store it offline.  It’s not perfect but it’s a lot better than leaving your valuable information hanging around.

For further details on this new exploit see here:

http://www.arnnet.com.au/article/341190/jedi_packet_trick_punches_holes_...

Thanks to regular contributor Lex Davidson for alerting me to this.

Gizmo


Comments

by Anonymous on 11. April 2010 - 18:26  (47442)

-bad code built in PDF "clean" files.
-now this.... rootkit & firmware attacks...
-Mobile phone unauthorized surveillance.
-what is next?? it seems like the former Soviet Union (no offense)

I've got a friend who uses two PCs; one only for the Internet and matters related to the Internet; the other one has the Win2000 OS, and on that computer he works and has saved all his data. He's paranoid about being watched, so in the end he's right about it.

I think the matter is justice vs law, these are very different. There is no justice when big companies (like Sony) use this kind of software to get more money; the same happened when the Hollywood gang made all DVD manufacturers set playing restrictions according to the world region; and there is a high probability that powerful economic conglomerates use this sort of technique to get, spy on and manage their employees and customers.

When they do it, the law supports them, thanks to their lobby and political contributions, so they get away. And what about us??? A crime is a crime, and violation of privacy is a crime, it is the worst enemy of freedom and democracy which are the cornerstone of western society.

Therefore, do not let them watch you, manipulate you and drive you as if we were lambs; fight them! How? Don't buy their products/goods/services and campaign on your blog or wherever you want against them. We must make and set the law with our votes.

Remember: you, we, everyday people decide! never them.

Oops!!! I got a little bit passionate but it's the truth, guys, sorry.

by Anonymous on 6. April 2010 - 17:55  (47097)

Is there any way of scanning hardware for infection or stopping it from infecting the rest of the hardware/software? Is there any way of removing infections from the infected hardware? Is there any security software concerning this issue? Or at least a monitor or scanner that can alert users when a hardware component has been infected?

by Anonymous on 31. March 2010 - 23:26  (46637)

When I first read this article I thought - no big deal, the remote access feature will be turned off on almost all these cards.

Then I realized we are going to see a whole spate of new trojans whose sole job is to turn on the feature and so open a backdoor into the machine for subsequent attack.

Sheesh that is scary.

by Anonymous on 31. March 2010 - 22:53  (46633)

Lets just start using pen and paper again......

by Anonymous on 31. March 2010 - 14:13  (46590)

Does all of the content and warnings in this item apply also to Macs & the MacOS?

by Anonymous on 31. March 2010 - 1:30  (46552)

Have to agree with Gizmo here.
The "measured in weeks" comment is accurate for relatively minor flaws of a previously known type, not for something totally new like this. After the Sony criminals were kind enough to expose us all to the wonderful new world of rootkits, it was considerably longer than weeks before the first major malicious rootkits became common. And this is a bigger "new thing" than rootkits were.
Brigrove

by Anonymous on 30. March 2010 - 18:40  (46521)

We're also getting back to the ease of use/security trade off seen with using flash memory for system BIOS. To make it easy to update hardware BIOS (in flash memory on the motherboard) with Windoze up and running, no controls were added in the hardware (such as a physical switch) for the user to explicitly approve the update.

Thus malware can silently update firmware. Where the firmware actually resides (motherboard flash memory, network card flash memory, intelligent peripheral like a printer or USB drive) doesn't matter. To make life easy for the user to run the updates, everything was made to operate without user intervention.

(Don't get me started on why the generic black box User Account Control warnings are disabled or automatically approved by so many users...)

The only defense available for currently deployed hardware requires that the hardware support the Trusted Computing Platform (TCP) AND requires massive system software updates to use TCP as a "known good" starting point from which to verify _everything_ including installed firmware and the basic OS (kernel, etc.). TCP also has strong ties to Digital Rights Management (DRM) (causes a lot of consumer resentment) and increases hardware costs, so it is not installed (or disabled) on a lot of hardware.

So once again, it appears that security has lost the ease of use/secure system trade-off.
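
The "known good starting point from which to verify everything, including installed firmware" that the comment above describes is, in practice, a measured boot: each component (system BIOS, NIC option ROM, bootloader, kernel) is hashed before it runs and the hash is folded into a register that can only be extended, never rewritten, so the final value depends on every component and on their order. The example below is added here to show that chain in working code; it is not code from the page, from Gizmo, or from any TPM or vendor library, and the "firmware images" it hashes are constructed byte strings standing in for real ones. It compares the resulting measurement against a golden value recorded from a trusted build and reports which component changed, including a silent NIC firmware update of the kind the comment warns about.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for the components a measured boot would hash, in boot
# order. Real deployments hash the actual BIOS image, option ROMs and so on.
KNOWN_GOOD_COMPONENTS: List[Tuple[str, bytes]] = [
    ("bios",           b"system BIOS v1.02 (constructed sample)"),
    ("nic_option_rom", b"NetXtreme option ROM (constructed sample)"),
    ("bootloader",     b"bootloader (constructed sample)"),
    ("kernel",         b"kernel image (constructed sample)"),
]

PCR_SIZE = 32  # SHA-256 digest length; the register starts zeroed


def measure(image: bytes) -> bytes:
    """Hash one component image. This is the 'measurement' of that component."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || measurement). The register can only be
    folded forward, so no later code can rewind it to hide an earlier change."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(components: List[Tuple[str, bytes]]) -> Tuple[bytes, Dict[str, str]]:
    """Measure every component in order, returning the final register value and
    an event log (component name -> hex measurement) for later diagnosis."""
    pcr = b"\x00" * PCR_SIZE
    log: Dict[str, str] = {}
    for name, image in components:
        m = measure(image)
        log[name] = m.hex()
        pcr = extend(pcr, m)
    return pcr, log


# Golden values recorded from the trusted build; an attestation server would
# hold these, not the machine being checked.
GOLDEN_PCR, GOLDEN_LOG = measured_boot(KNOWN_GOOD_COMPONENTS)


def attest(components: List[Tuple[str, bytes]],
           golden_pcr: bytes = GOLDEN_PCR,
           golden_log: Dict[str, str] = GOLDEN_LOG) -> Tuple[bool, List[str]]:
    """Return (ok, changed). ok is True only if the final register matches the
    golden value exactly; changed lists components whose measurement differs
    from the golden log, plus any component the golden log never saw."""
    pcr, log = measured_boot(components)
    if pcr == golden_pcr:
        return True, []
    changed = sorted(n for n in golden_log if log.get(n) != golden_log[n])
    changed += sorted(n for n in log if n not in golden_log)
    return False, changed


def tampered_nic_firmware() -> List[Tuple[str, bytes]]:
    """Constructed scenario: the NIC option ROM has been silently replaced
    (here: a few bytes appended). Everything else is untouched."""
    return [(n, img + b"\x00\x01" if n == "nic_option_rom" else img)
            for n, img in KNOWN_GOOD_COMPONENTS]


if __name__ == "__main__":
    print("clean boot   :", attest(KNOWN_GOOD_COMPONENTS))
    print("modified NIC :", attest(tampered_nic_firmware()))
```

Two properties matter for the defensive argument. First, the check is only as trustworthy as the component that takes the first measurement: if the code that hashes the BIOS is itself replaceable by software, an attacker can simply report the old hash, which is why the comment insists the root has to be anchored in hardware. Second, the golden value must be compared somewhere the compromised machine cannot edit (an attestation server or a signed baseline), otherwise malware that can rewrite firmware can rewrite the expected value too.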

by Anonymous on 30. March 2010 - 16:12  (46512)

I had heard a few years ago on a computer security forum that there was malware that could "hide" in the ROM(?) or something that was powered by a small battery (BIOS?), such that even a complete reformat of the HDD and then re-install of the OS from a known safe source was still not a guarantee that you were free from malware... I didn't have enough knowledge in that area to find out if it were true but that's what they told me at the time...

by Anonymous on 30. March 2010 - 15:49  (46511)

The malware must have disabled the article’s spell checker: aslo and jewellery

by MidnightCowboy on 30. March 2010 - 20:26  (46529)

curected wot i cud find :)

Thanks for pointing them out, much appreciated. Sometimes these things do slip through.

by Anonymous on 30. March 2010 - 13:29  (46500)

This "new" attack is like saying "news flash, people who leave keys in the ignition can have their car stolen". The "hardware remote diagnostic" mode is not turned on unless the user deliberately turns it on to allow HP or the IT department to remotely diagnose network connectivity issues. I suppose at least this alert is alerting PC users that there may be "keys" to their PC they didn't know about. However, if a user turned this mode on then they would know how to turn it off. Unless, I suppose, it is a mode set by the IT dept of a large corporation to make it easier to diagnose remote user problems.

by Anonymous on 30. March 2010 - 8:02  (46477)

How do I turn off the remote factory diagnostic mechanism (ASF, or Alert Standard Format 2.0)?

I have a HP Pavilion PC.

by ianjrichards (not verified) on 30. March 2010 - 9:42  (46489)

My understanding is that it is turned off by default. However, check with HP. If you get a response could you post it here - Thanks, Gizmo

by Anonymous on 30. March 2010 - 21:18  (46537)

Lol, as far as getting a response from these big friendly giants... we are only expected to be tremendously pleased with what they shovel on us.
Ask a question... read the FAQs before sending off your question that does not appear in the FAQs... surely there must be many people who have asked before me, or am I so computer dumb that I'm just dumb... then feel the silence.

by Anonymous on 30. March 2010 - 7:16  (46475)

Giz wouldn't a behavioral malware detection program pick up this kind of nasty?

by ianjrichards (not verified) on 30. March 2010 - 9:40  (46488)

That's a good question. Without knowing the full details I can only speculate.

First the malicious code runs in the memory space allocated to hardware devices such as network or graphics cards. This is likely to be outside the reach of security software as they would not normally check that area.

Secondly, communication with the outside world takes place via an invisible tunnel that is also likely to be invisible to firewalls, HIPS and other security software.

However, at some point the malware must need to get access to the PC hard drives in order to access data or files. At that stage it should be visible to security software. At that point a behavioral based malware detector may be able to identify the malware by the activities it is engaged in.

However this is pure speculation. I'll see if I can get someone from a security software organization to comment.

Gizmo

by Anonymous on 30. March 2010 - 19:50  (46525)

I'm not too good at computer programming but Avast has a setting which allows scanners to scan memory, would this see said malware?

by Anonymous on 30. March 2010 - 3:37  (46472)

I agree Gizmo that this is a scary development. What practical steps can I take to minimize the risks from these attacks on my hardware?

by ianjrichards (not verified) on 30. March 2010 - 4:11  (46473)

Apart from updating the firmware in devices known to have problems there is little you can do right now to prevent an attack.

Don't worry too much about this problem because in practice it is highly unlikely that your PC will be attacked in this manner - it's more of a future threat than a present one. Hopefully by then there will be computer security programs that will provide protection.

In the interim the best you can do is lock down your sensitive data.

Gizmo

by Anonymous on 30. March 2010 - 9:54  (46491)

I'm afraid I can't agree. These days the time between the discovery of a new flaw and its widespread use is measured in weeks.
