PCI cards the next haven for rootkits?


Security researcher John Heasman released a paper this week describing a way to hide malicious code on graphics and network cards in such a way as to avoid detection and survive a full re-installation of the operating system.

The paper (PDF), published on Wednesday, builds on the work presented by Heasman earlier this year, describing ways to use the Advanced Configuration and Power Interface (ACPI) functions available on almost all motherboards to store and run a rootkit that could survive a reboot. The current paper outlines ways to use the expansion memory available on Peripheral Component Interconnect (PCI) cards, such as graphics cards and network cards.

Heasman, a researcher at Next-Generation Security Software, does not believe that such techniques will become commonplace.

"(Because) enough people do not regularly apply security patches to Windows and do not run anti-virus software, there is little immediate need for malware authors to turn to these techniques as a means of deeper compromise," he wrote in the paper. "If a user detects the malware and removes it, there are plenty more unsuspecting targets on the Internet."

Heasman also described a potential defense against the rootkit technique in the paper. By auditing the expansion memory and system memory, an administrator could look for suspiciously obfuscated code, the presence of 32-bit code, and odd class codes, among other telling signs of compromise. Moreover, computers that use the Trusted Computing Module to protect the boot process will be immune to this type of rootkit compromise, he wrote.
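One way to turn the audit Heasman describes into a concrete check, as an added example that is not code from his paper or from this article: parse a PCI expansion ROM image's header and PCI Data Structure (PCIR), verify the image checksum, compare the vendor/device and class code the ROM claims against what the card's configuration space reports, flag unknown code types, and compare the image hash against a known-good baseline. The sample ROM, vendor/device IDs and baseline set are constructed here for illustration; on a real system the image would come from the card (for example the `rom` attribute under sysfs on Linux).

```python
import hashlib
import struct

CODE_TYPES = {0x00: "x86 PC-AT", 0x01: "Open Firmware", 0x02: "HP PA-RISC", 0x03: "EFI"}

def build_sample_rom(vendor, device, class_code, code_type=0x00):
    """Constructed 512-byte option-ROM image: valid headers, no executable code."""
    img = bytearray(512)
    img[0:2] = b"\x55\xAA"                     # expansion ROM signature
    img[2] = 1                                 # image size in 512-byte units
    pcir = 0x40
    struct.pack_into("<H", img, 0x18, pcir)    # pointer to the PCI Data Structure
    cc = bytes([class_code & 0xFF, (class_code >> 8) & 0xFF, class_code >> 16])
    # "PCIR", vendor, device, reserved, PCIR length, PCIR rev, class code (3 bytes),
    # image length (512-byte units), code revision, code type, indicator (last image), reserved
    struct.pack_into("<4sHHHHB3sHHBBH", img, pcir, b"PCIR", vendor, device,
                     0, 0x18, 0, cc, 1, 1, code_type, 0x80, 0)
    img[-1] = (-sum(img[:-1])) & 0xFF          # x86 images must sum to 0 mod 256
    return bytes(img)

def parse_option_rom(img):
    """Extract the fields a ROM audit compares against PCI config space."""
    if img[0:2] != b"\x55\xAA":
        raise ValueError("missing 55AA ROM signature")
    pcir = struct.unpack_from("<H", img, 0x18)[0]
    if img[pcir:pcir + 4] != b"PCIR":
        raise ValueError("PCI Data Structure not found")
    vendor, device = struct.unpack_from("<HH", img, pcir + 4)
    prog_if, sub, base = img[pcir + 0x0D:pcir + 0x10]   # same byte order as config space
    length = struct.unpack_from("<H", img, pcir + 0x10)[0] * 512
    return {"vendor": vendor, "device": device, "length": length,
            "class_code": (base << 16) | (sub << 8) | prog_if,
            "code_type": img[pcir + 0x14]}

def image_digest(img):
    return hashlib.sha256(img[:parse_option_rom(img)["length"]]).hexdigest()

def audit_rom(img, cfg_vendor, cfg_device, cfg_class, baseline_hashes):
    """Return a list of findings; an empty list means the ROM is consistent with the device."""
    hdr = parse_option_rom(img)
    findings = []
    if sum(img[:hdr["length"]]) & 0xFF:
        findings.append("image checksum is non-zero (modified or corrupted ROM)")
    if (hdr["vendor"], hdr["device"]) != (cfg_vendor, cfg_device):
        findings.append("PCIR vendor/device %04x:%04x disagrees with config space"
                        % (hdr["vendor"], hdr["device"]))
    if hdr["class_code"] != cfg_class:
        findings.append("PCIR class code %06x disagrees with config-space class %06x"
                        % (hdr["class_code"], cfg_class))
    if hdr["code_type"] not in CODE_TYPES:
        findings.append("unknown code type 0x%02x" % hdr["code_type"])
    if image_digest(img) not in baseline_hashes:
        findings.append("image hash not in known-good baseline")
    return findings
```

The baseline set would be populated from images captured when the cards were known clean; any new finding is a reason to pull the image and inspect it, not proof of compromise on its own.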

 
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值