Security researcher John Heasman released a paper this week describing a way to hide malicious code in the expansion ROM of PCI cards, such as graphics and network cards, so that it evades detection by the operating system and survives a full reinstallation of the OS.
The paper (PDF), published on Wednesday, builds on the work Heasman presented earlier this year, which described ways to use the Advanced Configuration and Power Interface (ACPI) functions available on almost all motherboards to store and run a rootkit that could survive a reboot. The current paper outlines ways to use the expansion memory available on Peripheral Component Interconnect (PCI) cards, such as graphics cards and network cards. Code stored in a card's expansion ROM is executed by the system BIOS during power-on self-test, before any operating system is loaded, which is why wiping and reinstalling the OS does not remove it.
Heasman, a researcher at Next-Generation Security Software, does not believe that such techniques will become commonplace.
"(Because) enough people do not regularly apply security patches to Windows and do not run anti-virus software, there is little immediate need for malware authors to turn to these techniques as a means of deeper compromise," he wrote in the paper. "If a user detects the malware and removes it, there are plenty more unsuspecting targets on the Internet."
Heasman also described a potential defense against the rootkit technique in the paper. By auditing the contents of the expansion ROMs and the copies the BIOS places in system memory, an administrator could look for suspiciously obfuscated code, the presence of 32-bit code where only 16-bit real-mode option ROM code is expected, and class codes in the ROM header that do not match the device they are attached to, among other telling signs of compromise. Moreover, computers that use a Trusted Platform Module (TPM) to measure the boot process, option ROMs included, would be immune to this type of rootkit compromise, he wrote.
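The structural part of that audit can be automated. The script below is an added example written for this page, not Heasman's own detection tool: it parses a PCI expansion ROM image according to the layout in the PCI Firmware Specification (the 0x55AA signature, the pointer at offset 0x18 to the "PCIR" data structure, and the vendor ID, device ID, 24-bit class code, image length and code type held there), then compares the PCIR fields against the identity the device reports in configuration space, verifies the x86 image checksum, and flags a code body whose byte entropy suggests packing or encryption. The vendor and device IDs, the PCIR location at offset 0x1C, the sample ROM images and the 7.0 bits/byte entropy threshold are all constructed for the example; the disassembly-based check for 32-bit code that the paper also suggests is not implemented here.

```python
"""Structural audit of a PCI expansion ROM image (added example, not Heasman's tool).

Layout follows the PCI Firmware Specification: 0x55AA at offset 0, image size in
512-byte units at offset 2, a 16-bit pointer at offset 0x18 to the "PCIR" data
structure, which carries the vendor/device IDs, the 24-bit class code, the image
length and the code type.  On Linux the raw image can be read from
/sys/bus/pci/devices/<bdf>/rom after writing "1" to that file; here the images
are constructed in memory so the script runs offline.
"""
import math
import struct
from collections import Counter

ROM_SIG = b"\x55\xAA"
PCIR_SIG = b"PCIR"
PCIR_FMT = "<4sHHHHB3sHHBBH"          # the 24-byte PCI Data Structure
PCIR_OFF = 0x1C                        # where the constructed images place PCIR (assumption)
CODE_OFF = PCIR_OFF + struct.calcsize(PCIR_FMT)
CODE_TYPES = {0: "x86 legacy", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}


def build_rom(vendor_id, device_id, class_code, body, code_type=0, size_units=1):
    """Build a minimal well-formed x86 option ROM image for testing (constructed data)."""
    img = bytearray(size_units * 512)
    img[0:2] = ROM_SIG
    img[2] = size_units                                   # size in 512-byte blocks
    img[3:6] = b"\xE9" + struct.pack("<h", CODE_OFF - 6)  # jmp rel16 to the code body
    struct.pack_into("<H", img, 0x18, PCIR_OFF)
    struct.pack_into(PCIR_FMT, img, PCIR_OFF, PCIR_SIG, vendor_id, device_id, 0,
                     struct.calcsize(PCIR_FMT), 0,
                     class_code.to_bytes(3, "little"),    # prog-if, subclass, base class
                     size_units, 0, code_type, 0x80, 0)   # 0x80: last image in the ROM
    img[CODE_OFF:CODE_OFF + len(body)] = body
    img[-1] = (-sum(img[:-1])) & 0xFF                     # x86 images must sum to 0 mod 256
    return bytes(img)


def parse_rom(image):
    """Decode the header and PCIR of the first image; raise ValueError if malformed."""
    if len(image) < 0x1A or image[:2] != ROM_SIG:
        raise ValueError("no 0x55AA expansion ROM signature")
    pcir_off = struct.unpack_from("<H", image, 0x18)[0]
    if pcir_off + struct.calcsize(PCIR_FMT) > len(image):
        raise ValueError("PCIR pointer points outside the image")
    (sig, vid, did, _, _, _, cls, img_len, _, code_type, indicator, _) = \
        struct.unpack_from(PCIR_FMT, image, pcir_off)
    if sig != PCIR_SIG:
        raise ValueError("PCIR signature missing at 0x%x" % pcir_off)
    return {
        "vendor_id": vid, "device_id": did,
        "class_code": int.from_bytes(cls, "little"),
        "image_len": img_len * 512, "header_len": image[2] * 512,
        "code_type": code_type, "last_image": bool(indicator & 0x80),
        "code_off": pcir_off + struct.calcsize(PCIR_FMT),
    }


def shannon_entropy(data):
    """Bits of entropy per byte; packed or encrypted code sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def audit_rom(image, vendor_id, device_id, class_code, entropy_limit=7.0):
    """Compare the ROM with the device's config-space identity and return findings.

    vendor_id/device_id/class_code are what lspci -nn reports for the slot.  The
    entropy limit is a heuristic threshold chosen for this example, not a spec value.
    """
    findings = []
    try:
        hdr = parse_rom(image)
    except ValueError as exc:
        return ["malformed image: %s" % exc]
    if (hdr["vendor_id"], hdr["device_id"]) != (vendor_id, device_id):
        findings.append("PCIR vendor/device %04x:%04x does not match config space %04x:%04x"
                        % (hdr["vendor_id"], hdr["device_id"], vendor_id, device_id))
    if hdr["class_code"] != class_code:
        findings.append("PCIR class code %06x does not match device class %06x"
                        % (hdr["class_code"], class_code))
    if hdr["code_type"] not in CODE_TYPES:
        findings.append("unknown code type %d" % hdr["code_type"])
    if hdr["code_type"] == 0:                 # x86 rules: size fields agree, checksum is 0
        if hdr["image_len"] != hdr["header_len"]:
            findings.append("header size %d != PCIR image length %d"
                            % (hdr["header_len"], hdr["image_len"]))
        if sum(image[:hdr["image_len"]]) & 0xFF:
            findings.append("x86 image checksum is not zero")
    ent = shannon_entropy(image[hdr["code_off"]:hdr["image_len"]])
    if ent > entropy_limit:
        findings.append("code body entropy %.2f bits/byte suggests packing or encryption" % ent)
    return findings


# Constructed samples: a NIC (vendor 0x1234, device 0xABCD, class 0x020000 = Ethernet)
CLEAN_ROM = build_rom(0x1234, 0xABCD, 0x020000, b"\xFA\xB8\x00\x00\xFB\xCB")  # cli; mov ax,0; sti; retf
# A replaced ROM: the PCIR claims a display controller and the body looks packed
PACKED_BODY = bytes((i * 37 + 11) & 0xFF for i in range(459))
SUSPECT_ROM = build_rom(0x1234, 0xABCD, 0x030000, PACKED_BODY)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_ROM), ("suspect", SUSPECT_ROM)):
        print(name, audit_rom(img, 0x1234, 0xABCD, 0x020000) or ["no findings"])
```

The checks are cheap but deliberately conservative: a clean ROM must pass all of them, so any finding is worth a closer look, whereas a passing result proves little, since an attacker who rewrites the ROM can also keep the checksum and class code consistent. A measured boot that records the ROM's hash in a TPM, or a comparison against the vendor's published image, catches the cases this script cannot.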
Security researcher John Heasman has published a paper detailing how the expansion memory on graphics and network cards can be used to hide malicious code so that it evades detection and survives a complete reinstallation of the operating system. Heasman also proposes potential defenses against this attack.