May 11 news: security researchers have recently developed a new type of malicious rootkit that hides in an inconspicuous part of a computer's microprocessor and can evade scanning by current antivirus programs.
According to foreign media reports, the new software, called a System Management Mode (SMM) rootkit, runs in a protected region of the computer's memory and is invisible to the operating system, yet attackers can use it to "peer into" everything that happens in the computer's memory.
The SMM rootkit includes keylogging and communications software, which could be used to steal a victim's sensitive information. It was built by Shawn Embleton, who runs a company called "Clear Hat Consulting".
The proof-of-concept software is expected to be shown for the first time at the Black Hat security conference in Las Vegas this August. Rootkits are a widely used malicious tool today: they cover up the tracks left by their own execution in order to evade detection by security software. Rootkits became widespread in late 2005, when Sony BMG Music used rootkit techniques to hide its copy-protection software; after this was exposed, Sony BMG was forced to recall millions of "problem" music CDs.
In recent years, researchers have been looking for ways to run rootkits outside the operating system, which makes them much harder for security software to find. For example, two years ago security researcher Joanna Rutkowska developed a rootkit called "Blue Pill", which used AMD's chip-level virtualization technology to hide itself. Rutkowska herself acknowledged that the technique could eventually be used to create "100% undetectable malware".
"Rootkits are moving deeper and deeper into the hardware," said Sparks, who three years ago also wrote a rootkit called "Shadow Walker". "The deeper into the operating system you go, the more power and influence you have, and the harder it is for security software to find you."
"Blue Pill" uses the newest virtualization technology, which has been adopted in microprocessors, whereas the SMM rootkit uses a feature that has been around much longer and is far more widespread. SMM in fact dates back to Intel's 386 processors, where it was mainly used by hardware vendors as a way to fix product bugs in software. The feature is also used for the computer's power management, for example putting the machine into sleep mode at the appropriate time.
John Heasman, director of research at the security consultancy NGS Software, said that in most cases an SMM rootkit running in a locked region of memory would be harder to detect than "Blue Pill": "An SMM rootkit has far-reaching ramifications, and it can evade antivirus software's searches."
For years researchers have suspected that malware could be implanted into SMM and run there. In 2006, researcher Loïc Duflot demonstrated the whole process of how SMM malware would work. In addition to a debugger, Sparks and Embleton also had to write a set of driver code for their rootkit.
Being divorced from the operating system makes the SMM rootkit more stealthy, but it also means attackers must write this driver code explicitly for the operating system being attacked.
"I don't think the rootkit is a widespread threat, because it depends too heavily on the hardware," Sparks said. "You would only see this used in a targeted attack." But is it 100% undetectable? Sparks thinks not. "I'm not saying it can't be detected, only that it would be difficult to detect."
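As an added example (not code from the article or from the researchers it describes), a defender-side check for the property Heasman's remark turns on: whether the SMRAM region is actually locked, since a locked region is what keeps its contents beyond reach of normal code. It assumes the Intel SMRAMC register at PCI device 00:00.0, config-space offset 0x9D, with the D_OPEN/D_CLS/D_LCK/G_SMRAME bit layout of older Intel desktop chipsets, read through Linux sysfs as root; verify the offset and bits against your platform's datasheet.

```c
/* Added example, not code from the article or from Clear Hat Consulting.
 * Decodes the Intel SMRAMC register to report whether SMRAM is locked.
 * ASSUMPTION: SMRAMC lives at PCI 00:00.0 config offset 0x9D with the bit
 * layout below (older Intel chipsets); check your chipset datasheet. */
#include <stdint.h>
#include <stdio.h>

#define SMRAMC_PATH     "/sys/bus/pci/devices/0000:00:00.0/config"
#define SMRAMC_OFFSET   0x9DL
#define SMRAMC_D_OPEN   (1u << 6)  /* SMRAM visible to non-SMM code      */
#define SMRAMC_D_CLS    (1u << 5)  /* SMRAM closed to data accesses      */
#define SMRAMC_D_LCK    (1u << 4)  /* lock: D_OPEN and friends read-only */
#define SMRAMC_G_SMRAME (1u << 3)  /* global SMRAM enable                */

/* Returns 1 when SMRAM is enabled and locked, 0 otherwise.
 * Tampering with SMRAM after boot needs D_LCK clear or D_OPEN set,
 * so a result of 0 is the finding worth investigating. */
int smram_is_locked(uint8_t smramc)
{
    if (!(smramc & SMRAMC_G_SMRAME))
        return 0;                  /* SMRAM not enabled at all */
    if (smramc & SMRAMC_D_OPEN)
        return 0;                  /* mapped into the normal address space */
    return (smramc & SMRAMC_D_LCK) ? 1 : 0;
}

/* Reads one byte of PCI config space through sysfs (needs root).
 * Returns 0 on success, -1 on failure. */
int read_smramc(const char *path, long offset, uint8_t *out)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    int ok = (fseek(f, offset, SEEK_SET) == 0) && (fread(out, 1, 1, f) == 1);
    fclose(f);
    return ok ? 0 : -1;
}

int main(void)
{
    uint8_t v;
    if (read_smramc(SMRAMC_PATH, SMRAMC_OFFSET, &v) != 0) {
        perror("reading SMRAMC (run as root; offset is chipset-specific)");
        return 1;
    }
    printf("SMRAMC=0x%02x G_SMRAME=%d D_OPEN=%d D_CLS=%d D_LCK=%d: %s\n", v,
           !!(v & SMRAMC_G_SMRAME), !!(v & SMRAMC_D_OPEN),
           !!(v & SMRAMC_D_CLS), !!(v & SMRAMC_D_LCK),
           smram_is_locked(v) ? "locked" : "NOT locked, investigate");
    return smram_is_locked(v) ? 0 : 2;
}
```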
On 2008-05-12, ayaREI <xuewufh@gmail.com> wrote:
arnew wrote:
| This is the original text
| =======================================================
| Security researchers have developed a new type of malicious rootkit software that hides itself in an obscure part of a computer's microprocessor, hidden from current antivirus products.
|
| Called a System Management Mode (SMM) rootkit, the software runs in a protected part of a computer's memory that can be locked and rendered invisible to the operating system, but which can give attackers a picture of what's happening in a computer's memory.
|
| The SMM rootkit comes with keylogging and communications software and could be used to steal sensitive information from a victim's computer. It was built by Shawn Embleton and Sherri Sparks, who run an Oviedo, Florida, security company called Clear Hat Consulting.
|
| The proof-of-concept software will be demonstrated publicly for the first time at the Black Hat security conference in Las Vegas this August.
|
| The rootkits used by cyber crooks today are sneaky programs designed to cover up their tracks while they run in order to avoid detection. Rootkits hit the mainstream in late 2005 when Sony BMG Music used rootkit techniques to hide its copy protection software. The music company was ultimately forced to recall millions of CDs amid the ensuing scandal.
|
| In recent years, however, researchers have been looking at ways to run rootkits outside of the operating system, where they are much harder to detect. For example, two years ago researcher Joanna Rutkowska introduced a rootkit called Blue Pill, which used AMD's chip-level virtualization technology to hide itself. She said the technology could eventually be used to create "100 percent undetectable malware."
|
| "Rootkits are going more and more toward the hardware," said Sparks, who wrote another rootkit three years ago called Shadow Walker. "The deeper into the system you go, the more power you have and the harder it is to detect you."
|
| Blue Pill took advantage of new virtualization technologies that are now being added to microprocessors, but the SMM rootkit uses a feature that has been around for much longer and can be found in many more machines. SMM dates back to Intel's 386 processors, where it was added as a way to help hardware vendors fix bugs in their products using software. The technology is also used to help manage the computer's power management, taking it into sleep mode, for example.
|
| In many ways, an SMM rootkit, running in a locked part of memory, would be more difficult to detect than Blue Pill, said John Heasman, director of research with NGS Software, a security consulting firm. "An SMM rootkit has major ramifications for things like [antivirus software products]," he said. "They will be blind to it."
|
| Researchers have suspected for several years that malicious software could be written to run in SMM. In 2006, researcher Loic Duflot demonstrated how SMM malware would work. "Duflot wrote a small SMM handler that compromised the security model of the OS," Embleton said. "We took the idea further by writing a more complex SMM handler that incorporated rootkit-like techniques."
|
| In addition to a debugger, Sparks and Embleton had to write driver code in hard-to-use assembly language to make their rootkit work. "Debugging it was the hardest thing," Sparks said.
|
| Being divorced from the operating system makes the SMM rootkit stealthy, but it also means that hackers have to write this driver code expressly for the system they are attacking.
|
| "I don't see it as a widespread threat, because it's very hardware-dependent," Sparks said. "You would see this in a targeted attack."
|
| But will it be 100 percent undetectable? Sparks says no. "I'm not saying it's undetectable, but I do think it would be difficult to detect." She and Embleton will talk more about detection techniques during their Black Hat session, she said.
|
| Brand new rootkits don't come along every day, Heasman said. "It will be one of the most interesting, if not the most interesting, at Black Hat this year," he said.

I have read the original several times; perhaps my comprehension is poor, but my rough guess is as follows: the SMM rootkit described in the article is really just a variant of a BIOS rootkit. In practice it may be somewhat more cumbersome, but it does not necessarily reside on the hard disk as the original poster described. My computer architecture is weak and I am not very clear on how SMM is structured, but it should be a mechanism for saving the machine's state, and it can only be triggered under specific conditions. I think at boot time it would still need to take over after the BIOS, before the operating system.
Reposted from: https://blog.51cto.com/netwalk/76679