Firmware rootkits are the latest threat

Summary: At Black Hat this week, John Heasman demonstrated a rootkit that flashes itself to the firmware in a system. Reimaging the disk did nothing to remove it. This is just the latest in a long line of threats.

Many months ago, I got a call from the guy hosting one of my servers telling me that I'd been hacked. This is not what you want to hear first thing in the morning. My server was now home to the business end of a phishing attack on some bank. He'd been notified by the bank that the server had to come down. "No problem--yank the power," I said. I didn't even want to log onto it.

I have always felt safe in the knowledge that if one of my servers got rootkitted, I could reimage it and be back in business without having to worry about whether or not I got everything cleaned up. A demo at Black Hat this week proved that assumption wrong.

John Heasman from Next Generation Security Software demonstrated a rootkit that hides itself in firmware. Completely erase the hard drive, reinstall the OS, and the rootkit is right back where it was before your exercise in futility.

Firmware rootkits aren't an imminent threat, but Heasman's demonstration shows that we can't ignore the firmware in systems anymore. You probably don't even know all the firmware devices on your network. Many PCI cards, and even your system clock, have flashable memory. If you do know which parts of your systems are flashable, do you have a procedure for managing firmware? Probably not.

No malware is currently known to exploit firmware, but it may be simply a matter of time. Gaining some understanding of the firmware on your network and its status is a good first step. One more threat to manage...
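The firmware inventory this post calls for, as an added example (not code from the post, from NGS or from ZDNet): each flashable device is baselined by the SHA-256 of its firmware image, and a later scan flags devices whose image changed even though the self-reported version string did not, plus devices that were never inventoried. The PCI addresses, vendor/device ids, version strings and image bytes are constructed sample values; on Linux the real option ROM bytes could be read from the device's sysfs `rom` attribute, which this example does not do.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FirmwareRecord:
    device: str   # stable identity, e.g. PCI address plus vendor:device id
    version: str  # version string as reported by the device itself
    digest: str   # SHA-256 of the firmware image read from the device


def fingerprint(image: bytes) -> str:
    """SHA-256 over a raw firmware image (e.g. a PCI option ROM dump)."""
    return hashlib.sha256(image).hexdigest()


def diff_inventory(baseline, current):
    """Compare a scan against a known-good baseline by image digest.

    Version strings are not compared: firmware that has been reflashed can
    report whatever version it likes, so only the image hash is trusted."""
    base = {r.device: r for r in baseline}
    cur = {r.device: r for r in current}
    return {
        "unknown": sorted(d for d in cur if d not in base),
        "changed": sorted(d for d in cur if d in base and cur[d].digest != base[d].digest),
        "missing": sorted(d for d in base if d not in cur),
    }


# Constructed sample images standing in for real option ROM dumps
# (a PCI option ROM begins with the 0x55 0xAA signature).
GOOD_NIC_ROM = b"\x55\xaa" + b"nic-rom-v1.2" * 4
GOOD_RAID_ROM = b"\x55\xaa" + b"raid-rom-v3.0" * 4
TAMPERED_NIC_ROM = GOOD_NIC_ROM + b"extra-code"   # same version string, extra code


def baseline_inventory():
    """Baseline taken from a known-good state (constructed sample ids)."""
    return [
        FirmwareRecord("0000:02:00.0 14e4:1639", "1.2", fingerprint(GOOD_NIC_ROM)),
        FirmwareRecord("0000:03:00.0 1000:0079", "3.0", fingerprint(GOOD_RAID_ROM)),
    ]


def current_inventory():
    """Later scan: NIC image changed, one device was never inventoried."""
    return [
        FirmwareRecord("0000:02:00.0 14e4:1639", "1.2", fingerprint(TAMPERED_NIC_ROM)),
        FirmwareRecord("0000:03:00.0 1000:0079", "3.0", fingerprint(GOOD_RAID_ROM)),
        FirmwareRecord("0000:04:00.0 10de:0614", "?", fingerprint(b"\x55\xaaunknown")),
    ]


def scan_report():
    return diff_inventory(baseline_inventory(), current_inventory())
```

The baseline is only as good as the state it was captured from, and a digest read through the operating system of a suspect machine is itself produced with the help of that machine's firmware, so capture the baseline before deployment and verify suspect devices out of band where possible.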

Topics: Software
