Firmware rootkits are the latest threat

Summary: At Black Hat this week, John Heasman demonstrated a rootkit that flashes itself to the firmware in a system. Reimaging the disk did nothing to remove it. This is just the latest in a long line of threats.

TOPICS: Software

Many months ago, I got a call from the guy hosting one of my servers telling me that I'd been hacked. This is not what you want to hear first thing in the morning. My server was now home to the business end of a phishing attack on some bank. He'd been notified by the bank that the server had to come down. "No problem--yank the power," I said. I didn't even want to log onto it.

I have always felt safe in the knowledge that if one of my servers got rootkitted, I could reimage it and be back in business without having to worry about whether or not I got everything cleaned up. A demo at Black Hat this week proved that assumption wrong.

John Heasman from Next Generation Security Software demonstrated a rootkit that hides itself in firmware. Completely erase the hard drive, reinstall the OS, and the rootkit is right back where it was before your exercise in futility.

Firmware rootkits aren't an imminent threat, but Heasman's demonstration shows that we can't ignore the firmware in systems anymore. You probably don't even know all the firmware devices on your network. Many PCI cards, and even your system clock, have flashable memory. If you do know which parts of your systems are flashable, do you have a procedure for managing firmware? Probably not.

No malware is currently known to exploit firmware, but it may be simply a matter of time. Gaining some understanding of the firmware on your network and its status is a good first step. One more threat to manage...
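As an added illustration (not code from the article or from Heasman's demonstration), here is a small Python check for the "first step" recommended above: record the firmware each host reports when it is accepted into service, and after any rebuild compare the current inventory against that baseline, flagging anything a disk reimage cannot explain. The `/sys/class/dmi/id` BIOS strings are what a Linux kernel exports; the host names, device names, versions and hash values are constructed.

```python
"""Firmware baseline check (added illustration, not code from the article).
Hosts, device names, versions and hash values below are constructed."""
from pathlib import Path

DMI_DIR = Path("/sys/class/dmi/id")  # BIOS identity strings exported by Linux
DMI_FIELDS = ("bios_vendor", "bios_version", "bios_date")

def collect_local_bios():
    """Read the BIOS strings sysfs exports; {} where DMI is unavailable."""
    out = {}
    for field in DMI_FIELDS:
        try:
            out[field] = (DMI_DIR / field).read_text().strip()
        except OSError:  # non-Linux host, container, or field not exported
            pass
    return out

def compare_firmware(baseline, current):
    """Diff {host: {device: {field: value}}} inventories. Anything changed,
    vanished or new is a finding: a disk reimage cannot explain it, so either
    a planned update is on record or the host is compromised below the OS."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        base, cur = baseline.get(host, {}), current.get(host, {})
        for dev in sorted(set(base) | set(cur)):
            if dev not in base:
                findings.append((host, dev, "unknown device reporting firmware"))
            elif dev not in cur:
                findings.append((host, dev, "device missing from inventory"))
            else:
                for field, want in base[dev].items():
                    got = cur[dev].get(field)
                    if got != want:
                        findings.append((host, dev, f"{field}: {want!r} -> {got!r}"))
    return findings

# Constructed: baseline recorded at acceptance, and a scan after reimaging.
BASELINE = {"web01": {
    "bios": {"bios_vendor": "ExampleCorp", "bios_version": "1.02", "bios_date": "03/01/2006"},
    "nic0": {"version": "4.1.7", "image_hash": "hash-recorded-at-acceptance"}}}
AFTER_REIMAGE = {"web01": {
    "bios": {"bios_vendor": "ExampleCorp", "bios_version": "1.02", "bios_date": "03/01/2006"},
    "nic0": {"version": "4.1.7", "image_hash": "hash-read-after-rebuild"},
    "raid0": {"version": "2.0"}}}

if __name__ == "__main__":
    for host, dev, why in compare_firmware(BASELINE, AFTER_REIMAGE):
        print(f"{host}/{dev}: {why}")
    print("this host's BIOS:", collect_local_bios() or "DMI not available")
```

A NIC whose image hash changed and a RAID controller that was never baselined both survive a reimage untouched, which is exactly why they are reported rather than silently accepted.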

  • rootkits

    I had 2 incidents about a month ago on clients' machines, both running XP Pro x64, where a suspected rootkit was trying to install itself on the machine but, being x64, it failed, leaving behind some script. Talking to a leading security person at the University of California, he agreed that it probably was a failed rootkit and it appeared to want to flash the BIOS on reboot. Ah! What next?
  • How would..

    commercial hardware firewall solutions stand up to this kind of attack?
  • Antivirus

    How fast will the major antivirus companies respond? Or will we have to purchase yet another program to bog down our servers/workstations?
  • more reasons to get Linux

    Stay away from the windoze crapware, and no firmware malware will plague you.
    Linux Geek
    • Re:more reasons to get Linux

      Now I know why I don't read these posts.

      How naive you are oh Linux Geek.
      Some guy_z
    • De De Dee

      I like Linux and hate Windows(Microsoft)...but god you're stupid.
  • RE: Firmware rootkits are the latest threat

    I have something like this that has been plaguing me for over 4 months now; it has infected 4 machines and I have tried low-level formats on Linux and Windows and it keeps returning!!!