Many months ago, I got a call from the guy hosting one of my servers telling me that I'd been hacked. This is not what you want to hear first thing in the morning. My server was now home to the business end of a phishing attack on some bank. He'd been notified by the bank that the server had to come down. "No problem--yank the power," I said. I didn't even want to log onto it.
I have always felt safe in the knowledge that if one of my servers got rootkitted, I could reimage it and be back in business without having to worry about whether or not I got everything cleaned up. A demo at Black Hat this week proved that assumption wrong.
John Heasman from Next Generation Security Software demonstrated a rootkit that hides itself in firmware. Completely erase the hard drive, reinstall the OS, and the rootkit is right back where it was before your exercise in futility.
Firmware rootkits aren't an imminent threat, but Heasman's demonstration shows that we can't ignore the firmware in our systems anymore. You probably don't even know all the firmware-bearing devices on your network. Many PCI cards, and even your system clock, have flashable memory. If you do know which parts of your systems are flashable, do you have a procedure for managing firmware, recording what is there and noticing when it changes? Probably not.
No malware is currently known to exploit firmware, but it may be simply a matter of time. Gaining some understanding of the firmware on your network and its status is a good first step. One more threat to manage...
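A concrete version of that first step, as an added example (not code from the original post, and not NGSSoftware's tooling): a small Python script that records what a Linux host reports about its flashable parts and flags any difference on the next run. It assumes the stock text output of `dmidecode -t bios`, `lspci -nn` and `ethtool -i <iface>` (dmidecode needs root), and it is a coarse check only: a rootkit that controls the firmware can lie about its own version string, so a clean diff is evidence, not proof. The sample tool output below is constructed for the demonstration.

```python
"""Firmware inventory baseline for a Linux host: collect vendor/version strings
from dmidecode, lspci and ethtool, save them, and diff against the saved copy.
Added example; the CLI output formats it parses are assumptions about stock tools."""
import json
import re
import shutil
import subprocess
import sys
from typing import Dict, List

Inventory = Dict[str, Dict[str, str]]

# --- parsers for each tool's text output --------------------------------------

def parse_dmidecode_bios(text: str) -> Dict[str, str]:
    """Pull Vendor / Version / Release Date out of `dmidecode -t bios` output."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Vendor|Version|Release Date):\s*(.+?)\s*$", line)
        if m:
            out[m.group(1).lower().replace(" ", "_")] = m.group(2)
    return out

def parse_ethtool_info(text: str) -> Dict[str, str]:
    """Parse `ethtool -i <iface>`: driver, driver version and NIC firmware version."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip() in ("driver", "version", "firmware-version"):
            out[key.strip()] = val.strip()
    return out

def parse_lspci(text: str) -> Dict[str, str]:
    """Map PCI slot -> device description from `lspci -nn`, so an added or swapped
    card shows up as a change even though we cannot read its option ROM here."""
    out: Dict[str, str] = {}
    slot_re = re.compile(r"^(?:[0-9a-f]{4}:)?[0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f]$")
    for line in text.splitlines():
        slot, sep, desc = line.partition(" ")
        if sep and slot_re.match(slot):
            out[slot] = desc.strip()
    return out

# --- collection and comparison ------------------------------------------------

def _run(cmd: List[str]) -> str:
    """Run a tool if it is installed; empty string otherwise, so the script still
    works on hosts missing one of them (and offline, where nothing is installed)."""
    if shutil.which(cmd[0]) is None:
        return ""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
    except (OSError, subprocess.SubprocessError):
        return ""

def collect_inventory(ifaces=("eth0",)) -> Inventory:
    """Gather BIOS, PCI and NIC firmware identifiers from the live host."""
    inv: Inventory = {"bios": parse_dmidecode_bios(_run(["dmidecode", "-t", "bios"])),
                      "pci": parse_lspci(_run(["lspci", "-nn"]))}
    for iface in ifaces:
        inv["nic:" + iface] = parse_ethtool_info(_run(["ethtool", "-i", iface]))
    return inv

def diff_inventory(baseline: Inventory, current: Inventory) -> List[str]:
    """Return one line per changed, added or vanished field; [] means no change."""
    changes: List[str] = []
    for section in sorted(set(baseline) | set(current)):
        old, new = baseline.get(section, {}), current.get(section, {})
        for key in sorted(set(old) | set(new)):
            if old.get(key) != new.get(key):
                changes.append(f"{section}.{key}: {old.get(key, '<absent>')} -> "
                               f"{new.get(key, '<absent>')}")
    return changes

# --- constructed sample output, used by demo() and the tests -----------------

SAMPLE_DMIDECODE = """# dmidecode 3.3
SMBIOS 2.7 present.

Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
    Vendor: Example Vendor
    Version: 1.02
    Release Date: 01/15/2006
    ROM Size: 4096 kB
"""
SAMPLE_ETHTOOL = """driver: e1000e
version: 5.15.0
firmware-version: 0.5-4
bus-info: 0000:00:19.0
"""
SAMPLE_LSPCI = """00:00.0 Host bridge [0600]: Example Inc. Host Bridge [1234:0001] (rev 02)
00:19.0 Ethernet controller [0200]: Example Inc. Gigabit NIC [1234:10ef]
"""

def demo() -> List[str]:
    """Baseline from the sample output, then a changed NIC firmware string and a
    PCI device that was not there before; both must be reported."""
    baseline: Inventory = {"bios": parse_dmidecode_bios(SAMPLE_DMIDECODE),
                           "pci": parse_lspci(SAMPLE_LSPCI),
                           "nic:eth0": parse_ethtool_info(SAMPLE_ETHTOOL)}
    current = json.loads(json.dumps(baseline))  # deep copy, as if reloaded from disk
    current["nic:eth0"]["firmware-version"] = "0.5-9"
    current["pci"]["01:00.0"] = "Network controller [0280]: Example Inc. Wireless [1234:4222]"
    return diff_inventory(baseline, current)

if __name__ == "__main__":
    # Usage: firmware_baseline.py save <file> | check <file>
    mode, path = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("demo", "")
    if mode == "save":
        json.dump(collect_inventory(), open(path, "w"), indent=2)
    elif mode == "check":
        print("\n".join(diff_inventory(json.load(open(path)), collect_inventory())) or "no change")
    else:
        print("\n".join(demo()))
```

Run it once with `save` right after a clean build and keep the baseline somewhere the host cannot write to; a `check` that reports a BIOS or NIC firmware string you did not change yourself is worth a closer look before the box goes back into service.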