SMM Rootkits: Less of a threat than that link you got IM'd
Posted by: Marco Giuliani
This research involved the abilities to exploit a bug discovered on Intel-based systems to get arbitrary code executed in System Management Mode, the most privileged mode provided by Intel CPU.
As already outlined by Joanna Rutkowska and Rafal Wojtczuk in their joint paper, this is not the first attack developed to play with SMM. For many years we've been seeing several attempts to move attacks outside the operating system, deeper than Ring 0. We've seen hypervisor proof-of-concepts rootktis at Ring -1 and now malware at SMM mode (what could be defined as Ring -2).
While I won't technically comment the research - this could be the topic for another blog post - I would instead focus on some remarks.
Bluepill project is around since a while, so are other proof of concepts like SubVirt, and there are proof of concepts like PCI card firmware infections. Research is a human intrinsic factor and it allows everyone to make always step aheads.
However, everything needs to be put into perspective.
Reading on some message boards, there are many people who are scared about the media articles talking about the danger of SMM rootkits. People were asking if they should trash their CPUs because many of them are prone to these attacks.
It's true, there's the remote possibility that using an attack like SMM a rootkit infection could occur. But this is unlikely. Why?
This is pretty simple. Malware are now mainly used to steal informations, especially information like credit card numbers and bank information, to steal money and identites. They've discovered that they do not need to be so covert in their infection methods as to infect the system using techniques like SMM, which are highly hardware dependent and complex to write.
Then, there are attackers who instead want to shift users's pc into a zombie to create a botnet and then sell it to the better bidder or use it for extorsions threats or to send spam. Even here, there are plenty of kernel mode rootkits that are still able to bypass most of antirootkit softwares included in the antivirus security suites. Yes, there are standalone antirootkit tools out there that are still able to detect them, but they are too complicated and difficult to be used by the average user.
Current attacks are developed to be fast, effective, and change continuously to get undetected. Malware writers have understood that if they want to hit antivirus companies they have to hit with as fast as they can, knowing that most of current antivirus technologies will not succeed in keeping up and they will be most likely bypassed.
Here at Prevx we can see this trend continuously, isolating thousands of pieces of new malware every day.
From an internal research, we have clearly seen how easy is for most of in the wild rootkits to hide themselves from security suites. They don't need to overwrite SMRAM - as SMM rootkits do - or take advantage of virtualization technology to subvert the operating system. They are "simple, basic, kernel mode rootkits".
Yes, not as technically interesting as SMM rootkits, but they are the real enemy you've to fight against every day. And the Operating System is still the field of battle that allows lot of "fun" for malware writers.
SMM rootkits are definitely a possible threat now but they are far less of a threat than the current malware out there. To log keystrokes, you don't need to be in SMM mode at all - actually, you can log keystrokes with no exploits from usermode under a limited user account.
Should you be afraid of SMM rootkits and tear out your CPU? Not at all! Should you be sure to use multiple security products to enhance your security? Definitely.
