There is a legend you may have heard of a lowly system administrator who notices a bunch of extra network traffic coming from one of his workstations. It appears that every packet sent from the workstation is copied and forwarded to an IP address in a country with no extradition treaty. The admin figures that some kind of rootkit is installed, so he completely reformats the hard drive and re-installs everything. Fires the thing up anew, and sure enough all packets are still being forwarded overseas! He can’t wrap his brain around that, so he tries completely removing the hard drive and starting with a new one. When he gets through the second re-install, all sent packets are STILL being sent overseas.
The admin in this story made the same mistake that many people do when thinking about their computer – he assumed that all user-modifiable executable code is only stored on the hard drive.
This story is at least 10 years old, and I’ve heard it in various different forms, but the technological culprit was certainly a BIOS-based rootkit. A BIOS-based rootkit can hide in one of two places: either embedded in the BIOS itself or in a PCI Option ROM. As part of start-up, the BIOS loads executable code from a special ROM chip on each PCI device and executes it with Ring 0 privileges, meaning the code can control absolutely anything the computer can do. PCI Option ROMs are intended to let peripheral developers include driver code that they want run at BIOS execution time. This code needs Ring 0 access, because it might need to interact directly with the ICs on the PCI device itself. This is a feature, not a bug.
Delivering a BIOS-based rootkit is a bit more complicated than a traditional rootkit. There are two methods for this. The first involves gaining root privileges on the target machine by some means and flashing a new BIOS using SPI or tools provided by the motherboard manufacturer. If your rootkit goes on a PCI Option ROM, you can also flash those with root access. Many devices can also be reflashed over the network via PXE. Most PCI cards have read-only Option ROMs, so this will only work for high-end network cards, video cards, or any other kind of PCI device that touts upgradeable firmware.
The second method is more interesting, and involves physically accessing the hardware, installing the rootkit, and then selling or giving the modified hardware to the intended victim. A variation on this would be perhaps simply leaving a stack of shrink-wrapped network cards in the hallway outside a system administrator’s office with a Post-It saying “For IT”. An advantage of this method is that you can flash the Option ROMs using a proper EEPROM programmer, so you can alter PCI cards that could not be altered using a software tool. There can be several different Option ROM data segments on one physical chip, so you don’t necessarily have to stomp the existing driver code – you can just add another segment.
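From the defender's side, the extra-segment case described above can be audited by walking the images in a ROM dump and diffing them against the vendor's image. This is an added example, not code from the original post: the field offsets follow the PCI expansion ROM header and PCIR data structure layout, and the vendor/device IDs and both ROMs are constructed sample data.

```python
import hashlib
import struct

CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}

def list_images(rom):
    """Walk every image in a PCI expansion ROM dump, past the 'last' flag too."""
    images, off = [], 0
    while off + 0x1A <= len(rom) and rom[off:off + 2] == b"\x55\xaa":
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if pcir + 0x16 > len(rom) or rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"image at {off:#x}: no PCI data structure")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        units = struct.unpack_from("<H", rom, pcir + 0x10)[0]  # 512-byte units
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        if units == 0:
            raise ValueError(f"image at {off:#x}: zero image length")
        body = rom[off:off + units * 512]
        images.append({
            "offset": off, "length": len(body), "vendor": vendor, "device": device,
            "type": CODE_TYPES.get(code_type, f"unknown ({code_type:#x})"),
            "last": bool(indicator & 0x80),  # bit 7 marks the final image
            "sha256": hashlib.sha256(body).hexdigest(),
        })
        off += units * 512
    return images

def unexpected_images(dump, known_good):
    """Images in `dump` whose hash does not appear in the known-good ROM."""
    trusted = {img["sha256"] for img in list_images(known_good)}
    return [img for img in list_images(dump) if img["sha256"] not in trusted]

def _image(code_type, units, last, fill):
    """Constructed sample image: ROM header, PCIR structure, filler body."""
    img = bytearray([fill]) * (units * 512)
    img[0:2] = b"\x55\xaa"
    struct.pack_into("<H", img, 0x18, 0x1C)  # pointer to the PCIR structure
    struct.pack_into("<4sHHHHB3sHHBB", img, 0x1C, b"PCIR", 0x1234, 0x5678, 0,
                     0x18, 0, b"\x00\x00\x02", units, 1, code_type,
                     0x80 if last else 0)
    return bytes(img)

# Constructed data: vendor ROM (legacy + EFI) and a dump with one image appended.
KNOWN_GOOD = _image(0, 2, False, 0x11) + _image(3, 1, True, 0x22)
SUSPECT = KNOWN_GOOD[:1024] + _image(3, 1, False, 0x22) + _image(3, 1, True, 0x33)

if __name__ == "__main__":
    for img in unexpected_images(SUSPECT, KNOWN_GOOD):
        print(f"{img['offset']:#06x}  {img['type']:<16} {img['length']} bytes")
```

The second image is reported along with the appended third one, because clearing its "last image" flag to chain a new image changes its hash.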
In the old BIOS standard, now referred to as Legacy BIOS, doing anything useful in a BIOS-based rootkit took an insane amount of time and skill. Since BIOS runs before the operating system comes up, a rootkit developer would have no access to system libraries, filesystem drivers, or a network stack. If the rootkit needed any of these features, the developer would have to write everything from scratch and interact with all of the involved chips at the lowest level (try to do TCP with only peeks and pokes using numbers gleaned from blueprints of chips, in short: HARD-FREAKING-CORE).
That was the past.
In 2009, AMD will start shipping EFI-compatible chipsets by default. Intel, the main proponent of EFI, has been using it in the Itanium series, but will be using it in just about everything by the end of 2009. Apple has already been using EFI in all of their Intel Macs since 2006.
This will spell the end of Legacy BIOS. Most will say good riddance.
EFI has a couple of shiny new advantages. The main reason that EFI was developed in the first place was to overcome several limitations of Legacy BIOS, including the use of 16-bit processor mode and having only one megabyte of addressable space.
As EFI has been developed over the years, it’s turned into something slightly different. Intel has open-sourced almost all of a firmware development kit called the EFI Developer Kit or EDK, available here.
The EDK includes a large amount of sample code as well as a large set of utility libraries, all written in straight C. The utility libraries include a variety of networking functions, including an optional full TCP/IP stack, as well as filesystem access libraries for FAT and NTFS.
Although the EDK doesn’t come with everything required to build a complete firmware, it does come with enough to build the two items of interest to an attacker: PCI Option ROMs and EFI Modules. EFI Modules are distinct modules of firmware code that can be easily combined with each other to produce a firmware. If you’ve ever installed the rEFIt boot menu for Intel Macs, you’ve flashed an EFI module into your BIOS.
All of these new features are designed to make life easier for firmware developers, and they do. They also make life easier for attackers who wish to use EFI for evil. Now, you can write a rootkit in C instead of assembler, and you can make use of pre-made network and file system libraries.
The only trick remaining is how to keep your rootkit running once BIOS execution has ended and the operating system is running. There are a few methods available. The easiest, and lamest, method is to simply write rootkit code out to the hard drive at every boot. Cooler than that is using Intel’s System Management Mode (SMM) or ACPI event handlers to stash code to log keystrokes and then send it out on the network. I have yet to see a working demo of this, and I’m told that a successful implementation requires specific knowledge of the Southbridge chip on a specifically targeted motherboard.
Update: From talking to people at 25c3, I’ve learned that setting up a keystroke logger for just PS2 keyboards is pretty easy. According to Peter Stuge of coreboot, to capture PS2 keystrokes you can use SMM to trap reads from io port 60, which is guaranteed to be the same on all platforms. When the SMM trap triggers, it can run code you set up from, say, an Option ROM earlier. There are examples of the use of SMM in the coreboot source!
There is also a common misconception that TPMs somehow prevent malicious PCI Option ROMs, but this isn’t so.
Apparently capturing USB keyboard keystrokes would be quite a bit more difficult. Once I get PS2 working maybe… 😉