VaKo Posted June 12, 2007 Share Posted June 12, 2007 Free Rootkit with Every New Intel Machine Peter Gutmann Sat, 09 Jun 2007 07:25:46 -0700 (Forwarded with permission from a NZ security mailing list, some portions anonymised) -- Snip -- [...] a register article saying Intel released its new platform Centrino Pro which includes Intel Active Management 2.5. An article with some more info is here: http://www.newsfactor.com/news/Intel-Debut...id=0210025GSEV9 It got me interested, so I started taking a look around. Intel has some good info here: http://softwarecommunity.intel.com/articles/eng/1032.htm And for all of you in the Web 2.0 generation with short attention spans for reading the doc, here is video that explains it all, I found myself getting more and more concerned the further it went: http://softwarecommunity.intel.com/videos/....aspx?fn=3D1066 Essentially, all new Intel machines (and a number of current Intel servers) come with free hardware rootkit functionality, which is operational and accessible when the machine is powered off, and in the case of laptops, even when they are unplugged and powered off. There is the mention of code signing, TLS and PKI magic to allay your security concerns however... There are a few new things with this that go beyond generic remote IP KVM: - NIC based TCP/IP filters configurable remotely - Handy magic bypass for TCP/IP filters [1] - Remote BIOS updates over the network - Remote IDE redirection, as in boot off CDROM over the network - Persistent storage even if you change hard disks - It doesn't appear to have a method for disabling it (well, I can't find anything about it, seems crazy if there isn't) - Built-in, on chip. I can understand a decent size company wanting IP-KVM. But I don't want my personal laptop with IP-KVM. - Authentication can be done on Kerberos. We're talking AD. - Built in web interface on every machine (port 16994) - handy well documented SDK for building whatever you need to interact with this - ... This is clearly an awesome management tool. Being able to update your antivirus while your machine is disconnected from the network is helpful. Being able to id all your assets even though they are powered off is great. My concerns are around doomsday scenarios like the below: Worm is released that gets a domain admin account, worm sets up floppy booting across the network, floppy is boot-and-nuke [2]. Worm reboots every server in the company and securely wipes them with single pass. Worm then updates bios on every machine to broken state, enables TCP/IP filters to prevent the NIC from being used to talk to the OS ever again, then disables the AMT. Note, this is OS agnostic, will take out your OSX, Windows and Linux boxen. The hardware would probably be rendered useless, barring opening up the box and flipping some jumpers or replacing something. A smart user noticing the reboot and noticing the disk was being wiped (assuming you didn't change dban to say "now making your computer faster by optimizing the cache flux capacitor") would have to unplug power and network to stop it, which is harder if you're a laptop user with wireless. </end is nigh rant> While parts of this are possible now, its just not nearly as powerful or ubiquitous. [1] TCP-over-Serial-over-LAN http://softwarecommunity.intel.com/articles/eng/1222.htm [2] http://dban.sourceforge.net/ -- Snip -- Quote Link to comment Share on other sites More sharing options...
deleted Posted June 12, 2007 Share Posted June 12, 2007 Scary!! :-o :-o The Worm might work like the Terminator 3 Problem. Quote Link to comment Share on other sites More sharing options...
SomeoneE1se Posted June 12, 2007 Share Posted June 12, 2007 well I guess 'unplugged computers are the only safe computers' is no longer true. Quote Link to comment Share on other sites More sharing options...
cooper Posted June 13, 2007 Share Posted June 13, 2007 Not sure if only I had to do this, but the correct video didn't pop up when I clicked that link. I had to click on the "Managability tab below the video, and from there select the "Active Management Technology Allows for Remote Management of Mobile Systems" video. But yeah, no way I'm letting that reside on my systems. Quote Link to comment Share on other sites More sharing options...
elmer Posted June 16, 2007 Share Posted June 16, 2007 Well this freaks me out. Quote Link to comment Share on other sites More sharing options...
unasoto Posted June 19, 2007 Share Posted June 19, 2007 simple fix? block port 16994 on your router? - Built in web interface on every machine (port 16994) Quote Link to comment Share on other sites More sharing options...
cooper Posted June 19, 2007 Share Posted June 19, 2007 I'd call that a shoddy workaround at best. An actual solution would be a jumper on the MoBo that allows you to turn this (bull)shit off in the hardware. Quote Link to comment Share on other sites More sharing options...
trustme Posted June 26, 2007 Share Posted June 26, 2007 It sounds like you're referring to an implementation of DMTFs DASH standard. The DASH framework is designed to assist admins with managing desktops and mobile pcs. Supported by Microsoft, Novell, Symantec, IBM, Nvidia, AMD and the usually big names, including Intel, the new standard has two management layers. The MAP (Manageability Access Protocol) and CIM (Common Information Model). CIMOM will provide authorization and authentication for the model. It will allow management of computers as well as data gathering while the pcs are turned off. -- Lifted from Network Computing Magazine. Found the online article here http://www.networkcomputing.com/channels/n...cleID=199900927 Quote Link to comment Share on other sites More sharing options...
str33ts0ld13r Posted December 18, 2008 Share Posted December 18, 2008 and i though phoenix technologies was bad for putting failsafe in its bios. http://www.phoenix.com/en/Products/Browse+...afe/default.htm Quote Link to comment Share on other sites More sharing options...
H@L0_F00 Posted December 18, 2008 Share Posted December 18, 2008 and i though phoenix technologies was bad for putting failsafe in its bios. http://www.phoenix.com/en/Products/Browse+...afe/default.htm umm... old ass post dude... Quote Link to comment Share on other sites More sharing options...
wetelectric Posted December 18, 2008 Share Posted December 18, 2008 Those INTEL engineers spend so much time on features that people like myself just turn off after reading 'accessible when powered off'. ps, woah Coopers back. Quote Link to comment Share on other sites More sharing options...
stingwray Posted December 18, 2008 Share Posted December 18, 2008 I'm sorry, but doesn't anyone else have a problem with the fact that the described attack vector is dependent on a boot'n'nuke floppy being in the probably non-existent floppy drive? Or am I missing something? Its quite interesting and all, but it looses a little credibility when the doomsday scenario includes floppy disks. Quote Link to comment Share on other sites More sharing options...
DingleBerries Posted December 18, 2008 Share Posted December 18, 2008 It could be a virtually mounted floppy Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.