Newsgroup: pl.comp.pecet

more on SURVEILLANCE (heavy stuff!!!!!!)

Date: 2014-01-17 02:43:35
Author: yerine.ictimai
Since threads about surveillance and spying vs. anonymity (on the Internet) are frequent guests on this group, having stumbled by chance upon some material with worrying content, I submit it to the esteemed fellow group members for consideration:

   http://www.youtube.com/watch?v=Ck8bIjAUJgE

and I invite you to discuss!

quote:

Published on Jan 7, 2014

Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware

In this work we present a stealthy malware that exploits dedicated hardware on the target system and remains persistent across boot cycles. The malware is capable of gathering valuable information such as passwords. Because the infected hardware can perform arbitrary main memory accesses, the malware can modify kernel data structures and escalate privileges of processes executed on the system.

The malware itself is a DMA malware implementation referred to as DAGGER. DAGGER exploits Intel's Manageability Engine (ME), which executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel. We have recently improved DAGGER's capabilities to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code.

Dedicated hardware such as network interface cards and video controllers can be exploited to conduct a direct memory access (DMA) attack. Direct access means main memory access without the involvement of the host CPU, which in turn means that existing host security software cannot detect or prevent the attack.

Our presentation covers a DMA malware that benefits from an isolated network channel to update the attack code and to exfiltrate captured data. To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME). Our attack environment is dedicated hardware based on a 32-bit RISC processor called ARCtangent-A4 (ARC4, x86-incompatible) implemented in the chipset of modern Intel platforms. Intel's ME executes special firmware such as Intel's Active Management Technology (iAMT). The ME/iAMT environment provides an administrator with an Out-of-Band (OOB) network channel to maintain the computer platform remotely. A prominent iAMT feature is the capability to remotely reinstall an operating system that got corrupted and does not boot anymore. iAMT is also available when the platform is in a standby or powered off state. This can be exploited to implement persistent DMA malware. It is needless to say that such a powerful environment must be well protected. Hence, Intel enforces strong isolation of the ME execution environment that makes it perfect to hide malware. The ME is not only implemented in business platforms, but also in consumer platforms.

Our work not only shows that an arbitrary attacker is able to perform one of the most dangerous attacks against an iAMT-featured platform, but also that the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug.

In the first part of our presentation we exploit the DMA engine of Intel's ME to find valuable data in the host runtime memory. We have two memory targets. Our first target is the keyboard buffer. We demonstrate how to find the buffer on a Linux as well as on a Windows operating system. Our implementation is called DAGGER - DmA based keyloGGER. We implemented different search strategies for the operating system targets. On Windows we need to find the corresponding CR3 processor register value to get the page directory entries that are needed to map virtual memory addresses into physical ones. We also had to take address randomization into account. The search strategy for the Windows keyboard buffer is mainly based on finding and traversing the so-called Object Manager Namespace Directory (OMND). On Linux we implemented a different search strategy. On Linux we have a different starting point for the search phase than on Windows. The implementation to map virtual memory addresses into physical ones is also different. On Linux we can go without page tables. Due to the availability of the Linux source code, it was easier to derive a signature for our target structure used by the USB HID driver.

We can permanently monitor the keyboard buffer on both operating system targets. Hence, we can capture all user input (passwords, instant messenger sessions, etc.) done via the associated keyboard. Our second memory target concerns the privilege data of an arbitrary process. Again, we use the DMA engine of the ME to find the appropriate data structure. Then we overwrite the existing privileges with root privileges via DMA.

[...]

Speaker: Patrick Stewin
EventID: 5380
Event: 30th Chaos Communication Congress [30c3] by the Chaos Computer Club [CCC]
Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355 Hamburg; Germany
Language: English
Begin: Sun, 12/29/2013 18:30:00 +01:00
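The abstract names two memory-search strategies a DMA attacker with no CPU involvement has to implement: on Windows, a page-table walk starting from a known CR3 to turn a virtual address into the physical one the DMA engine needs; on Linux, a plain signature scan over physical memory with no page tables at all, followed by overwriting a process's privilege fields. The C program below is an added illustration of both, not code from the talk or from DAGGER, and it never touches the ME or any real DMA engine: "host RAM" is a buffer in the program, dma_read/dma_write stand in for the peripheral's only access primitives, and the page layout, the keyboard-buffer virtual address KBD_VA, the fake_cred structure, and the sample strings "hunter2" and "victim-shell" are all constructed assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE        4096u
#define PHYS_PAGES  16u
#define PHYS_SIZE   (PAGE * PHYS_PAGES)
#define PTE_PRESENT 1ull
#define PTE_ADDR    0x000ffffffffff000ull

/* Constructed stand-in for host RAM; the page numbers are arbitrary choices. */
static uint8_t phys[PHYS_SIZE];
enum { PML4_PG = 1, PDPT_PG = 2, PD_PG = 3, PT_PG = 4, KBD_PG = 5, CRED_PG = 6 };
#define KBD_VA   0xffff800012345000ull   /* hypothetical kernel VA of the key buffer */
#define KBD_OFF  0x40                    /* hypothetical offset of the buffer in its page */
#define CRED_PA  (CRED_PG * PAGE + 0x200)

/* Hypothetical credential block; the process name doubles as the scan signature. */
struct fake_cred {
    char comm[16];
    uint32_t uid, gid, euid, egid;
};

/* The only primitives a DMA-capable peripheral has: raw physical reads and writes. */
static int dma_read(uint64_t pa, void *dst, size_t len) {
    if (pa > PHYS_SIZE || len > PHYS_SIZE - pa) return -1;
    memcpy(dst, phys + pa, len);
    return 0;
}
static int dma_write(uint64_t pa, const void *src, size_t len) {
    if (pa > PHYS_SIZE || len > PHYS_SIZE - pa) return -1;
    memcpy(phys + pa, src, len);
    return 0;
}

/* Windows strategy from the abstract: once CR3 is known, walk the 4-level
   x86-64 page tables using nothing but DMA reads to turn a VA into a PA. */
static int va_to_pa(uint64_t cr3, uint64_t va, uint64_t *pa) {
    uint64_t table = cr3 & PTE_ADDR;
    for (int level = 3; level >= 0; level--) {
        unsigned idx = (va >> (12 + 9 * level)) & 0x1ff;
        uint64_t entry;
        if (dma_read(table + idx * 8, &entry, sizeof entry)) return -1;
        if (!(entry & PTE_PRESENT)) return -1;   /* not mapped: the search must move on */
        table = entry & PTE_ADDR;
    }
    *pa = table | (va & (PAGE - 1));
    return 0;
}

/* Build PML4 -> PDPT -> PD -> PT entries so that `va` maps to `data_pa`. */
static void build_page_tables(uint64_t va, uint64_t data_pa) {
    const uint64_t tables[4] = { PML4_PG * PAGE, PDPT_PG * PAGE, PD_PG * PAGE, PT_PG * PAGE };
    for (int level = 3; level >= 0; level--) {
        unsigned idx = (va >> (12 + 9 * level)) & 0x1ff;
        uint64_t next = (level == 0) ? data_pa : tables[4 - level];
        uint64_t entry = next | PTE_PRESENT;
        memcpy(phys + tables[3 - level] + idx * 8, &entry, sizeof entry);
    }
}

/* Fill the image with constructed sample data; returns the CR3 value the host would hold. */
static uint64_t setup_host_memory(void) {
    memset(phys, 0, sizeof phys);
    build_page_tables(KBD_VA, KBD_PG * PAGE);
    const char keystrokes[] = "hunter2\n";                  /* constructed sample input */
    memcpy(phys + KBD_PG * PAGE + KBD_OFF, keystrokes, sizeof keystrokes);
    struct fake_cred c = { "victim-shell", 1000, 1000, 1000, 1000 };
    memcpy(phys + CRED_PA, &c, sizeof c);
    return PML4_PG * PAGE;
}

/* Keylogger half: resolve the buffer's VA, then copy it out over DMA. */
static int read_kbd(uint64_t cr3, char *out, size_t n) {
    uint64_t pa;
    if (va_to_pa(cr3, KBD_VA + KBD_OFF, &pa)) return -1;
    return dma_read(pa, out, n);
}

/* Linux strategy from the abstract: skip page tables, scan physical memory for a
   structure signature, then overwrite the privilege fields via DMA.
   Returns the physical address that was patched, or -1 if nothing matched. */
static int64_t find_and_escalate(const char *comm) {
    struct fake_cred c;
    for (uint64_t pa = 0; pa + sizeof c <= PHYS_SIZE; pa += 8) {
        if (dma_read(pa, &c, sizeof c)) break;
        if (strncmp(c.comm, comm, sizeof c.comm) != 0) continue;
        c.uid = c.gid = c.euid = c.egid = 0;                /* root */
        return dma_write(pa, &c, sizeof c) ? -1 : (int64_t)pa;
    }
    return -1;
}

static uint32_t euid_at(uint64_t pa) {
    struct fake_cred c;
    return dma_read(pa, &c, sizeof c) ? UINT32_MAX : c.euid;
}

int main(void) {
    uint64_t cr3 = setup_host_memory();
    char keys[16] = { 0 };
    if (read_kbd(cr3, keys, sizeof keys - 1) == 0) printf("captured: %s", keys);
    int64_t pa = find_and_escalate("victim-shell");
    if (pa >= 0) printf("patched credentials at 0x%llx, euid now %u\n",
                        (unsigned long long)pa, euid_at((uint64_t)pa));
    return 0;
}
```

Two points the simulation makes visible: the page walk fails closed on any non-present entry, which is why a real implementation has to search for a usable CR3 and cope with address randomization before it can read anything by virtual address; and the signature scan needs no translation at all, but its reliability depends entirely on how unique the chosen signature is across all of physical memory, which is what the abstract means by deriving a signature from the kernel source.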

