-
1. Date: 2014-01-17 11:43:35
Subject: more on SURVEILLANCE (strong stuff!!!!!!)
From: y...@g...com
Since threads about surveillance and spying vs. anonymity (on the Internet)
often appear on this group, after accidentally stumbling upon material
with disturbing content I submit it to the esteemed group members
for consideration:
http://www.youtube.com/watch?v=Ck8bIjAUJgE
and invite discussion!
quote:
Published on Jan 7, 2014
Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
In this work we present a stealthy malware that exploits dedicated hardware on the
target system and remains persistent across boot cycles. The malware is capable of
gathering valuable information such as passwords. Because the infected hardware can
perform arbitrary main memory accesses, the malware can modify kernel data structures
and escalate privileges of processes executed on the system.
The malware itself is a DMA malware implementation referred to as DAGGER. DAGGER
exploits Intel's Manageability Engine (ME), that executes firmware code such as
Intel's Active Management Technology (iAMT), as well as its OOB network channel. We
have recently improved DAGGER's capabilities to include support for 64-bit operating
systems and a stealthy update mechanism to download new attack code.
Dedicated hardware such as network interface cards and video controllers can be
exploited to conduct a direct memory access (DMA) attack. Direct access means main
memory access without the involvement of the host CPU, which in turn means that
existing host security software cannot detect or prevent the attack.
Our presentation covers a DMA malware that benefits from an isolated network channel
to update the attack code and to exfiltrate captured data. To be more precise, we
show how to conduct a DMA attack using Intel's Manageability Engine (ME). Our attack
environment is dedicated hardware based on a 32-bit RISC processor called
ARCtangent-A4 (ARC4, x86-incompatible) implemented in the chipset of modern Intel
platforms. Intel's ME executes special firmware such as Intel's Active Management
Technology (iAMT). The ME/iAMT environment provides an administrator with an
Out-of-Band (OOB) network channel to maintain the computer platform remotely. A
prominent iAMT feature is the capability to remotely reinstall an operating system
that got corrupted and does not boot anymore. iAMT is also available when the
platform is in a standby or powered off state. This can be exploited to implement
persistent DMA malware. It is needless to say that such a powerful environment must
be well protected. Hence, Intel enforces strong isolation of the ME execution
environment that makes it perfect to hide malware. The ME is not only implemented in
business platforms, but also in consumer platforms.
Our work not only shows that an arbitrary attacker is able to perform one of the
most dangerous attacks against an iAMT featured platform, but also that the ME
provides a perfect environment for undetectable sensitive data leakage on behalf of
the attacker. Our presentation consists of three parts. The first part addresses how
to find valuable data in the main memory of the host. The second part exploits the
ME's OOB network channel to exfiltrate captured data to an external platform and to
inject new attack code to target other interesting data structures available in the
host runtime memory. The last part deals with the implementation of a covert network
channel based on JitterBug.
In the first part of our presentation we exploit the DMA engine of Intel's ME to find
valuable data in the host runtime memory. We have two memory targets. Our first
target is the keyboard buffer. We demonstrate how to find the buffer on a Linux as
well as on a Windows operating system. Our implementation is called DAGGER - DmA
based keyloGGER. We implemented different search strategies for the operating system
targets. On Windows we need to find the corresponding CR3 processor register value to
get the page directory entries that are needed to map virtual memory addresses into
physical ones. We also had to take address randomization into account. The search
strategy for the Windows keyboard buffer is mainly based on finding and traversing
the so called Object Manager Namespace Directory (OMND). On Linux we implemented a
different search strategy. On Linux we have a different starting point for the search
phase than on Windows. The implementation to map virtual memory addresses into
physical ones is also different. On Linux we can go without page tables. Due to the
availability of the Linux source code it was easier to derive a signature for our
target structure used by the USB HID driver.
We can permanently monitor the keyboard buffer on both operating system targets.
Hence, we can capture all user input (passwords, instant messenger sessions, etc.)
done via the associated keyboard. Our second memory target concerns the privilege
data of an arbitrary process. Again, we use the DMA engine of the ME to find the
appropriate data structure. Then we overwrite the existing privileges with root
privileges via DMA.
[...]
Speaker: Patrick Stewin
EventID: 5380
Event: 30th Chaos Communication Congress [30c3] by the Chaos Computer Club [CCC]
Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355
Hamburg; Germany
Language: English
Begin: Sun, 12/29/2013 18:30:00 +01:00
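The abstract describes the two memory-search strategies DAGGER uses from the ME's DMA engine: on Windows, locating CR3 and walking the page directories to translate a virtual address to a physical one; on Linux, scanning physical memory for a byte signature of the target structure without consulting page tables. The following is an added illustration of both steps and is not code from the talk or from DAGGER. It replaces the ME's DMA engine with a bounds-checked read of a small in-process buffer standing in for host DRAM, builds a constructed 4-level x86-64 page-table image inside that buffer (all addresses, the `DEMO_VA`/`DEMO_PA` mapping and the "KBD:" sample buffer are made up for the demonstration), then translates a virtual address through it and, separately, finds the same buffer by signature scan.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096ULL
#define PHYS_PAGES  8
#define PTE_P       (1ULL << 0)                /* present bit            */
#define PTE_RW      (1ULL << 1)                /* writable               */
#define PTE_PS      (1ULL << 7)                /* large page (PDPT/PD)   */
#define ADDR_MASK   0x000FFFFFFFFFF000ULL      /* bits 51:12 of an entry */

/* Stand-in for host DRAM. A DMA engine reads the real physical address
 * space; here "DMA" is a bounds-checked read of this constructed buffer. */
static uint8_t phys[PHYS_PAGES * PAGE_SIZE];

/* Emulated 64-bit DMA read of physical address pa. Returns -1 if the
 * address is out of range or misaligned, so a bad table pointer cannot
 * run the walk off the end of memory. */
static int dma_read64(uint64_t pa, uint64_t *out)
{
    if ((pa & 7) || pa + 8 > sizeof phys) return -1;
    memcpy(out, phys + pa, 8);
    return 0;
}

/* Windows-style lookup: walk the 4-level paging hierarchy rooted at cr3
 * (PML4 -> PDPT -> PD -> PT) to translate va into a physical address.
 * Handles 4 KiB, 2 MiB and 1 GiB pages. Returns 0 on success, -1 if any
 * level is not present or unreadable. */
int va_to_pa(uint64_t cr3, uint64_t va, uint64_t *pa)
{
    const int shifts[4] = {39, 30, 21, 12};
    uint64_t table = cr3 & ADDR_MASK, entry;
    for (int level = 0; level < 4; level++) {
        uint64_t idx = (va >> shifts[level]) & 0x1FF;   /* 512 entries/table */
        if (dma_read64(table + idx * 8, &entry) != 0) return -1;
        if (!(entry & PTE_P)) return -1;
        if ((level == 1 || level == 2) && (entry & PTE_PS)) {
            /* 1 GiB (level 1) or 2 MiB (level 2) page: stop early */
            uint64_t off_mask = (1ULL << shifts[level]) - 1;
            *pa = (entry & ADDR_MASK & ~off_mask) | (va & off_mask);
            return 0;
        }
        table = entry & ADDR_MASK;
    }
    *pa = table | (va & (PAGE_SIZE - 1));
    return 0;
}

/* Linux-style lookup: no page tables, just a linear scan of physical
 * memory for a byte signature. Returns the physical address of the first
 * hit at or after start, or -1 if none. */
int64_t find_signature(const uint8_t *sig, size_t len, uint64_t start)
{
    for (uint64_t pa = start; pa + len <= sizeof phys; pa++)
        if (memcmp(phys + pa, sig, len) == 0) return (int64_t)pa;
    return -1;
}

/* ---- constructed sample image (not real host data) ---------------- */
#define DEMO_VA  0x00007FFE12345000ULL   /* hypothetical user-mode address */
#define DEMO_PA  0x5000ULL               /* page 5 of the fake DRAM        */

static void write_entry(uint64_t table_pa, uint64_t idx, uint64_t val)
{
    memcpy(phys + table_pa + idx * 8, &val, 8);
}

/* Builds PML4/PDPT/PD/PT in pages 1..4 mapping DEMO_VA -> DEMO_PA, plants
 * a fake keyboard buffer in the mapped page, and returns the CR3 value. */
uint64_t setup_demo(void)
{
    const uint64_t pml4 = 0x1000, pdpt = 0x2000, pd = 0x3000, pt = 0x4000;
    memset(phys, 0, sizeof phys);
    write_entry(pml4, (DEMO_VA >> 39) & 0x1FF, pdpt    | PTE_P | PTE_RW);
    write_entry(pdpt, (DEMO_VA >> 30) & 0x1FF, pd      | PTE_P | PTE_RW);
    write_entry(pd,   (DEMO_VA >> 21) & 0x1FF, pt      | PTE_P | PTE_RW);
    write_entry(pt,   (DEMO_VA >> 12) & 0x1FF, DEMO_PA | PTE_P | PTE_RW);
    static const uint8_t kbd[] = "KBD:hunter2";  /* constructed sample */
    memcpy(phys + DEMO_PA + 0x100, kbd, sizeof kbd);
    return pml4;
}

/* Convenience: rebuild the image and translate va; UINT64_MAX on failure. */
uint64_t demo_lookup(uint64_t va)
{
    uint64_t cr3 = setup_demo(), pa;
    return va_to_pa(cr3, va, &pa) == 0 ? pa : UINT64_MAX;
}

int main(void)
{
    uint64_t pa = demo_lookup(DEMO_VA + 0x100);
    if (pa != UINT64_MAX)
        printf("VA %#llx -> PA %#llx: %s\n", (unsigned long long)(DEMO_VA + 0x100),
               (unsigned long long)pa, (const char *)(phys + pa));
    int64_t hit = find_signature((const uint8_t *)"KBD:", 4, 0);
    printf("signature hit at PA %#llx\n", (unsigned long long)hit);
    return 0;
}
```

The walk fails closed on a non-present or out-of-range entry, which is the case a DMA-based search constantly hits while probing candidate CR3 values; the signature scan shows why the Linux path can skip translation entirely when the target structure has a stable byte pattern, at the cost of scanning all of physical memory.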