Implementing and Detecting a PCI Rootkit

In February 2006, the author presented a means of persisting a rootkit in the system BIOS via the Advanced Configuration and Power Interface (ACPI). It was demonstrated that the ACPI tables within the BIOS could be modified to contain malicious ACPI Machine Language (AML) instructions that interacted with system memory and the I/O space, allowing the rootkit bootstrap code to overwrite kernel code and data structures as a means of deployment [1]. Furthermore, the high-level instructions processed by the AML interpreter (typically contained within the ACPI driver) meant that it was possible to interrogate the operating system and hardware in order to accurately determine the platform and specific version of the OS. This potentially allows a multi-platform, future-proof rootkit to be created. Whilst using ACPI as a means of persisting a rootkit in the system BIOS has numerous advantages for the rootkit writer over "traditional" means of persistence (which include storing the rootkit on disk and loading it as a device driver), there are several technologies that are designed to mitigate this threat. Both Intel SecureFlash and Phoenix TrustedCore motherboards prevent the system BIOS from being overwritten with unsigned updates. Furthermore, it is relatively easy to detect an ACPI rootkit by disabling ACPI in the CMOS setup program, or by booting from read-only media that does not load an ACPI device driver and auditing the ACPI tables located in system memory (in essence, this is the same cross-view detection method that is typically used to locate a rootkit on disk).

… of expansion ROM attacks (which is in part the problem that this field has set out to solve); however, the practicalities of implementing such attacks have not been discussed in detail. Furthermore, there is little knowledge of how to detect and prevent such attacks on systems that do not contain a Trusted Platform Module (TPM).
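The cross-view audit of the ACPI tables described above, written out as an added example that is not code from the original paper: it parses the standard 36-byte ACPI table header, checks the table checksum, and compares each table seen by the running OS against a baseline dumped from the same machine after booting read-only media. The table signatures, OEM strings and AML bytes below are constructed test values.

```python
import hashlib
import struct

# ACPI System Description Table header (36 bytes, little-endian): signature,
# length, revision, checksum, OEM ID, OEM table ID, OEM rev, creator ID, creator rev.
SDT_HEADER = struct.Struct("<4sIBB6s8sI4sI")

def build_table(signature: bytes, body: bytes) -> bytes:
    """Assemble a minimal ACPI table with a valid checksum (constructed test data)."""
    length = SDT_HEADER.size + len(body)
    table = SDT_HEADER.pack(signature, length, 2, 0, b"TEST  ", b"TESTTBL ", 1, b"TEST", 1) + body
    checksum = (-sum(table)) & 0xFF  # every byte of the table must sum to 0 mod 256
    return table[:9] + bytes([checksum]) + table[10:]  # checksum field sits at offset 9

def parse_header(table: bytes) -> dict:
    sig, length, _rev, checksum = SDT_HEADER.unpack_from(table)[:4]
    return {"signature": sig, "length": length, "checksum": checksum}

def checksum_ok(table: bytes) -> bool:
    return sum(table) & 0xFF == 0

def audit_tables(live: dict, baseline: dict) -> list:
    """Cross-view audit: tables read from the running OS versus a baseline dumped
    from the same machine after booting read-only media that loads no ACPI driver."""
    findings = []
    for name, table in live.items():
        hdr = parse_header(table)
        if hdr["length"] != len(table) or not checksum_ok(table):
            findings.append(f"{name}: malformed header or bad checksum")
        if name not in baseline:
            findings.append(f"{name}: not present in trusted baseline")
        elif hashlib.sha256(table).digest() != hashlib.sha256(baseline[name]).digest():
            findings.append(f"{name}: contents differ from trusted baseline")
    findings += [f"{name}: missing from live view" for name in baseline if name not in live]
    return findings

# Constructed sample: the live DSDT has one AML byte patched and its checksum
# recomputed (so the checksum alone passes), and an SSDT the baseline lacks has appeared.
BASELINE = {"DSDT": build_table(b"DSDT", b"\x10\x2e\x5c\x00")}
LIVE = {
    "DSDT": build_table(b"DSDT", b"\x10\x2e\x5c\x01"),
    "SSDT": build_table(b"SSDT", b"\x08\x5f\x00"),
}

if __name__ == "__main__":
    for finding in audit_tables(LIVE, BASELINE):
        print(finding)
```

On a real system the live view would be the tables the OS exposes (for example a dump of the RSDT/XSDT entries), and the baseline the same tables read from a clean boot; the comparison, not the checksum, is what catches a table whose checksum was recomputed after patching.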
Whilst the discussion mainly focuses on the Microsoft Windows platform, it should be noted that the techniques are equally likely to apply to other operating systems.

The following sections provide a concise overview of PCI, expansion ROM and BIOS boot technologies; for more detailed information the reader is advised to consult the relevant specification.

The Peripheral Component Interconnect (PCI) specification, developed by Intel c. 1990, describes a computer bus for attaching peripherals or other buses to the motherboard. PCI devices have become ubiquitous over the last fifteen years and a typical system is likely to contain several, …