Rootkit Exploit for Intel Processors Dating to 1997 Discovered

Jeff Williams
Aug 9, 2015

The Black Hat conference is a very fun event, with many different talented individuals coming together to show you just how insecure your digital life is. One very interesting tidbit that’s especially worrisome has been shown, dealing with Intel processors.

Processor-based rootkit can grant access to lowest level firmware, for Intel (and maybe AMD) processors dating back to 1997.

Rootkits can be very cruel mistresses in that they allow undeniable access to low-level APIs and functions, usually without the user’s knowledge, and quite maliciously. They’re able to mask themselves from your, or the system’s, knowledge quite well. Remember the rootkit being installed by certain Sony memory cards?

Intel’s processors, except the very newest Skylake, and perhaps even AMD’s processors dating back to 1997 are affected.

In this particular case, there is an issue with the System Management Mode, whose instructions handle system errors and can grant access to other parts of the system as well. The problem lies in the way that SMRAM is handled, and it is exploited with a 0-day that’s supposedly built into the processor itself. Potentially all x86 processors are affected.

A successful injection of a rootkit could enable control of lower-level commands, letting it execute any type of arbitrary commands it wants, bypassing the OS almost completely. Fortunately, in order to actually inject the rootkit, full system privileges are needed. But once it’s in, it’ll be nearly impossible to detect with the usual scanners. So, then, it might not be probable as a singular attack in and of itself, but as part of a multi-pronged malware mishap, it could spell considerable trouble.

The solution to this is a simple IT trick that probably isn’t used much elsewhere. For daily use, use an account that doesn’t have administrator access so that such things can’t be executed in the first place. But that’s not necessarily viable at home. We just want to play games and surf the Internet, right?

Oh, but this isn’t the only one.

This certainly isn’t the only System Management Mode exploit that has affected Intel CPUs either. Back in 2008 it was revealed that another caching problem could be exploited to also install a rootkit inside the SMM. This, however, is a new method, though the approach is much the same: mapping the SMRAM to potentially poison it.

Because of where this exploit is, it will be very difficult to actually patch and fix the issue, so it’ll likely remain for some time. But it’s curious that it has remained an inherent part of processors dating back so far.

So folks, no need to necessarily worry, but just be careful browsing the Internet and realize that this is a proof of concept and that nothing has been spotted in the wild thus far. Safe browsing!
