Rootkit Exploit for Intel Processors Dating to 1997 Discovered

Posted Aug 9, 2015
Share Tweet Submit

The Black Hat conference is a very fun event, with many different talented individuals coming together to show you just how insecure your digital life is. One very interesting tidbit that’s especially worrisome has been show, dealing with Intel processors.

Processor-based rootkit can grant access to lowest level firmware, for Intel (and maybe AMD) processors dating back to 1997.

Rootkits can be very cruel mistresses in that they allow undeniable access to to low level API’s and functions, usually without the users knowledge, and quite maliciously. They’re able to mask themselves your, or the systems, knowledge quite well. Remember the rootkit being installed by certain Sony memory cards?

Intel’s processors, except the very newest Skylake, and perhaps even AMD’s processors dating back to 1997 are affected.

In this particular case. there is an issue with the System Management Mode, which are instructions that handle system errors and can grant access to other parts of the system as well. A problem with the way that SMRAM is handled, utilizing a 0-day exploit that’s supposedly built into the processor itself. Potentially all x86 processors are affected.

A successful injection of a rootkit could enable control of lower level commands, letting it execute any type of arbitrary commands it wants, bypassing the OS almost completely. Fortunately, in order to actually inject the rootkit, full system privileges are needed. But once it’s in, it’ll be nearly impossible to detect with the usual scanners. So, then, it might not be probably to have it be a singular attack in and of itself, but as part of a multi-pronged malware mishap, it could spell considerable trouble.

Intel 200-Series (Z270/H270) Chipset Platform Detailed - Kaby Lake and Skylake Processors To Work On Both 200 and 100 Series Boards

The solution to this is a simple IT trick that probably isn’t used much elsewhere. For daily use, use an account that doesn’t have administrator access so that such things can’t be executed in the first place. But that’s not necessarily viable at home. We just want to play games and surf the Internet, right?

Oh, but this isn’t the only one.

This certainly isn’t the only System Management Mode exploit that has affected Intel CPU’s either. Back in 2008 it was revealed that anotherĀ caching problem could be exploited to also install a rootkit inside the SMM. This however is a new method, though the approach is much the same, mapping the SMRAM to potentially poison it.

Because of where this exploit is, it will be very difficult to actually patch and fix the issue, so it’ll likely remain for some time. But it’s curious that it has remained an inherent part of processors dating back so far.

So folks, no need to necessarily worry, but just be careful browsing the Internet and realize that this is a proof of concept and that nothing has been spotted in the wild thus far. Safe browsing!

Share Tweet Submit