[Dailydave] Whitepaper: Implementing and Detecting a PCI Rootkit

Dave Aitel dave at immunityinc.com
Fri Nov 17 23:01:34 Local tim 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yeps. Lots of cool stuff you can do by reflashing random PCI devices,
BIOSes, etc. But our customers so far are asking for something
physical they can install on a machine that integrates with CANVAS,
which is why we went down that route instead.

- -dave


Peter Winter-Smith wrote:
> Hey Dave(s) (and list)!
>
> I think one of the points that John was considering in his paper
> was the possibility that a remote attack of some nature could
> actively install one of these which would then persist through
> re-installs of the operating system, rather than solely the
> physical access vector (under the 'Re-flashing a PCI Expansion ROM'
> section)!
>
> Very cool!
>
> -Peter
>
> ----- Original Message ----- From: "Dave Korn"
> <dave.korn at artimi.com> To: "'Dave Aitel'" <dave at immunityinc.com>;
> <dailydave at lists.immunitysec.com> Sent: Thursday, November 16, 2006
> 7:10 PM Subject: Re: [Dailydave] Whitepaper: Implementing and
> Detecting a PCI Rootkit
>
>
>> On 16 November 2006 18:25, Dave Aitel wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>
>>> That's really cool. One thing Immunity has been investigating
>>> is selling a literal hardware PCI card that you can install
>>> into someone's machine which then infects their system and
>>> injects a callback shellcode.
>>
>> Does this really have a lot of advantages over just plugging a U3
>> drive into a less-frequently used usb port round the back of the
>> machine somewhere?
>>
>>> That way if you break into someone's office, you can throw
>>> these PCI cards into a few desktops and then leave, and you'll
>>> get MOSDEF shells at home every day! Nothing to analyze on disk
>>> either. :>
>>
>> Wow, no forensics... except of course for your fingerprints and
>> DNA all over the *physical* evidence you left at the scene of
>> crime.  Not really sure you're better off that way, I'd rather
>> leave digits behind than anything else.
>>
>>
>> cheers, DaveK -- Can't think of a witty .sigline today....
>>
>> _______________________________________________ Dailydave mailing
>> list Dailydave at lists.immunitysec.com
>> http://lists.immunitysec.com/mailman/listinfo/dailydave
>>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFFXj9MB8JNm+PA+iURAi1hAJwIyvZdkKMRrW37IiDv7W89zyeQdwCgi+Gy
LtyzAvz9noRRXzv9pidblxA=
=Bxfp
-----END PGP SIGNATURE-----
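Peter's point above, that a reflashed expansion ROM survives an operating-system reinstall, is also what makes the ROM contents worth baselining. What follows is an added example, not code from the thread, from the whitepaper or from Immunity: it parses a PCI expansion ROM dump using the header layout from the PCI Firmware Specification (0x55AA signature, 16-bit pointer at offset 0x18 to the "PCIR" data structure, image length in 512-byte units, byte sum of zero for x86 images), hashes each image in the chain, and diffs the result against a known-good baseline. The vendor/device IDs, payload bytes and the second chained image are constructed test data; the only real-world path is the Linux sysfs `rom` attribute in `dump_sysfs_rom()`, which is assumed available and needs root.

```python
# Added example: PCI expansion ROM parser plus baseline diff. Not from the
# thread or Immunity; ROM bytes below are constructed for demonstration.
import hashlib
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

ROM_SIGNATURE = b"\x55\xAA"   # first two bytes of every expansion ROM image
PCIR_SIGNATURE = b"PCIR"      # PCI Data Structure signature
CODE_TYPES = {0: "x86 PC-AT", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}


@dataclass
class RomImage:
    vendor_id: int
    device_id: int
    code_type: str
    last: bool
    checksum_ok: bool   # x86 images must sum to 0 mod 256 or the BIOS skips them
    sha256: str


def parse_rom(blob: bytes) -> List[RomImage]:
    """Walk the chain of images in a ROM dump until the 'last image' bit is set."""
    images: List[RomImage] = []
    off = 0
    while True:
        if off + 0x1A > len(blob):
            raise ValueError(f"truncated image header at offset {off:#x}")
        if blob[off:off + 2] != ROM_SIGNATURE:
            raise ValueError(f"no 0x55AA signature at offset {off:#x}")
        pcir = off + struct.unpack_from("<H", blob, off + 0x18)[0]
        if blob[pcir:pcir + 4] != PCIR_SIGNATURE:
            raise ValueError(f"no PCIR structure at offset {pcir:#x}")
        vendor_id, device_id = struct.unpack_from("<HH", blob, pcir + 4)
        (units,) = struct.unpack_from("<H", blob, pcir + 0x10)
        code_type = blob[pcir + 0x14]
        last = bool(blob[pcir + 0x15] & 0x80)
        image = blob[off:off + units * 512]
        if len(image) != units * 512:
            raise ValueError(f"image at {off:#x} runs past the end of the dump")
        checksum_ok = (sum(image) & 0xFF) == 0 if code_type == 0 else True
        images.append(RomImage(vendor_id, device_id,
                               CODE_TYPES.get(code_type, f"unknown({code_type})"),
                               last, checksum_ok, hashlib.sha256(image).hexdigest()))
        if last:
            return images
        off += units * 512


def build_image(vendor_id, device_id, code_type=0, last=True, payload=b"") -> bytes:
    """Construct a minimal 512-byte image (test data, not a real vendor ROM)."""
    img = bytearray(512)
    img[0:2] = ROM_SIGNATURE
    img[2] = 1                    # initialization size, 512-byte units
    img[3] = 0xCB                 # x86 entry point: RETF, does nothing
    pcir = 0x40
    struct.pack_into("<H", img, 0x18, pcir)
    img[pcir:pcir + 4] = PCIR_SIGNATURE
    struct.pack_into("<HH", img, pcir + 4, vendor_id, device_id)
    struct.pack_into("<H", img, pcir + 0x0A, 0x18)   # PCIR structure length
    struct.pack_into("<H", img, pcir + 0x10, 1)      # image length, 512-byte units
    img[pcir + 0x14] = code_type
    img[pcir + 0x15] = 0x80 if last else 0x00
    body = pcir + 0x18
    if body + len(payload) >= 511:
        raise ValueError("payload too large for a one-unit image")
    img[body:body + len(payload)] = payload
    img[511] = (-sum(img[:511])) & 0xFF              # make the byte sum 0 mod 256
    return bytes(img)


def baseline(blob: bytes) -> Dict[str, str]:
    """One hash per image, keyed by vendor:device and position in the chain."""
    return {f"{im.vendor_id:04x}:{im.device_id:04x}#{i}": im.sha256
            for i, im in enumerate(parse_rom(blob))}


def audit(blob: bytes, known_good: Dict[str, str]) -> List[str]:
    """Findings: bad checksums, images not in the baseline, changed or missing images."""
    findings, seen = [], set()
    for i, im in enumerate(parse_rom(blob)):
        key = f"{im.vendor_id:04x}:{im.device_id:04x}#{i}"
        seen.add(key)
        if not im.checksum_ok:
            findings.append(f"{key}: x86 image checksum invalid")
        if key not in known_good:
            findings.append(f"{key}: {im.code_type} image not in baseline")
        elif known_good[key] != im.sha256:
            findings.append(f"{key}: {im.code_type} image hash changed")
    for key in sorted(known_good.keys() - seen):
        findings.append(f"{key}: baseline image missing")
    return findings


def dump_sysfs_rom(bdf: str) -> bytes:
    """Linux only (assumed path): enable and read /sys/bus/pci/devices/<bdf>/rom as root."""
    rom = Path("/sys/bus/pci/devices") / bdf / "rom"
    rom.write_text("1")           # expose the ROM BAR for reading
    try:
        return rom.read_bytes()
    finally:
        rom.write_text("0")


if __name__ == "__main__":
    vendor_rom = build_image(0x10DE, 0x0191, payload=b"VGA BIOS")
    good = baseline(vendor_rom)
    # A reflashed ROM: the vendor image is no longer marked last, and a second
    # x86 image carrying something else has been chained behind it.
    reflashed = (build_image(0x10DE, 0x0191, last=False, payload=b"VGA BIOS")
                 + build_image(0x10DE, 0x0191, payload=b"callback stub"))
    for line in audit(reflashed, good):
        print(line)
```

Two caveats for anyone running this against real hardware. First, sysfs hands you whatever the device returns through its ROM BAR, so a dump taken this way is only as trustworthy as the device itself; a baseline worth keeping comes from the vendor's published image or a dump taken with a programmer, not from a machine you already suspect. Second, a chained image that passes the signature and checksum checks is exactly what a careful implant looks like, which is why the diff against a baseline matters more than the structural validation.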
