A chipset level network backdoor: bypassing host-based firewall & IDS
Full text: PDF (1.35 MB)
Source
ASIAN ACM Symposium on Information, Computer and Communications Security
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Sydney, Australia
SESSION: Systems security
Pages: 125-134
Year of Publication: 2009
ISBN: 978-1-60558-394-5
Authors
Sherri Sparks  University of Central Florida, Orlando, FL
Shawn Embleton  University of Central Florida, Orlando, FL
Cliff C. Zou  University of Central Florida, Orlando, FL
Sponsor
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 32,   Downloads (12 Months): 132,   Citation Count: 0
DOI: http://doi.acm.org/10.1145/1533057.1533076

ABSTRACT

A chipset is a set of specialized chips on a computer's motherboard or an expansion card [12]. In this paper we present a proof-of-concept chipset-level rootkit/network backdoor. It interacts directly with network interface card hardware based on the widely deployed Intel 8255x chipset, and we tested it successfully on two different Ethernet cards built on this chipset. The network backdoor can both covertly send and receive packets, and it does not need to disable the security software installed on the compromised host in order to hide its presence. Because of its low-level position in the computer system, the backdoor is capable of bypassing virtually all commodity firewall and host-based intrusion detection software, including popular, widely deployed applications such as Snort and the Zone Alarm Security Suite. Such network backdoors, while complicated and hardware-specific, are likely to become serious threats in high-profile attacks such as corporate espionage or cyber-terrorist attacks.


REFERENCES


1. Intel Corporation. Intel 64 and IA-32 Architectures Software Developer's Manual, Volume 3B: System Programming Guide, Part 2. May 2007.
2. Intel Corporation. Intel 64 and IA-32 Architectures Software Developer's Manual, Volume 3A: System Programming Guide, Part 1. May 2007.
3. Intel Corporation. Intel 8255x 10/100 Mbps Ethernet Controller Family: Open Source Software Developer Manual. January 2006.
4.
5. Joanna Rutkowska. "Rootkits vs. Stealth by Design Malware." Presented at Black Hat Europe, 2006.
6. Alexander Tereshkin. "Rootkits: Attacking Personal Firewalls." Presented at Black Hat USA, 2006.
7. Windows XP Firewall. http://www.microsoft.com/windowsxp/using/networking/security/winfirewall.mspx
8. Zone Alarm. http://www.zonealarm.com/store/content/home.jsp
9. Snort. http://www.snort.org/
10. AOL/NCSA Online Safety Study. Conducted by America Online and the National Cyber Security Alliance. December 2005.
11. Microsoft Corporation. Windows XP Firewall.
12. Chipset. http://en.wikipedia.org/wiki/Chipset
13. Gramm-Leach-Bliley Act. http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
14. Payment Card Industry Data Security Standard. https://www.pcisecuritystandards.org/
15.
16.
17. Salvador Mandujano. "Identifying Attack Code through an Ontology-Based Multiagent Tool: FROID." In Proceedings of the World Academy of Science, Engineering, and Technology, June 2005.
18. F. Bellifemine, A. Poggi, and G. Rimassa. "JADE --- A FIPA-compliant agent framework." In Proceedings of Practical Applications of Intelligent Agents, 1999.
19.
20.
21. NDIS. http://en.wikipedia.org/wiki/Network_Driver_Interface_Specification
22. Network Packet Generator. http://www.wikistc.org/wiki/Network_packet_generator
23. Greg Hoglund. "A *REAL* NT Rootkit, patching the NT Kernel." Phrack, Vol. 9, Issue 55, 1999.
24. J. Heasman. "Implementing and Detecting an ACPI BIOS Rootkit." Presented at Black Hat Federal, 2006.
25. x86 virtualization. http://en.wikipedia.org/wiki/X86_virtualization
26. Intel® Virtualization Technology for Directed I/O. http://www.intel.com/technology/itj/2006/v10i3/2-io/7-conclusion.htm
27. Extrusion detection. http://en.wikipedia.org/wiki/Extrusion_detection
28.
29. VMware VMsafe Security Technology. http://www.vmware.com/technology/security/vmsafe.html
30. XenAccess Library. http://code.google.com/p/xenaccess/
