Rootkits on PCI cards

November 20, 2006

John Heasman, a security researcher at Next-Generation Security Software, has released a paper describing how to hide malicious code in the expansion ROM (option ROM) of graphics and network cards in such a way that it evades detection and survives a full re-installation of the operating system.

An earlier paper by Heasman described how to use the Advanced Configuration and Power Interface (ACPI) functions available on almost all motherboards to store and run a rootkit that survives a reboot. The current paper extends the idea to the expansion ROM on Peripheral Component Interconnect (PCI) cards such as graphics cards and network cards. The BIOS copies that ROM into memory and executes it during POST, before any operating system loads, so code hidden there runs no matter what is later installed on the disk.

The paper also presents a potential defense against the technique. By auditing each card's expansion ROM and the copy the BIOS shadows into system memory, a system administrator could look for suspiciously obfuscated code, 32-bit code in an image that should contain only 16-bit real-mode code (legacy option ROMs execute in real mode during POST), and a class code in the ROM header that does not match the device it is attached to, among other telling signs of compromise.
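The header checks described in the two paragraphs above, as an added example that is not code from Heasman's paper or from NGSSoftware: a C routine that parses a PCI expansion ROM image using the PCI Firmware Specification header layout (0x55 0xAA signature at offset 0, pointer to the "PCIR" data structure at offset 0x18, class code and image length inside that structure) and compares the ROM's claimed vendor/device IDs and class code against what the device itself reports in configuration space. The sample image, the vendor/device IDs 0x1234/0x5678 and the pci_identity values are constructed for the demo; on a real system the image would be read from the card's ROM BAR or from the shadow copy the BIOS places in the legacy option ROM region below 1 MB, and the identity from the device's configuration space.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result bits from audit_option_rom(). Several may be set at once. */
enum {
    ROM_OK             = 0,
    ROM_BAD_SIGNATURE  = 1 << 0, /* no 0x55 0xAA at offset 0 */
    ROM_BAD_PCIR       = 1 << 1, /* PCIR pointer out of range or wrong signature */
    ROM_BAD_LENGTH     = 1 << 2, /* length fields inconsistent with the bytes we hold */
    ROM_BAD_CHECKSUM   = 1 << 3, /* x86 image bytes do not sum to zero mod 256 */
    ROM_CLASS_MISMATCH = 1 << 4, /* PCIR class code differs from the device's config space */
    ROM_ID_MISMATCH    = 1 << 5, /* PCIR vendor/device IDs differ from config space */
};

/* What the device says about itself in PCI configuration space:
 * vendor/device IDs at offsets 0x00-0x03, class code at 0x09-0x0B. */
struct pci_identity {
    uint16_t vendor_id;
    uint16_t device_id;
    uint32_t class_code; /* base class << 16 | sub class << 8 | prog-if */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Audit one expansion ROM image against the spec's header layout and against
 * the identity the device reports. Returns ROM_OK or a set of ROM_* bits. */
int audit_option_rom(const uint8_t *rom, size_t len, const struct pci_identity *dev)
{
    int flags = ROM_OK;

    if (len < 0x1A || rom[0] != 0x55 || rom[1] != 0xAA)
        return ROM_BAD_SIGNATURE;

    /* Offset 0x18 holds a 16-bit pointer to the PCI Data Structure ("PCIR"). */
    size_t pcir = rd16(rom + 0x18);
    if (pcir + 0x18 > len || memcmp(rom + pcir, "PCIR", 4) != 0)
        return ROM_BAD_PCIR;
    const uint8_t *p = rom + pcir;

    uint32_t cls = (uint32_t)p[0x0D] | ((uint32_t)p[0x0E] << 8) | ((uint32_t)p[0x0F] << 16);
    size_t image_len = (size_t)rd16(p + 0x10) * 512; /* image length in 512-byte units */
    uint8_t code_type = p[0x14];                      /* 0 = x86 PC-AT, 3 = EFI */

    /* The legacy header carries the size again at offset 2; both must agree. */
    if (image_len == 0 || image_len > len ||
        (code_type == 0 && (size_t)rom[2] * 512 != image_len))
        return ROM_BAD_LENGTH;

    if (code_type == 0) {               /* x86 images must checksum to zero */
        uint8_t sum = 0;
        for (size_t i = 0; i < image_len; i++) sum += rom[i];
        if (sum != 0) flags |= ROM_BAD_CHECKSUM;
    }
    if (rd16(p + 0x04) != dev->vendor_id || rd16(p + 0x06) != dev->device_id)
        flags |= ROM_ID_MISMATCH;
    if (cls != dev->class_code)
        flags |= ROM_CLASS_MISMATCH;
    return flags;
}

/* Make the image sum to zero by adjusting its last byte (what a tool or an
 * attacker reflashing a card would do). */
void fix_checksum(uint8_t *img, size_t image_len)
{
    uint8_t sum = 0;
    for (size_t i = 0; i + 1 < image_len; i++) sum += img[i];
    img[image_len - 1] = (uint8_t)(-sum);
}

/* Constructed demo: a minimal 512-byte x86 image whose code body is a jmp-to-self.
 * Vendor 0x1234 / device 0x5678 are made-up values, not a real card. */
void build_sample_rom(uint8_t *buf, uint32_t class_code)
{
    memset(buf, 0, 512);
    buf[0] = 0x55; buf[1] = 0xAA;
    buf[2] = 1;                        /* init size: 1 x 512 bytes */
    buf[3] = 0xEB; buf[4] = 0xFE;      /* jmp $ as a placeholder entry point */
    buf[0x18] = 0x20; buf[0x19] = 0;   /* PCIR structure lives at offset 0x20 */
    uint8_t *p = buf + 0x20;
    memcpy(p, "PCIR", 4);
    p[0x04] = 0x34; p[0x05] = 0x12;    /* vendor 0x1234 (constructed) */
    p[0x06] = 0x78; p[0x07] = 0x56;    /* device 0x5678 (constructed) */
    p[0x0A] = 0x18; p[0x0B] = 0;       /* PCIR length */
    p[0x0D] = (uint8_t)(class_code & 0xFF);
    p[0x0E] = (uint8_t)((class_code >> 8) & 0xFF);
    p[0x0F] = (uint8_t)((class_code >> 16) & 0xFF);
    p[0x10] = 1; p[0x11] = 0;          /* image length: 1 x 512 bytes */
    p[0x14] = 0;                       /* code type: x86 */
    p[0x15] = 0x80;                    /* indicator: last image */
    fix_checksum(buf, 512);
}

/* Identity of the constructed demo NIC (class 0x020000 = Ethernet controller). */
static const struct pci_identity demo_nic = { 0x1234, 0x5678, 0x020000 };

int demo_clean(void)
{
    uint8_t b[512]; build_sample_rom(b, 0x020000);
    return audit_option_rom(b, sizeof b, &demo_nic);
}
/* A display-class (0x030000) ROM flashed onto the NIC with the checksum recomputed:
 * the checksum passes, the class code gives it away. */
int demo_class_mismatch(void)
{
    uint8_t b[512]; build_sample_rom(b, 0x030000);
    return audit_option_rom(b, sizeof b, &demo_nic);
}
/* One byte of the code body patched without recomputing the checksum. */
int demo_patched_body(void)
{
    uint8_t b[512]; build_sample_rom(b, 0x020000); b[0x100] ^= 0x01;
    return audit_option_rom(b, sizeof b, &demo_nic);
}

int main(void)
{
    printf("clean ROM: flags=0x%x\n", demo_clean());
    printf("display-class ROM on a NIC: flags=0x%x\n", demo_class_mismatch());
    printf("patched code body: flags=0x%x\n", demo_patched_body());
    return 0;
}
```

The checksum only catches careless patching; anyone who can reflash a card will recompute it, as the second demo shows, so the useful signals are the identity and class-code comparison against configuration space and, beyond what this example does, a disassembly pass over the image looking for obfuscation and for 32-bit instructions in what should be 16-bit real-mode code.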
