Polish researcher Joanna Rutkowska also plans to call attention to the frailties in existing virtualization products, including the Citrix Systems Xen hypervisor. Later Thursday, Rutkowska and her colleagues will disclose how to subvert Xen with rootkits.
Wednesday, Sherri Sparks, president of Clear Hat Consulting, and Shawn Embleton, the firm's CTO, gave a talk about how they've developed a network interface card (NIC)-chipset-based rootkit they call "Deeper Door" that an attacker might use to hide and monitor traffic stealthily.
Deeper Door is operating-system independent, unlike the rootkit called Deep Door developed by Rutkowska, Sparks said. There are advantages and disadvantages to each from an attacker's point of view, but the Deeper Door Intel 8255x chipset rootkit resides "completely in the chipset, the motherboard chipset and on the LAN controller," he said.
Sparks and Embleton demonstrated how Deeper Door can be loaded up, and said their research has shown it can't be detected by software-based firewalls and intrusion-detection systems including Snort IDS, ZoneAlarm and the Windows XP firewall. They gave a demo showing how ZoneAlarm didn't detect the rootkit sending unauthorized outbound traffic.
Hardware-based firewalls should be able to detect Deeper Door, Embleton said. He added, however, that it's very resilient: Simply disabling the NIC won't stop it because it's designed to check to see if the card has been disabled and reenable it.
In another rootkit session at Black Hat Wednesday, Ariel Futoransky, researcher at Core Security Technologies, detailed how the security firm has been able to develop a Cisco IOS rootkit it calls "DIK" ("da IOS rootkit").
DIK is a lightweight rootkit that can compromise a Cisco IOS router by infecting the image and leaving malicious code to run and perform stealthy tricks on traffic, he pointed out, with a short demo of it.
There's no known instance of a Cisco IOS rootkit in the wild, but the research shows that it is possible -- despite hooks in IOS that make writing rootkits for other types of operating systems far easier, Futoransky said.
"Can we protect ourselves [from DIR]?" Futoransky asked. "I don't have easy answers for this one." Using cryptographic tools would make it harder to hide traces of a rootkit attack, he said.
Cisco spokesperson Kevin Petschow said Cisco is working closely with Core Security Technologies on the IOS-rootkit research, and is glad to work with other researchers, too, that identity new types of attacks on Cisco gear.
In yet another session, Apple's Mac OS X got the rootkit treatment, as security researcher and software engineer Jesse D'Aguanno of Praetorian Global showed that it, too, is subject to rootkits. While it's not necessarily easy to develop rootkits for the Mac OS X, it can be done, he said, providing evidence and a demonstration of one he developed.