March 23, 2009

Rootkit Exploits Intel processors


In an earlier blog about antivirus programs, I briefly mentioned a malicious program called a rootkit. Make no mistake, rootkits are not something to be taken lightly. A rootkit is code that hides itself and the attacker's presence from the system; if your machine is infected with one, a hacker can access your computer remotely without your knowledge. And before all the Mac users shout in triumph about how Windows is vulnerable to every kind of exploit on the net, I would just like to make it clear that Macs have been equally susceptible to rootkits for a long time.

So with both major operating systems vulnerable to rootkits, it may send some chills down your spine to know that a newly published attack on recent Intel processors provides a nice gateway for a particularly stealthy kind of rootkit to be installed on your computer, underneath the operating system itself.

In a nutshell, the attack abuses the way the processor caches memory. An attacker who already has kernel-level (ring 0) control of the machine can mark the memory reserved for System Management Mode (SMM) as cacheable, write his own code into the processor cache for those addresses, and then trigger a System Management Interrupt so that the processor executes his code in SMM. The way Intel has designed its processors, that memory (SMRAM) is set aside as a space that neither applications nor the operating system are supposed to be able to touch once the firmware locks it. What does that mean to you? Generally nothing to the normal user: applications live inside the ordinary ring model and never come close to SMM. The firmware uses SMM for low-level housekeeping such as power management and hardware emulation, independently of the operating system. However, once a rootkit takes up residence in SMM, it runs with more privilege than the OS kernel itself, is invisible to everything running above it, and can do pretty much anything with your machine. Researchers demonstrated SMM rootkits back in 2008, but those had no practical way to get into SMRAM on a properly locked system; the cache attack on Intel chips now provides one, so SMM rootkits are a very real possibility. Note that the attacker has to be in your kernel first: this is a way for an already-compromised machine to be compromised more deeply and more quietly, not a remote break-in by itself.
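The whole attack turns on whether the SMRAM region is cacheable, which on x86 is governed by the Memory Type Range Registers (MTRRs). The script below is an added example, not code from this post and not the researchers' attack code: it parses the variable-range MTRRs that Linux exposes in /proc/mtrr and works out the effective memory type of a physical range using the overlap rule that an uncachable range beats a write-back one, then compares the firmware's table with the same table after an attacker has flipped the SMRAM range to write-back. The /proc/mtrr lines are constructed, the TSEG_BASE and TSEG_SIZE values standing in for where the firmware placed SMRAM are assumed (on real hardware that location comes from chipset registers), and the default memory type is assumed to be uncachable because /proc/mtrr does not show it.

```python
"""Effective MTRR memory type of a physical range, from Linux's /proc/mtrr.

Added example for this post (not the author's code, not the published attack
code). Relevant because the SMM cache attack needs SMRAM to be cacheable.
"""
import re
from typing import List, Set, Tuple

# One /proc/mtrr line per variable-range register, as printed by the kernel:
#   reg00: base=0x000000000 (    0MB), size= 4096MB, count=1: write-back
MTRR_LINE = re.compile(
    r"reg(?P<reg>\d+):\s+base=0x(?P<base>[0-9a-fA-F]+)\s+\(.*?\),"
    r"\s+size=\s*(?P<size>\d+)(?P<unit>[KM])B,\s+count=\d+:\s+(?P<type>[\w-]+)"
)

# Constructed sample (not captured from real hardware): 4 GB write-back,
# a 1 GB uncachable PCI hole at 3 GB, and a 16 MB uncachable window just
# below it where we assume the firmware placed TSEG SMRAM.
SAMPLE_MTRR = """\
reg00: base=0x000000000 (    0MB), size= 4096MB, count=1: write-back
reg01: base=0x0c0000000 ( 3072MB), size= 1024MB, count=1: uncachable
reg02: base=0x0bf000000 ( 3056MB), size=   16MB, count=1: uncachable
"""

# The same table after an attacker with ring 0 has flipped reg02 to write-back.
POISONED_MTRR = SAMPLE_MTRR.replace("size=   16MB, count=1: uncachable",
                                    "size=   16MB, count=1: write-back")

# Assumed SMRAM (TSEG) location for the example; real values come from the chipset.
TSEG_BASE = 0xBF000000
TSEG_SIZE = 16 * 1024 * 1024

MtrrRange = Tuple[int, int, str]  # (base, size in bytes, memory type)


def parse_proc_mtrr(text: str) -> List[MtrrRange]:
    """Parse /proc/mtrr text into (base, size, type) tuples; skips unparsable lines."""
    ranges: List[MtrrRange] = []
    for line in text.splitlines():
        m = MTRR_LINE.match(line.strip())
        if not m:
            continue
        base = int(m.group("base"), 16)
        mult = 1024 if m.group("unit") == "K" else 1024 * 1024
        ranges.append((base, int(m.group("size")) * mult, m.group("type")))
    return ranges


def effective_type(ranges: List[MtrrRange], addr: int, default: str = "uncachable") -> str:
    """Resolve overlapping variable MTRRs for one address with the Intel rules:
    uncachable wins over everything, write-through wins over write-back, and
    other overlaps are undefined. `default` stands in for MTRRdefType, which
    /proc/mtrr does not show (assumed uncachable here)."""
    hits: Set[str] = {t for base, size, t in ranges if base <= addr < base + size}
    if not hits:
        return default
    if "uncachable" in hits:
        return "uncachable"
    if hits == {"write-through", "write-back"}:
        return "write-through"
    if len(hits) == 1:
        return next(iter(hits))
    return "undefined"


def smram_cache_types(ranges: List[MtrrRange], base: int, size: int, page: int = 4096) -> Set[str]:
    """Effective memory types seen across every page of the SMRAM window."""
    return {effective_type(ranges, addr) for addr in range(base, base + size, page)}


def smram_is_cacheable(ranges: List[MtrrRange], base: int, size: int) -> bool:
    """True if any page of SMRAM could be served from cache, which is the
    precondition for the cache-poisoning attack described above."""
    return bool(smram_cache_types(ranges, base, size) & {"write-back", "write-through"})


if __name__ == "__main__":
    for label, text in (("firmware default", SAMPLE_MTRR), ("after ring-0 tampering", POISONED_MTRR)):
        ranges = parse_proc_mtrr(text)
        print(f"{label}: TSEG types {sorted(smram_cache_types(ranges, TSEG_BASE, TSEG_SIZE))}, "
              f"cacheable={smram_is_cacheable(ranges, TSEG_BASE, TSEG_SIZE)}")
```

Two caveats. First, an attacker who already holds ring 0 can rewrite the MTRRs and put them back afterwards, so this is a sanity check on a machine you trust, not a protection. Second, only the variable-range registers appear in /proc/mtrr; the fixed-range registers that govern memory below 1 MB (where the legacy SMRAM window lives) are not shown, and the proper fix for this attack lives in firmware, where dedicated SMM range registers override the MTRRs for SMRAM regardless of what the kernel sets.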

So what can you do about it? Not much from inside the operating system. Remember, SMM operates outside the bounds of applications and even of the kernel, so even the strongest antivirus program cannot read SMRAM and would not pick the rootkit up. The real fix is a BIOS update from your vendor that stops SMRAM from being cached in this way, so watch for one. Until then, remember that the attacker has to be in your kernel first, so the usual advice about not running untrusted software with administrator rights still applies. But on the bright side, there is a bit of a trade-off:

This kind of rootkit is highly specific to the machine it attacks, since the attacker needs to know the layout of that particular firmware's SMM code, so the chances of mass distribution are still low, giving users a slight sigh of relief.