Implementing and Detecting an ACPI BIOS Rootkit (presented at Black Hat DC 2006)

by John Heasman

Summary: As rootkit detection tools become more sophisticated, the rootkit writer must strive to leave less of a footprint and inhabit areas that detection tools do not currently interrogate. One such area, the BIOS, has many associated difficulties in development and deployment but offers numerous benefits over traditional rootkits: namely, it leaves no trace on disk and can survive operating system reinstallations in order to infect the newly installed system.

This talk discusses how a generic rootkit may be developed for an ACPI-compliant BIOS. With the aid of several demonstrations, it covers implementing BIOS rootkits for both Windows and Linux. The latter part of the talk considers the defense perspective, investigating the steps required to detect and remove such a rootkit. As software-based rootkit detection and protection tools continue to evolve, this talk broaches the important topic of hardware protection and how current protection and detection models designed to combat a BIOS virus may be insufficient to defend against a BIOS rootkit. Finally, we discuss the impact of initiatives such as the Trusted Computing Platform Alliance (TCPA) on rootkit deployment.
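As an added example from the defender's side (not code from the talk or from its author), the script below shows one concrete check a practitioner would want when hunting for an ACPI-resident implant: take a baseline of the ACPI tables exposed by a known-good firmware, then compare a later snapshot against it, reporting tables that were added, removed or altered, and flagging any table whose ACPI header checksum no longer validates. The table bytes used here are constructed test data with a synthetic OEM ID; the `read_sysfs_tables` helper reads the real tables Linux exports under `/sys/firmware/acpi/tables` (root required) and is an assumption about where a host exposes them, not something the abstract states.

```python
import hashlib
import struct
from pathlib import Path

# Standard 36-byte ACPI table header: signature, length, revision, checksum,
# OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER_FMT = "<4sIBB6s8sI4sI"
ACPI_HEADER_LEN = struct.calcsize(ACPI_HEADER_FMT)  # 36


def parse_acpi_header(blob: bytes) -> dict:
    """Decode the header and verify the whole-table checksum (bytes sum to 0 mod 256)."""
    if len(blob) < ACPI_HEADER_LEN:
        raise ValueError("blob shorter than an ACPI table header")
    sig, length, rev, _chk, oem_id, oem_tid, _, _, _ = struct.unpack(
        ACPI_HEADER_FMT, blob[:ACPI_HEADER_LEN])
    length_ok = length == len(blob)
    return {
        "signature": sig.decode("ascii", "replace"),
        "length": length,
        "revision": rev,
        "oem_id": oem_id.decode("ascii", "replace").strip("\x00 "),
        "oem_table_id": oem_tid.decode("ascii", "replace").strip("\x00 "),
        "length_ok": length_ok,
        "checksum_ok": length_ok and (sum(blob) & 0xFF) == 0,
    }


def build_table(signature: bytes, body: bytes) -> bytes:
    """Construct a well-formed ACPI table with a valid checksum (test data only)."""
    header = struct.pack(ACPI_HEADER_FMT, signature, ACPI_HEADER_LEN + len(body),
                         1, 0, b"CONSTR", b"CONSTRTB", 1, b"TEST", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) & 0xFF  # checksum byte makes the total wrap to zero
    return bytes(table)


def snapshot(tables: dict) -> dict:
    """Map table name -> SHA-256 of its raw bytes; store the baseline off-host."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in tables.items()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report tables that appeared, disappeared, or changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(n for n in common if baseline[n] != current[n]),
    }


def bad_checksums(tables: dict) -> list:
    """Names of tables whose header checksum or length field does not validate."""
    return sorted(n for n, b in tables.items() if not parse_acpi_header(b)["checksum_ok"])


def read_sysfs_tables(root: str = "/sys/firmware/acpi/tables") -> dict:
    """Read the tables Linux exports (assumed path; needs root). Empty dict if unavailable."""
    out = {}
    for p in Path(root).glob("*"):
        if p.is_file():
            try:
                out[p.name] = p.read_bytes()
            except OSError:
                pass
    return out


# Constructed sample data: a clean baseline and a later snapshot in which the DSDT
# was modified, an extra SSDT appeared, and the FACP has a corrupted trailing byte.
SAMPLE_BASELINE = {
    "DSDT": build_table(b"DSDT", b"clean DSDT AML (constructed)"),
    "FACP": build_table(b"FACP", b"clean FACP body (constructed)"),
}
_tampered_facp = bytearray(SAMPLE_BASELINE["FACP"])
_tampered_facp[-1] ^= 0xFF  # flipping one byte always breaks the mod-256 checksum
SAMPLE_CURRENT = {
    "DSDT": build_table(b"DSDT", b"DSDT AML with extra method (constructed)"),
    "FACP": bytes(_tampered_facp),
    "SSDT": build_table(b"SSDT", b"unexpected SSDT (constructed)"),
}

if __name__ == "__main__":
    live = read_sysfs_tables()
    current = live if live else SAMPLE_CURRENT
    print("diff vs baseline:", diff_snapshots(snapshot(SAMPLE_BASELINE), snapshot(current)))
    print("tables failing checksum:", bad_checksums(current))
```

Two caveats follow from the abstract itself. A valid checksum is not evidence of integrity, since anyone who can write a table can also write a correct checksum; the meaningful signal is the hash comparison against a baseline captured from firmware you trust and kept where the host cannot rewrite it. And because the snapshot is taken by software running on the possibly compromised machine, a resident rootkit could in principle present clean tables to the OS, which is exactly why the talk turns to hardware-rooted protection.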