Microsoft’s security team has come across a malware family that uses Intel’s Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool.
Because of the way the Intel AMT SOL technology works, SOL traffic bypasses the local computer’s networking stack, so local firewalls or security products won’t be able to detect or block the malware while it’s exfiltrating data from infected hosts.
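A defender-side illustration of the point in the excerpt, added here and not part of the article or any of the comments: since SOL traffic never passes through the host's network stack, the place to look for it is flow data from the switch or perimeter firewall rather than the endpoint. The flow records and the console allow-list are constructed; the port numbers are Intel's documented AMT ports (16994/16995 carry the SOL/IDE-R redirection channel), not values stated on this page.

```python
"""Flag AMT/SOL sessions in network flow records (constructed example).

A local firewall or host agent never sees SOL traffic, so the check
runs over flow records exported by a switch or perimeter device.
Flows arriving at an AMT port from a peer that is not a known
management console are reported as candidates for review.
"""
from dataclasses import dataclass

# Intel's documented AMT ports; 16994/16995 are the redirection
# (SOL / IDE-R) channel the malware in the article abused.
AMT_PORTS = {
    16992: "AMT HTTP",
    16993: "AMT HTTPS",
    16994: "AMT redirection (SOL/IDE-R)",
    16995: "AMT redirection (SOL/IDE-R, TLS)",
}


@dataclass
class Flow:
    src: str        # peer that opened the connection
    dst: str        # managed host whose AMT engine answered
    dport: int      # destination port on the managed host
    bytes_in: int   # bytes sent from dst back toward src


def suspicious_amt_flows(flows, management_consoles):
    """Return (flow, label) pairs for AMT-port flows from unknown peers."""
    hits = []
    for f in flows:
        if f.dport in AMT_PORTS and f.src not in management_consoles:
            hits.append((f, AMT_PORTS[f.dport]))
    return hits


# Constructed sample flows; 10.0.0.5 is the (assumed) legitimate console.
CONSOLES = {"10.0.0.5"}
FLOWS = [
    Flow("10.0.0.5", "10.0.1.20", 16992, 4096),         # expected admin use
    Flow("203.0.113.7", "10.0.1.20", 16994, 52_428_800), # unknown peer, SOL channel
    Flow("10.0.1.20", "10.0.2.9", 443, 1200),            # ordinary HTTPS, ignored
]

if __name__ == "__main__":
    for flow, label in suspicious_amt_flows(FLOWS, CONSOLES):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} {label}, "
              f"{flow.bytes_in} bytes returned")
```

The rule cannot tell a legitimate SOL session from an abused one on its own; the allow-list of consoles is what turns a port match into a finding.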
Of course, putting the building blocks of a rootkit into the CPU was a good idea.
FlyingJester,
AMT can serve a useful purpose for legitimate owners; however, the obvious problem is that it’s proprietary and every AMT-enabled computer on the planet had this vulnerability for a decade – a prime example of why monocultures are bad. I’d be running an open source alternative if Intel wasn’t forcing their proprietary version on us.
Because of the timing, I assumed that this malware was related to the recent zero-day vulnerabilities found in Intel AMT; however, this malware turns out to be unrelated. Here’s the AMT vulnerability:
https://thenextweb.com/insider/2017/05/02/intel-sold-remotely-exploi…
http://www.osnews.com/comments/29798
It’s a very serious vulnerability on AMT-enabled systems, so go update! It’s separate from BIOS and OS updates, so don’t assume it’s auto-updated.
Rootkits can be used for legitimate purposes too; that doesn’t make them any less of a rootkit.
Carewolf,
Drumhellar is right: SOL is nothing more than a network serial port and it was exploited but NOT compromised. The “rootkit” in this case lies with the malware running on windows.
This malware used SOL, and so some people might be tempted to blame SOL; however, in principle SOL is just an interface. IMHO it doesn’t make any more sense to blame SOL than it would to blame wifi or bluetooth if malware was using these interfaces to create covert channels.
Logically, the malware is the rootkit, not the interfaces like bluetooth, wifi and SOL.
Theoretically, firmware could contain a rootkit, but it isn’t a rootkit in and of itself unless you are alleging that Intel has designed it with a backdoor. Otherwise it’s just like any other firmware/BIOS.
Nobody ever did.
Just ask Dirty Harry – SOL means Sh-t Outta Luck.
The article barely mentions that this requires an already compromised Windows system to be useful – it isn’t an avenue for attack, and it isn’t a vulnerability. I.e. users with Administrator access are allowed to do things that require Administrator access. Sure, the Windows firewall can’t stop it, but if a user has the ability to enable SOL, they have the ability to disable the firewall anyways.
Or, to put it another way:
“Oh yes, I thought of something,” panted Ford.
Arthur looked up expectantly.
“But unfortunately,” continued Ford, “it rather involved being on the other side of this airtight hatchway.” He kicked the hatch they’d just been through.
Security researchers warned for years, … but why would the big companies ever listen, …