Linked by codifies on Thu 8th Jun 2017 22:15 UTC
Privacy, Security, Encryption

Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool.

Because of the way the Intel AMT SOL technology works, SOL traffic bypasses the local computer's networking stack, so local firewalls or security products won't be able to detect or block the malware while it's exfiltrating data from infected hosts.
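Since SOL traffic never passes through the host's network stack, the control that still works is observation at the network layer (a switch span port, a flow collector or the perimeter firewall), where Intel AMT's well-known TCP listeners are visible: 16992/16993 for the HTTP/HTTPS management interface and 16994/16995 for the redirection service that carries SOL and IDE-R. The script below is an added example and not part of the original article or of Microsoft's analysis; it scans constructed flow-log lines and flags AMT sessions from any client other than an assumed allowlist of management consoles, plus redirection sessions whose byte count looks like a file transfer rather than an interactive console. The log format, the approved-console address and the byte threshold are all assumptions.

```python
"""Network-side detection of Intel AMT / SOL sessions (added example).

Host firewalls cannot see Serial-over-LAN traffic, so the check runs on
flow records collected off-host. Flow format (constructed for this
example): "ts src_ip src_port dst_ip dst_port proto bytes".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Well-known Intel AMT TCP listeners.
AMT_PORTS = {
    16992: "AMT HTTP",
    16993: "AMT HTTPS",
    16994: "AMT redirection (SOL/IDE-R)",
    16995: "AMT redirection over TLS",
}
REDIRECTION_PORTS = {16994, 16995}

# Assumption: only this console is allowed to open AMT sessions (placeholder address).
APPROVED_CONSOLES = {"10.0.0.5"}

# Assumed threshold: an interactive SOL console moves little data; a session
# above this many bytes looks like a bulk transfer. Tune per site.
SOL_BULK_BYTES = 1_000_000


@dataclass
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


@dataclass
class Finding:
    ts: str
    client: str
    target: str
    port: int
    reason: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record; addresses are validated and canonicalised."""
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return Flow(ts, str(ipaddress.ip_address(src)), int(sport),
                str(ipaddress.ip_address(dst)), int(dport), proto.lower(), int(nbytes))


def evaluate(flow: Flow) -> Optional[Finding]:
    """Return a Finding if the flow is an AMT session worth a look, else None."""
    if flow.proto != "tcp" or flow.dport not in AMT_PORTS:
        return None
    service = AMT_PORTS[flow.dport]
    if flow.src not in APPROVED_CONSOLES:
        # Any AMT session that does not originate from a management console is suspect.
        return Finding(flow.ts, flow.src, flow.dst, flow.dport,
                       f"{service} session from unapproved client")
    if flow.dport in REDIRECTION_PORTS and flow.nbytes >= SOL_BULK_BYTES:
        # Approved client, but the volume suggests SOL is being used as a file channel.
        return Finding(flow.ts, flow.src, flow.dst, flow.dport,
                       f"{service}: {flow.nbytes} bytes, bulk transfer over serial console")
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Evaluate every non-empty flow line and collect the findings in order."""
    findings = []
    for line in lines:
        if line.strip():
            finding = evaluate(parse_flow(line))
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample: a legitimate console session, a small SOL session, a
# workstation-to-workstation SOL session, a large SOL transfer and an unrelated flow.
SAMPLE_FLOWS = """
2017-06-08T22:15:01Z 10.0.0.5 40112 10.0.5.17 16992 tcp 2310
2017-06-08T22:16:40Z 10.0.0.5 40120 10.0.5.17 16994 tcp 18400
2017-06-08T22:31:09Z 10.0.5.42 51234 10.0.5.17 16994 tcp 7340032
2017-06-08T22:33:00Z 10.0.0.5 40131 10.0.5.17 16994 tcp 52428800
2017-06-08T22:35:12Z 10.0.5.42 51300 10.0.5.17 443 tcp 9000
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"{f.ts} {f.client} -> {f.target}:{f.port}  {f.reason}")
```

Run as-is, the sample yields two findings: the workstation-to-workstation redirection session and the oversized session from the approved console. The second rule matters because a compromised console, or a legitimate console address spoofed on the LAN, still shows up through volume even when the source address passes the allowlist.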

Comment by FlyingJester
by FlyingJester on Thu 8th Jun 2017 22:40 UTC
FlyingJester
Member since:
2016-05-11

Of course, putting the building blocks of a rootkit into the CPU was a good idea.

Reply Score: 8

RE: Comment by FlyingJester
by Alfman on Fri 9th Jun 2017 00:05 UTC in reply to "Comment by FlyingJester"
Alfman Member since:
2011-01-28

FlyingJester,

"Of course, putting the building blocks of a rootkit into the CPU was a good idea."

AMT can serve a useful purpose for legitimate owners; however, the obvious problem is that it's proprietary and every AMT-enabled computer on the planet had this vulnerability for a decade - a prime example of why monocultures are bad. I'd be running an open source alternative if Intel wasn't forcing their proprietary version on us.

Reply Score: 2

RE[2]: Comment by FlyingJester
by Alfman on Fri 9th Jun 2017 03:46 UTC in reply to "RE: Comment by FlyingJester"
Alfman Member since:
2011-01-28

Because of the timing, I assumed that this malware was related to the recent zero-day vulnerabilities found in Intel AMT; however, this malware turns out to be unrelated. Here's the AMT vulnerability:

https://thenextweb.com/insider/2017/05/02/intel-sold-remotely-exploi...

http://www.osnews.com/comments/29798

It's a very serious vulnerability on AMT-enabled systems, so go update! It's separate from BIOS and OS updates, so don't assume it's auto-updated.

Reply Score: 2

RE[2]: Comment by FlyingJester
by Carewolf on Fri 9th Jun 2017 14:30 UTC in reply to "RE: Comment by FlyingJester"
Carewolf Member since:
2005-09-08

FlyingJester,

"Of course, putting the building blocks of a rootkit into the CPU was a good idea.

AMT can serve a useful purpose for legitimate owners, however the obvious problem is that it's proprietary and every AMT enabled computer on the planet had this vulnerability for a decade - a prime example why monocultures are bad. I'd be running an open source alternative if intel wasn't forcing their proprietary version on us."

Rootkits can be used for legitimate purposes too; that doesn't make them any less of a rootkit.

Reply Score: 2

RE[3]: Comment by FlyingJester
by Alfman on Fri 9th Jun 2017 15:37 UTC in reply to "RE[2]: Comment by FlyingJester"
Alfman Member since:
2011-01-28

Carewolf,

"Rootkits can be used for legitimate purposes too; that doesn't make them any less of a rootkit."

Drumhellar is right: SOL is nothing more than a network serial port and it was exploited but NOT compromised. The "rootkit" in this case lies with the malware running on windows.

This malware used SOL, and so some people might be tempted to blame SOL; however, in principle SOL is just an interface. IMHO it doesn't make any more sense to blame SOL than it would to blame wifi or bluetooth if malware was using these interfaces to create covert channels.
Logically, the malware is the rootkit, not the interfaces like bluetooth, wifi and SOL.

Theoretically firmware could contain a rootkit, but it isn't a rootkit in and of itself unless you are alleging that Intel has designed it with a backdoor. Otherwise it's just like any other firmware/BIOS.

Reply Score: 2

RE: Comment by FlyingJester
by Megol on Fri 9th Jun 2017 16:21 UTC in reply to "Comment by FlyingJester"
Megol Member since:
2011-04-11

"Of course, putting the building blocks of a rootkit into the CPU was a good idea."

Nobody ever did.

Reply Score: 2

How apropos
by JLF65 on Fri 9th Jun 2017 01:15 UTC
JLF65
Member since:
2005-07-06

Just ask Dirty Harry - SOL means Sh-t Outta Luck.

Reply Score: 2

Much ado about nothing
by Drumhellar on Fri 9th Jun 2017 07:46 UTC
Drumhellar
Member since:
2005-07-12

The article barely mentions that this requires an already compromised Windows system to be useful - it isn't an avenue for attack, and it isn't a vulnerability. I.e. users with Administrator access are allowed to do things that require Administrator access. Sure, the Windows firewall can't stop it, but if a user has the ability to enable SOL, they have the ability to disable the firewall anyways.

Or, to put it another way:

"Oh yes, I thought of something," panted Ford.
Arthur looked up expectantly.
"But unfortunately," continued Ford, "it rather involved being on the other side of this airtight hatchway." He kicked the hatch they'd just been through.

Reply Score: 3

We told you so!
by rener on Fri 9th Jun 2017 08:35 UTC
rener
Member since:
2006-02-27

Security researchers warned for years, ... but why would the big companies ever listen, ...

Reply Score: 1