A couple of new software attacks have been published recently by security researchers. They are different from past attacks in that they are resistant to normal detection and removal techniques. As far as I am aware they aren’t in use in the wild yet but are scary enough that I decided to discuss them here.
The first is the most scary. It utilizes a flaw in Intel processors. This flaw is present across a wide spectrum of recent processor models. Intel processors have an execution mode that is above all other modes (System Management Mode (SMM), dubbed Ring -2). This is even higher than the hypervisor mode (Ring -1). The researchers found a flaw that let them execute arbitrary code in this ring. What's scary about it is that it's undetectable to code in lower rings (which is all code, including hypervisors like Xen, VMware, etc., the operating system, virus detectors, etc.), and it has complete and full hardware access to everything. This means malware that exploits this flaw could take over the system from within a VM. You can read about it here.
The second is one that came out today. Researchers in Argentina found a way to embed code in the BIOS that keeps a system infected even if the hard drive is wiped and rebuilt. You can read more here.
The second article makes a good point. Given the push toward virtualization in an attempt to contain and restrict attacks, you can expect to see more and more attacks aimed at hardware flaws.