Sherri Sparks, president of Clear Hat Consulting, and Shawn Embleton, the firm's CTO, gave a talk about how they've developed a network interface card (NIC)-chipset-based rootkit they call "Deeper Door" that an attacker might use to hide and monitor traffic stealthily.

Deeper Door is operating-system independent, unlike the rootkit called Deep Door developed by Rutkowska, Sparks said. There are advantages and disadvantages to each from an attacker's point of view, but the Deeper Door Intel 8255x chipset rootkit resides "completely in the chipset, the motherboard chipset and on the LAN controller," he said.

Deeper Door rootkit

Sparks and Embleton demonstrated how Deeper Door can be loaded up, and said their research has shown it can't be detected by software-based firewalls and intrusion-detection systems including Snort IDS, ZoneAlarm and the Windows XP firewall. They gave a demo showing how ZoneAlarm didn't detect the rootkit sending unauthorized outbound traffic.

Hardware-based firewalls should be able to detect Deeper Door, Embleton said. He added, however, that it's very resilient: Simply disabling the NIC won't stop it because it's designed to check to see if the card has been disabled and reenable it.

In another rootkit session at Black Hat yesterday, Ariel Futoransky, researcher at Core Security Technologies, detailed how the security firm has been able to develop a Cisco IOS rootkit it calls "DIK" ("da IOS rootkit").

DIK is a lightweight rootkit that can compromise a Cisco IOS router by infecting the image and leaving malicious code to run and perform stealthy tricks on traffic, he pointed out, with a short demo of it.

There's no known instance of a Cisco IOS rootkit in the wild, but the research shows that it is possible -- despite hooks in IOS that make writing rootkits for other types of operating systems far easier, Futoransky said.

"Can we protect ourselves [from DIR]?" Futoransky asked. "I donâ¬"t have easy answers for this one." Using cryptographic tools would make it harder to hide traces of a rootkit attack, he said. Cisco spokesperson Kevin Petschow said Cisco is working closely with Core Security Technologies on the IOS-rootkit research, and is glad to work with other researchers, too, that identity new types of attacks on Cisco gear.

In yet another session, Apple's Mac OS X got the rootkit treatment, as security researcher and software engineer Jesse D'Aguanno of Praetorian Global showed that it, too, is subject to rootkits. While it's not necessarily easy to develop rootkits for the Mac OS X, it can be done, he said, providing evidence and a demonstration of one he developed.