Wednesday, January 5, 2011

Stealth Rootkit Capable of Stealing Windows 7 and Server 2008 Passwords


Security expert Csaba Barta developed a rootkit that is capable of carrying out a cached data attack. A cached data attack is one in which an attacker alters data that resides in physical memory rather than on disk. An example of a cached data attack is finding the in-memory copy of a user account's password hashes and clearing or resetting the password.
What makes this attack so insidious is that it can be performed while a user is logged in, without the attack or the attacker being detected, not even in a listing of running processes.
According to Volatility and RegRipper User Manual by Mark Morgan, "...it is possible for an attacker with the ability to modify kernel memory to alter the cached registry data in memory, and thus alter the behavior of the operating system, without the changes being visible in the on-disk storage. For example, an attacker could find the key in memory that holds the password hashes for the Administrator user, and replace them with pre-computed hashes for a known password. The attacker would then be able to log in as Administrator using the password of his choice."
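Because the altered hashes live only in the cached copy of the registry, the on-disk hive still holds the original values. One way a responder can look for this kind of tampering is to dump the account hashes from a memory image and from the on-disk SAM hive separately and diff them per account. The script below is an added example written for this post, not code from Barta or from the Volatility or RegRipper projects; the two dumps it compares are constructed sample data in the common pwdump line format (`user:rid:lmhash:nthash:::`), and the hash values are placeholders, not real credentials.

```python
"""Diff two password-hash dumps of the same Windows system: one taken from a
memory image (cached registry data) and one taken from the on-disk SAM hive.
An NT hash that differs between the two for the same RID is consistent with
the cached registry data having been modified in memory.

Both dumps below are CONSTRUCTED sample data in pwdump format
(user:rid:lmhash:nthash:::). The repeated-digit hashes are placeholders;
aad3b4...04ee and 31d6cf...89c0 are the well-known empty LM and NT hashes."""

import re

# One pwdump-style record per line; hashes are 32 hex characters.
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample: what a hashdump from a memory image might report.
MEMORY_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
"""

# Constructed sample: the same accounts as read from the on-disk SAM hive.
DISK_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
"""


def parse_pwdump(text):
    """Parse pwdump lines into {rid: (user, lm, nt)}.

    Keyed by RID rather than user name so that a renamed account is still
    matched against its on-disk counterpart. Malformed lines raise rather
    than being silently skipped, so a truncated dump is noticed."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PWDUMP_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a pwdump record: {line!r}")
        entries[int(m["rid"])] = (m["user"], m["lm"].lower(), m["nt"].lower())
    return entries


def compare_dumps(memory_text, disk_text):
    """Return a list of findings, one dict per account that does not agree.

    kind is one of:
      nt_mismatch  - same RID, different NT hash (the case described above)
      lm_mismatch  - same RID, different LM hash
      memory_only  - RID present in memory but not in the on-disk hive
      disk_only    - RID present on disk but not in memory
    A disk_only account is not necessarily hostile (the memory image may
    simply be incomplete), so it is reported but carries its own kind."""
    mem = parse_pwdump(memory_text)
    disk = parse_pwdump(disk_text)
    findings = []
    for rid in sorted(set(mem) | set(disk)):
        if rid not in disk:
            findings.append({"rid": rid, "user": mem[rid][0], "kind": "memory_only"})
        elif rid not in mem:
            findings.append({"rid": rid, "user": disk[rid][0], "kind": "disk_only"})
        else:
            user, lm_m, nt_m = mem[rid]
            _, lm_d, nt_d = disk[rid]
            if nt_m != nt_d:
                findings.append({"rid": rid, "user": user, "kind": "nt_mismatch",
                                 "memory": nt_m, "disk": nt_d})
            elif lm_m != lm_d:
                findings.append({"rid": rid, "user": user, "kind": "lm_mismatch",
                                 "memory": lm_m, "disk": lm_d})
    return findings


if __name__ == "__main__":
    for f in compare_dumps(MEMORY_DUMP, DISK_DUMP):
        print(f"{f['kind']:12s} rid={f['rid']:<5d} user={f['user']}")
```

On the sample data this reports `nt_mismatch` for the Administrator account (RID 500), which is exactly the pattern the quoted manual describes, plus a `disk_only` entry for bob. In practice the memory image and the hive copy should be taken as close together in time as possible, since a legitimate password change between the two captures produces the same mismatch.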
Other features of the rootkit are keyboard logging and stealing user privileges.
Barta shared his findings at the recent Hackers Halted conference and, fortunately, plans to provide antivirus companies with the rootkit for their databases. Barta will also release the rootkit's binaries to the EC-Council, which will include the rootkit in CEHv7 training material.
