SoylentNews is people

posted by cmn32480 on Friday June 09 2017, @05:27PM
from the swallow-the-red-pill dept.

Malware uses Intel AMT feature to steal data, avoid firewalls

Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool.

Because of the way the Intel AMT SOL technology works, SOL traffic bypasses the local computer's networking stack, so local firewalls or security products won't be able to detect or block the malware while it's exfiltrating data from infected hosts.

and . . .

Intel AMT SOL exposes hidden networking interface

This is because Intel AMT SOL is part of the Intel ME (Management Engine), a separate processor embedded with Intel CPUs, which runs its own operating system.

Intel ME runs even when the main processor is powered off, and while this feature looks pretty shady, Intel built ME to provide remote administration capabilities to companies that manage large networks of thousands of computers.

I always believed the Intel Management Engine was a bad idea and a huge target for sophisticated hackers. Your hardware. Pre-compromised from the factory. A processor baked into your microprocessor with full access to the hardware. It runs a secret binary blob -- and the primary microprocessor won't run without it.

This probably isn't the last time that this will be exploited, and probably not even the first, given the difficulty of detecting it. The wonderful thing is that your OS isn't aware of the compromise and is unable to interfere with it.
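Since SOL traffic never reaches the host's network stack, the check has to move off the host. The following is an added example (not from the article or the submitter) that scans constructed Zeek-style conn.log records on a network sensor for sessions to Intel AMT's redirection ports; the console allow-list and the log lines are assumptions made for the demonstration.

```python
"""Network-side detection of Intel AMT Serial-over-LAN (SOL) sessions.

A firewall on the managed host cannot see SOL traffic (the ME answers it
before the OS stack), so a network sensor has to look for it instead.
The conn.log lines below are constructed samples, not real captures."""
import csv
import io

# Intel AMT redirection ports used for SOL / IDE-R: 16994 plain, 16995 TLS.
AMT_REDIRECTION_PORTS = {16994, 16995}
# Hypothetical allow-list: consoles that are expected to open SOL sessions.
KNOWN_MANAGEMENT_CONSOLES = {"10.0.0.5"}

# Constructed records: ts, orig_h, orig_p, resp_h, resp_p, proto, orig_bytes, resp_bytes
SAMPLE_CONN_LOG = """\
1497026400.1\t10.0.0.5\t51000\t10.0.1.20\t16995\ttcp\t2048\t512
1497026410.3\t10.0.1.20\t443\t203.0.113.9\t443\ttcp\t900\t3000
1497026420.7\t203.0.113.9\t40112\t10.0.1.20\t16994\ttcp\t4096\t58720256
1497026430.0\t10.0.1.21\t50231\t10.0.1.22\t16994\ttcp\t120\t80
"""

FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "orig_bytes", "resp_bytes"]


def parse_conn_log(text):
    """Parse tab-separated conn.log records into dicts with integer ports/bytes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS, delimiter="\t"):
        for key in ("orig_p", "resp_p", "orig_bytes", "resp_bytes"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def find_sol_sessions(rows, allowed_consoles=KNOWN_MANAGEMENT_CONSOLES):
    """Return (record, verdict) for every TCP flow to an AMT redirection port.

    AMT normally shares the host's NIC and IP, so resp_h is the managed
    machine's ordinary address. resp_bytes is what left that machine over SOL."""
    findings = []
    for row in rows:
        if row["proto"] != "tcp" or row["resp_p"] not in AMT_REDIRECTION_PORTS:
            continue
        if row["orig_h"] in allowed_consoles:
            verdict = "expected: known management console"
        else:
            verdict = "suspicious: unknown peer %s opened SOL to %s, %d bytes out" % (
                row["orig_h"], row["resp_h"], row["resp_bytes"])
        findings.append((row, verdict))
    return findings
```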


  • (Score: 0) by Anonymous Coward on Friday June 09 2017, @06:27PM (#523191) (5 children)

    "SOL traffic bypasses the local computer's networking stack, so local firewalls or security products won't be able to detect or block the malware"

    Sounds like a misconfigured firewall.
    You don't just blindly forward Ethernet packets if the encapsulation protocol isn't what's expected.

  • (Score: 2) by kaszz (4211) on Friday June 09 2017, @06:29PM (#523195)

    IP packets containing TCP tend to get through. If Ethernet MACs are locked down and specific TCP ports are blocked, it would be harder, however.

  • (Score: 2) by DannyB (5839) on Friday June 09 2017, @06:30PM (#523196)

    You don't just blindly forward Ethernet packets if the encapsulation protocol isn't what's expected.

    Ahhhhh!!! Maybe that's what I'm doing wrong!

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 5, Informative) by bob_super (1357) on Friday June 09 2017, @07:14PM (#523218) (2 children)

    Gotta RTFA sometimes (or read the Ars version). A firewall running on the same processor will simply not see those packets, as they get diverted to SOL.

    Missing from TFS is the fact that this is all disabled by default. You need another malware, or a questionable configuration to enable it first, before you're vulnerable.

    • (Score: 0) by Anonymous Coward on Friday June 09 2017, @08:57PM (#523259) (1 child)

      Need another malware....
      Does this imply Windows?
      Is Linux safe, or is this Intel "feature" its own thing and your OS choice does not even matter?
      Does AMD have some equivalent of this malevolent bakeware?
      What recourse do we have against Intel ... a worldwide class action lawsuit?

      • (Score: 2) by MrGuy (1007) on Friday June 09 2017, @09:32PM (#523278)

        Does this imply Windows?

        Nope.

        Is Linux safe, or is this Intel "feature" its own thing and your OS choice does not even matter?

        The latter. This runs upstream of/in parallel with your installed OS.

        Does AMD have some equivalent of this malevolent bakeware?

        Yep. [amd.com] It's called TrustZone.

        What recourse do we have against Intel ... a worldwide class action lawsuit?

        Good luck with that.