
posted by cmn32480 on Friday June 09 2017, @05:27PM
from the swallow-the-red-pill dept.

Malware uses Intel AMT feature to steal data, avoid firewalls

Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool.

Because of the way the Intel AMT SOL technology works, SOL traffic bypasses the local computer's networking stack, so local firewalls or security products won't be able to detect or block the malware while it's exfiltrating data from infected hosts.

and . . .

Intel AMT SOL exposes hidden networking interface

This is because Intel AMT SOL is part of the Intel ME (Management Engine), a separate processor embedded with Intel CPUs, which runs its own operating system.

Intel ME runs even when the main processor is powered off, and while this feature looks pretty shady, Intel built ME to provide remote administration capabilities to companies that manage large networks of thousands of computers.

I always believed the Intel Management Engine was a bad idea and a huge target for sophisticated hackers. Your hardware. Pre-compromised from the factory. A processor baked into your microprocessor with full access to the hardware. It runs a secret binary blob -- and the primary microprocessor won't run without it.

This probably isn't the last time that this will be exploited. Probably not even the first, given how difficult it is to detect. The wonderful thing is that your OS isn't aware of the compromise and is unable to interfere with it.
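The summary above makes one security-relevant point: SOL traffic never passes through the host network stack, so a host firewall cannot see it. What a host can still do is inventory whether the Management Engine Interface (MEI, also called HECI), the device through which host-side software reaches AMT and its SOL channel, is enumerated and driven. The following Python script is added here as an example and is not part of the story or of the article it quotes; it parses `lspci -nn` and `lsmod` output to report that. The sample outputs, including the PCI device IDs, are constructed for the example; the module names `mei` and `mei_me` are those of the Linux mei driver.

```python
"""Inventory the Intel MEI controller and its Linux driver (added example).

This does not detect the malware in the story. It answers a narrower
defender question: does this host have a path to the Management Engine
at all, and is a kernel driver currently bound to it?
"""
import re
from dataclasses import dataclass

# Constructed sample of `lspci -nn` output; device IDs are placeholders.
SAMPLE_LSPCI = """\
00:00.0 Host bridge [0600]: Intel Corporation Example Host Bridge [8086:0000] (rev 06)
00:16.0 Communication controller [0780]: Intel Corporation Management Engine Interface [8086:0000] (rev 04)
00:19.0 Ethernet controller [0200]: Intel Corporation Example Ethernet Connection [8086:0000] (rev 04)
03:00.0 Ethernet controller [0200]: Example Vendor Add-in NIC [ffff:0000] (rev 01)
"""

# Constructed sample of `lsmod` output.
SAMPLE_LSMOD = """\
Module                  Size  Used by
mei_me                 45056  0
mei                   110592  1 mei_me
e1000e                278528  0
"""

# One `lspci -nn` line: BDF, class name [class code]: description [vendor:device]
PCI_LINE = re.compile(
    r"^(?P<bdf>[0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f])\s+"
    r"(?P<cls>[^\[]+?)\s+\[(?P<code>[0-9a-f]{4})\]:\s+"
    r"(?P<desc>.+?)\s+\[(?P<vendor>[0-9a-f]{4}):(?P<device>[0-9a-f]{4})\]",
    re.IGNORECASE,
)
# Names Intel uses for the ME host interface in lspci descriptions.
MEI_NAME = re.compile(r"\b(MEI|HECI|Management Engine)\b", re.IGNORECASE)
INTEL_VENDOR = "8086"
COMM_CONTROLLER_OTHER = "0780"   # PCI class the MEI controller reports


@dataclass
class MeiReport:
    mei_devices: list   # (bdf, "vendor:device", description) tuples
    mei_modules: list   # loaded kernel modules named mei or mei_*

    @property
    def interface_present(self) -> bool:
        return bool(self.mei_devices)

    @property
    def driver_loaded(self) -> bool:
        return "mei" in self.mei_modules

    def summary(self) -> str:
        if not self.interface_present:
            return "no Intel MEI controller enumerated: no host-side path to the ME"
        if not self.driver_loaded:
            return "MEI controller present, mei driver not loaded: no kernel driver bound right now"
        return "MEI controller present and mei driver loaded: host software can reach AMT/SOL"


def find_mei_devices(lspci_text: str) -> list:
    """Return Intel devices that look like the ME host interface."""
    found = []
    for line in lspci_text.splitlines():
        m = PCI_LINE.match(line)
        if not m or m["vendor"].lower() != INTEL_VENDOR:
            continue
        if m["code"].lower() != COMM_CONTROLLER_OTHER and not MEI_NAME.search(m["desc"]):
            continue
        found.append((m["bdf"], f"{m['vendor']}:{m['device']}", m["desc"]))
    return found


def find_mei_modules(lsmod_text: str) -> list:
    """Return loaded modules belonging to the Linux mei driver stack."""
    mods = []
    for line in lsmod_text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Module":   # skip blank lines and header
            continue
        if parts[0] == "mei" or parts[0].startswith("mei_"):
            mods.append(parts[0])
    return mods


def assess(lspci_text: str, lsmod_text: str) -> MeiReport:
    return MeiReport(find_mei_devices(lspci_text), find_mei_modules(lsmod_text))


if __name__ == "__main__":
    report = assess(SAMPLE_LSPCI, SAMPLE_LSMOD)
    for bdf, ids, desc in report.mei_devices:
        print(f"{bdf} [{ids}] {desc}")
    print("mei modules:", ", ".join(report.mei_modules) or "none")
    print(report.summary())
```

On a live host, feed the script the real output of `lspci -nn` and `lsmod` (for example via `subprocess.run`). A positive report is an exposure indicator for asset inventory, not evidence of compromise: the point of the story is that once the ME path exists, the traffic itself is invisible to the host, so the check belongs in the "what could we not see" column rather than in the alerting pipeline.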


  • (Score: 2, Interesting) by Anonymous Coward on Friday June 09 2017, @07:16PM (8 children)

    by Anonymous Coward on Friday June 09 2017, @07:16PM (#523223)

    OK, so on a standalone box you can supposedly disable AMT completely in UEFI bios settings. Anyone know if that actually kills the bugger?

  • (Score: 2) by kaszz on Friday June 09 2017, @08:33PM (2 children)

    by kaszz (4211) on Friday June 09 2017, @08:33PM (#523248) Journal

    Supposedly yes.
    Another alternative is to zero out the relevant binary modules present in the BIOS memory using the correct checksums. Otherwise it will reset every 30 minutes, if the AMT doesn't get the correct code loaded to mitigate the watchdog alarm.

    • (Score: 0) by Anonymous Coward on Friday June 09 2017, @10:01PM (1 child)

      by Anonymous Coward on Friday June 09 2017, @10:01PM (#523299)

      Hmmm...been running for 6+ hours with no resets or shutdowns, bios still shows "disabled". Still would like to confirm whether or not bios is lying or the config widget actually works before I go mucking about in bios files. But good info, thanks.

      • (Score: 2) by kaszz on Saturday June 10 2017, @07:19AM

        by kaszz (4211) on Saturday June 10 2017, @07:19AM (#523426) Journal

        The 30 minute reset only occurs if you force the issue by zeroing the sections that contain the essential code for the AMT sub-processor. Because that will prevent it from working at all.

  • (Score: 2) by etherscythe on Friday June 09 2017, @09:13PM (3 children)

    by etherscythe (937) on Friday June 09 2017, @09:13PM (#523264) Journal

    You find a gun. Safety's on. Do you still pull the trigger to find out if it's loaded?

    --
    "Fake News: anything reported outside of my own personally chosen echo chamber"
    • (Score: 0) by Anonymous Coward on Friday June 09 2017, @09:56PM

      by Anonymous Coward on Friday June 09 2017, @09:56PM (#523293)

      If it's pointed safely down-range or at a smarmy little faggot, yes.

    • (Score: 2) by fliptop on Friday June 09 2017, @10:07PM

      by fliptop (1666) on Friday June 09 2017, @10:07PM (#523301) Journal

      You find a gun. Safety's on. Do you still pull the trigger to find out if it's loaded?

      No silly, you do that to see if the safety works.

      --
      Our Constitution was made only for a moral and religious people. It is wholly inadequate to the government of any other.
    • (Score: 0) by Anonymous Coward on Saturday June 10 2017, @07:05AM

      by Anonymous Coward on Saturday June 10 2017, @07:05AM (#523424)

      Because like guns computers are simple time proven mechanical contraptions anybody can build at home...

  • (Score: 0) by Anonymous Coward on Saturday June 10 2017, @04:33PM

    by Anonymous Coward on Saturday June 10 2017, @04:33PM (#523509)

    There's an ethernet chip on the motherboard, and the UEFI BIOS has a driver for it. So: use the BIOS to disable the online ethernet port, and buy a separate ethernet card that doesn't use the same chip. So how would AMT talk to the separate card? Where's the hole in this plan?