[Quote:]
Joanna cleared it up for me that they are not releasing an SMM rootkit but rather an exploit. It will be up to some other folks to tie this in with an SMM rootkit like this one perhaps.
“Thursday, March 19th, 1600 UTC, we will publish a paper (+ exploits) on exploiting Intel® CPU cache mechanisms. The attack allows for privilege escalation from Ring 0 to the SMM on many recent motherboards with Intel CPUs. Rafal implemented a working exploit with code execution in SMM in a matter of just a few hours.”
The heart-stopping thing about this particular exploit is that it hides itself in the SMM space. To put that into perspective, SMM is more privileged than a hypervisor is and it’s not controllable by any Operating System. By design, the operating system cannot override or disable System Management Interrupt (SMI) calls. In practice, the only way for you to know what is running in SMM space is to physically disassemble the firmware of your computer. So, given that an SMI takes precedence over any OS call, the OS cannot control or read SMM, and the only way to read SMM is to disassemble the system, an SMM rootkit is incredibly stealthy! It is very much like the blue pill attack (the PC is living in the matrix which is under your complete control) except that SMM attacks are at an even deeper hardware level of abstraction than a hypervisor exploit! SMM has been around in Intel chips since 386 processors, so if you’d like further education or a history lesson, here is a good article.
Now remember that what Joanna and Loic will be releasing is a brand new, never before disclosed Intel caching hack that allows them to gain access to SMM space and run their new exploit. If you then use this exploit to run an SMM rootkit that has the ability to call home to its creator to get new code or deposit its findings, you’re really gonna have a powerful hack. No software you can run on your operating system would be able to detect this type of exploit once you are pwned.