A new class of malware operates by bypassing the Network Driver Interface Specification (NDIS). NDIS is an application programming interface (API) for network interface cards (NICs). It is used in Microsoft Windows and, to varying extents, is also supported in Linux and other operating systems. By writing directly to the NIC, the new class of malware can send and receive data on a host computer without detection.
More specifically, at Blackhat/Defcon 2008, Sherri Sparks and Shawn Embleton made a presentation titled “Deeper Door, exploiting the NIC chipset.” This talk disclosed a type of rootkit that bypasses NDIS by interacting directly with the NIC. By going below NDIS, the layer to which Windows network interface drivers are written, the attack circumvents current software firewalls and intrusion detection systems, because these security applications monitor packets at the NDIS level. The “Deeper Door” presentation described targeting the Intel 8255x chipset, which has open documentation and with which many Intel cards are compatible. The described attack can both send and receive data without the NDIS layer being aware of the exploit. It would be desirable to address this security vulnerability, both for the Intel 8255x chipset and for other NIC hardware.
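The visibility gap described above can be surfaced by comparing what a host's NDIS-level monitor logged against what an off-host vantage point saw on the wire. The following is an added example, not code from the presentation or from this document's authors; the record format, the addresses (documentation ranges) and the assumption that a switch mirror port capture is available are all constructed for illustration.

```python
from collections import defaultdict

HOST_IP = "192.0.2.10"  # constructed address of the monitored host

# Constructed records: (src, sport, dst, dport, proto, bytes)
HOST_SENSOR = [  # what an NDIS-level monitor on the host logged
    ("192.0.2.10", 49152, "198.51.100.7", 443, "tcp", 5200),
    ("198.51.100.7", 443, "192.0.2.10", 49152, "tcp", 48100),
    ("192.0.2.10", 49153, "192.0.2.1", 53, "udp", 74),
]
WIRE_TAP = HOST_SENSOR + [  # what a mirror port saw in the same interval
    ("192.0.2.10", 40000, "203.0.113.9", 8080, "udp", 1900),
    ("203.0.113.9", 8080, "192.0.2.10", 40000, "udp", 220),
]

def flow_key(rec):
    """Direction-independent key so both halves of a conversation merge."""
    src, sport, dst, dport, proto, _ = rec
    a, b = sorted([(src, sport), (dst, dport)])
    return (proto, a, b)

def totals(records):
    """Sum bytes per bidirectional flow."""
    out = defaultdict(int)
    for rec in records:
        out[flow_key(rec)] += rec[5]
    return out

def reconcile(host_records, wire_records, host_ip, slack=0.05):
    """Flag this host's wire traffic that its own sensor missed or undercounted."""
    host, wire = totals(host_records), totals(wire_records)
    findings = []
    for key, wire_bytes in sorted(wire.items()):
        _, a, b = key
        if host_ip not in (a[0], b[0]):
            continue  # flow does not involve the monitored host
        seen = host.get(key, 0)
        if seen == 0:
            findings.append(("unseen_by_host", key, wire_bytes))
        elif wire_bytes > seen * (1 + slack):  # slack absorbs framing overhead
            findings.append(("byte_mismatch", key, wire_bytes - seen))
    return findings

if __name__ == "__main__":
    for finding in reconcile(HOST_SENSOR, WIRE_TAP, HOST_IP):
        print(finding)
```

A flow reported as `unseen_by_host` is traffic the NIC carried that never reached the layer where the host's firewall or IDS observes packets, which is the condition the passage describes.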