Computer Security - Microsoft Research: Strider GhostBuster Rootkit Detection and "...stealth software that hides in BIOS, Video card EEPROM"

#1

http://research.microsoft.com/rootkit/

States the following...

"Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc."

We have discussed the possibility of infecting a BIOS over and over and the consensus has been that it is not possible. Based upon my studying both viruses and hardware I can't see how it is possible. Yet the above Microsoft web site on a RootKit Detector indicates "...stealth software that hides in BIOS, Video card EEPROM".

From what I believe to be true, this is faux information and pure FUD.

If anyone has specific information (backed by authoritative URLs such as from the IEEE or some other organization) I welcome the replies. Both PRO and CON for the above statement.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#2

On Mon, 19 Sep 2005 23:58:01 GMT, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

> http://research.microsoft.com/rootkit/
>
> States the following...
> "Note: there will be some false positives. Also, this does not detect stealth software that
> hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc."
>
> We have discussed the possibility of infecting a BIOS over and over and the consensus has
> been that it is not possible.

I thought the consensus was that no known malware infects the BIOS.

> Based upon my studying both viruses and hardware I can't see how
> it is possible.

Why? You can download BIOS updates and reflash.

> Yet the above Microsoft web site on a RootKit Detector indicates
> "...stealth software that hides in BIOS, Video card EEPROM".

Maybe they've seen POCs. There probably are BIOS reflashing malwares that simply haven't surfaced.

Art
http://home.epix.net/~artnpeg

#3

Art wrote:

> On Mon, 19 Sep 2005 23:58:01 GMT, "David H. Lipman"
> <DLipman~nospam~@Verizon.Net> wrote:
>
>> http://research.microsoft.com/rootkit/
>>
>> States the following...
>> "Note: there will be some false positives. Also, this does not detect
>> stealth software that hides in BIOS, Video card EEPROM, disk bad sectors,
>> Alternate Data Streams, etc."
>>
>> We have discussed the possibility of infecting a BIOS over and over and
>> the consensus has been that it is not possible.
>
> I thought the consensus was that no known malware infects the BIOS.
>
>> Based upon my studying both viruses and hardware I can't see how
>> it is possible.
>
> Why? You can download BIOS updates and reflash.

Agreed. I do not see any reason that they *could* not exist....

>> Yet the above Microsoft web site on a RootKit Detector indicates
>> "...stealth software that hides in BIOS, Video card EEPROM".
>
> Maybe they've seen POCs. There probably are BIOS reflashing
> malwares that simply haven't surfaced.

Maybe...

> Art
>
> http://home.epix.net/~artnpeg

Imhotep

#4

From: "Art" <>

| the consensus was that no known malware infects the BIOS.
|
| >> Based upon my studying both viruses and hardware I can't see how
| >> it is possible.
|
| Why? You can download BIOS updates and reflash.
|

They are specifically written by the hardware manufacturer for specific motherboards using a specific type of Flashable RAM or programmable ROM. That is one thing, but to insert code and have the BIOS still functional seems a bit far fetched.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#5

David H. Lipman wrote:

> From: "Art" <>
>
> the consensus was that no known malware infects the BIOS.
> |
> | >>> Based upon my studying both viruses and hardware I can't see how
> | >>> it is possible.
> |
> | Why? You can download BIOS updates and reflash.
> |
>
> They are specifically written by the hardware manufacturer for specific
> motherboards using a specific type of Flashable RAM or programmable ROM.
> That is one thing, but to insert code and have the BIOS still functional
> seems a bit far fetched.

I do not think they are all *that* diverse. I am not a hardware person though. Any electric engineers/BIOS software people out there wish to comment?

Imhotep

#6

On Tue, 20 Sep 2005 01:38:55 GMT, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

> From: "Art" <>
>
> the consensus was that no known malware infects the BIOS.
> |
> | >>> Based upon my studying both viruses and hardware I can't see how
> | >>> it is possible.
> |
> | Why? You can download BIOS updates and reflash.
> |
>
> They are specifically written by the hardware manufacturer for specific motherboards using a
> specific type of Flashable RAM or programmable ROM. That is one thing, but to insert code
> and have the BIOS still functional seems a bit far fetched.

There is the possibility of doing it, and generally when something can be done, sooner or later it will.

The problem of being machine model specific could be a plus point; let's say someone has a grudge against Dell, who have a large user base. A general virus which detects which machine it's on and initiates a destructive action on that model but simply spreads on other machines is viable.

Some years ago we had a virus, CIH I think, which flashed the BIOS on some machines. It's a small leap from overwriting it with garbage to reading an image into memory, adding some code and rewriting it. There's enough space there for additions.

Let's hope the RIAA and friends do not devise a program to flash our CD and DVD writers so they refuse to copy pressed disks ...

--
Jim Watt
http://www.gibnet.com

#7

From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

| http://research.microsoft.com/rootkit/
|
| States the following...
| "Note: there will be some false positives. Also, this does not detect stealth software
| that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc."
|
| We have discussed the possibility of infecting a BIOS over and over and the consensus has
| been that it is not possible. Based upon my studying both viruses and hardware I can't see
| how it is possible. Yet the above Microsoft web site on a RootKit Detector indicates
| "...stealth software that hides in BIOS, Video card EEPROM".
|
| From what I believe to be true, this is faux information and pure FUD.
|
| If anyone has specific information (backed by authoritative URLs such as from the IEEE or
| some other organization) I welcome the replies. Both PRO and CON for the above statement.
|
| --
| Dave
| http://www.claymania.com/removal-trojan-adware.html
| http://www.ik-cs.com/got-a-virus.htm
|

Matt Braverman of Microsoft replied thusly...

"This is a completely theoretical and academic infection vector (note the "may hide" part of that segment). There are no known cases of malware that infect the BIOS and / or EEPROM."

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#8

From: "Jim Watt" <_way>

|
| There is the possibility of doing it, and generally when something can
| be done, sooner or later it will.
|
| The problem of being machine model specific could be a plus point;
| let's say someone has a grudge against Dell, who have a large user
| base. A general virus which detects which machine it's on and
| initiates a destructive action on that model but simply spreads on
| other machines is viable.
|
| Some years ago we had a virus, CIH I think, which flashed the
| BIOS on some machines. It's a small leap from overwriting it with
| garbage to reading an image into memory, adding some code and
| rewriting it. There's enough space there for additions.
|
| Let's hope the RIAA and friends do not devise a program to
| flash our CD and DVD writers so they refuse to copy pressed
| disks ...
| --
| Jim Watt
| http://www.gibnet.com

Small leap? No, it would be a humongous leap from wiping or corrupting a BIOS to infecting a BIOS and/or hiding in free space in the BIOS. The technical aspects of the chip type, size, and programming make it an extremely difficult endeavour. Peripheral BIOS would have even greater hurdles to overcome. In theory it sounds viable but in reality it is a far fetched assumption and to date, none have succeeded in infecting a BIOS and still leaving it viable or storing itself in unused space.

Matt Braverman of Microsoft confirmed that the text of the URL I cited "...is a completely theoretical and academic infection vector..."

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#9

On Tue, 20 Sep 2005 10:51:10 GMT, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

> Matt Braverman of Microsoft replied thusly...
>
> "This is a completely theoretical and academic infection vector (note the
> "may hide" part of that segment). There are no known cases of malware that
> infect the BIOS and / or EEPROM."

What you're not considering is an "insider" job ... someone working for a BIOS vendor creating and spreading infested "updates".

Art
http://home.epix.net/~artnpeg

#10

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in news:dgIXe.6951$nV1.1668@trnddc06:

> http://research.microsoft.com/rootkit/
>
> States the following...
> "Note: there will be some false positives. Also, this does not detect
> stealth software that hides in BIOS, Video card EEPROM, disk bad
> sectors, Alternate Data Streams, etc."
>
> We have discussed the possibility of infecting a BIOS over and over
> and the consensus has been that it is not possible. Based upon my
> studying both viruses and hardware I can't see how it is possible.
> Yet the above Microsoft web site on a RootKit Detector indicates
> "...stealth software that hides in BIOS, Video card EEPROM".
>
> From what I believe to be true, this is faux information and pure FUD.
>
> If anyone has specific information (backed by authoritative URLs such
> as from the IEEE or some other organization) I welcome the replies.
> Both PRO and CON for the above statement.
>

It would certainly be possible - although a lot of work - to manually "infect" the BIOS if one has physical access to the machine. Flashing the BIOS is easy - the tedious part would be generating a rewritten BIOS with hidden features to use for the flash.

While it was quite primitive and only worked on some old-fashioned 486 machines, the Chernobyl virus *did* reflash the BIOS (trashing it rather than substituting different BIOS code).

Regards,

nemo_outis