Microsoft Research: Strider GhostBuster Rootkit Detection and "...stealth software that hides in BIOS, Video card EEPROM"

David H. Lipman
09-20-2005
From: "Art" <(E-Mail Removed)>


|
| What you're not considering is an "insider" job ... someone working for
| a BIOS vendor creating and spreading infested "updates".
|
| Art
|
| http://home.epix.net/~artnpeg

Updates for what?

Let's say it is a particular vendor like ASUS. It wouldn't be for all motherboards. At best
one. Even still, there's a wide variety of flashable RAM chips that may be used. Which
chip? Would it even pass a CRC checksum by the flashing program?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Art
09-20-2005
On Tue, 20 Sep 2005 14:53:31 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Art" <(E-Mail Removed)>
>
>
>|
>| What you're not considering is an "insider" job ... someone working for
>| a BIOS vendor creating and spreading infested "updates".
>|
>
>Updates for what?
>
>Let's say it is a particular vendor like ASUS. It wouldn't be for all motherboards. At best
>one. Even still, there's a wide variety of flashable RAM chips that may be used. Which
>chip? Would it even pass a CRC checksum by the flashing program?


Haven't you ever downloaded a BIOS update and reflashed a BIOS? How
would/did you know it wasn't infested? Presumably an insider job would
pass the checksum test.

Art

http://home.epix.net/~artnpeg
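The checksum question raised above (whether an altered update would pass the flashing program's CRC, and Art's reply that an insider's build presumably would) is illustrated by the following added Python example. It is not code from the thread or from any BIOS vendor's tooling: the image layout, the trailing-CRC32 self-check and the "published digest" are all constructed stand-ins for how such a flasher and such a download page might behave.

```python
"""Added example: a flashing tool's CRC check versus a digest from a trusted source.

Everything here is constructed for illustration; it is not vendor code.
"""
import hashlib
import hmac
import zlib


def build_image(payload: bytes) -> bytes:
    """Constructed image format: body followed by its little-endian CRC32."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    return payload + crc.to_bytes(4, "little")


def flasher_crc_ok(image: bytes) -> bool:
    """Stand-in for the flashing program's self-check: trailing CRC32 must match the body.
    A CRC involves no secret, so it only detects accidental corruption."""
    body, stored = image[:-4], int.from_bytes(image[-4:], "little")
    return (zlib.crc32(body) & 0xFFFFFFFF) == stored


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_against_published_hash(image: bytes, published_sha256: str) -> bool:
    """The check a user can do: compare the download against a digest fetched
    separately from the vendor's own site (Dave's 'trusted location')."""
    return hmac.compare_digest(sha256_hex(image), published_sha256)


# Constructed "vendor" build: 4 KiB of deterministic filler plus its CRC.
GENUINE_PAYLOAD = bytes(range(256)) * 16
GENUINE_IMAGE = build_image(GENUINE_PAYLOAD)
PUBLISHED_SHA256 = sha256_hex(GENUINE_IMAGE)   # what the vendor's page would list


def altered_then_rebuilt() -> bytes:
    """The insider case from the thread: the body is changed and the normal build
    step (which recomputes the CRC) is run again, so the image is self-consistent."""
    altered = bytearray(GENUINE_PAYLOAD)
    altered[0x100:0x104] = b"XXXX"              # constructed change; content irrelevant
    return build_image(bytes(altered))


def corrupted_in_transit() -> bytes:
    """A bit flip in transfer: the body no longer matches the stored CRC."""
    damaged = bytearray(GENUINE_IMAGE)
    damaged[5] ^= 0xFF
    return bytes(damaged)


def demo() -> dict:
    """Which check catches which case."""
    insider, corrupt = altered_then_rebuilt(), corrupted_in_transit()
    return {
        "genuine_crc_ok": flasher_crc_ok(GENUINE_IMAGE),          # True
        "corrupted_crc_ok": flasher_crc_ok(corrupt),              # False: CRC does its job
        "insider_crc_ok": flasher_crc_ok(insider),                # True: CRC was recomputed
        "genuine_hash_ok": verify_against_published_hash(GENUINE_IMAGE, PUBLISHED_SHA256),
        "insider_hash_ok": verify_against_published_hash(insider, PUBLISHED_SHA256),  # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} {ok}")
```

The flasher's CRC is a transport check, not an authenticity check: it catches the corrupted download but passes the rebuilt one, because the same public computation produced both. Comparing the file's SHA-256 against a digest obtained from the vendor's site ties the file to that channel, which is Dave's argument; it still says nothing about a build altered before the digest was published, which is Art's. A signature the flasher verifies against a vendor key would be the stronger check, and it is what later firmware-update schemes moved to.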

David H. Lipman
09-20-2005
From: "Art" <(E-Mail Removed)>


|
| Haven't you ever downloaded a BIOS update and reflashed a BIOS? How
| would/did you know it wasn't infested? Presumably an insider job would
| pass the checksum test.
|
| Art
|
| http://home.epix.net/~artnpeg

I get them directly from a trusted location.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Art
09-20-2005
On Tue, 20 Sep 2005 20:19:46 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Art" <(E-Mail Removed)>
>
>
>|
>| Haven't you ever downloaded a BIOS update and reflashed a BIOS? How
>| would/did you know it wasn't infested? Presumably an insider job would
>| pass the checksum test.
>|


>I get them directly from a trusted location.


That's obviously the best bet but the point is that it's still a
gamble. You were insisting that it's impossible. I'm simply pointing
out that it's not impossible, however unlikely it might be.

Art

http://home.epix.net/~artnpeg

Sugien
09-20-2005

"Art" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Tue, 20 Sep 2005 20:19:46 GMT, "David H. Lipman"
> <DLipman~nospam~@Verizon.Net> wrote:
>
>>From: "Art" <(E-Mail Removed)>
>>
>>
>>|
>>| Haven't you ever downloaded a BIOS update and reflashed a BIOS? How
>>| would/did you know it wasn't infested? Presumably an insider job would
>>| pass the checksum test.
>>|

>
>>I get them directly from a trusted location.

>
> That's obviously the best bet but the point is that it's still a
> gamble. You were insisting that it's impossible. I'm simply pointing
> out that it's not impossible, however unlikely it might be.
>

IMHO, the more techs say something is impossible, the more likely someone
will take up the challenge to prove them wrong. Some of the same techs and
those in the know said it was impossible to get any type of infection or
malware by *only* reading an email. Of course they had to eat their words
after Melissa; but some tried to even wiggle out of that by saying they
meant to qualify what they had said, in as much that they were trying to say
that simply reading a message in plain text format was impossible;
but to me that is as much a worm wiggle of what I get accused of; but I was
and am far more innocent of the worm wiggling charge than they, lol.

I would have to guess that as a part of the development of such a BIOS
infecting virus or malware an intermediate step may be to store parts of the
virus/malware in the unused portions of the chip housing the BIOS program.
Maybe hiding the portions of the virus which AV products detect there, thereby
avoiding detection. AFAIK no known AV product checks the BIOS for virus or
malware, and if a virus/malware is created which is detected by AV products,
the creator of the offending software, instead of completely rewriting the
virus/malware to avoid detection, could simply have the virus/malware hide
the portions the AV software is keying on in the BIOS.
--
From the Desk of Sugien
/}
@###{ ]:::::ino-Soft Software::::::>
\}
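Sugien's suggestion that malware could park pieces of itself in the unused part of the BIOS chip points at an equally simple check for a defender: read the flash contents back, compare them with the vendor's known-good image, and look especially at regions that should still be erased. The Python below is an added example, not code from the thread; the image layout and the "dump" are constructed, and a real check would feed it two images of the same size read from the chip and taken from the vendor's release.

```python
"""Added example: diff a flash dump against a known-good image and flag writes
into regions that were erased (unused) in the vendor image.

Constructed data only; not code from the thread or from any vendor tool.
"""
from typing import Dict, List, Tuple

ERASED = 0xFF   # NOR flash reads back 0xFF wherever nothing has been programmed


def blank_regions(image: bytes, min_len: int = 64) -> List[Tuple[int, int]]:
    """Half-open (start, end) ranges of erased bytes at least min_len long."""
    regions, start = [], None
    for i, b in enumerate(image + b"\x00"):          # sentinel closes a trailing run
        if b == ERASED and start is None:
            start = i
        elif b != ERASED and start is not None:
            if i - start >= min_len:
                regions.append((start, i))
            start = None
    return regions


def diff_ranges(golden: bytes, dumped: bytes) -> List[Tuple[int, int]]:
    """Contiguous half-open ranges where the dump differs from the known-good image."""
    if len(golden) != len(dumped):
        raise ValueError("images must be the same size")
    ranges, start = [], None
    for i in range(len(golden) + 1):
        differs = i < len(golden) and golden[i] != dumped[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            ranges.append((start, i))
            start = None
    return ranges


def check_dump(golden: bytes, dumped: bytes) -> Dict[str, List[Tuple[int, int]]]:
    """Two findings a defender wants: any change at all, and changes that landed
    inside areas that were blank in the vendor image (Sugien's hiding place)."""
    diffs = diff_ranges(golden, dumped)
    blanks = blank_regions(golden)
    in_unused = [(s, e) for (s, e) in diffs
                 if any(bs <= s and e <= be for (bs, be) in blanks)]
    return {"diff_ranges": diffs, "written_into_unused": in_unused}


# Constructed 4 KiB layout: 3 KiB of "code" followed by 1 KiB of erased padding.
GOLDEN = bytes((i * 7) & 0xFF for i in range(3072)) + bytes([ERASED]) * 1024


def constructed_dump() -> bytes:
    """Stand-in for an image read back from the chip: 40 bytes now occupy the
    padding and one byte inside the code region changed."""
    d = bytearray(GOLDEN)
    d[3072 + 512:3072 + 552] = b"\xAA" * 40          # constructed filler in the blank area
    d[100] ^= 0x01
    return bytes(d)


if __name__ == "__main__":
    report = check_dump(GOLDEN, constructed_dump())
    for s, e in report["diff_ranges"]:
        tag = "IN UNUSED AREA" if (s, e) in report["written_into_unused"] else ""
        print(f"differs at 0x{s:05X}-0x{e:05X} ({e - s} bytes) {tag}")
```

Any non-erased bytes appearing in a region the vendor image left blank are worth explaining, whatever their content; the byte-level diff also catches changes inside the code region, which is the general case. The obvious limitation, which is the thread's whole argument, is that the comparison is only as good as the reference image: if the "known-good" copy came from the same compromised source, both will match.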

David H. Lipman
09-20-2005
From: "Art" <(E-Mail Removed)>


|
| That's obviously the best bet but the point is that it's still a
| gamble. You were insisting that it's impossible. I'm simply pointing
| out that it's not impossible, however unlikely it might be.
|
| Art
|
| http://home.epix.net/~artnpeg

Examine the concept of an infected BIOS. The BIOS (Basic Input-Output System) is the
middleware between a given motherboard's chip-set and an Operating System. The OS looks for
specific routines to access such things as the hard disk, floppy, real-time clock, USB, etc.
The question is, if the BIOS could be infected, what could "it" do? That is, being
middleware and not a high-level or even a low-level language but a series of routines to
interface hardware through system calls.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Art
09-20-2005
On Tue, 20 Sep 2005 20:57:01 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Art" <(E-Mail Removed)>
>
>
>|
>| That's obviously the best bet but the point is that it's still a
>| gamble. You were insisting that it's impossible. I'm simply pointing
>| out that it's not impossible, however unlikely it might be.
>|
>| Art
>|
>| http://home.epix.net/~artnpeg
>
>Examine the concept of an infected BIOS. The BIOS (Basic Input-Output System) is the
>middleware between a given motherboard's chip-set and an Operating System. The OS looks for
>specific routines to access such things as the hard disk, floppy, real-time clock, USB, etc.
>The question is, if the BIOS could be infected, what could "it" do? That is, being
>middleware and not a high-level or even a low-level language but a series of routines to
>interface hardware through system calls.


That's a no-brainer. It could do many kinds of different damage to a
hard drive, including making it unusable without a reformat. Even
something as simple as refusing to boot and just hanging in an infinite
loop is an example.

Art

http://home.epix.net/~artnpeg

David H. Lipman
09-20-2005
From: "Art" <(E-Mail Removed)>


|
| That's a no-brainer. It could do many kinds of different damage to a
| hard drive, including making it unusable without a reformat. Even
| something as simple as refusing to boot and just hanging in an infinite
| loop is an example.
|
| Art
|
| http://home.epix.net/~artnpeg

I can't see a vendor releasing a BIOS that did not pass a quality control check.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Art
09-20-2005
On Tue, 20 Sep 2005 21:57:58 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Art" <(E-Mail Removed)>
>
>
>|
>| That's a no-brainer. It could do many kinds of different damage to a
>| hard drive, including making it unusable without a reformat. Even
>| something as simple as refusing to boot and just hanging in an infinite
>| loop is an example.
>|
>I can't see a vendor releasing a BIOS that did not pass a quality control check.


The bad guy might work in the QC dept. Trust no one!

Art

http://home.epix.net/~artnpeg

Jeffrey F. Bloss
09-20-2005
David H. Lipman wrote:

> | That's a no-brainer. It could do many kinds of different damage to a
> | hard drive, including making it unusable without a reformat. Even
> | something as simple as refusing to boot and just hanging in an infinite
> | loop is an example.
> |
> | Art
> |
> | http://home.epix.net/~artnpeg
>
> I can't see a vendor releasing a BIOS that did not pass a quality control
> check.
>

I can't see a major hard drive manufacturer releasing thousands of hard
drives with a boot sector infector preinstalled.

But it happened.

--
Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
-Marx