Velocity Reviews - Computer Hardware Reviews

Microsoft Research: Strider GhostBuster Rootkit Detection and "...stealth software that hides in BIOS, Video card EEPROM"

 
 
Norman L. DeForest
09-21-2005

On Tue, 20 Sep 2005, Art wrote:

> On Tue, 20 Sep 2005 20:19:46 GMT, "David H. Lipman"
> <DLipman~nospam~@Verizon.Net> wrote:
>
> >From: "Art" <(E-Mail Removed)>
> >
> >|
> >| Haven't you ever downloaded a BIOS update and reflashed a BIOS? How
> >| would/did you know it wasn't infested? Presumably an insider job would
> >| pass the checksum test.
> >|
> >
> >I get them directly from a trusted location.
>
> That's obviously the best bet but the point is that it's still a
> gamble. You were insisting that it's impossible. I'm simply pointing
> out that it's not impossible, however unlikely it might be.


Sabotaged BIOSes are not only possible but one was shipped to customers.
Isn't there *anyone* here who remembers this thread from 1998?
http://www.chebucto.ns.ca/~af380/happy-birthday.txt

--
``Why don't you find a more appropriate newsgroup to post this tripe into?
This is a meeting place for a totally different kind of "vision impairment".
Catch my drift?'' -- "jim" in alt.disability.blind.social regarding an
off-topic religious/political post, March 28, 2005

 
Art
09-21-2005
On Wed, 21 Sep 2005 00:34:56 -0300, "Norman L. DeForest"
<(E-Mail Removed)> wrote:

>Sabotaged BIOSes are not only possible but one was shipped to customers.
>Isn't there *anyone* here who remembers this thread from 1998?
> http://www.chebucto.ns.ca/~af380/happy-birthday.txt

Notice how "Gareth" insisted that it couldn't be a "virus" if Dr
Solomon couldn't find it. That's the amusing part.

Art

http://home.epix.net/~artnpeg
 
David H. Lipman
09-21-2005
From: "Norman L. DeForest" <(E-Mail Removed)>


|
| Sabotaged BIOSes are not only possible but one was shipped to customers.
| Isn't there *anyone* here who remembers this thread from 1998?
| http://www.chebucto.ns.ca/~af380/happy-birthday.txt
|
| --
| ``Why don't you find a more appropriate newsgroup to post this tripe into?
| This is a meeting place for a totally different kind of "vision impairment".
| Catch my drift?'' -- "jim" in alt.disability.blind.social regarding an
| off-topic religious/political post, March 28, 2005

Thanx Norman!

http://www.f-secure.com/v-descs/birthday.shtml

http://www.softheap.com/internet/cmos-viruses_23.html

On November 13th, some PCs around the world will play the Happy Birthday song through the PC
speaker.

http://virusview.net/info/virus/j&a/notvirus.html

A "former" programmer at American Megatrends managed to sabotage a BIOS run. The specific
information is listed below:

BIOS Manufacturer: American Megatrends
BIOS Version: M82C498 Evaluation BIOS v1.55
BIOS Category: IBM PC/AT
BIOS ID Bytes: FC 01 00
BIOS Date: 04/04/93


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 
Roger Wilco
09-22-2005

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:dgIXe.6951$nV1.1668@trnddc06...
> http://research.microsoft.com/rootkit/
>
> States the following...
> "Note: there will be some false positives. Also, this does not detect
> stealth software that hides in BIOS, Video card EEPROM, disk bad sectors,
> Alternate Data Streams, etc. "
>
> We have discussed the possibility of infecting a BIOS over and over
> and the consensus has been that is not possible.


If enough room exists in the chips, malware can be stored there. IIRC
the consensus was that a "virus or worm" would most likely not be
written to do this because of the hardware specific nature of the code.
In other words, there wouldn't be enough homogeneity netwide to support
a successful worm or virus using this method. However with a specific
target in mind, a rootkit could be made very sticky - to survive a
normal wipe/reinstall.

...and for the "name one" naysayers around here - it should be noted
that some cases existed where a vulnerability exploit was known to the
underground for years before being noted by "white hat" computer
security experts.

> Based upon my studying both viruses and hardware I can't see how
> it is possible. Yet the above Microsoft web site on a RootKit
> Detector indicates
> "...stealth software that hides in BIOS, Video card EEPROM".
>
> From what I believe to be true, this is faux information and pure FUD.
>
> If anyone has specific information (backed by authoritative URLs such
> as from the IEEE or some other organization) I welcome the replies.
> Both PRO and CON for the above statement.

Will a book written by Greg Hoglund and Gary McGraw do?

Exploiting Software
How to Break Code

ISBN 0-201-78695-8


 
Roger Wilco
09-22-2005

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
newsKJXe.5376$9a2.2038@trnddc04...
> From: "Art" <(E-Mail Removed)>
>
> the consensus was that no known malware infects the BIOS.
> |
> >> Based upon my studying both viruses and hardware I can't see how
> >> it is possible.
> |
> | Why? You can download BIOS updates and reflash.
> |
>
> they are specifically written by the hardware manufacturer for a
> specific motherboard using a specific type of Flashable RAM or
> programmable ROM.


This makes it a poor choice for malware that needs to be portable
between hardware platforms, but rootkits don't need to be portable.

> That is one thing, but to insert code
> and have the BIOS still functional seems a bit far fetched.


The BIOS routine runs on the processor almost without restriction
(direct addressing, no protection) - there is no reason to assume all of
the necessary code is in that location. The code could be fragmented and
stored in multiple option ROM locations and stitched together for
instance when shadowed.

The bottom line is that what was once firmware has now entered the realm
of (malicious) mobile code.


 
David H. Lipman
09-22-2005
From: "Roger Wilco" <(E-Mail Removed)>


|
| The BIOS routine runs on the processor almost without restriction
| (direct addressing, no protection) - there is no reason to assume all of
| the necessary code is in that location. The code could be fragmented and
| stored in multiple option ROM locations and stitched together for
| instance when shadowed.
|
| The bottom line is that what was once firmware has now entered the realm
| of (malicious) mobile code.
|

It will fail CRC checks.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 
Sugien
09-22-2005

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:bEnYe.24103$fb6.9862@trnddc08...
> From: "Roger Wilco" <(E-Mail Removed)>
>
>
> |
> | The BIOS routine runs on the processor almost without restriction
> | (direct addressing, no protection) - there is no reason to assume all of
> | the necessary code is in that location. The code could be fragmented and
> | stored in multiple option ROM locations and stitched together for
> | instance when shadowed.
> |
> | The bottom line is that what was once firmware has now entered the realm
> | of (malicious) mobile code.
> |
>
> It will fail CRC checks.
>

Maybe, maybe not; because it could be configured to more or less be
invisible.
--
From the Desk of Sugien
/}
@###{ ]:::::ino-Soft Software::::::>
\}


 
Imhotep
09-23-2005
David H. Lipman wrote:

> From: "Art" <(E-Mail Removed)>
>
>
> |
> | That's a no-brainer. It could do many kinds of different damage to a
> | hard drive, including making it unusable without a reformat. Even
> | something as simple as refusing to boot and just hanging in an infinite
> | loop is an example.
> |
> | Art
> |
> | http://home.epix.net/~artnpeg
>
> I can't see a vendor releasing a BIOS that did not pass a quality control
> check.
>


Honestly, I have come across many buggy BIOSes...you notice it more when you
are working with Linux/BSD...

Im
 
Roger Wilco
09-23-2005

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:bEnYe.24103$fb6.9862@trnddc08...
> From: "Roger Wilco" <(E-Mail Removed)>
>
>
> |
> | The BIOS routine runs on the processor almost without restriction
> | (direct addressing, no protection) - there is no reason to assume all of
> | the necessary code is in that location. The code could be fragmented and
> | stored in multiple option ROM locations and stitched together for
> | instance when shadowed.
> |
> | The bottom line is that what was once firmware has now entered the realm
> | of (malicious) mobile code.
> |
>
> It will fail CRC checks.


Only if it has errors. Error in this context is a difference between the
data the CRC's cyclic check sum was generated from and the new CRC
cyclic check sum calculated from the data when received. How would a
legitimate BIOS Upgrade reflash work if the checksum reference was
inalterable? CRCs work because noise can't be expected to calculate new
checksums, and they work better than simple parity checks for
reliability and provide for error correction methods instead of only
retransmission requests.


 
David H. Lipman
09-23-2005
From: "Roger Wilco" <(E-Mail Removed)>


|
| Only if it has errors. Error in this context is a difference between the
| data the CRC's cyclic check sum was generated from and the new CRC
| cyclic check sum calculated from the data when received. How would a
| legitimate BIOS Upgrade reflash work if the checksum reference was
| inalterable? CRC's work because noise can't be expected to calculate new
| checksums, and they work better than simple parity checks for
| reliability and provide for error correction methods instead of only
| retransmission requests.
|

If it comes from the factory (malicious or not) it will not fail a CRC check. IFF code could
be appended to the BIOS routines maliciously it would fail a CRC check.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 
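The CRC exchange above (Roger's point that a reflashable image carries a checksum anyone can recompute, and Dave's point that a factory-shipped image passes its own CRC) can be made concrete with a small constructed firmware image. This is an added example, not code from any poster in the thread; the image layout with a trailing CRC-32, the `VENDOR_KEY` and the use of a keyed HMAC as a stand-in for a vendor signature are all assumptions.

```python
import hashlib
import hmac
import zlib

# Constructed layout (an assumption, not a real BIOS format): the image is
# the code bytes followed by a 4-byte little-endian CRC-32 over that code.
def build_image(code: bytes) -> bytes:
    """Append the CRC-32 trailer, as a vendor build (or a flash tool) would."""
    return code + zlib.crc32(code).to_bytes(4, "little")

def crc_ok(image: bytes) -> bool:
    """The self-check: recompute the CRC over the code and compare trailers."""
    code, stored = image[:-4], int.from_bytes(image[-4:], "little")
    return zlib.crc32(code) == stored

# Assumed vendor key; in practice this is a signing key held by the vendor
# and never stored in the image, which is why a rebuilt image cannot pass.
VENDOR_KEY = b"constructed-vendor-key"

def vendor_tag(image: bytes) -> bytes:
    """Keyed MAC over the whole image (stand-in for a vendor signature)."""
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()

def vendor_ok(image: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(vendor_tag(image), tag)

GOOD_CODE = bytes(range(60))          # constructed "firmware" contents

def demo() -> tuple:
    """Returns (noise_detected, altered_image_passes_crc, mac_rejects_it)."""
    good = build_image(GOOD_CODE)
    tag = vendor_tag(good)            # published alongside the good image

    # 1. A single bit flip from a bad flash or line noise: the CRC catches it.
    flipped = bytearray(good)
    flipped[10] ^= 0x01
    noise_detected = not crc_ok(bytes(flipped))

    # 2. Different code with the trailer rebuilt the normal way (what every
    #    reflash, legitimate or not, does): the CRC check passes.
    altered = build_image(GOOD_CODE[:30] + bytes(30))
    altered_passes_crc = crc_ok(altered)

    # 3. The keyed check, whose key lives outside the image, still rejects it.
    mac_rejects = not vendor_ok(altered, tag)
    return noise_detected, altered_passes_crc, mac_rejects

if __name__ == "__main__":
    print(demo())  # expected (True, True, True)
```

The CRC answers "was this image damaged in transit?", while only a check keyed on something absent from the image answers "did the vendor produce this image?", which is the distinction the two posters are talking past each other about.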
 
 
 