Velocity Reviews - Computer Hardware Reviews


Rootkits Installable in BIOS

 
 
Brian Gregory [UK]
 
      02-04-2006
"Roger Parks" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> RootkitRevealer, Adinf, and other single-OS integrity checkers compare
> logical I/O from the OS, with physical I/O via the BIOS.


I'm pretty certain RKR compares logical I/O via the OS with physical I/O via
the OS (not BIOS).

In some circumstances physical I/O via the OS might just call the BIOS but
normally this won't be the case.

--

Brian Gregory. (In the UK)
http://www.velocityreviews.com/forums/(E-Mail Removed)
To email me remove the letter vee.
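Added illustration of the cross-view check described above (not part of the thread, and not RootkitRevealer's own code): the "logical" view is whatever the OS file API reports, the "physical" view is parsed straight from the on-disk bytes, and any entry present in only one view is flagged. The on-disk layout here is a constructed toy directory table, not real NTFS.

```python
"""Cross-view integrity check in the style of RootkitRevealer.

Compare the OS API view of a directory (logical I/O) against names
parsed from the raw on-disk bytes (physical I/O). A rootkit hooking
the API can filter a file out of the first view, but cannot remove
it from the second, so the difference is the detection signal.
On-disk format is CONSTRUCTED: 32-byte records, flag byte (0x01 =
in use) followed by a NUL-padded UTF-8 name.
"""
RECORD_SIZE = 32

def parse_raw_directory(blob: bytes) -> set:
    """Physical view: read names straight from the raw directory bytes."""
    names = set()
    usable = len(blob) - len(blob) % RECORD_SIZE   # drop a trailing partial record
    for off in range(0, usable, RECORD_SIZE):
        rec = blob[off:off + RECORD_SIZE]
        if not rec[0] & 0x01:
            continue                               # deleted slot, not a live entry
        names.add(rec[1:].split(b"\x00", 1)[0].decode("utf-8"))
    return names

def cross_view_diff(api_view, raw_view):
    """Return (hidden, phantom): on disk but not in API, and API but not on disk."""
    api = set(api_view)
    hidden = sorted(raw_view - api)    # filtered out of the API view
    phantom = sorted(api - raw_view)   # reported by API, absent from the bytes
    return hidden, phantom

def make_record(name: str, in_use: bool = True) -> bytes:
    flag = b"\x01" if in_use else b"\x00"
    return (flag + name.encode("utf-8")).ljust(RECORD_SIZE, b"\x00")

# Constructed sample: the raw table holds a driver the API view omits.
RAW_BLOB = b"".join([
    make_record("ntoskrnl.exe"),
    make_record("hal.dll"),
    make_record("old.tmp", in_use=False),   # deleted slot, ignored
    make_record("hidden_driver.sys"),       # hidden by a hooked API
])
API_VIEW = ["ntoskrnl.exe", "hal.dll"]      # constructed "OS view"

def run_check():
    return cross_view_diff(API_VIEW, parse_raw_directory(RAW_BLOB))

if __name__ == "__main__":
    hidden, phantom = run_check()
    print("hidden from API:", hidden, "| phantom in API:", phantom)
```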


 
nemo_outis
 
      02-04-2006
"Brian Gregory [UK]" <(E-Mail Removed)> wrote in
news(E-Mail Removed):

> "Roger Parks" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) ups.com...
>> RootkitRevealer, Adinf, and other single-OS integrity checkers
>> compare logical I/O from the OS, with physical I/O via the BIOS.

>
> I'm pretty certain RKR compares logical I/O via the OS with physical
> I/O via the OS (not BIOS).
>
> In some circumstances physical I/O via the OS might just call the BIOS
> but normally this won't be the case.
>



FWIW a new version of Rootkit Revealer (1.70) was released yesterday.

http://www.sysinternals.com/Utilitie...tRevealer.html

Regards,

 
Brian Gregory [UK]
 
      02-04-2006
"nemo_outis" <(E-Mail Removed)> wrote in message
news:Xns975FD9AC762CDabcxyzcom@204.153.244.170...
> FWIW a new version of Rootkit Revealer (1.70) was released yesterday.


Thanks.

I'll try it.
I had problems with V1.6.

--

Brian Gregory. (In the UK)
(E-Mail Removed)
To email me remove the letter vee.


 
Roger Parks
 
      02-04-2006
Brian Gregory [UK] wrote:
> "Roger Parks" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) ups.com...
> > RootkitRevealer, Adinf, and other single-OS integrity checkers compare
> > logical I/O from the OS, with physical I/O via the BIOS.

>
> I'm pretty certain RKR compares logical I/O via the OS with physical I/O via
> the OS (not BIOS).
>
> In some circumstances physical I/O via the OS might just call the BIOS but
> normally this won't be the case.
>


IIRC, Adinf directly uses BIOS int 13 to get disk data, and does its
own formatting (to avoid, as much as possible, the OS), and I (wrongly)
presumed that Russinovich would do the same.

Adinf has been around for a while; could it be that XP blocks pio!? Or
perhaps Russinovich did not want to invest the significant effort into
writing lio routines!?

--
Vista error#4711: TCPA / RIAA / NGSCP VIOLATION: Microsoft optical
mouse detected Linux patterns on mousepad. Partition scan in progress
to remove offending, unapproved products. Request permission, and
apply for a new key to reactivate MS software at www.ms.com


 
Cornpone
 
      02-04-2006
nemo_outis wrote:
> "Brian Gregory [UK]" <(E-Mail Removed)> wrote in
> news:(E-Mail Removed):
>
>
>>"nemo_outis" <(E-Mail Removed)> wrote in message
>>news:Xns97586462423ADabcxyzcom@127.0.0.1...
>>
>>>No, the problem is considerably more serious than that. For instance,
>>>if I install a custom rootkit in the BIOS I can, in principle,
>>>completely pass over the input of the key, whether by keyboard, token
>>>or whatever, and sniff the key directly in RAM!

>>
>>Normally once Windows has loaded the BIOS is doing very little, proper
>>drivers designed for a multi-tasking environment take over.
>>

>
>
>
> Yes, the usual sequence is BIOS itself, in-memory image of BIOS, and then
> a handoff to Windows 32-bit drivers, etc. However, a compromised BIOS
> could subvert this handoff leaving itself still hooked in.
>
> Not that it need do so, of course. A compromised BIOS targeting the OTFE
> HD password entered at boottime could have performed its capture and
> stashed the data long before the 32-bit portion of Windows was running. It
> would gracefully relinquish control to Windows, well satisfied with its
> accomplishment.
>
> Regards,
>
> PS. Compromising other BIOSs, such as the video BIOS, also remains a
> possibility.
>


I use an ATI All in Wonder 9600 and it has something running called a
BIOS poller. I'll watch cable TV at times on my computer and after
several hours of use it will just quit, most times freezing
everything else in XP so that only a reboot will fix it. When I reboot,
watching the BIOS POST screen, I always see an "[ESD?] Update
Success!" line, as if I'd gone in and changed the BIOS settings
myself. What could be made of this? I cannot find anything changed
in the BIOS settings that are available to me.

 
nemo_outis
 
      02-04-2006
Cornpone <(E-Mail Removed)> wrote in
news:43e52d06$0$1836$(E-Mail Removed):

....snip...
>> PS. Compromising other BIOSs, such as the video BIOS, also remains
>> a possibility.
>>

>
> I use an ATI All in Wonder 9600 and it has something running called a
> BIOS poller. I'll watch cable TV at times on my computer and after
> several hours of use it will just quit, most times freezing
> everything else in XP that only a reboot will fix. When I reboot,
> watching the BIOS post screen, I always see an "[ESD?] Update
> Success!," line as if I'd went in and changed the BIOS settings
> myself. What could be made of this?



The overwhelming likelihood is that you are the unfortunate victim of the
"ordinary strange **** and bugs" that plague computer systems rather than
of a deliberate compromise of the video BIOS. That is, unless you are
close pals with Osama or chief bookkeeper for the mafia, in which case more
sinister suspicions are not entirely out of place.

Regards,


PS. To the best of my knowledge, compromises of the video BIOS are, at
this time, a purely theoretical possibility with no known "in the wild"
occurrences.

 
Brian Gregory [UK]
 
      02-05-2006
"Roger Parks" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> IIRC, Adinf directly uses Bios int-13 to get disk data, and does its
> own formating (to avoid, as much as possible, the OS), and I (wrongly)
> presumed that Russinovich would do the same.
>
> Adinf has been around for a while; could it be that XP blocks pio!? Or
> perhaps Russinovich did not want to invest the significant effort into
> writing lio routines!?


I would have thought it would be very complicated to do this if Windows was
using a proper driver for the disk I/O (as it normally would be) and not
calling the BIOS itself.

--

Brian Gregory. (In the UK)
(E-Mail Removed)
To email me remove the letter vee.

