Velocity Reviews - Computer Hardware Reviews

Cleaning a computer - any other views here?

 
 
Leythos
01-26-2009
In article <glirsv$9hm$>, John_D@Ican says...
>
> "Leythos" <> wrote in message
> news: om...
> > In article <glatg0$2lk$>, John_D@Ican says...
> >> "Leythos" <> wrote in message
> >> news: om...
> >> > In article <>,
> >> > says...
> >> >> When you say "Wiping and reinstalling" do you mean deleting all
> >> >> partitions and formatting or do you feel that it is satisfactory
> >> >> (say, on a single hard disk that has two partitions C: and D:) to
> >> >> reinstall Windows on the C: drive leaving data on D: intact? TIA
> >> >
> >> > Wipe, as in the entire physical drive, everything, period, nada
> >> > left.
> >> >
> >> > --
> >>
> >> That is straightforward advice ....... but I wonder how many (even
> >> 'professionals') follow it!
> >>
> >> Are you just as confident that ........ I'll call them 'gremlins'
> >> ......... cannot remain within a computer if the hard drive is wiped
> >> as
> >> you describe (or even replaced with a new one)?

> >
> > In my shop we wipe, delete all partitions, etc... I've yet to see
> > ANYTHING make it past that - booting from clean media and then wiping
> > the drive has always worked. Been doing this since the late 70's, never
> > seen a wiped machine retain malware after a full wipe.
> >
> >> What about gremlins hiding in, say, a RAM stick or somewhere on the
> >> motherboard? There again, how could you possibly know the answer?!!
> >>

> >
> > Well, since I've not seen, actually myself, any malware that inserts
> > itself into the BIOS NVRAM/EEPROM, nor into the same for a Video Card,
> > and since I would NEVER keep any devices (USB memory) connected during
> > the cleaning phase, it's not an issue. How could I know the answer? I
> > used to actually design motherboards, the actual boards from the chip
> > level, and in the old days I actually developed several chips (analog
> > switches), so I know a little bit about computers.
> >
> >
> > --
> > - Igitur qui desiderat pacem, praeparet bellum.
> > - Calling an illegal alien an "undocumented worker" is like calling a
> > drug dealer an "unlicensed pharmacist"
> > (remove 999 for proper email address)

>
> Thanks for posting, Leythos.
>
> I do not doubt your skill and experience. I'm simply a user who still
> has much to learn. Thank you for helping me!
>
> A silly question. You said "never seen a wiped machine retain malware
> after a full wipe." If a gremlin was *really* clever (and hid from view)
> just HOW would you know it was there? Perhaps one just has to assume
> that it's not ............ !


Because I have faith in the tools I use to wipe a drive at the lowest
level and the tools that I use to detect malware (detect to a point).

While I can't be 100.0% sure the machine is clean, I can be sure enough
to warrant providing a signed certificate stating it's clean and my
attorney and insurance provider have never found a problem with it or
asked me to stop.


--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(remove 999 for proper email address)
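Leythos's rule above is to wipe the entire physical drive, not just C:. The check a practitioner wants afterwards is proof that the wipe actually reached every sector: the partition table in LBA 0, both partitions, and the gaps between them. The script below is an added example, not Leythos's shop tooling or anything posted in this thread. It reads a raw block device (or an image file) sector by sector and reports the LBA ranges that still hold non-zero bytes. It assumes the final wipe pass wrote zeros (a random-pattern pass would make every sector look "residual"); the device path and the 1 MiB demo image are constructed for illustration.

```python
"""Scan a raw disk (or disk image) for sectors that still hold data after a wipe.

A tool that only reformatted C: leaves the MBR, the boot code and D: untouched;
reading the raw device back shows exactly which LBA ranges still contain anything.
Run as root against a block device (path is an assumption for the example):
    python3 wipecheck.py /dev/sdb
or against an image file.  With no argument it scans a constructed demo image.
Assumes a zero-fill final pass; check against the pattern if the last pass was random.
"""
import sys

SECTOR = 512


def residual_regions(data, sector=SECTOR):
    """Return [(first_lba, last_lba), ...] for runs of sectors that are not all zero."""
    regions = []
    run_start = None
    nsectors = (len(data) + sector - 1) // sector
    for lba in range(nsectors):
        chunk = data[lba * sector:(lba + 1) * sector]
        dirty = any(chunk)  # on a bytes object, True if any byte is non-zero
        if dirty and run_start is None:
            run_start = lba
        elif not dirty and run_start is not None:
            regions.append((run_start, lba - 1))
            run_start = None
    if run_start is not None:
        regions.append((run_start, nsectors - 1))
    return regions


def is_wiped(data, sector=SECTOR):
    """True when every sector reads as zero."""
    return not residual_regions(data, sector)


def merge_adjacent(regions):
    """Join runs that were split at a read-chunk boundary."""
    merged = []
    for first, last in regions:
        if merged and merged[-1][1] + 1 == first:
            merged[-1] = (merged[-1][0], last)
        else:
            merged.append((first, last))
    return merged


def scan_device(path, chunk_sectors=8192):
    """Stream a real device/image in 4 MiB chunks so a large disk need not fit in RAM."""
    regions = []
    offset_lba = 0
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk_sectors * SECTOR)
            if not buf:
                break
            for first, last in residual_regions(buf):
                regions.append((first + offset_lba, last + offset_lba))
            offset_lba += len(buf) // SECTOR
    return merge_adjacent(regions)


def describe(region):
    first, last = region
    label = " (MBR / partition table)" if first == 0 else ""
    return f"LBA {first}-{last}, {(last - first + 1) * SECTOR} bytes{label}"


def constructed_image():
    """A 1 MiB 'disk' that was reformatted but never wiped (constructed for the demo):
    the MBR signature is still in LBA 0 and old file data sits at LBA 63, where
    XP-era partitioning put the start of the first partition."""
    img = bytearray(1024 * 1024)
    img[510:512] = b"\x55\xaa"
    img[63 * SECTOR:63 * SECTOR + 16] = b"old_secret_data!"
    return bytes(img)


if __name__ == "__main__":
    found = scan_device(sys.argv[1]) if len(sys.argv) > 1 else residual_regions(constructed_image())
    if not found:
        print("clean: every sector reads as zero")
    for r in found:
        print("residual data at", describe(r))
    sys.exit(1 if found else 0)
```

On the demo image the script reports LBA 0 and LBA 63, which is exactly what a "reinstall Windows on C:" job leaves behind and a whole-device wipe does not. A non-zero exit status makes it usable as the last step of a wipe procedure.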
 
John D
01-26-2009

"Tim Jackson" <> wrote in message
news: et...
> John D wrote:
>> "Tim Jackson" <> wrote in message
>> news:yc-dnYIInuYkH-...
>>> John D wrote:
>>>
>>>> I have been led to believe that the BIOS on a motherboard can be
>>>> attacked/infected but I have no knowledge of how one may check
>>>> and/or 'clean' same.
>>>>
>>> It can, but it isn't a likely attack route. The method varies
>>> according to the make and model of motherboard, and some boards have
>>> a jumper that must be set to allow any writing to the flash ROM at all,
>>> or have a hard-coded alarm that warns you when writing is being
>>> enabled. So it is an unreliable and expensive method for a hacker.
>>>
>>> If you want to check, then look into your motherboard's flash update
>>> utility (probably on the CD that came with it, or on the
>>> manufacturer's website) and see if you can copy the existing flash
>>> contents. If so then you can make a baseline copy, and periodically
>>> repeat the process to make sure you continue to get the same data.
>>>
>>> You can probably find a security utility somewhere that will mirror
>>> the BIOS area of the memory map, which is pretty much the same thing
>>> in most cases.
>>>
>>> And don't forget your tinfoil helmet to keep aliens from controlling
>>> your brain.
>>>
>>>
>>> Tim Jackson.

>>
>> I appreciate this information, Tim. Thank you for taking the time and
>> trouble to post.
>>
>> In another group, Shenan Stanley MVP said .........
>>
>> "If the 'gremlin' was in the BIOS - the only writable media I know
>> about that could act in the way you are implying internal to the
>> machine with your "somewhere on the motherboard" comment - you've
>> been more than infested with malware."
>>
>> Even whilst wearing my tinfoil helmet, my last PC was, I'm certain,
>> deliberately attacked - so there!
>>
>> --
>> John
>>
>>

>


Hi Tim - in line replies

> Deliberately attacked maybe, but actually compromised via the BIOS? I
> find that hard to believe. Although it is theoretically possible, it
> is pretty impracticable for the reasons I gave. I never heard reports
> of an attack "in the wild" that works that way. I'd agree with the
> MVP that this would be more than a simple infestation, and would look
> to physical security, I think you must have folded the tinfoil
> wrongly.


I thought I had been asking questions about such matters, not telling
you that *my* BIOS had been compromised! (Although I may have done it
myself - see later!).

> What were the characteristics of this malware, how did you identify
> it, does it have a name, what symptoms did it cause, how did you cure
> it? I often find friends saying "my computer's got a virus" when
> actually they've got a memory defect or some such hardware fault. I'm
> sure readers here would be interested to hear technical details of
> such an attack.


How did I cure it? I scrapped the PC and bought another box - hand-built
by a mature student learning to be a computer technician at Exeter
college.

> I can't see why anyone would use such a method. If it was a personal
> attack on a single computer, then a pick-axe would probably be easier.
> If it was some sort of wild malware on the net it would have to be
> very specific to a particular type of motherboard, and why should
> someone want to take the time write that when there are much simpler
> ways to achieve their objectives.


The history is long and involved, but in the early part of 2006 I spent
hundreds of hours experimenting - including using my PC as a Honey-pot
(without any protection) and then opening up just about every file in
System32 with Notepad to read all manner of messages hidden in amongst
the gobbledegook! Instead of 'cleaning' I became quite adept at
flattening and reinstalling Windows from scratch (I have a retail copy
of XP Home and Microsoft disks - now for SP1, 2 and 3). I bought Norton
Internet Security 2006 and Ghost and spent many hours experimenting with
them too. I experimented with FDISK and used Darik's Boot and Nuke too.
http://en.wikipedia.org/wiki/Darik%27s_Boot_and_Nuke

I also downloaded - from what I thought/hoped was the bona fide MSI
(Motherboard) web site - a copy of an updated BIOS and 'flashed' same. I
made and kept a 'BIOS Rescue Disk' (Floppy). I'd like to email you a copy
of same to see if you consider it to have been 'the real McCoy'. There
is a text file called 'Copying' that begins ....

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
675 Mass Ave, Cambridge, MA 02139, USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

And ends like this .......

If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type
`show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the
appropriate parts of the General Public License. Of course, the
commands you use may be called something other than `show w' and
`show c'; they could even be mouse-clicks or menu items--whatever
suits your program.

You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James
Hacker.

<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice

************************

Might you have time to look? Please advise. Thanks.
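Tim Jackson's suggestion quoted in the post above is to dump the existing flash contents, keep that as a baseline, and periodically dump again to confirm the data has not changed. The script below is an added example of that comparison step; it is not Tim's utility, not MSI's flash tool, and not anything from the thread. The dump itself is left to a real tool (on Linux, `flashrom -p internal -r bios.bin` as root reads the board's flash chip into a file); this script only compares two dumps and reports which erase blocks differ, using a 64 KiB block size that is an assumption about the chip. Two caveats a practitioner should keep in mind: a BIOS that is already hostile can lie to software that reads the flash through the chipset, so an external SPI programmer is the stronger check, and the board writes its own configuration data (ESCD/DMI, or the NVRAM variable store on UEFI systems) into the same chip, so a change confined to one data block is expected while a change in the boot code blocks is not. Re-baseline after every deliberate BIOS update.

```python
"""Compare a freshly dumped BIOS/firmware image against a saved baseline.

The dump step is outside this script (example, Linux as root):
    flashrom -p internal -r bios-today.bin
then:
    python3 bioscheck.py baseline.bin bios-today.bin
Exit status 0 means identical, 1 means at least one block differs.
With no arguments it compares two constructed demo images.
"""
import hashlib
import sys

BLOCK = 64 * 1024  # erase-block granularity used for the report; an assumption, not read from the chip


def digest(image):
    """SHA-256 of a whole image, for the baseline record."""
    return hashlib.sha256(image).hexdigest()


def changed_blocks(baseline, current, block=BLOCK):
    """Return [(block_index, byte_offset, differing_bytes), ...] for blocks that differ.

    A size mismatch means a different chip or a truncated dump; refuse to compare
    rather than report a misleading 'everything after offset X changed'."""
    if len(baseline) != len(current):
        raise ValueError(
            f"size mismatch: baseline {len(baseline)} bytes vs current {len(current)} bytes")
    changes = []
    for off in range(0, len(baseline), block):
        a = baseline[off:off + block]
        b = current[off:off + block]
        if a != b:
            nbytes = sum(1 for x, y in zip(a, b) if x != y)
            changes.append((off // block, off, nbytes))
    return changes


def compare(baseline, current, block=BLOCK):
    """Return (identical, report_lines)."""
    lines = [f"baseline sha256 {digest(baseline)}",
             f"current  sha256 {digest(current)}"]
    changes = changed_blocks(baseline, current, block)
    if not changes:
        lines.append("identical: flash contents match the baseline")
        return True, lines
    for idx, off, nbytes in changes:
        lines.append(f"block {idx} at 0x{off:06x}: {nbytes} byte(s) differ")
    lines.append(f"{len(changes)} of {len(baseline) // block} blocks changed; "
                 "check whether the changed block is the board's data area or boot code")
    return False, lines


def constructed_images():
    """Two 512 KiB images (constructed for the demo): a baseline and a copy with a
    single bit flipped inside block 3, as a configuration write by the BIOS might look."""
    base = bytes((i * 7 + 3) & 0xFF for i in range(512 * 1024))
    cur = bytearray(base)
    cur[3 * BLOCK + 0x10] ^= 0x01
    return base, bytes(cur)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            base = f.read()
        with open(sys.argv[2], "rb") as f:
            cur = f.read()
    else:
        base, cur = constructed_images()
    same, report = compare(base, cur)
    print("\n".join(report))
    sys.exit(0 if same else 1)
```

Keep the baseline dump and its SHA-256 on media the machine cannot write to (a write-protected floppy or CD fits the era of this thread). The per-block report is what turns "the hash changed" into something actionable: one changed block at the chip's data area after a CMOS setup change is normal, while changes spread across the code blocks with no update having been run are not.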


 
John D
01-26-2009

"Tim Jackson" <> wrote in message
news:w9udnewoXpbuK-...
> John D wrote:
>> "Tim Jackson" <> wrote in message
>> news: et...
>>> John D wrote:
>>>>
>>>> In another group, Shenan Stanley MVP said .........
>>>>
>>>> "If the 'gremlin' was in the BIOS - the only writable media I know
>>>> about that could act in the way you are implying internal to the
>>>> machine with your "somewhere on the motherboard" comment - you've
>>>> been more than infested with malware."
>>>>
>>>> Even whilst wearing my tinfoil helmet, my last PC was, I'm certain,
>>>> deliberately attacked - so there!
>>>>

>>
>> Hi Tim - in line replies
>>
>>> Deliberately attacked maybe, but actually compromised via the BIOS?
>>> I find that hard to believe. Although it is theoretically possible,
>>> it is pretty impracticable for the reasons I gave. I never heard
>>> reports of an attack "in the wild" that works that way. I'd agree
>>> with the MVP that this would be more than a simple infestation, and
>>> would look to physical security, I think you must have folded the
>>> tinfoil wrongly.

>>
>> I thought I had been asking questions about such matters, not telling
>> you that *my* BIOS had been compromised! (Although I may have done it
>> myself - see later!).
>>


Hello again, Tim

> Perhaps I misunderstood. You described a BIOS attack, then said you
> were certain your computer had been attacked. I made the perhaps
> unwarranted assumption that the two statements were connected.


It's not always easy to communicate in this medium and I thank you for
your understanding. Perhaps it was me who didn't explain clearly!

> While it is surely *possible*, I have never heard of it being done and
> I think it quite *impracticable* as an attack.


Others seem to think likewise. I'll agree.

> And to another of your posts, what would be the point of a "gremlin"
> that didn't do anything. And why should you care that you had it.


Ah - difficult for me to explain, being a non-techie! Let it suffice to
say that I have 'picked up' from who-knows-where the idea that just a
"little bit of code" could remain within a machine even after normal
cleaning. Next time the box is connected to the Internet I have gathered
that additional "code" can in some way be added to that previously left
behind and then relevant malware resurrect itself.

You are, I'm sure, aware that some modern malware can (and does) lay
hidden - but active - within a machine, yet without the knowledge of the
user.

The more-or-less sole purpose of malware nowadays is to steal money or
sell 'sake-oil' products. I was bitten for £245 and didn't like that. I
especially didn't like being threatened by email messages when I
eventually had my funds reinstated by PayPal. That is when I involved
the police and subsequently discussed matters with the (then) "National
High-Tech Computer Crime Unit". They were good - but understaffed and
far too busy! Now it's http://www.soca.gov.uk/

> I understand that you want to explore the possibilities, but you have
> to draw a line somewhere else you will spend the rest of your life
> chasing the shoals of red herring that no doubt exist. I mean what if
> someone had tunnelled under your house, removed your computer then
> carefully reinstated everything including an identical but different
> computer. Sure it's possible, but pointless. One might do that to an
> ATM or a PoS terminal to capture PINs, but there has to be significant
> value in it to justify such an expensive and risky operation.


You make your point well, Tim. Perhaps, as this is a special day for me,
it is time to let things go.

I'll try.
--
John


 
John D
01-26-2009
Ooops!

In my long reply I apologise for my typo - I meant "snake-oil"!

Sorry.


 
John D
01-26-2009

"Tim Jackson" <> wrote in message
news: et...
> John D wrote:
>> Ooops!
>>
>> In my long reply I apologise for my typo - I meant "snake-oil"!
>>
>> Sorry.
>>
>>

>
> LOL
>
> Sake oil sounds like some sort of interesting Japanese cocktail.
>
> Tim


Off-the-wall humour - *just* like my boy! ))

Manchester has much to answer for!

Nick had his car stolen there. The police found it - intact. But, by the
time Nick got to it, someone had trashed it and set it on fire! C'est la
vie! Back to the bank of mum and dad!


 
John D
01-27-2009

"Tim Jackson" <> wrote in message
news: et...
> John D wrote:
>> Ooops!
>>
>> In my long reply I apologise for my typo - I meant "snake-oil"!
>>
>> Sorry.
>>
>>

>
> LOL
>
> Sake oil sounds like some sort of interesting Japanese cocktail.
>
> Tim


If you would like a tincture, explore ....... motzarella.newusers -
Pictures in groups?

Thanks for your email message btw!
--
John


 
John D
01-29-2009
FWIW - I'd trust YOU to clean *my* machine if you were close by! ))

Thanks for your helpful comments, Leythos.
--
John


"Leythos" <> wrote in message
news: om...
>
> While I can't be 100.0% sure the machine is clean, I can be sure enough
> to warrant providing a signed certificate stating it's clean and my
> attorney and insurance provider have never found a problem with it or
> asked me to stop.
>
>
> --
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> (remove 999 for proper email address)



 
Leythos
01-29-2009
In article <glsg6j$2ct$>, John_D@Ican says...
> FWIW - I'd trust YOU to clean *my* machine if you were close by! ))
>
> Thanks for your helpful comments, Leythos.


Thanks, but I don't "Clean" machines for people I like, I wipe and
reinstall them.

There are a number of people in this group that I would trust as much as
I trust myself with networks. Not to offend anyone by omission, but
David Lipman as well as Stuart and Dustin, are people I would actually
trust to work on my systems and network.

There is one person that goes by many nyms that I would never allow to
have access to my trusted networks, but I won't mention his name.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(remove 999 for proper email address)
 
John D
02-04-2009

"Leythos" <> wrote in message
news: m...
> In article <glsg6j$2ct$>, John_D@Ican says...
>> FWIW - I'd trust YOU to clean *my* machine if you were close by!
>> ))
>>
>> Thanks for your helpful comments, Leythos.

>
> Thanks, but I don't "Clean" machines for people I like, I wipe and
> reinstall them.
>
> There are a number of people in this group that I would trust as much
> as I trust myself with networks. Not to offend anyone by omission, but
> David Lipman as well as Stuart and Dustin, are people I would actually
> trust to work on my systems and network.
>
> There is one person that goes by many nyms that I would never allow to
> have access to my trusted networks, but I won't mention his name.
>
> --


Wipe and reinstall sounds good to me, Leythos!

When you say Dustin I'm going to assume you mean Dustin Cook of
BugHunter and Malwarebytes fame.

The un-named I assume is the one that refers to you as The Stalker.

Stuart though ............ that rings no bell. Further clarification
please! Many thanks.
--
John


 
Leythos
02-04-2009
In article <gmbn6j$19k$>, John_D@Ican says...
>
> "Leythos" <> wrote in message
> news: m...
> > In article <glsg6j$2ct$>, John_D@Ican says...
> >> FWIW - I'd trust YOU to clean *my* machine if you were close by!
> >> ))
> >>
> >> Thanks for your helpful comments, Leythos.

> >
> > Thanks, but I don't "Clean" machines for people I like, I wipe and
> > reinstall them.
> >
> > There are a number of people in this group that I would trust as much
> > as I trust myself with networks. Not to offend anyone by omission, but
> > David Lipman as well as Stuart and Dustin, are people I would actually
> > trust to work on my systems and network.
> >
> > There is one person that goes by many nyms that I would never allow to
> > have access to my trusted networks, but I won't mention his name.
> >
> > --

>
> Wipe and reinstall sounds good to me, Leythos!
>
> When you say Dustin I'm going to assume you mean Dustin Cook of
> BugHunter and Malwarebytes fame.
>
> The un-named I assume is the one that refers to you as The Stalker.
>
> Stuart though ............ that rings no bell. Further clarification
> please! Many thanks.


Sorry, no additional details possible.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(remove 999 for proper email address)
 