Computer Security - Firmware Rootkits - detection 'tool' available?
#1

I asked this question in the two 'security' newsgroups to which I now
crosspost.

"Is there *any* tool which can identify a rootkit on a ROM chip?"

I received an answer which said ...........

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:...
> From: "~BD~" <>
>
> They should be dismissed until they are ACTUALLY found in the wild and not
> postulated in
> some white paper(s).

I believe Firmware rootkits are rare - but *I* think that they should *not* be dismissed.

Read : http://www.ngssoftware.com/research/...07-Heasman.pdf

So, should I simply accept Mr Lipman's word that the subject is irrelevant?

I'd really like to know if there is *any* way that someone could identify that the firmware on their machine had been infected (in other words, remain infected even if a new hard disk was installed).

*Is* there a detection tool? That remains my question.

Pure FUD? I think not!

--
Dave (for FUD see http://www.cavcomp.demon.co.uk/halloween/fuddef.html )

~BD~

#2

In message <> , "nobody " wrote:
> ~BD~ wrote:
> > I asked this question in the two 'security' newsgroups to which I now
> > crosspost.
> >
> > "Is there *any* tool which can identify a rootkit on a ROM chip?"
>
> If you are truly speaking of Read Only Memory that was installed at
> assembly, there's no way that a rootkit could be there unless it was put
> on when the ROM was "Burned"

Really? Have you ever flashed a BIOS? ^_^

--
http://www.care2.com/click-to-donate/wolves/
Proof of Americas 3rd world status: http://www.ramusa.org/
Cash for *who*? http://www.bartcop.com/list-the-facts.htm
http://www.pavlovianobeisance.com/

§ñühw¤£f

#3

"nobody >" <> wrote in message news: m...
> ~BD~ wrote:
>> I asked this question in the two 'security' newsgroups to which I now
>> crosspost.
>>
>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
>
> If you are truly speaking of Read Only Memory that was installed at
> assembly, there's no way that a rootkit could be there unless it was put
> on when the ROM was "Burned"

"§ñühw¤£f" poses the question of 'flashing' the BIOS.

I'm suggesting that if/when this action is carried out, it might well be possible to introduce malware to a system - which will remain for posterity.

If I am right, I'm asking if there is any way that ordinary folk could ever find out the truth. *Is* there a way?

--
Dave

~BD~

#4

"~BD~" <> writes:
> "nobody >" <> wrote in message
> news: m...
>> ~BD~ wrote:
>>> I asked this question in the two 'security' newsgroups to which I now
>>> crosspost.
>>>
>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
>>
>> If you are truly speaking of Read Only Memory that was installed at
>> assembly, there's no way that a rootkit could be there unless it was put
>> on when the ROM was "Burned"
>
> "§ñühw¤£f" poses the question of 'flashing' the BIOS.
>
> I'm suggesting that if/when this action is carried out, it might well be
> possible to introduce malware to a system - which will remain for posterity.
>
> If I am right, I'm asking if there is any way that ordinary folk could ever
> find out the truth. *Is* there a way?

Dave, I think the short answer is no, I believe (though it's always hard to prove a negative). The technique is too new to have tamper detection commercially available.

If you're worried, simply reflash your BIOS with an image from the manufacturer. And hope they haven't trojaned it themselves.

#include <a_variety_of_global_sourcing_fears.h>

--
Todd H.
http://www.toddh.net/

Todd H.

#5

From: "§ñühw¤£f" <>

| In message <> , "nobody " wrote:
>> ~BD~ wrote:
>> > I asked this question in the two 'security' newsgroups to which I now
>> > crosspost.
>> >
>> > "Is there *any* tool which can identify a rootkit on a ROM chip?"

>> If you are truly speaking of Read Only Memory that was installed at
>> assembly, there's no way that a rootkit could be there unless it was put
>> on when the ROM was "Burned"

| Really? Have you ever flashed a BIOS?

That's not ROM that's a form of EEPROM.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David H. Lipman

#6

"~BD~" <> wrote in
news:h913fv$ou5$:

> "nobody >" <> wrote in message
> news: m...
>> ~BD~ wrote:
>>> I asked this question in the two 'security' newsgroups to
>>> which I now crosspost.
>>>
>>> "Is there *any* tool which can identify a rootkit on a
>>> ROM chip?"
>>
>> If you are truly speaking of Read Only Memory that was
>> installed at assembly, there's no way that a rootkit could
>> be there unless it was put on when the ROM was "Burned"
>
> "§ñühw¤£f" poses the question of 'flashing' the BIOS.
>
> I'm suggesting that if/when this action is carried out, it
> might well be possible to introduce malware to a system -
> which will remain for posterity.
>
> If I am right, I'm asking if there is any way that ordinary
> folk could ever find out the truth. *Is* there a way?

I just happen to have a rom.bin BIOS file handy and I just checked it with ESET NOD32. No problems. It came from the computer manuf. Now if someone wants to "stick" a virus into one and THEN run it through an A-V program again, we'll know if A-V programs can "do" BIOS ROM files.

--
Lots of theoretical butchers are alleged and other bloody eyes are suitable, but will Pam secure that?

thanatoid

#7

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news::

> From: "§ñühw¤£f" <>
>
>| In message <> , "nobody
>| " wrote:
>>> ~BD~ wrote:
>>> > I asked this question in the two 'security' newsgroups to which I
>>> > now crosspost.
>>> >
>>> > "Is there *any* tool which can identify a rootkit on a ROM chip?"
>
>>> If you are truly speaking of Read Only Memory that was installed at
>>> assembly, there's no way that a rootkit could be there unless it was
>>> put on when the ROM was "Burned"
>
>| Really? Have you ever flashed a BIOS?
>
> That's not ROM that's a form of EEPROM.
>

While you're worrying, you might want to worry about *other* BIOSes besides the motherboard one. For instance, video cards have a BIOS and many ethernet cards do as well (as do SCSI cards and other less common possibilities). In principle any of these could harbour malware.

Regards,

nemo_outis

#8

thanatoid <> writes:
> I just happen to have a rom.bin BIOS file handy and I just
> checked it with ESET NOD32. No problems. It came from the
> computer manuf. Now if someone wants to "stick" a virus into one
> and THEN run it through an A-V program again, we'll know if A-V
> programs can "do" BIOS ROM files.

Writing signatures for a known issue in a BIOS ROM would be relatively straightforward with current signature based file AV technology.

That's not the same, however, as testing for malware in the system's current BIOS.

--
Todd H.
http://www.toddh.net/

Todd H.

#9

(Todd H.) wrote in
news::

> thanatoid <> writes:
>
>> I just happen to have a rom.bin BIOS file handy and I just
>> checked it with ESET NOD32. No problems. It came from the
>> computer manuf. Now if someone wants to "stick" a virus
>> into one and THEN run it through an A-V program again,
>> we'll know if A-V programs can "do" BIOS ROM files.
>
> Writing signatures for a known issue in a BIOS ROM would be
> relatively straightforward with current signature based file
> AV technology.
>
> That's not the same, however, as testing for malware in the
> system's current BIOS.

Well, you can SAVE your /current/ BIOS and then scan THAT, right? Unless an "entirely different and not detectable by normal AV programs type of malware" applies to BIOS chips.

--
Lots of theoretical butchers are alleged and other bloody eyes are suitable, but will Pam secure that?

thanatoid
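
The check discussed in posts #8 and #9, as an added example that is not part of the original thread: instead of scanning a saved BIOS copy for signatures, compare it byte for byte with the manufacturer's image and report where the two differ. The block size, the "allowed" range for settings that legitimately vary, and the sample images are all constructed assumptions.

```python
import hashlib

BLOCK = 4096  # comparison granularity in bytes (assumption, not from the thread)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def differing_ranges(dump: bytes, reference: bytes, block: int = BLOCK):
    """Return merged [start, end) byte ranges where the two images differ.
    A length mismatch shows up as a differing range covering the extra tail."""
    ranges = []
    longest = max(len(dump), len(reference))
    for off in range(0, longest, block):
        if dump[off:off + block] != reference[off:off + block]:
            end = min(off + block, longest)
            if ranges and ranges[-1][1] == off:
                ranges[-1][1] = end      # extend the previous run
            else:
                ranges.append([off, end])
    return [tuple(r) for r in ranges]

def unexplained(ranges, allowed):
    """Drop ranges that lie fully inside a region expected to change."""
    return [r for r in ranges
            if not any(a <= r[0] and r[1] <= b for a, b in allowed)]

def compare_images(dump: bytes, reference: bytes, allowed=()):
    diffs = differing_ranges(dump, reference)
    return {
        "dump_sha256": sha256_hex(dump),
        "reference_sha256": sha256_hex(reference),
        "identical": dump == reference,
        "diffs": diffs,
        "unexplained": unexplained(diffs, allowed),
    }

def demo():
    # Constructed sample data: a 64 KiB "vendor image" and a "dump" of it.
    reference = bytes(range(256)) * 256
    dump = bytearray(reference)
    dump[0x2000:0x2010] = b"\xff" * 16      # settings area, expected to vary
    dump[0x9000:0xA004] = b"\x90" * 0x1004  # change outside any allowed region
    return compare_images(bytes(dump), reference, allowed=[(0x2000, 0x3000)])

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A clean result only shows that the bytes the dump tool returned match the vendor image; it says nothing about whether the running system handed the tool the real flash contents, or whether the vendor image itself is trustworthy.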

#10

From: "nemo_outis" <>

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
| news::
>> From: "§ñühw¤£f" <>

>>| In message <> , "nobody
>>| " wrote:
>>>> ~BD~ wrote:
>>>> > I asked this question in the two 'security' newsgroups to which I
>>>> > now crosspost.
>>>> >
>>>> > "Is there *any* tool which can identify a rootkit on a ROM chip?"

>>>> If you are truly speaking of Read Only Memory that was installed at
>>>> assembly, there's no way that a rootkit could be there unless it was
>>>> put on when the ROM was "Burned"

>>| Really? Have you ever flashed a BIOS?

>> That's not ROM that's a form of EEPROM.

| While you're worrying, you might want to worry about *other* BIOSes
| besides the motherboard one. For instance, video cards have a BIOS and
| many ethernet cards do as well (as do SCSI cards and other less common
| possibilities). In principle any of these could harbour malware.

| Regards,

In principle but not yet in actuality.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David H. Lipman