Computer Security - Firmware Rootkits - detection 'tool' available?

 
Old 09-19-2009, 03:44 PM   #11
Default Re: Firmware Rootkits - detection 'tool' available?


David H. Lipman <DLipman~nospam~@Verizon.Net> pinched out a steaming
pile of<>:

>From: "nemo_outis" <>
>
>| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
>| news::
>
>>> From: "§ñühw¤£f" <>
>
>>>| In message <> , "nobody " wrote:
>>>>> ~BD~ wrote:
>>>>> > I asked this question in the two 'security' newsgroups to which I
>>>>> > now crosspost.
>>>>> >
>>>>> > "Is there *any* tool which can identify a rootkit on a ROM chip?"
>
>>>>> If you are truly speaking of Read Only Memory that was installed at
>>>>> assembly, there's no way that a rootkit could be there unless it was
>>>>> put on when the ROM was "Burned"
>
>>>| Really? Have you ever flashed a BIOS?
>
>>> That's not ROM that's a form of EEPROM.
>
>| While you're worrying, you might want to worry about *other* BIOSes
>| besides the motherboard one. For instance, video cards have a BIOS and
>| many ethernet cards do as well (as do SCSI cards and other less common
>| possibilities). In principle any of these could harbour malware.
>
>| Regards,
>
>In principle but not yet in actuality.
>

Don't worry, we're working on it


--
http://www.youtube.com/watch?v=COaoYqkpkUA
cageprisoners.com|www.snuhwolf.9f.com|www.eyeonpalin.org
Old 09-19-2009, 03:47 PM   #12
§ñühw¤£f
 
Posts: n/a
Default Re: Firmware Rootkits - detection 'tool' available?
nobody > <> pinched out a steaming pile
of<> :

>~BD~ wrote:
>> "nobody >" <> wrote in message
>> news: m...
>>> ~BD~ wrote:
>>>> I asked this question in the two 'security' newsgroups to which I now
>>>> crosspost.
>>>>
>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
>>> If you are truly speaking of Read Only Memory that was installed at
>>> assembly, there's no way that a rootkit could be there unless it was put
>>> on when the ROM was "Burned"
>>
>> "§ñühw¤£f" poses the question of 'flashing' the BIOS.
>>
>> I'm suggesting that if/when this action is carried out, it might well be
>> possible to introduce malware to a system - which will remain for posterity.
>>
>> If I am right, I'm asking if there is any way that ordinary folk could ever
>> find out the truth. *Is* there a way?
>>
>> --
>> Dave
>>
>
>"Flashing the BIOS" means that the chip(s) in question are
>erasable/reprogrammable. By long convention, ROM is static and can
>only be written to ONCE. The term "burning" came from the original
>design where you actually burnt elements of the chip away to store the
>contents.
>

Firmware Upgrade.

Was the modem *designed* with an EEPROM? I'm thinking it wasn't.
So when I downloaded a "flash modem tool" from USR and upgraded a modem
with linux (it was pretty exciting btw and made me feel like I was a
smarty) I bet it wasn't an EEPROM chip but a ROM chip.
Or was I mistaken?
Hmmmm...

--
http://www.youtube.com/watch?v=COaoYqkpkUA
cageprisoners.com|www.snuhwolf.9f.com|www.eyeonpalin.org
Old 09-19-2009, 04:08 PM   #13
David H. Lipman
 
Posts: n/a
Default Re: Firmware Rootkits - detection 'tool' available?
From: "§ñühw¤£f" <>




>>In principle but not yet in actuality.

| Don't worry, we're working on it

I doubt you are

But... I am sure some malicious actor is but to date, nothing.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp




Old 09-19-2009, 04:24 PM   #14
David H. Lipman
 
Posts: n/a
Default Re: Firmware Rootkits - detection 'tool' available?
From: "§ñühw¤£f" <>

| nobody > <> pinched out a steaming pile
| of<> :

>>~BD~ wrote:
>>> "nobody >" <> wrote in message
>>> news: m...
>>>> ~BD~ wrote:
>>>>> I asked this question in the two 'security' newsgroups to which I now
>>>>> crosspost.

>>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
>>>> If you are truly speaking of Read Only Memory that was installed at
>>>> assembly, there's no way that a rootkit could be there unless it was put
>>>> on when the ROM was "Burned"

>>> "§ñühw¤£f" poses the question of 'flashing' the BIOS.

>>> I'm suggesting that if/when this action is carried out, it might well be
>>> possible to introduce malware to a system - which will remain for posterity.

>>> If I am right, I'm asking if there is any way that ordinary folk could ever
>>> find out the truth. *Is* there a way?

>>> --
>>> Dave

>>"Flashing the BIOS" means that the chip(s) in question are
>>erasable/reprogrammable. By long convention, ROM is static and can
>>only be written to ONCE. The term "burning" came from the original
>>design where you actually burnt elements of the chip away to store the
>>contents.

| Firmware Upgrade.

| Was the modem *designed* with an EEPROM? I'm thinking it wasn't.
| So when I downloaded a "flash modem tool" from USR and upgraded a modem
| with linux (it was pretty exciting btw and made me feel like I was a
| smarty) I bet it wasn't an EEPROM chip but a ROM chip.
| Or was I mistaken?
| Hmmmm...

Go back to the first chips. As noted you would "burn" code on a "Read Only Memory" chip
by actually causing leads within the microchip to be burnt away like a burned out
lightbulb. Then there were the EPROMS where ultraviolet light was used to "erase" what
was stored in ROM. These are noted by their glass windows which would then be covered by
a label indicating its function and application. Then there is the Electrically Erasable
Programmable ROM which is more like the Flashable ROM we know Today.

BoaterDave is an idiot and he introduced FUD when he replied to someone in
alt.computer.security with "However, have you considered that your BIOS may have
been/could be infected? A whole new ball-game!"

That's what started this because I replied...
"Pure FUD.

The BIOS is NOT infected and should not be considered to be infected or become possibly
infected!"

To date NO ONE has "infected" a BIOS. There have been malware attempts and when it comes
to Motherboard BIOS at best the BIOS is corrupted or deleted rendering the system
incapable of booting. This subject matter has been discussed to death in alt.comp.virus
and alt.comp.anti-virus long before BoaterDave posted to Usenet.

To infect a BIOS there are just too many variables from which chip-set used, entry points
for code insertion, CRC checks, etc. Even if one particular module can be infected it
would be an extremely small niche as there is no way a programmer is going to program a
dictionary of chip-sets and systems into the code.

Just consider the idea of flashing a BIOS. Whose BIOS? Phoenix, Award??? For what
system?

Take an Award BIOS for motherboard X. If you try to flash Motherboard X with Award BIOS
for motherboard Y, you'll have a dead system.

Now extrapolate that to BIOS chips on periphery. It becomes exponentially more difficult.

Thus the idea of infecting BIOS (at this time) is pure FUD and BoaterDave is showing his
trolling nature.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp




Old 09-19-2009, 05:26 PM   #15
Aratzio
 
Posts: n/a
Default Re: Firmware Rootkits - detection 'tool' available?
On Sat, 19 Sep 2009 14:47:28 +0000 (UTC), in the land of
24hoursupport.helpdesk, §ñühw¤£f <> got double
secret probation for writing:

>nobody > <> pinched out a steaming pile
>of< >:
>
>>~BD~ wrote:
>>> "nobody >" <> wrote in message
>>> news: m...
>>>> ~BD~ wrote:
>>>>> I asked this question in the two 'security' newsgroups to which I now
>>>>> crosspost.
>>>>>
>>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
>>>> If you are truly speaking of Read Only Memory that was installed at
>>>> assembly, there's no way that a rootkit could be there unless it was put
>>>> on when the ROM was "Burned"
>>>
>>> "§ñühw¤£f" poses the question of 'flashing' the BIOS.
>>>
>>> I'm suggesting that if/when this action is carried out, it might well be
>>> possible to introduce malware to a system - which will remain for posterity.
>>>
>>> If I am right, I'm asking if there is any way that ordinary folk could ever
>>> find out the truth. *Is* there a way?
>>>
>>> --
>>> Dave
>>>
>>
>>"Flashing the BIOS" means that the chip(s) in question are
>>erasable/reprogrammable. By long convention, ROM is static and can
>>only be written to ONCE. The term "burning" came from the original
>>design where you actually burnt elements of the chip away to store the
>>contents.
>>
>
>Firmware Upgrade.
>
>Was the modem *designed* with an EEPROM? I'm thinking it wasn't.
>So when I downloaded a "flash modem tool" from USR and upgraded a modem
>with linux (it was pretty exciting btw and made me feel like I was a
>smarty) I bet it wasn't an EEPROM chip but a ROM chip.
>Or was I mistaken?
>Hmmmm...


VERY BASIC:
ROM - Data fixed in silicon - expensive in small quantity.
PROM - Write Once - Read Many - Much less expensive but not erasable.
EPROM - UV Erasable data - Erase was slow and required UV lamps
EEPROM - Electrically Erasable - Essentially a RAM with retention.
(Multiple types of flash & rom fit here)
FLASH - An EEPROM with higher density, faster write speeds and more
write cycles. Different technology than the original EEPROM. Multiple
types now NAND/NOR.

A flash modem tool would have been used on any of the "electrically
erasable" devices that could be reprogrammed under software control.
Anything before that technology would require removal of the memory.


Old 09-19-2009, 05:42 PM   #16
Aratzio
 
Posts: n/a
Default Re: Firmware Rootkits - detection 'tool' available?
On Sat, 19 Sep 2009 11:24:11 -0400, in the land of
24hoursupport.helpdesk, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> got double secret probation for writing:

>From: "§ñühw¤£f" <>
>
>| nobody > <> pinched out a steaming pile
>| of<> :
>
>>>~BD~ wrote:
>>>> "nobody >" <> wrote in message
>>>> news: m...
>>>>> ~BD~ wrote:
>>>>>> I asked this question in the two 'security' newsgroups to which I now
>>>>>> crosspost.
>
>>>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
>>>>> If you are truly speaking of Read Only Memory that was installed at
>>>>> assembly, there's no way that a rootkit could be there unless it was put
>>>>> on when the ROM was "Burned"
>
>>>> "§ñühw¤£f" poses the question of 'flashing' the BIOS.
>
>>>> I'm suggesting that if/when this action is carried out, it might well be
>>>> possible to introduce malware to a system - which will remain for posterity.
>
>>>> If I am right, I'm asking if there is any way that ordinary folk could ever
>>>> find out the truth. *Is* there a way?
>
>>>> --
>>>> Dave
>
>>>"Flashing the BIOS" means that the chip(s) in question are
>>>erasable/reprogrammable. By long convention, ROM is static and can
>>>only be written to ONCE. The term "burning" came from the original
>>>design where you actually burnt elements of the chip away to store the
>>>contents.
>
>| Firmware Upgrade.
>
>| Was the modem *designed* with an EEPROM? I'm thinking it wasn't.
>| So when I downloaded a "flash modem tool" from USR and upgraded a modem
>| with linux (it was pretty exciting btw and made me feel like I was a
>| smarty) I bet it wasn't an EEPROM chip but a ROM chip.
>| Or was I mistaken?
>| Hmmmm...
>
>Go back to the first chips. As noted you would "burn" code on a "Read Only Memory" chip
>by actually causing leads within the microchip to be burnt away like a burned out
>lightbulb.


Err, no, ROM were masked devices where data was etched in the raw
material. No "leads" burnt. Early ROM were not even "chips" but blocks
of laminate with hardwired address.

PROM were the first that used a high voltage to disable one of two
paths within the silicon. Later as technology changed they reoriented
the junctions rather than use destructive means which changed the
location from a 1 to a 0.

EPROM used a high frequency light to reset the junction to its original
1 state and allow reprogramming.


Old 09-19-2009, 07:03 PM   #17
nemo_outis
 
Posts: n/a
Default Re: Firmware Rootkits - detection 'tool' available?
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news::

....
>| While you're worrying, you might want to worry about *other* BIOSes
>| besides the motherboard one. For instance, video cards have a BIOS
>| and many ethernet cards do as well (as do SCSI cards and other less
>| common possibilities). In principle any of these could harbour
>| malware.
>


> In principle but not yet in actuality.


We agree on my qualification: in principle. To my knowledge there's
nothing "in the wild." Yet!

However, if I were targeting a BIOS for malware insertion a graphics
card would have considerable appeal.

For instance, nVidia has for a long time supported direct programming of
the GPU (that's "G" not "C") through CUDA (and ATI more recently with
Stream) using high-level languages such as C. The GPU is a very
powerful processor and, to my knowledge, no anti-virus (or other
anti-malware) program even looks at it as a threat source. Very likely
a compromise of the graphics BIOS could be leveraged to use this
separate processor.

Vaguely redolent of how a FireWire DMA attack completely bypasses the
CPU and therefore any anti-virus programs.

Regards,




nemo_outis
  Reply With Quote
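An added example, not part of any post in this thread: one way to check the add-in card BIOSes mentioned above is to parse a dumped PCI option ROM image (55 AA header, PCIR data structure), test the legacy checksum byte, and compare a SHA-256 of each image with a hash recorded when the card was known good. The sample ROM, the vendor/device IDs and all function names are constructed for illustration.

```python
import hashlib
import struct

def build_sample_rom(vendor=0x1234, device=0x5678, blocks=2):
    """Constructed legacy x86 option ROM image (not any real card's firmware)."""
    rom = bytearray(blocks * 512)
    rom[0:2] = b"\x55\xaa"                      # expansion ROM signature
    rom[2] = blocks                              # size in 512-byte units
    struct.pack_into("<H", rom, 0x18, 0x40)      # pointer to PCI Data Structure
    struct.pack_into("<4sHHHHB3sHHBB", rom, 0x40, b"PCIR", vendor, device,
                     0, 0x18, 0, b"\x00\x00\x03", blocks, 1, 0, 0x80)
    rom[-1] = (-sum(rom)) % 256                  # checksum byte: sum becomes 0
    return bytes(rom)

def parse_images(blob):
    """Walk the image chain in an option ROM dump; return one dict per image."""
    images, off = [], 0
    while off + 0x1A <= len(blob):
        if blob[off:off + 2] != b"\x55\xaa":
            raise ValueError(f"no 55 AA signature at offset {off:#x}")
        (ptr,) = struct.unpack_from("<H", blob, off + 0x18)
        p = off + ptr
        if p + 0x18 > len(blob) or blob[p:p + 4] != b"PCIR":
            raise ValueError(f"no PCIR structure for image at {off:#x}")
        vendor, device = struct.unpack_from("<HH", blob, p + 4)
        (units,) = struct.unpack_from("<H", blob, p + 0x10)
        code_type, indicator = blob[p + 0x14], blob[p + 0x15]
        size = units * 512
        if size == 0 or off + size > len(blob):
            raise ValueError(f"image at {off:#x} runs past the dump")
        body = blob[off:off + size]
        images.append({
            "key": (vendor, device, code_type),
            # Only legacy x86 images (code type 0) carry the sum-to-zero byte.
            "checksum_ok": sum(body) % 256 == 0 if code_type == 0 else None,
            "sha256": hashlib.sha256(body).hexdigest(),
        })
        if indicator & 0x80:                     # bit 7 marks the last image
            break
        off += size
    return images

def audit(blob, baseline):
    """Compare a dump with known-good hashes {(vendor, device, type): sha256}."""
    findings = []
    for img in parse_images(blob):
        if img["checksum_ok"] is False:
            findings.append((img["key"], "checksum does not sum to zero"))
        expected = baseline.get(img["key"])
        if expected is None:
            findings.append((img["key"], "no known-good hash recorded"))
        elif expected != img["sha256"]:
            findings.append((img["key"], "hash differs from baseline"))
    return findings

if __name__ == "__main__":
    good = build_sample_rom()
    baseline = {i["key"]: i["sha256"] for i in parse_images(good)}
    changed = bytearray(good)
    changed[0x100], changed[0x101] = 1, 255      # altered, byte sum unchanged
    print(audit(good, baseline), audit(bytes(changed), baseline))
```

The second constructed dump keeps the byte sum at zero, so only the hash comparison flags it. The result is only as trustworthy as the method used to read the ROM and the source of the baseline hashes.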
Old 09-19-2009, 07:10 PM   #18
nemo_outis
 
Posts: n/a
Default Re: Firmware Rootkits - detection 'tool' available?
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news::
....
> BoaterDave is an idiot and he introduced FUD when he replied to
> someone in alt.computer.security with "However, have you considered
> that your BIOS may have been/could be infected? A whole new
> ball-game!"
>
> That's what started this because I replied...
> "Pure FUD.
>
> The BIOS is NOT infected and should not be considered to be infected or
> become possibly infected!"
>
> To date NO ONE has "infected" a BIOS. ....



You're not quite right: the Chernobyl virus of a few years back could -
and did! - trash the motherboard BIOS of many machines.

But as you go on to describe this was simple trashing, NOT the insertion
of workable code.

Moreover, your core point, that BIOS malware is, at present, only a
theoretical possibility and not a live threat, is well-taken.
Accordingly, BoaterDave raising the issue to be considered by the OP when
protecting his system was pure bullshit.

Regards,


Old 09-19-2009, 09:13 PM   #19
David H. Lipman
 
Posts: n/a
Default Re: Firmware Rootkits - detection 'tool' available?
From: "nemo_outis" <>

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
| news::

| ...
>>| While you're worrying, you might want to worry about *other* BIOSes
>>| besides the motherboard one. For instance, video cards have a BIOS
>>| and many ethernet cards do as well (as do SCSI cards and other less
>>| common possibilities). In principle any of these could harbour
>>| malware.



>> In principle but not yet in actuality.


| We agree on my qualification: in principle. To my knowledge there's
| nothing "in the wild." Yet!

| However, if I were targeting a BIOS for malware insertion a graphics
| card would have considerable appeal.

| For instance, nVidia has for a long time supported direct programming of
| the GPU (that's "G" not "C") through CUDA (and ATI more recently with
| Stream) using high-level languages such as C. The GPU is a very
| powerful processor and, to my knowledge, no anti-virus (or other
| anti-malware) program even looks at it as a threat source. Very likely
| a compromise of the graphics BIOS could be leveraged to use this
| separate processor.

| Vaguely redolent of how a FireWire DMA attack completely bypasses the
| CPU and therefore any anti-virus programs.

| Regards,

I remember reading about the FireWire exploitation.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp




Old 09-19-2009, 09:16 PM   #20
David H. Lipman
 
Posts: n/a
Default Re: Firmware Rootkits - detection 'tool' available?
From: "nemo_outis" <>

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
| news::
| ...
>> BoaterDave is an idiot and he introduced FUD when he replied to
>> someone in alt.computer.security with "However, have you considered
>> that your BIOS may have been/could be infected? A whole new
>> ball-game!"

>> That's what started this because I replied...
>> "Pure FUD.

>> The BIOS is NOT infected and should not be considered to be infected or
>> become possibly infected!"

>> To date NO ONE has "infected" a BIOS. ....



| You're not quite right: the Chernobyl virus of a few years back could -
| and did! - trash the motherboard BIOS of many machines.

| But as you go on to describe this was simple trashing, NOT the insertion
| of workable code.

| Moreover, your core point, that BIOS malware is, at present, only a
| theoretical possibility and not a live threat, is well-taken.
| Accordingly, BoaterDave raising the issue to be considered by the OP when
| protecting his system was pure bullshit.

| Regards,

Right. It trashed it. It did not replace the code nor infect the BIOS. It rendered the
motherboard useless.

The Chernobyl was not the only one as there were copycats. None however could replace the
code nor infect the BIOS.

There was one case but that was unusual. It was the case of a disgruntled employee who
modified the BIOS code at the factory.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



