Computer Security - Firmware Rootkits - detection 'tool' available?

#21

In message <>, Aratzio wrote:
> On Sat, 19 Sep 2009 14:47:28 +0000 (UTC), in the land of
> 24hoursupport.helpdesk, §ñühw¤£f <> got double
> secret probation for writing:
>
> >nobody > <> pinched out a steaming pile
> >of< >:
> >
> >>~BD~ wrote:
> >>> "nobody >" <> wrote in message
> >>> news: m...
> >>>> ~BD~ wrote:
> >>>>> I asked this question in the two 'security' newsgroups to which I now
> >>>>> crosspost.
> >>>>>
> >>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
> >>>> If you are truly speaking of Read Only Memory that was installed at
> >>>> assembly, there's no way that a rootkit could be there unless it was put
> >>>> on when the ROM was "Burned"
> >>>
> >>> "§ñühw¤£f" poses the question of 'flashing' the BIOS.
> >>>
> >>> I'm suggesting that if/when this action is carried out, it might well be
> >>> possible to introduce malware to a system - which will remain for posterity.
> >>>
> >>> If I am right, I'm asking if there is any way that ordinary folk could ever
> >>> find out the truth. *Is* there a way?
> >>>
> >>> --
> >>> Dave
> >>
> >>"Flashing the BIOS" means that the chip(s) in question are
> >>erasable/reprogrammable. By long convention, ROM is static and can
> >>only be written to ONCE. The term "burning" came from the original
> >>design where you actually burnt elements of the chip away to store the
> >>contents.
> >
> >Firmware Upgrade.
> >
> >Was the modem *designed* with an EEPROM? I'm thinking it wasnt.
> >So when I downloaded a "flash modem tool" from USR and upgraded a modem
> >with linux (it was pretty exciting btw and made me feel like I was a
> >smarty) I bet it wasnt an EEPROM chip but a ROM chip.
> >Or was I mistaken?
> >Hmmmm...
>
> VERY BASIC:
> ROM - Data fixed in silicon - expensive in small quantity.
> PROM - Write Once - Read Many - Much less expensive but not erasable.
> EPROM - UV Erasable data - Erase was slow and required UV lamps
> EEPROM - Electrically Erasable - Essentially a RAM with retention.
> (Multiple types of flash & rom fit here)
> FLASH - An EEPROM with higher density, faster write speeds and more
> write cycles. Different technology than the original EEPROM. Multiple
> types now NAND/NOR.
>
> A flash modem tool would have been used on any of the "electrically
> erasable" devices that could be reprogrammed under software control.
> Anything before that technology would require removal of the memory.

SUDDENLY I DONT FEEL SO SPECIAL

--
http://www.care2.com/click-to-donate/wolves/
Proof of Americas 3rd world status: http://www.ramusa.org/
Cash for *who*? http://www.bartcop.com/list-the-facts.htm
http://www.pavlovianobeisance.com/

§ñühw¤£f

#22

In message <>, "David H. Lipman" wrote:
> From: "§ñühw¤£f" <>
>
> >>In principle but not yet in actuality.
>
> | Dont worry, we're working on it
>
> I doubt you are

Hire a chinese kid to do it.

> But... I am sure some malicious actor is but to date, nothing.

Patience is a virtue.

--
http://www.care2.com/click-to-donate/wolves/
Proof of Americas 3rd world status: http://www.ramusa.org/
Cash for *who*? http://www.bartcop.com/list-the-facts.htm
http://www.pavlovianobeisance.com/

§ñühw¤£f

#23

From: "~BD~" <>
| David H. Lipman wrote:
>> From: "§ñühw¤£f" <>
>>>> In principle but not yet in actuality.
>> | Dont worry, we're working on it
>> I doubt you are
>> But... I am sure some malicious actor is but to date, nothing.

| Please explain just *how* you know that to be a *fact*.

| Indeed, how would a user know that his/her machine had been compromised
| in this way - especially now that modern machines are so much faster
| than in days gone by?

Speed of the PC has NOTHING to do with it.

I know this to be a fact because there is NO insider information on the occurrence. In this thread nemo mentioned about a FireWire exploit. He read about it. I read about it and it was confirmed. The fact there is no BIOS/FirmWare malware/RootKit is a fact based upon knowledge on the inside. Just because someone postulates the possibility does NOT mean there exists any.

It is postulated that there is life in the universe outside of the sphere of our Earth. It has also been discussed that such life has visited Earth. You can discuss this as a possibility because it has NOT been proven to have happened.

Again... When you posted "However, have you considered that your BIOS may have been/could be infected? A whole new ball-game!" You were injecting pure FUD as nobody should be considering this unless they are wearing tin foil hats and expecting an invasion from Mars.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David H. Lipman

#24

In article <X->, says...
> David H. Lipman wrote:
>
> > BoaterDave is an idiot
>
> That is not true. Please deal with *facts*.

Your own history seems to indicate the statement is true.

> > To date NO ONE has "infected" a BIOS.
>
> You cannot possibly know that to be true.
>
> You may simply be unaware of the truth.

I've been working with computers, designing hardware, burning EPROMS, EEPROMS, and making PALS, and programming ROM's for 30+ years, or at least most of 30 years. I have NEVER seen a malware in the wild that rewrites a BIOS, have not read about one, have not read about anyone that has actually seen one in real-life....

You need to put the tin-foil hat back on BD.

--
You can't trust your best friends, your five senses, only the little voice inside you that most civilians don't even hear -- Listen to that. Trust yourself.
(remove 999 for proper email address)

Leythos

#25

On Sat, 19 Sep 2009 15:37:11 -0600, in the land of
24hoursupport.helpdesk, §ñühw¤£f <> got double
secret probation for writing:

>In message <>, Aratzio wrote:
>> On Sat, 19 Sep 2009 14:47:28 +0000 (UTC), in the land of
>> 24hoursupport.helpdesk, §ñühw¤£f <> got double
>> secret probation for writing:
>>
>> >nobody > <> pinched out a steaming pile
>> >of< >:
>> >
>> >>~BD~ wrote:
>> >>> "nobody >" <> wrote in message
>> >>> news: m...
>> >>>> ~BD~ wrote:
>> >>>>> I asked this question in the two 'security' newsgroups to which I now
>> >>>>> crosspost.
>> >>>>>
>> >>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
>> >>>> If you are truly speaking of Read Only Memory that was installed at
>> >>>> assembly, there's no way that a rootkit could be there unless it was put
>> >>>> on when the ROM was "Burned"
>> >>>
>> >>> "§ñühw¤£f" poses the question of 'flashing' the BIOS.
>> >>>
>> >>> I'm suggesting that if/when this action is carried out, it might well be
>> >>> possible to introduce malware to a system - which will remain for posterity.
>> >>>
>> >>> If I am right, I'm asking if there is any way that ordinary folk could ever
>> >>> find out the truth. *Is* there a way?
>> >>>
>> >>> --
>> >>> Dave
>> >>
>> >>"Flashing the BIOS" means that the chip(s) in question are
>> >>erasable/reprogrammable. By long convention, ROM is static and can
>> >>only be written to ONCE. The term "burning" came from the original
>> >>design where you actually burnt elements of the chip away to store the
>> >>contents.
>> >
>> >Firmware Upgrade.
>> >
>> >Was the modem *designed* with an EEPROM? I'm thinking it wasnt.
>> >So when I downloaded a "flash modem tool" from USR and upgraded a modem
>> >with linux (it was pretty exciting btw and made me feel like I was a
>> >smarty) I bet it wasnt an EEPROM chip but a ROM chip.
>> >Or was I mistaken?
>> >Hmmmm...
>>
>> VERY BASIC:
>> ROM - Data fixed in silicon - expensive in small quantity.
>> PROM - Write Once - Read Many - Much less expensive but not erasable.
>> EPROM - UV Erasable data - Erase was slow and required UV lamps
>> EEPROM - Electrically Erasable - Essentially a RAM with retention.
>> (Multiple types of flash & rom fit here)
>> FLASH - An EEPROM with higher density, faster write speeds and more
>> write cycles. Different technology than the original EEPROM. Multiple
>> types now NAND/NOR.
>>
>> A flash modem tool would have been used on any of the "electrically
>> erasable" devices that could be reprogrammed under software control.
>> Anything before that technology would require removal of the memory.
>
>SUDDENLY I DONT FEEL SO SPECIAL

Oh you are very very special.

Aratzio

#26

Aratzio <> pinched out a steaming pile
of<>:

>On Sat, 19 Sep 2009 15:37:11 -0600, in the land of
>24hoursupport.helpdesk, §ñühw¤£f <> got double
>secret probation for writing:
>
>>In message <>, Aratzio wrote:
>>> On Sat, 19 Sep 2009 14:47:28 +0000 (UTC), in the land of
>>> 24hoursupport.helpdesk, §ñühw¤£f <> got double
>>> secret probation for writing:
>>>
>>> >nobody > <> pinched out a steaming pile
>>> >of< >:
>>> >
>>> >>~BD~ wrote:
>>> >>> "nobody >" <> wrote in message
>>> >>> news: m...
>>> >>>> ~BD~ wrote:
>>> >>>>> I asked this question in the two 'security' newsgroups to which I now
>>> >>>>> crosspost.
>>> >>>>>
>>> >>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
>>> >>>> If you are truly speaking of Read Only Memory that was installed at
>>> >>>> assembly, there's no way that a rootkit could be there unless it was put
>>> >>>> on when the ROM was "Burned"
>>> >>>
>>> >>> "§ñühw¤£f" poses the question of 'flashing' the BIOS.
>>> >>>
>>> >>> I'm suggesting that if/when this action is carried out, it might well be
>>> >>> possible to introduce malware to a system - which will remain for posterity.
>>> >>>
>>> >>> If I am right, I'm asking if there is any way that ordinary folk could ever
>>> >>> find out the truth. *Is* there a way?
>>> >>>
>>> >>> --
>>> >>> Dave
>>> >>
>>> >>"Flashing the BIOS" means that the chip(s) in question are
>>> >>erasable/reprogrammable. By long convention, ROM is static and can
>>> >>only be written to ONCE. The term "burning" came from the original
>>> >>design where you actually burnt elements of the chip away to store the
>>> >>contents.
>>> >
>>> >Firmware Upgrade.
>>> >
>>> >Was the modem *designed* with an EEPROM? I'm thinking it wasnt.
>>> >So when I downloaded a "flash modem tool" from USR and upgraded a modem
>>> >with linux (it was pretty exciting btw and made me feel like I was a
>>> >smarty) I bet it wasnt an EEPROM chip but a ROM chip.
>>> >Or was I mistaken?
>>> >Hmmmm...
>>>
>>> VERY BASIC:
>>> ROM - Data fixed in silicon - expensive in small quantity.
>>> PROM - Write Once - Read Many - Much less expensive but not erasable.
>>> EPROM - UV Erasable data - Erase was slow and required UV lamps
>>> EEPROM - Electrically Erasable - Essentially a RAM with retention.
>>> (Multiple types of flash & rom fit here)
>>> FLASH - An EEPROM with higher density, faster write speeds and more
>>> write cycles. Different technology than the original EEPROM. Multiple
>>> types now NAND/NOR.
>>>
>>> A flash modem tool would have been used on any of the "electrically
>>> erasable" devices that could be reprogrammed under software control.
>>> Anything before that technology would require removal of the memory.
>>
>>SUDDENLY I DONT FEEL SO SPECIAL
>
>Oh you are very very special.
>

YAY YAY
You're a nice lady...

--
http://www.youtube.com/watch?v=COaoYqkpkUA
cageprisoners.com|www.snuhwolf.9f.com|www.eyeonpalin.org

§ñühw¤£f

#27

~BD~ wrote:
> David H. Lipman wrote:
>
> ...... nothing at all in response to my questions.
>
>
> Maybe the dreaded swine flu is the reason, eh?
>
> Failing to answer simple, straight-forward, questions does you no credit
> at all Mr Lipman.
>
> --
> Dave (the boater)

You forget this is usenet, you are not owed an answer, you may get one if someone else wants to spend the time to answer.

If you do some research and pose an "interesting" question you'll have a better chance of a response.

John

John Mason Jr

#28

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
> To date NO ONE has "infected" a BIOS. There have been malware
> attempts and when it comes to Motherboard BIOS at best the BIOS is
> corrupted or deleted rendering the system incapable of booting.
> This subject matter has been discussed to death in alt.comp.virus and
> alt.comp.anti-virus long before BoaterDave posted to Usenet.

Dave,

You're usually reliable and helpful, but in this case you are unaware of a persistent BIOS rootkit that happened to be shipping with a variety of manufacturer's machines, highlighted at this year's BlackHat conference:

http://blogs.zdnet.com/security/?p=3828

and also you may have missed this from last year's CanSec West:

http://threatpost.com/blogs/research...attack-methods

daves_not_here@SD235235.org

#29

From: "~BD~" <>
| wrote:
>> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
>>> To date NO ONE has "infected" a BIOS. There have been malware
>>> attempts and when it comes to Motherboard BIOS at best the BIOS is
>>> corrupted or deleted rendering the system incapable of booting.
>>> This subject matter has been discussed to death in alt.comp.virus and
>>> alt.comp.anti-virus long before BoaterDave posted to Usenet.
>> Dave,
>> You're usually reliable and helpful, but in this case you are unaware
>> of a persistent BIOS rootkit that happened to be shipping with a
>> variety of manufacturer's machines, highlighted at this year's
>> BlackHat conference:
>> http://blogs.zdnet.com/security/?p=3828
>> and also you may have missed this from last year's CanSec West:
>> http://threatpost.com/blogs/research...attack-methods

| More detail here, too
| http://blogs.zdnet.com/security/?p=2962

| My suspicion is that the 'bad guys' had discovered how to exploit this
| long ago - pure conjecture, of course!

| I also don't think Mr Lipman has missed anything at all. I think *he*
| knows full well what is happening on the Wild, Wild, Web but doesn't
| want 'us' to know about it!

| --
| Dave

These are NOT "in the wild". The CoreSecurity method is lab experiment. The Computer form of LoJack is not a third party RootKit nor really a RootKit but a possible exploitable vector.

Promoting your suspicions, even with an appended smiley, is again injecting FUD.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David H. Lipman

#30

In article <>, says...
> You're usually reliable and helpful, but in this case you are unaware
> of a persistent BIOS rootkit that happened to be shipping with a
> variety of manufacturer's machines, highlighted at this year's
> BlackHat conference:
>

Notice how IT SHIPPED ALREADY INSTALLED - that's significantly different than being installed by browsing a website....

--
You can't trust your best friends, your five senses, only the little voice inside you that most civilians don't even hear -- Listen to that. Trust yourself.
(remove 999 for proper email address)

Leythos