Firmware Rootkits - detection 'tool' available?

Discussion in 'Computer Security' started by ~BD~, Sep 18, 2009.

  1. ~BD~

    ~BD~ Guest

    I asked this question in the two 'security' newsgroups to which I now
    crosspost.

    "Is there *any* tool which can identify a rootkit on a ROM chip?"

    I received an answer which said ...........

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:...
    > From: "~BD~" <>


    > They should be dismissed until they are ACTUALLY found in the wild and not
    > postulated in
    > some white paper(s).



    I believe Firmware rootkits are rare - but *I* think that they should *not*
    be dismissed.

    Read : http://www.ngssoftware.com/research/papers/BH-DC-07-Heasman.pdf

    So, should I simply accept Mr Lipman's word that the subject is irrelevant?
    I'd really like to know if there is *any* way that someone could identify
    that the firmware on their machine had been infected (in other words, remain
    infected even if a new hard disk was installed).

    *Is* there a detection tool? That remains my question.

    Pure FUD? I think not!

    --
    Dave (for FUD see http://www.cavcomp.demon.co.uk/halloween/fuddef.html )
    ~BD~, Sep 18, 2009
    #1
    1. Advertising

  2. In message <>, "nobody " wrote:
    > ~BD~ wrote:
    > > I asked this question in the two 'security' newsgroups to which I now
    > > crosspost.
    > >
    > > "Is there *any* tool which can identify a rootkit on a ROM chip?"

    >
    > If you are truly speaking of Read Only Memory that was installed at
    > assembly, there's no way that a rootkit could be there unless it was put
    > on when the ROM was "Burned"


    Really? Have you ever flashed a BIOS?

    ^_^

    --
    http://www.care2.com/click-to-donate/wolves/
    Proof of Americas 3rd world status:
    http://www.ramusa.org/
    Cash for *who*?
    http://www.bartcop.com/list-the-facts.htm
    http://www.pavlovianobeisance.com/
    §ñühw¤£f, Sep 18, 2009
    #2
    1. Advertising

  3. ~BD~

    ~BD~ Guest

    "nobody >" <> wrote in message
    news:...
    > ~BD~ wrote:
    >> I asked this question in the two 'security' newsgroups to which I now
    >> crosspost.
    >>
    >> "Is there *any* tool which can identify a rootkit on a ROM chip?"

    >
    > If you are truly speaking of Read Only Memory that was installed at
    > assembly, there's no way that a rootkit could be there unless it was put
    > on when the ROM was "Burned"


    "§ñühw¤£f" poses the question of 'flashing' the BIOS.

    I'm suggesting that if/when this action is carried out, it might well be
    possible to introduce malware to a system - which will remain for posterity.

    If I am right, I'm asking if there is any way that ordinary folk could ever
    find out the truth. *Is* there a way?

    --
    Dave
    ~BD~, Sep 19, 2009
    #3
  4. ~BD~

    Todd H. Guest

    "~BD~" <> writes:

    > "nobody >" <> wrote in message
    > news:...
    >> ~BD~ wrote:
    >>> I asked this question in the two 'security' newsgroups to which I now
    >>> crosspost.
    >>>
    >>> "Is there *any* tool which can identify a rootkit on a ROM chip?"

    >>
    >> If you are truly speaking of Read Only Memory that was installed at
    >> assembly, there's no way that a rootkit could be there unless it was put
    >> on when the ROM was "Burned"

    >
    > "§ñühw¤£f" poses the question of 'flashing' the BIOS.
    >
    > I'm suggesting that if/when this action is carried out, it might well be
    > possible to introduce malware to a system - which will remain for posterity.
    >
    > If I am right, I'm asking if there is any way that ordinary folk could ever
    > find out the truth. *Is* there a way?


    Dave,

    I think the short answer is no, i believe (though it's always hard to
    prove a negative). The technique is too new to have tamper detection
    commercially available.

    If you're worried, simply reflash your BIOS with an image from the
    manufacturer. And hope they haven't trojaned it themselves.

    #include <a_variety_of_global_sourcing_fears.h>


    --
    Todd H.
    http://www.toddh.net/
    Todd H., Sep 19, 2009
    #4
  5. From: "§ñühw¤£f" <>

    | In message <>, "nobody " wrote:
    >> ~BD~ wrote:
    >> > I asked this question in the two 'security' newsgroups to which I now
    >> > crosspost.
    >> >
    >> > "Is there *any* tool which can identify a rootkit on a ROM chip?"


    >> If you are truly speaking of Read Only Memory that was installed at
    >> assembly, there's no way that a rootkit could be there unless it was put
    >> on when the ROM was "Burned"


    | Really? Have you ever flashed a BIOS?

    That's not ROM that's a form of EEPROM.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
    David H. Lipman, Sep 19, 2009
    #5
  6. ~BD~

    thanatoid Guest

    "~BD~" <> wrote in
    news:h913fv$ou5$-september.org:

    >
    > "nobody >" <> wrote in message
    > news:...
    >> ~BD~ wrote:
    >>> I asked this question in the two 'security' newsgroups to
    >>> which I now crosspost.
    >>>
    >>> "Is there *any* tool which can identify a rootkit on a
    >>> ROM chip?"

    >>
    >> If you are truly speaking of Read Only Memory that was
    >> installed at assembly, there's no way that a rootkit could
    >> be there unless it was put on when the ROM was "Burned"

    >
    > "§ñühw¤£f" poses the question of 'flashing' the BIOS.
    >
    > I'm suggesting that if/when this action is carried out, it
    > might well be possible to introduce malware to a system -
    > which will remain for posterity.
    >
    > If I am right, I'm asking if there is any way that ordinary
    > folk could ever find out the truth. *Is* there a way?


    I just happen to have a rom.bin BIOS file handy and I just
    checked wit with ESET NOD32. No problems. It came from the
    computer manuf. Now if someone wants to "stick" a virus into one
    and THEN run it through an A-V program again, we'll know if A-V
    programs can "do" BIOS ROM files.


    --
    Lots of theoretical butchers are alleged and other bloody eyes
    are suitable, but will Pam secure that?
    thanatoid, Sep 19, 2009
    #6
  7. ~BD~

    nemo_outis Guest

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news::

    > From: "§ñühw¤£f" <>
    >
    >| In message <>, "nobody
    >| " wrote:
    >>> ~BD~ wrote:
    >>> > I asked this question in the two 'security' newsgroups to which I
    >>> > now crosspost.
    >>> >
    >>> > "Is there *any* tool which can identify a rootkit on a ROM chip?"

    >
    >>> If you are truly speaking of Read Only Memory that was installed at
    >>> assembly, there's no way that a rootkit could be there unless it was
    >>> put on when the ROM was "Burned"

    >
    >| Really? Have you ever flashed a BIOS?
    >
    > That's not ROM that's a form of EEPROM.
    >


    While you're worrying, you might want to worry about *other* BIOSes
    besides the motherboard one. For instance, video cards have a BIOS and
    many ethernet cards do as well (as do SCSI cards and other less common
    possibilities). In principle any of these could harbour malware.

    Regards,
    nemo_outis, Sep 19, 2009
    #7
  8. ~BD~

    Todd H. Guest

    thanatoid <> writes:

    > I just happen to have a rom.bin BIOS file handy and I just
    > checked wit with ESET NOD32. No problems. It came from the
    > computer manuf. Now if someone wants to "stick" a virus into one
    > and THEN run it through an A-V program again, we'll know if A-V
    > programs can "do" BIOS ROM files.


    Writing signatures for a known issue in a BIOS ROM would be relatively
    straightfoward with current signature based file AV technology.

    That's not the same, however, as testing for malware in the system's
    current BIOS.

    --
    Todd H.
    http://www.toddh.net/
    Todd H., Sep 19, 2009
    #8
  9. ~BD~

    thanatoid Guest

    (Todd H.) wrote in
    news::

    > thanatoid <> writes:
    >
    >> I just happen to have a rom.bin BIOS file handy and I just
    >> checked wit with ESET NOD32. No problems. It came from the
    >> computer manuf. Now if someone wants to "stick" a virus
    >> into one and THEN run it through an A-V program again,
    >> we'll know if A-V programs can "do" BIOS ROM files.

    >
    > Writing signatures for a known issue in a BIOS ROM would be
    > relatively straightfoward with current signature based file
    > AV technology.
    >
    > That's not the same, however, as testing for malware in the
    > system's current BIOS.


    Well, you can SAVE your /current/ BIOS and then scan THAT,
    right?
    Unless an "entirely different and not detectable by normal AV
    programs type of malware" applies to BIOS chips.



    --
    Lots of theoretical butchers are alleged and other bloody eyes
    are suitable, but will Pam secure that?
    thanatoid, Sep 19, 2009
    #9
  10. From: "nemo_outis" <>

    | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    | news::

    >> From: "§ñühw¤£f" <>


    >>| In message <>, "nobody
    >>| " wrote:
    >>>> ~BD~ wrote:
    >>>> > I asked this question in the two 'security' newsgroups to which I
    >>>> > now crosspost.
    >>>> >
    >>>> > "Is there *any* tool which can identify a rootkit on a ROM chip?"


    >>>> If you are truly speaking of Read Only Memory that was installed at
    >>>> assembly, there's no way that a rootkit could be there unless it was
    >>>> put on when the ROM was "Burned"


    >>| Really? Have you ever flashed a BIOS?


    >> That's not ROM that's a form of EEPROM.



    | While you're worrying, you might want to worry about *other* BIOSes
    | besides the motherboard one. For instance, video cards have a BIOS and
    | many ethernet cards do as well (as do SCSI cards and other less common
    | possibilities). In principle any of these could harbour malware.

    | Regards,


    In principle but not yet in actuality.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
    David H. Lipman, Sep 19, 2009
    #10
  11. David H. Lipman <DLipman~nospam~@Verizon.Net> pinched out a steaming
    pile of<>:

    >From: "nemo_outis" <>
    >
    >| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    >| news::
    >
    >>> From: "§ñühw¤£f" <>

    >
    >>>| In message <>,

    "nobody
    >>>| " wrote:
    >>>>> ~BD~ wrote:
    >>>>> > I asked this question in the two 'security' newsgroups to which

    I
    >>>>> > now crosspost.
    >>>>> >
    >>>>> > "Is there *any* tool which can identify a rootkit on a ROM

    chip?"
    >
    >>>>> If you are truly speaking of Read Only Memory that was installed

    at
    >>>>> assembly, there's no way that a rootkit could be there unless it

    was
    >>>>> put on when the ROM was "Burned"

    >
    >>>| Really? Have you ever flashed a BIOS?

    >
    >>> That's not ROM that's a form of EEPROM.

    >
    >
    >| While you're worrying, you might want to worry about *other* BIOSes
    >| besides the motherboard one. For instance, video cards have a BIOS

    and
    >| many ethernet cards do as well (as do SCSI cards and other less

    common
    >| possibilities). In principle any of these could harbour malware.
    >
    >| Regards,
    >
    >
    >In principle but not yet in actuality.
    >

    Dont worry, we're working on it ;)


    --
    http://www.youtube.com/watch?v=COaoYqkpkUA
    cageprisoners.com|www.snuhwolf.9f.com|www.eyeonpalin.org
    _____ ____ ____ __ /\_/\ __ _ ______ _____
    / __/ |/ / / / / // // . . \\ \ |\ | / __ \ \ \ __\
    _\ \/ / /_/ / _ / \ / \ \| \| \ \_\ \ \__\ _\
    /___/_/|_/\____/_//_/ \_@_/ \__|\__|\____/\____\_\
    §ñühw¤£f, Sep 19, 2009
    #11
  12. nobody > <> pinched out a steaming pile
    of<>:

    >~BD~ wrote:
    >> "nobody >" <> wrote in message
    >> news:...
    >>> ~BD~ wrote:
    >>>> I asked this question in the two 'security' newsgroups to which I

    now
    >>>> crosspost.
    >>>>
    >>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
    >>> If you are truly speaking of Read Only Memory that was installed at
    >>> assembly, there's no way that a rootkit could be there unless it

    was put
    >>> on when the ROM was "Burned"

    >>
    >> "§ñühw¤£f" poses the question of 'flashing' the BIOS.
    >>
    >> I'm suggesting that if/when this action is carried out, it might

    well be
    >> possible to introduce malware to a system - which will remain for

    posterity.
    >>
    >> If I am right, I'm asking if there is any way that ordinary folk

    could ever
    >> find out the truth. *Is* there a way?
    >>
    >> --
    >> Dave
    >>
    >>

    >
    >"Flashing the BIOS" means that the chip(s) in question are
    >erasable/reprogrammable. By long convention, ROM is static and can
    >only be written to ONCE. The term "burning" came from the original
    >design where you actually burnt elements of the chip away to store the
    >contents.
    >


    Firmware Upgrade.

    Was the modem *designed* with an EEPROM? I'm thinking it wasnt.
    So when I downloaded a "flash modem tool" from USR and upgraded a modem
    with linux (it was pretty exciting btw and made me feel like I was a
    smarty) I bet it wasnt an EEPROM chip but a ROM chip.
    Or was I mistaken?
    Hmmmm...

    --
    http://www.youtube.com/watch?v=COaoYqkpkUA
    cageprisoners.com|www.snuhwolf.9f.com|www.eyeonpalin.org
    _____ ____ ____ __ /\_/\ __ _ ______ _____
    / __/ |/ / / / / // // . . \\ \ |\ | / __ \ \ \ __\
    _\ \/ / /_/ / _ / \ / \ \| \| \ \_\ \ \__\ _\
    /___/_/|_/\____/_//_/ \_@_/ \__|\__|\____/\____\_\
    §ñühw¤£f, Sep 19, 2009
    #12
  13. David H. Lipman, Sep 19, 2009
    #13
  14. From: "§ñühw¤£f" <>

    | nobody > <> pinched out a steaming pile
    | of<>:

    >>~BD~ wrote:
    >>> "nobody >" <> wrote in message
    >>> news:...
    >>>> ~BD~ wrote:
    >>>>> I asked this question in the two 'security' newsgroups to which I

    | now
    >>>>> crosspost.


    >>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
    >>>> If you are truly speaking of Read Only Memory that was installed at
    >>>> assembly, there's no way that a rootkit could be there unless it

    | was put
    >>>> on when the ROM was "Burned"


    >>> "§ñühw¤£f" poses the question of 'flashing' the BIOS.


    >>> I'm suggesting that if/when this action is carried out, it might

    | well be
    >>> possible to introduce malware to a system - which will remain for

    | posterity.

    >>> If I am right, I'm asking if there is any way that ordinary folk

    | could ever
    >>> find out the truth. *Is* there a way?


    >>> --
    >>> Dave




    >>"Flashing the BIOS" means that the chip(s) in question are
    >>erasable/reprogrammable. By long convention, ROM is static and can
    >>only be written to ONCE. The term "burning" came from the original
    >>design where you actually burnt elements of the chip away to store the
    >>contents.



    | Firmware Upgrade.

    | Was the modem *designed* with an EEPROM? I'm thinking it wasnt.
    | So when I downloaded a "flash modem tool" from USR and upgraded a modem
    | with linux (it was pretty exciting btw and made me feel like I was a
    | smarty) I bet it wasnt an EEPROM chip but a ROM chip.
    | Or was I mistaken?
    | Hmmmm...

    Go back to the first chips. As noted you would "burn" code on a "Read Only Memory" chip
    by actually causing leads within the microchip to be burnt away like a burned out
    lightbulb. Then there were the EPROMS where ultraviolet light was used to "erase" what
    was stored in ROM. These are noted by there glass windows which would then be covered by
    a label indicating its function and application. Then there is the Electrically Erasable
    Programmable ROM which is more like the Flashable ROM we know Today.

    BoaterDave is and idiot and he introduced FUD when he replied to someone in
    alt.computer.security with "However, have you considered that your BIOS may have
    been/could be infected? A whole new ball-game!"

    That's what started this because I replied...
    "Pure FUD.

    The BIOS is NOT infected and should not be considered tobe infected or become possibly
    infected!"

    To date NO ONE has "infected" a BIOS. There have been malware attempts and when it comes
    to Motherboard BIOS at best the BIOS is corrupted or deleted rendering the system
    incapable of booting. This subject matter has been dicussed to death in alt.comp.virus
    and alt.comp.anti-virus long before BoaterDave posted to Usenet.

    To infect a BIOS there are just too many variables from which chip-set used, entry points
    for code insertion, CRC checks, etc. Even if one particular module can be infected it
    would be an extremely small niche as there is no way a programmer is going to program a
    dictionary of chip-sets and systems into the code.

    Just consider the idea of dlashing a BIOS. Whose BIOS ? Phoenix, Award ??? For what
    system ?

    Take an Award BIOS for motherboard X. If you try to flash Motherboard X with Award BIOS
    for motherboard Y, you'll have a dead system.

    Now extrapolate that to BIOS chips on periphery. It becomes exponentially more difficult.

    Thus the idea of infecting BIOS (at this time) is pure FUD and BoaterDave is showing his
    trolling nature.



    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
    David H. Lipman, Sep 19, 2009
    #14
  15. ~BD~

    Aratzio Guest

    On Sat, 19 Sep 2009 14:47:28 +0000 (UTC), in the land of
    24hoursupport.helpdesk, §ñühw¤£f <> got double
    secret probation for writing:

    >nobody > <> pinched out a steaming pile
    >of<>:
    >
    >>~BD~ wrote:
    >>> "nobody >" <> wrote in message
    >>> news:...
    >>>> ~BD~ wrote:
    >>>>> I asked this question in the two 'security' newsgroups to which I

    >now
    >>>>> crosspost.
    >>>>>
    >>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
    >>>> If you are truly speaking of Read Only Memory that was installed at
    >>>> assembly, there's no way that a rootkit could be there unless it

    >was put
    >>>> on when the ROM was "Burned"
    >>>
    >>> "§ñühw¤£f" poses the question of 'flashing' the BIOS.
    >>>
    >>> I'm suggesting that if/when this action is carried out, it might

    >well be
    >>> possible to introduce malware to a system - which will remain for

    >posterity.
    >>>
    >>> If I am right, I'm asking if there is any way that ordinary folk

    >could ever
    >>> find out the truth. *Is* there a way?
    >>>
    >>> --
    >>> Dave
    >>>
    >>>

    >>
    >>"Flashing the BIOS" means that the chip(s) in question are
    >>erasable/reprogrammable. By long convention, ROM is static and can
    >>only be written to ONCE. The term "burning" came from the original
    >>design where you actually burnt elements of the chip away to store the
    >>contents.
    >>

    >
    >Firmware Upgrade.
    >
    >Was the modem *designed* with an EEPROM? I'm thinking it wasnt.
    >So when I downloaded a "flash modem tool" from USR and upgraded a modem
    >with linux (it was pretty exciting btw and made me feel like I was a
    >smarty) I bet it wasnt an EEPROM chip but a ROM chip.
    >Or was I mistaken?
    >Hmmmm...


    VERY BASIC:
    ROM - Data fixed in silicon - expensive in small quantity.
    PROM - Write Once - Read Many - Much less expensive but not eraseable.
    EPROM - UV Eraseable data - Erase was slow and required UV lamps
    EEPROM - Electrically Eraseable - Essentially a RAM with retention.
    (Multiple types of flash & rom fit here)
    FLASH - An EEPROM with higher density, faster write speeds and more
    write cycles. Different technology than the original EEPROM. Multiple
    types now NAND/NOR.


    A flash modem tool would have been used on any of the "electrically
    erasable" devices that could be reprogrammed under software control.
    Anything before that technology would require removal of the memory.
    Aratzio, Sep 19, 2009
    #15
  16. ~BD~

    Aratzio Guest

    On Sat, 19 Sep 2009 11:24:11 -0400, in the land of
    24hoursupport.helpdesk, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> got double secret probation for writing:

    >From: "§ñühw¤£f" <>
    >
    >| nobody > <> pinched out a steaming pile
    >| of<>:
    >
    >>>~BD~ wrote:
    >>>> "nobody >" <> wrote in message
    >>>> news:...
    >>>>> ~BD~ wrote:
    >>>>>> I asked this question in the two 'security' newsgroups to which I

    >| now
    >>>>>> crosspost.

    >
    >>>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
    >>>>> If you are truly speaking of Read Only Memory that was installed at
    >>>>> assembly, there's no way that a rootkit could be there unless it

    >| was put
    >>>>> on when the ROM was "Burned"

    >
    >>>> "§ñühw¤£f" poses the question of 'flashing' the BIOS.

    >
    >>>> I'm suggesting that if/when this action is carried out, it might

    >| well be
    >>>> possible to introduce malware to a system - which will remain for

    >| posterity.
    >
    >>>> If I am right, I'm asking if there is any way that ordinary folk

    >| could ever
    >>>> find out the truth. *Is* there a way?

    >
    >>>> --
    >>>> Dave

    >
    >
    >
    >>>"Flashing the BIOS" means that the chip(s) in question are
    >>>erasable/reprogrammable. By long convention, ROM is static and can
    >>>only be written to ONCE. The term "burning" came from the original
    >>>design where you actually burnt elements of the chip away to store the
    >>>contents.

    >
    >
    >| Firmware Upgrade.
    >
    >| Was the modem *designed* with an EEPROM? I'm thinking it wasnt.
    >| So when I downloaded a "flash modem tool" from USR and upgraded a modem
    >| with linux (it was pretty exciting btw and made me feel like I was a
    >| smarty) I bet it wasnt an EEPROM chip but a ROM chip.
    >| Or was I mistaken?
    >| Hmmmm...
    >
    >Go back to the first chips. As noted you would "burn" code on a "Read Only Memory" chip
    >by actually causing leads within the microchip to be burnt away like a burned out
    >lightbulb.


    Err, no, ROM were masked devices where data was etched in the raw
    material. No "leads" burnt. Early ROM were not even "chips" but blocks
    of laminate with hardwired address.

    PROM were the first that used a high voltage to disable one of two
    paths within the silicon. Later as technology changed they reoriented
    the junctions rather than use destructive means which changed the
    location from a 1 to a 0.

    EPROM used a high frequency light to reset the juction to its original
    1 state and allow reprogramming.
    Aratzio, Sep 19, 2009
    #16
  17. ~BD~

    nemo_outis Guest

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news::

    ....
    >| While you're worrying, you might want to worry about *other* BIOSes
    >| besides the motherboard one. For instance, video cards have a BIOS
    >| and many ethernet cards do as well (as do SCSI cards and other less
    >| common possibilities). In principle any of these could harbour
    >| malware.
    >


    > In principle but not yet in actuality.


    We agree on my qualification: in principle. To my knowledge there's
    nothing "in the wild." Yet!

    However, if I were targetting a BIOS for malware insertion a graphics
    card would have considerable appeal.

    For instance, nVidia has for a long time supported direct programming of
    the GPU (that's "G" not "C") through CUDA (and ATI more recently with
    Stream) using high-level languages such as C. The GPU is a very
    powerful processor and, to my knowledge, no anti-virus (or other
    anti-malware) program even looks at it as a threat source. Very likely
    a compromise of the graphics BIOS could be leveraged to use this
    separate processor.

    Vaguely redolent of how a fireware DMA attack completely bypasses the
    CPU and therefore any anti-virus programs.

    Regards,
    nemo_outis, Sep 19, 2009
    #17
  18. ~BD~

    nemo_outis Guest

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news::
    ....
    > BoaterDave is and idiot and he introduced FUD when he replied to
    > someone in alt.computer.security with "However, have you considered
    > that your BIOS may have been/could be infected? A whole new
    > ball-game!"
    >
    > That's what started this because I replied...
    > "Pure FUD.
    >
    > The BIOS is NOT infected and should not be considered tobe infected or
    > become possibly infected!"
    >
    > To date NO ONE has "infected" a BIOS. ....



    You're not quite right: the Chernobyl virus of a few years back could -
    and did! - trash the motherboard BIOS of many machines.

    But as you go on to describe this was simple trashing, NOT the insertion
    of workable code.

    Moreover, your core point, that BIOS malware is, at present, only a
    theoretical possibility and not a live threat, is well-taken.
    Accordingly, BoaterDave raising the issue to be considered by the OP when
    protecting his system was pure bullshit.

    Regards,
    nemo_outis, Sep 19, 2009
    #18
  19. From: "nemo_outis" <>

    | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    | news::

    | ...
    >>| While you're worrying, you might want to worry about *other* BIOSes
    >>| besides the motherboard one. For instance, video cards have a BIOS
    >>| and many ethernet cards do as well (as do SCSI cards and other less
    >>| common possibilities). In principle any of these could harbour
    >>| malware.



    >> In principle but not yet in actuality.


    | We agree on my qualification: in principle. To my knowledge there's
    | nothing "in the wild." Yet!

    | However, if I were targetting a BIOS for malware insertion a graphics
    | card would have considerable appeal.

    | For instance, nVidia has for a long time supported direct programming of
    | the GPU (that's "G" not "C") through CUDA (and ATI more recently with
    | Stream) using high-level languages such as C. The GPU is a very
    | powerful processor and, to my knowledge, no anti-virus (or other
    | anti-malware) program even looks at it as a threat source. Very likely
    | a compromise of the graphics BIOS could be leveraged to use this
    | separate processor.

    | Vaguely redolent of how a fireware DMA attack completely bypasses the
    | CPU and therefore any anti-virus programs.

    | Regards,


    I remember reading about the FireWire exploitation,

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
    David H. Lipman, Sep 19, 2009
    #19
  20. From: "nemo_outis" <>

    | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    | news::
    | ...
    >> BoaterDave is and idiot and he introduced FUD when he replied to
    >> someone in alt.computer.security with "However, have you considered
    >> that your BIOS may have been/could be infected? A whole new
    >> ball-game!"


    >> That's what started this because I replied...
    >> "Pure FUD.


    >> The BIOS is NOT infected and should not be considered tobe infected or
    >> become possibly infected!"


    >> To date NO ONE has "infected" a BIOS. ....



    | You're not quite right: the Chernobyl virus of a few years back could -
    | and did! - trash the motherboard BIOS of many machines.

    | But as you go on to describe this was simple trashing, NOT the insertion
    | of workable code.

    | Moreover, your core point, that BIOS malware is, at present, only a
    | theoretical possibility and not a live threat, is well-taken.
    | Accordingly, BoaterDave raising the issue to be considered by the OP when
    | protecting his system was pure bullshit.

    | Regards,

    Right. It trashed it. It did not replace the code nor infect the BIOS. It rendered the
    motherboard useless.

    The Chrnobyl was not the only one as there were copycats. None however could replace the
    code nor infect the BIOS.

    There was one case but that was unusual. It was the case of a disgruntled employee who
    modified the BIOS code at the factory.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
    David H. Lipman, Sep 19, 2009
    #20
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Lance Malish

    45 rootkits listed on my system? Ouch!!

    Lance Malish, Apr 24, 2004, in forum: Computer Support
    Replies:
    12
    Views:
    1,766
    Gary G. Taylor
    Apr 27, 2004
  2. Kimba W. Lion

    Rootkits on DVDs

    Kimba W. Lion, Feb 15, 2006, in forum: DVD Video
    Replies:
    2
    Views:
    421
    Nicholas Andrade
    Feb 15, 2006
  3. Alind

    Detecting rootkits?

    Alind, Jun 25, 2005, in forum: Computer Security
    Replies:
    6
    Views:
    473
    Jim Watt
    Jun 26, 2005
  4. ~BD~

    Firmware rootkits

    ~BD~, Sep 18, 2009, in forum: Computer Security
    Replies:
    1
    Views:
    837
    David H. Lipman
    Sep 18, 2009
  5. ~BD~
    Replies:
    33
    Views:
    1,032
    Jeffrey Bloss
    Oct 4, 2009
Loading...

Share This Page