Microsoft Research: Strider GhostBuster Rootkit Detection and "...stealth software that hides in BI

Discussion in 'Computer Security' started by David H. Lipman, Sep 20, 2005.

  1. http://research.microsoft.com/rootkit/

    States the following...
    "Note: there will be some false positives. Also, this does not detect stealth software that
    hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc. "

    We have discussed the possibility of infecting a BIOS over and over and the consensus has
    been that it is not possible. Based upon my studying both viruses and hardware I can't see how
    it is possible. Yet the above Microsoft web site on a RootKit Detector indicates
    "...stealth software that hides in BIOS, Video card EEPROM".

    From what I believe to be true, this is faux information and pure FUD.

    If anyone has specific information (backed by authoritative URLs such as from the IEEE or
    some other organization) I welcome the replies. Both PRO and CON for the above statement.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Sep 20, 2005
    #1

  2. Art (Guest)

    On Mon, 19 Sep 2005 23:58:01 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >http://research.microsoft.com/rootkit/
    >
    >States the following...
    >"Note: there will be some false positives. Also, this does not detect stealth software that
    >hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc. "
    >
    >We have discussed the possibility of infecting a BIOS over and over and the consensus has
    >been that it is not possible.


    I thought the consensus was that no known malware infects the BIOS.

    >Based upon my studying both viruses and hardware I can't see how
    >it is possible.


    Why? You can download BIOS updates and reflash.

    >Yet the above Microsoft web site on a RootKit Detector indicates
    >"...stealth software that hides in BIOS, Video card EEPROM".


    Maybe they've seen POCs. There probably are BIOS reflashing
    malwares that simply haven't surfaced.

    Art

    http://home.epix.net/~artnpeg
     
    Art, Sep 20, 2005
    #2

  3. Imhotep (Guest)

    Art wrote:

    > On Mon, 19 Sep 2005 23:58:01 GMT, "David H. Lipman"
    > <DLipman~nospam~@Verizon.Net> wrote:
    >
    >>http://research.microsoft.com/rootkit/
    >>
    >>States the following...
    >>"Note: there will be some false positives. Also, this does not detect
    >>stealth software that hides in BIOS, Video card EEPROM, disk bad sectors,
    >>Alternate Data Streams, etc. "
    >>
    >>We have discussed the possibility of infecting a BIOS over and over and
    >>the consensus has been that it is not possible.

    >
    > I thought the consensus was that no known malware infects the BIOS.
    >
    >>Based upon my studying both viruses and hardware I can't see how
    >>it is possible.

    >
    > Why? You can download BIOS updates and reflash.


    Agreed. I do not see any reason that they *could* not exist....

    >>Yet the above Microsoft web site on a RootKit Detector indicates
    >>"...stealth software that hides in BIOS, Video card EEPROM".

    >
    > Maybe they've seen POCs. There probably are BIOS reflashing
    > malwares that simply haven't surfaced.


    Maybe...

    > Art
    >
    > http://home.epix.net/~artnpeg


    Imhotep
     
    Imhotep, Sep 20, 2005
    #3
  4. From: "Art" <>

    the consensus was that no known malware infects the BIOS.
    |
    >> Based upon my studying both viruses and hardware I can't see how
    >> it is possible.

    |
    | Why? You can download BIOS updates and reflash.
    |


    They are specifically written by the hardware manufacturer for a specific motherboard using a
    specific type of flashable RAM or programmable ROM. That is one thing, but to insert code
    and have the BIOS still functional seems a bit far fetched.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Sep 20, 2005
    #4
  5. Imhotep (Guest)

    David H. Lipman wrote:

    > From: "Art" <>
    >
    > the consensus was that no known malware infects the BIOS.
    > |
    >>> Based upon my studying both viruses and hardware I can't see how
    >>> it is possible.

    > |
    > | Why? You can download BIOS updates and reflash.
    > |
    >
    >
    > They are specifically written by the hardware manufacturer for a specific
    > motherboard using a
    > specific type of flashable RAM or programmable ROM. That is one thing, but
    > to insert code and have the BIOS still functional seems a bit far
    > fetched.
    >


    I do not think they are all *that* diverse. I am not a hardware person
    though. Any electric engineers/BIOS software people out there wish to
    comment?

    Imhotep
     
    Imhotep, Sep 20, 2005
    #5
  6. Jim Watt (Guest)

    On Tue, 20 Sep 2005 01:38:55 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >From: "Art" <>
    >
    >the consensus was that no known malware infects the BIOS.
    >|
    >>> Based upon my studying both viruses and hardware I can't see how
    >>> it is possible.

    >|
    >| Why? You can download BIOS updates and reflash.
    >|
    >
    >
    >They are specifically written by the hardware manufacturer for a specific motherboard using a
    >specific type of flashable RAM or programmable ROM. That is one thing, but to insert code
    >and have the BIOS still functional seems a bit far fetched.


    There is the possibility of doing it, and generally when something can
    be done, sooner or later it will.

    The problem of being machine model specific could be a plus point,
    lets say someone has a grudge against Dell, who have a large user
    base. A general virus which detects which machine its on and
    initiates a destructive action on that model but simply spreads on
    other machines is viable.

    Some years ago we had a virus, CIH I think, which flashed the
    BIOS on some machines. It's a small leap from overwriting it with
    garbage to reading an image into memory, adding some code and
    rewriting it. There's enough space there for additions.

    Let's hope the RIAA and friends do not devise a program to
    flash our CD and DVD writers so they refuse to copy pressed
    disks ...
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 20, 2005
    #6
  7. From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

    | http://research.microsoft.com/rootkit/
    |
    | States the following...
    | "Note: there will be some false positives. Also, this does not detect stealth software
    | that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc. "
    |
    | We have discussed the possibility of infecting a BIOS over and over and the consensus has
    | been that it is not possible. Based upon my studying both viruses and hardware I can't see
    | how it is possible. Yet the above Microsoft web site on a RootKit Detector indicates
    | "...stealth software that hides in BIOS, Video card EEPROM".
    |
    | From what I believe to be true, this is faux information and pure FUD.
    |
    | If anyone has specific information (backed by authoritative URLs such as from the IEEE or
    | some other organization) I welcome the replies. Both PRO and CON for the above statement.
    |
    | --
    | Dave
    | http://www.claymania.com/removal-trojan-adware.html
    | http://www.ik-cs.com/got-a-virus.htm
    |

    Matt Braverman of Microsoft replied thusly...

    "This is a completely theoretical and academic infection vector (note the
    "may hide" part of that segment). There are no known cases of malware that
    infect the BIOS and / or EEPROM."

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Sep 20, 2005
    #7
  8. From: "Jim Watt" <_way>


    |
    | There is the possibility of doing it, and generally when something can
    | be done, sooner or later it will.
    |
    | The problem of being machine model specific could be a plus point,
    | lets say someone has a grudge against Dell, who have a large user
    | base. A general virus which detects which machine its on and
    | initiates a destructive action on that model but simply spreads on
    | other machines is viable.
    |
    | Some years ago we had a virus, CIH I think, which flashed the
    | BIOS on some machines. It's a small leap from overwriting it with
    | garbage to reading an image into memory, adding some code and
    | rewriting it. There's enough space there for additions.
    |
    | Let's hope the RIAA and friends do not devise a program to
    | flash our CD and DVD writers so they refuse to copy pressed
    | disks ...
    | --
    | Jim Watt
    | http://www.gibnet.com

    Small leap ?

    No, it would be a humongous leap from wiping or corrupting a BIOS to infecting a BIOS and/or
    hiding in free space in the BIOS. The technical aspects of the chip type, size, and
    programming make it an extremely difficult endeavour.

    Peripheral BIOS would have even greater hurdles to overcome. In theory it sounds viable but
    in reality it is a far fetched assumption and to date, none have succeeded in infecting a BIOS
    and still leaving it viable or storing itself in unused space.

    Matt Braverman of Microsoft confirmed that the text of the URL I cited "...is a completely
    theoretical and academic infection vector..."

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Sep 20, 2005
    #8
  9. Art (Guest)

    On Tue, 20 Sep 2005 10:51:10 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >Matt Braverman of Microsoft replied thusly...
    >
    >"This is a completely theoretical and academic infection vector (note the
    >"may hide" part of that segment). There are no known cases of malware that
    >infect the BIOS and / or EEPROM."


    What you're not considering is an "insider" job ... someone working for
    a BIOS vendor creating and spreading infested "updates".

    Art

    http://home.epix.net/~artnpeg
     
    Art, Sep 20, 2005
    #9
  10. nemo_outis (Guest)

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news:dgIXe.6951$nV1.1668@trnddc06:

    > http://research.microsoft.com/rootkit/
    >
    > States the following...
    > "Note: there will be some false positives. Also, this does not detect
    > stealth software that hides in BIOS, Video card EEPROM, disk bad
    > sectors, Alternate Data Streams, etc. "
    >
    > We have discussed the possibility of infecting a BIOS over and over
    > and the consensus has been that it is not possible. Based upon my
    > studying both viruses and hardware I can't see how it is possible.
    > Yet the above Microsoft web site on a RootKit Detector indicates
    > "...stealth software that hides in BIOS, Video card EEPROM".
    >
    > From what I believe to be true, this is faux information and pure FUD.
    >
    > If anyone has specific information (backed by authoritative URLs such
    > as from the IEEE or some other organization) I welcome the replies.
    > Both PRO and CON for the above statement.
    >



    It would certainly be possible - although a lot of work - to manually
    "infect" the BIOS if one has physical access to the machine. Flashing the
    BIOS is easy - the tedious part would be generating a rewritten BIOS with
    hidden features to use for the flash.

    While it was quite primitive and only worked on some old-fashioned 486
    machines, the Chernobyl virus *did* reflash the BIOS (trashing it rather
    than substituting different BIOS code).

    Regards,
     
    nemo_outis, Sep 20, 2005
    #10
  11. From: "Art" <>


    |
    | What you're not considering is an "insider" job ... someone working for
    | a BIOS vendor creating and spreading infested "updates".
    |
    | Art
    |
    | http://home.epix.net/~artnpeg

    Updates for what ?

    Let's say it is a particular vendor like ASUS. It wouldn't be for all motherboards. At best
    one. Even still, there's a wide variety of flashable RAM chips that may be used. Which
    chip? Would it even pass a CRC checksum by the flashing program?

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Sep 20, 2005
    #11
  12. Art (Guest)

    On Tue, 20 Sep 2005 14:53:31 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >From: "Art" <>
    >
    >
    >|
    >| What you're not considering is an "insider" job ... someone working for
    >| a BIOS vendor creating and spreading infested "updates".
    >|
    >
    >Updates for what ?
    >
    >Let's say it is a particular vendor like ASUS. It wouldn't be for all motherboards. At best
    >one. Even still, there's a wide variety of flashable RAM chips that may be used. Which
    >chip? Would it even pass a CRC checksum by the flashing program?


    Haven't you ever downloaded a BIOS update and reflashed a BIOS? How
    would/did you know it wasn't infested? Presumably an insider job would
    pass the checksum test.

    Art

    http://home.epix.net/~artnpeg
     
    Art, Sep 20, 2005
    #12
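The exchange above turns on two questions: whether a modified image would "pass a CRC checksum by the flashing program" (#11) and how a user who reflashes from a download "would/did know it wasn't infested" (#12). The script below is an added illustration, not code from the thread, from Microsoft, or from any BIOS vendor. It builds a constructed 64 KiB image with an assumed 0xFF-filled unused region, applies the two integrity checks a flashing utility commonly relies on (a byte sum that must come to zero, as used for option ROMs, and a CRC-32 shipped beside the file), and then a keyed tag (HMAC-SHA256 with a constructed key) standing in for a vendor signature. The image layout, the region offsets and the key are all assumptions for the example.

```python
"""Checksum versus signature on a constructed firmware image (added example)."""
import hashlib
import hmac
import zlib

IMAGE_SIZE = 64 * 1024
FREE_REGION = (48 * 1024, IMAGE_SIZE - 1)   # assumed unused, 0xFF-filled; last byte is the sum fix-up


def byte_sum_ok(image: bytes) -> bool:
    """Option-ROM style check: every byte summed must come to 0 modulo 256."""
    return sum(image) % 256 == 0


def fix_byte_sum(image: bytes) -> bytes:
    """Rewrite the final byte so the image passes byte_sum_ok()."""
    buf = bytearray(image)
    buf[-1] = 0
    buf[-1] = (-sum(buf)) % 256
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed image: pseudo-random 'code', 0xFF padding, one checksum byte."""
    body = hashlib.sha256(b"constructed vendor image").digest() * (FREE_REGION[0] // 32)
    padding = b"\xff" * (FREE_REGION[1] - FREE_REGION[0])
    image = body + padding + b"\x00"
    assert len(image) == IMAGE_SIZE
    return fix_byte_sum(image)


def crc32(image: bytes) -> int:
    """CRC-32 as a flashing tool might ship alongside the file."""
    return zlib.crc32(image) & 0xFFFFFFFF


def crc_ok(image: bytes, stored_crc: int) -> bool:
    return crc32(image) == stored_crc


def add_to_free_space(image: bytes, extra: bytes) -> bytes:
    """Write inert filler bytes into the 0xFF region and re-fix the byte sum.

    Refuses if the region is not actually unused or the filler does not fit.
    """
    start, end = FREE_REGION
    if len(extra) > end - start:
        raise ValueError("filler does not fit in the free region")
    if any(b != 0xFF for b in image[start:end]):
        raise ValueError("free region is not free")
    buf = bytearray(image)
    buf[start:start + len(extra)] = extra
    return fix_byte_sum(bytes(buf))


def sign(image: bytes, key: bytes) -> bytes:
    """Keyed tag as a stand-in for a vendor signature (assumption: HMAC-SHA256)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify(image: bytes, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign(image, key), tag)


def scenario() -> dict:
    """Run the three checks against the original image and a modified copy."""
    vendor_key = b"constructed-vendor-key"      # assumed to be held by the vendor only
    original = build_sample_image()
    shipped_crc = crc32(original)
    shipped_tag = sign(original, vendor_key)

    modified = add_to_free_space(original, b"ADDED-BYTES")   # inert filler, not code

    return {
        "modified_differs": modified != original,
        "byte_sum_passes": byte_sum_ok(modified),                      # True: fix-up byte absorbs the change
        "stale_crc_passes": crc_ok(modified, shipped_crc),             # False: CRC catches accidental change
        "recomputed_crc_passes": crc_ok(modified, crc32(modified)),    # True: whoever edits the file recomputes it
        "vendor_tag_passes": verify(modified, shipped_tag, vendor_key),          # False
        "outsider_tag_passes": verify(modified, sign(modified, b"guess"), vendor_key),  # False: no key
        "insider_tag_passes": verify(modified, sign(modified, vendor_key), vendor_key),  # True: Art's insider
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:24} {result}")
```

The byte sum and the CRC detect corruption, not tampering: anyone who can edit the image can make both pass again. The keyed tag is the only check an outsider cannot satisfy, and it is exactly the check an insider with the vendor's key can still satisfy, which is the point Art is making.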
  13. David H. Lipman, Sep 20, 2005
    #13
  14. Art (Guest)

    On Tue, 20 Sep 2005 20:19:46 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >From: "Art" <>
    >
    >
    >|
    >| Haven't you ever downloaded a BIOS update and reflashed a BIOS? How
    >| would/did you know it wasn't infested? Presumably an insider job would
    >| pass the checksum test.
    >|


    >I get them directly from a trusted location.


    That's obviously the best bet but the point is that it's still a
    gamble. You were insisting that it's impossible. I'm simply pointing
    out that it's not impossible, however unlikely it might be.

    Art

    http://home.epix.net/~artnpeg
     
    Art, Sep 20, 2005
    #14
  15. Sugien (Guest)

    "Art" <> wrote in message
    news:...
    > On Tue, 20 Sep 2005 20:19:46 GMT, "David H. Lipman"
    > <DLipman~nospam~@Verizon.Net> wrote:
    >
    >>From: "Art" <>
    >>
    >>
    >>|
    >>| Haven't you ever downloaded a BIOS update and reflashed a BIOS? How
    >>| would/did you know it wasn't infested? Presumably an insider job would
    >>| pass the checksum test.
    >>|

    >
    >>I get them directly from a trusted location.

    >
    > That's obviously the best bet but the point is that it's still a
    > gamble. You were insisting that it's impossible. I'm simply pointing
    > out that it's not impossible, however unlikely it might be.
    >

    IMHO, the more techs say something is impossible, the more likely someone
    will take up the challenge to prove them wrong. Some of the same techs and
    those in the know said it was impossible to get any type of infection or
    malware by *only* reading an email. Of course they had to eat their words
    after Melissa; but some tried to even wiggle out of that by saying they
    meant to qualify what they had said, in as much that they were trying to say
    that simply reading a message in plain text format was impossible;
    but to me that is as much a worm wiggle as what I get accused of; but I was
    and am far more innocent of the worm wiggling charge than they, lol.

    I would have to guess that as a part of the development of such a BIOS
    infecting virus or malware an intermediate step may be to store parts of the
    virus/malware in the unused portions of the chip housing the BIOS program.
    Maybe hiding the portions of the virus which AV products detect, thereby
    avoiding detection. AFAIK no known AV product checks the BIOS for viruses or
    malware, and if a virus/malware is created which is detected by AV products,
    the creator of the offending software, instead of completely rewriting the
    virus/malware to avoid detection, could simply have the virus/malware hide
    the portions the AV software is keying on in the BIOS.
    --
    From the Desk of Sugien
    /}
    @###{ ]::::::Dino-Soft Software::::::>
    \}
     
    Sugien, Sep 20, 2005
    #15
  16. From: "Art" <>


    |
    | That's obviously the best bet but the point is that it's still a
    | gamble. You were insisting that it's impossible. I'm simply pointing
    | out that it's not impossible, however unlikely it might be.
    |
    | Art
    |
    | http://home.epix.net/~artnpeg

    Examine the concept of an infected BIOS. The BIOS (Basic Input-Output System) is the
    middleware between a given motherboard's chipset and an Operating System. The OS looks for
    specific routines to access such things as the hard disk, floppy, real-time clock, USB, etc.
    The question is, if the BIOS could be infected, what could "it" do. That is, being
    middleware and not a high level or even a low level language but a series of routines to
    interface hardware through system calls.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Sep 20, 2005
    #16
  17. Art (Guest)

    On Tue, 20 Sep 2005 20:57:01 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >From: "Art" <>
    >
    >
    >|
    >| That's obviously the best bet but the point is that it's still a
    >| gamble. You were insisting that it's impossible. I'm simply pointing
    >| out that it's not impossible, however unlikely it might be.
    >|
    >| Art
    >|
    >| http://home.epix.net/~artnpeg
    >
    >Examine the concept of an infected BIOS. The BIOS (Basic Input-Output System) is the
    >middleware between a given motherboard's chipset and an Operating System. The OS looks for
    >specific routines to access such things as the hard disk, floppy, real-time clock, USB, etc.
    >The question is, if the BIOS could be infected, what could "it" do. That is, being
    >middleware and not a high level or even a low level language but a series of routines to
    >interface hardware through system calls.


    That's a no-brainer. It could do many kinds of different damage to a
    hard drive, including making it unusable without a reformat. Even
    something as simple as refusing to boot and just hanging in an infinite
    loop is an example.

    Art

    http://home.epix.net/~artnpeg
     
    Art, Sep 20, 2005
    #17
  18. David H. Lipman, Sep 20, 2005
    #18
  19. Art (Guest)

    On Tue, 20 Sep 2005 21:57:58 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >From: "Art" <>
    >
    >
    >|
    >| That's a no-brainer. It could do many kinds of different damage to a
    >| hard drive, including making it unusable without a reformat. Even
    >| something as simple as refusing to boot and just hanging in an infinite
    >| loop is an example.
    >|
    >I can't see a vendor releasing a BIOS that did not pass a quality control check.


    The bad guy might work in the QC dept. :) Trust no one!

    Art

    http://home.epix.net/~artnpeg
     
    Art, Sep 20, 2005
    #19
  20. David H. Lipman wrote:

    > | That's a no-brainer. It could do many kinds of different damage to a
    > | hard drive, including making it unusable without a reformat. Even
    > | something as simple as refusing to boot and just hanging in an infinite
    > | loop is an example.
    > |
    > | Art
    > |
    > | http://home.epix.net/~artnpeg
    >
    > I can't see a vendor releasing a BIOS that did not pass a quality control
    > check.
    >

    I can't see a major hard drive manufacturer releasing thousands of hard
    drives with a boot sector infector preinstalled.

    But it happened. :)

    --
    Outside of a dog, a book is a man's best friend.
    Inside of a dog, it's too dark to read.
    -Marx
     
    Jeffrey F. Bloss, Sep 20, 2005
    #20
