Rootkits Installable in BIOS

Discussion in 'Computer Security' started by nemo_outis, Jan 27, 2006.

  1. nemo_outis

    nemo_outis Guest

    Fascinating article about how rootkits may be installed in the BIOS.

    http://www.securityfocus.com/news/11372

    Regards,

    PS I think this confirms my recent post on the feasibility of capturing
    passwords for full HD OTFE encryption by installing a keylogger in the
    BIOS.
    nemo_outis, Jan 27, 2006
    #1

  2. nemo_outis

    Gogarty Guest

    In article <Xns97585D4616CAFabcxyzcom@127.0.0.1>, says...
    >
    >
    >Fascinating article about how rootkits may be installed in the BIOS.
    >
    >http://www.securityfocus.com/news/11372
    >
    >Regards,
    >
    >PS I think this confirms my recent post on the feasibility of capturing
    >passwords for full HD OTFE encryption by installing a keylogger in the
    >BIOS.
    >

    You need to associate the password with a key file which the key logger
    cannot detect. Easy to lose the key file if it comes to that. Which is also
    the hazard of keyfiles. Oops!
    Gogarty, Jan 27, 2006
    #2

  3. nemo_outis

    nemo_outis Guest

    Gogarty <> wrote in
    news::

    > In article <Xns97585D4616CAFabcxyzcom@127.0.0.1>, says...
    >>
    >>
    >>Fascinating article about how rootkits may be installed in the BIOS.
    >>
    >>http://www.securityfocus.com/news/11372
    >>
    >>Regards,
    >>
    >>PS I think this confirms my recent post on the feasibility of
    >>capturing passwords for full HD OTFE encryption by installing a
    >>keylogger in the BIOS.
    >>

    > You need to associate the password with a key file which the key
    > logger cannot detect. Easy to lose the key file if it comes to that.
    > Which is also the hazard of keyfiles. Oops!
    >
    >


    No, the problem is considerably more serious than that. For instance, if I
    install a custom rootkit in the BIOS I can, in principle, completely pass
    over the input of the key, whether by keyboard, token or whatever, and
    sniff the key directly in RAM!

    Regards,
    nemo_outis, Jan 27, 2006
    #3
  4. nemo_outis

    Gogarty Guest

    In article <Xns97586462423ADabcxyzcom@127.0.0.1>, says...
    >


    >No, the problem is considerably more serious than that. For instance, if I
    >install a custom rootkit in the BIOS I can, in principle, completely pass
    >over the input of the key, whether by keyboard, token or whatever, and
    >sniff the key directly in RAM!
    >

    I defer to your superior knowledge in this field. Our computers are
    faithless traitors. We entrust them with our secrets and they promptly
    regurgitate all they know to the first floozy that comes along.
    Gogarty, Jan 27, 2006
    #4
  5. nemo_outis

    nemo_outis Guest

    Gogarty <> wrote in
    news::

    > In article <Xns97586462423ADabcxyzcom@127.0.0.1>, says...
    >>

    >
    >>No, the problem is considerably more serious than that. For instance,
    >>if I install a custom rootkit in the BIOS I can, in principle,
    >>completely pass over the input of the key, whether by keyboard, token
    >>or whatever, and sniff the key directly in RAM!
    >>

    > I defer to your superior knowledge in this field. Our computers are
    > faithless traitors. We entrust them with our secrets and they promptly
    > regurgitate all they know to the first floozy that comes along.
    >
    >


    For the moment the risk is entirely hypothetical; it is far easier to use a
    hardware keylogger under most circumstances in which one could install a
    rootkit keylogger on a full-OTFE HD.

    However, it is wise to be aware of incipient or developing risks as well as
    more immediate ones.

    Regards,
    nemo_outis, Jan 27, 2006
    #5
  6. "nemo_outis" <> wrote in message
    news:Xns97586462423ADabcxyzcom@127.0.0.1...
    > No, the problem is considerably more serious than that. For instance, if I
    > install a custom rootkit in the BIOS I can, in principle, completely pass
    > over the input of the key, whether by keyboard, token or whatever, and
    > sniff the key directly in RAM!


    Normally once Windows has loaded the BIOS is doing very little, proper
    drivers designed for a multi-tasking environment take over.

    --

    Brian Gregory. (In the UK)

    To email me remove the letter vee.
    Brian Gregory [UK], Jan 27, 2006
    #6
  7. nemo_outis

    nemo_outis Guest

    "Brian Gregory [UK]" <> wrote in
    news::

    > "nemo_outis" <> wrote in message
    > news:Xns97586462423ADabcxyzcom@127.0.0.1...
    >> No, the problem is considerably more serious than that. For instance,
    >> if I install a custom rootkit in the BIOS I can, in principle,
    >> completely pass over the input of the key, whether by keyboard, token
    >> or whatever, and sniff the key directly in RAM!

    >
    > Normally once Windows has loaded the BIOS is doing very little, proper
    > drivers designed for a multi-tasking environment take over.
    >



    Yes, the usual sequence is BIOS itself, in-memory image of BIOS, and then
    a handoff to Windows 32-bit drivers, etc. However, a compromised BIOS
    could subvert this handoff leaving itself still hooked in.

    Not that it need do so, of course. A compromised BIOS targeting the OTFE
    HD password entered at boot time could have performed its capture and
    stashed the data long before the 32-bit portion of Windows was running. It
    would gracefully relinquish control to Windows well-satisfied with its
    accomplishment :)

    Regards,

    PS. Compromising other BIOSs, such as the video BIOS, also remains a
    possibility.
    nemo_outis, Jan 27, 2006
    #7
  8. Gogarty wrote:

    > In article <Xns97585D4616CAFabcxyzcom@127.0.0.1>, says...
    >>
    >>
    >>Fascinating article about how rootkits may be installed in the BIOS.
    >>
    >>http://www.securityfocus.com/news/11372
    >>
    >>Regards,
    >>
    >>PS I think this confirms my recent post on the feasibility of capturing
    >>passwords for full HD OTFE encryption by installing a keylogger in the
    >>BIOS.
    >>

    > You need to associate the password with a key file which the key logger
    > cannot detect. Easy to lose the key file if it comes to that. Which is
    > also the hazard of keyfiles. Oops!


    In the scenario at hand there either is no key file, or it will be copied
    when the drive is imaged. Assuming no "smart card" or challenge-response
    scenario as nemo and I have already discussed.

    It all breaks down to the (again) stated fact that OTFE can easily fail
    where physical security is lax or as it is in this scenario, essentially
    nonexistent.
    George Orwell, Jan 28, 2006
    #8
  9. Brian Gregory [UK] wrote:

    > "nemo_outis" <> wrote in message
    > news:Xns97586462423ADabcxyzcom@127.0.0.1...
    >> No, the problem is considerably more serious than that. For instance, if
    >> I install a custom rootkit in the BIOS I can, in principle, completely
    >> pass over the input of the key, whether by keyboard, token or whatever,
    >> and sniff the key directly in RAM!

    >
    > Normally once Windows has loaded the BIOS is doing very little, proper
    > drivers designed for a multi-tasking environment take over.


    That's because a normal BIOS willingly hands over control. It's not
    necessary for it to be that way. The only confines that determine what
    BIOS code can do are the limited space BIOS is stored in, the fact that if
    it doesn't hand over at least an illusion of control it's useless, and the
    imagination of the attacker that installs a trojanized version of your
    BIOS code. ;-)
    Borked Pseudo Mailed, Jan 28, 2006
    #9
  10. nemo_outis

    traveler 66 Guest

    On 27 Jan 2006 16:10:19 GMT, nemo_outis wrote:

    > Fascinating article about how rootkits may be installed in the BIOS.
    >
    > http://www.securityfocus.com/news/11372
    >
    > Regards,
    >
    > PS I think this confirms my recent post on the feasibility of capturing
    > passwords for full HD OTFE encryption by installing a keylogger in the
    > BIOS.


    Yes it does, I hope one of the anti-virus companies finds a solution for
    this soon.
    traveler 66, Jan 28, 2006
    #10
  11. traveler 66 wrote:

    >> Fascinating article about how rootkits may be installed in the BIOS.
    >>
    >> http://www.securityfocus.com/news/11372
    >>
    >> Regards,
    >>
    >> PS I think this confirms my recent post on the feasibility of
    >> capturing passwords for full HD OTFE encryption by installing a
    >> keylogger in the BIOS.

    >
    > Yes it does, I hope one of the anti-virus companies finds a solution for
    > this soon.


    By all means do tell us how an anti-virus software company is supposed to
    in any way reliably address a corrupt BIOS that does its evil deeds long
    before that software can even be run. Explain how it's going to survive a
    piece of "firmware" that has direct control of how the operating system
    loads, and memory and devices are seen and accessed.

    And while you're at it, take a stab at how software is going to correct a
    problem that has very hardware-specific access control and solutions, even
    if it could detect such a problem reliably.

    Do you really even understand what BIOS is?
    George Orwell, Jan 28, 2006
    #11
  12. nemo_outis

    traveler 66 Guest

    George Orwell wrote:
    > traveler 66 wrote:
    >
    >
    >>>Fascinating article about how rootkits may be installed in the BIOS.
    >>>
    >>>http://www.securityfocus.com/news/11372
    >>>
    >>>Regards,
    >>>
    >>>PS I think this confirms my recent post on the feasibility of
    >>>capturing passwords for full HD OTFE encryption by installing a
    >>>keylogger in the BIOS.

    >>
    >>Yes it does, I hope one of the anti-virus companies finds a solution for
    >>this soon.

    >
    >
    > By all means do tell us how an anti-virus software company is supposed to
    > in any way reliably address a corrupt BIOS that does its evil deeds long
    > before that software can even be run. Explain how it's going to survive a
    > piece of "firmware" that has direct control of how the operating system
    > loads, and memory and devices are seen and accessed.
    >
    > And while you're at it, take a stab at how software is going to correct a
    > problem that has very hardware-specific access control and solutions, even
    > if it could detect such a problem reliably.
    >
    > Do you really even understand what BIOS is?


    I should have posted more clearly, I meant root kits in general, not
    just the type mentioned here.
    traveler 66, Jan 28, 2006
    #12
  13. nemo_outis

    Gogarty Guest

    I am a bit confused here. Does the root kit in the BIOS only function while
    the BIOS is in boot up and before it hands control to the operating system?
    If that is so, how does it compromise an OTFE hard disk? I should think the
    key logger would have to be active at all times. My OTFE disk does not run
    all the time and only runs when I type in the password, which would be long
    after the BIOS has done its thing. It is most unlikely that anyone could ever
    install a hardware key logger on my system and software ones are soon found
    and removed. Which leads me to ask: why is anyone putting key loggers on my
    system? They do turn up from time to time along with other adware and
    spyware.
    Gogarty, Jan 28, 2006
    #13
  14. nemo_outis

    nemo_outis Guest

    Gogarty <> wrote in
    news::

    > I am a bit confused here. Does the root kit in the BIOS only function
    > while the BIOS is in boot up and before it hands control to the
    > operating system? If that is so, how does it compromise an OTFE hard
    > disk? I should think the key logger would have to be active at all
    > times. My OTFE disk does not run all the time and only runs when I
    > type in the password, which would be long after the BIOS has done its
    > thing. It is most unlikely that anyone could ever install a hardware
    > key logger on my system and software ones are soon found and removed.
    > Which leads me to ask: why is anyone putting key loggers on my system?
    > They do turn up from time to time along with other adware and spyware.
    >
    >



    Different type of OTFE application - you're thinking about
    partition/container-file encryption (e.g., Truecrypt) while I'm talking
    about *full* HD OTFE encryption (e.g., Compusec).

    The password for full HD encryption is entered very early in the boot
    process and a compromised BIOS could, in principle, capture the password
    (or the key itself), stash it somewhere, and then let the rest of the boot
    and user session proceed normally. The adversary would surreptitiously
    "harvest" the captured password later when the computer was unattended.

    Regards,

    PS As for your "software ones are soon found and removed" that is a very
    rash statement. In principle, a rootkit can be absolutely undetectable by
    any program on the compromised system - the rootkit could only be detected
    by booting from known-good media (e.g., CD or USB). That current rootkits
    can sometimes be detected by software on the compromised system (e.g., by
    an AV program) only indicates that - so far - they have been imperfectly
    implemented.
    nemo_outis, Jan 28, 2006
    #14
  15. nemo_outis

    Gogarty Guest

    In article <Xns9759635A8229Babcxyzcom@204.153.244.170>, says...
    >
    >
    >Gogarty <> wrote in
    >news::
    >
    >> I am a bit confused here. Does the root kit in the BIOS only function
    >> while the BIOS is in boot up and before it hands control to the
    >> operating system? If that is so, how does it compromise an OTFE hard
    >> disk? I should think the key logger would have to be active at all
    >> times. My OTFE disk does not run all the time and only runs when I
    >> type in the password, which would be long after the BIOS has done its
    >> thing. It is most unlikely that anyone could ever install a hardware
    >> key logger on my system and software ones are soon found and removed.
    >> Which leads me to ask: why is anyone putting key loggers on my system?
    >> They do turn up from time to time along with other adware and spyware.
    >>
    >>

    >
    >
    >Different type of OTFE application - you're thinking about
    >partition/container-file encryption (e.g., Truecrypt) while I'm talking
    >about *full* HD OTFE encryption (e.g., Compusec).
    >
    >The password for full HD encryption is entered very early in the boot
    >process and a compromised BIOS could, in principle, capture the password
    >(or the key itself), stash it somewhere, and then let the rest of the boot
    >and user session proceed normally. The adversary would surreptitiously
    >"harvest" the captured password later when the computer was unattended.
    >
    >Regards,
    >
    >PS As for your "software ones are soon found and removed" that is a very
    >rash statement. In principle, a rootkit can be absolutely undetectable by
    >any program on the compromised system - the rootkit could only be detected
    >by booting from known-good media (e.g., CD or USB). That current rootkits
    >can sometimes be detected by software on the compromised system (e.g., by
    >an AV program) only indicates that - so far - they have been imperfectly
    >implemented.
    >

    Thank you. Glad to have people like you around who really know what they
    are talking about.
    Gogarty, Jan 28, 2006
    #15
  16. On Sat, 28 Jan 2006 12:01:54 -0500, Gogarty wrote:

    > Thank you. Glad to have people like you around who really know what they
    > are talking about.


    You're welcome. Damn near anything nemo knows, he learned from me. :)
    --
    Drop the alphabet for email
    Ari Silverstein, Jan 28, 2006
    #16
  17. -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    In article <lqke4jz4eotr.1sg0f2civvyl8$>
    traveler 66 <> wrote:
    >
    > On 27 Jan 2006 16:10:19 GMT, nemo_outis wrote:
    >
    > > Fascinating article about how rootkits may be installed in the BIOS.
    > >
    > > http://www.securityfocus.com/news/11372
    > >
    > > Regards,
    > >
    > > PS I think this confirms my recent post on the feasibility of capturing
    > > passwords for full HD OTFE encryption by installing a keylogger in the
    > > BIOS.

    >
    > Yes it does, I hope one of the anti-virus companies finds a solution for
    > this soon.


    Personally, I'd rather see something like spybot, Ad-Aware or A-Squared
    incorporate detection for this kind of thing.


    *Crash Override
    - --
    A: Maybe because some people are too annoyed by top-posting.
    Q: Why do I not get an answer to my question(s)?
    A: Because it messes up the order in which people normally read text.
    Q: Why is top-posting such a bad thing?

    Crash Override, Jan 30, 2006
    #17
  18. nemo_outis

    nemo_outis Guest

    "Crash Override" <> wrote in
    news::

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA256
    >
    > In article <lqke4jz4eotr.1sg0f2civvyl8$>
    > traveler 66 <> wrote:
    >>
    >> On 27 Jan 2006 16:10:19 GMT, nemo_outis wrote:
    >>
    >> > Fascinating article about how rootkits may be installed in the
    >> > BIOS.
    >> >
    >> > http://www.securityfocus.com/news/11372
    >> >
    >> > Regards,
    >> >
    >> > PS I think this confirms my recent post on the feasibility of
    >> > capturing passwords for full HD OTFE encryption by installing a
    >> > keylogger in the BIOS.

    >>
    >> Yes it does, I hope one of the anti-virus companies finds a solution
    >> for this soon.

    >
    > Personally, I'd rather see something like spybot, Ad-Aware or
    > A-Squared incorporate detection for this kind of thing.
    >



    I have greater faith in Russinovich of sysinternals:

    http://www.sysinternals.com/Utilities/RootkitRevealer.html

    For instance, the widestep elite keylogger uses a kernel-level rootkit to
    conceal itself. Yes, it can now be detected (by only a few!) but it had a
    pretty good run before that, making it one of the better software
    keyloggers (if one can use "better" in conjunction with such despicable
    spyware). Now imagine what the NSA could do.

    Regards,
    nemo_outis, Jan 30, 2006
    #18
  19. nemo_outis

    Roger Parks Guest

    Ironically, a compromised bios could give new life to this and other
    rootkits.

    RootkitRevealer, Adinf, and other single-OS integrity checkers compare
    logical I/O from the OS, with physical I/O via the BIOS. And a tweaked
    bios could be changed to substitute information (or eliminate it
    altogether) so as to match the logical I/O.

    The challenge here, imho, is to get an unprivileged, WAN-connected
    process (e.g. browser, or browser extension) to either flash a bios, or
    successfully issue ACPI commands. This might be done through a
    privilege escalation following a buffer overflow of some sort, a
    wmf-type bug, or perhaps through a compromised extension!?

    --
    Vista error#4711: TCPA / RIAA / NGSCP VIOLATION: Microsoft optical
    mouse detected Linux patterns on mousepad. Partition scan in progress to
    remove offending, unapproved products. Request permission, and apply for
    a new key to reactivate MS software at www.ms.com
    Roger Parks, Jan 31, 2006
    #19
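The cross-view comparison Roger describes (logical I/O from the OS against raw I/O via the BIOS), together with nemo's point in #14 that a well-hidden rootkit is only caught from known-good media, modelled as an added example. This is not code from the thread, from RootkitRevealer or from Adinf; the file names, the hiding rule and the three "views" are constructed for illustration.

```python
from typing import Callable, FrozenSet, Optional

# Constructed sample data: the true set of entries on the disk.
# Paths are hypothetical and exist only for this illustration.
TRUE_DISK_ENTRIES: FrozenSet[str] = frozenset({
    "C:/Windows/System32/ntoskrnl.exe",
    "C:/Windows/System32/drivers/disk.sys",
    "C:/Windows/System32/drivers/keylog.sys",  # hypothetical hidden driver
    "C:/Users/gogarty/capture.dat",            # hypothetical stash of captured input
    "C:/Users/gogarty/notes.txt",
})

HidePredicate = Callable[[str], bool]


def rootkit_hides(path: str) -> bool:
    """Hiding rule of the hypothetical rootkit: drop its own files from any listing."""
    return "keylog" in path or "capture" in path


def logical_view(truth: FrozenSet[str], hide: HidePredicate) -> FrozenSet[str]:
    """Directory listing via the OS file API, after a kernel-level rootkit filters it."""
    return frozenset(p for p in truth if not hide(p))


def physical_view(truth: FrozenSet[str], bios_hide: Optional[HidePredicate]) -> FrozenSet[str]:
    """Raw on-disk structures read through firmware services on the running host.
    Honest firmware returns everything; a trojanized BIOS can apply the same
    filter, which is the failure mode the post describes."""
    if bios_hide is None:
        return truth
    return frozenset(p for p in truth if not bios_hide(p))


def cross_view_diff(high: FrozenSet[str], low: FrozenSet[str]) -> FrozenSet[str]:
    """Entries the low-level view reports that the high-level view lacks: the hidden set."""
    return low - high


def scan_running_host(bios_subverted: bool) -> FrozenSet[str]:
    """Integrity-checker style scan performed from inside the (possibly compromised) system."""
    high = logical_view(TRUE_DISK_ENTRIES, rootkit_hides)
    low = physical_view(TRUE_DISK_ENTRIES, rootkit_hides if bios_subverted else None)
    return cross_view_diff(high, low)


def scan_from_known_good_media(listing_from_running_host: FrozenSet[str]) -> FrozenSet[str]:
    """Offline check: read the disk from trusted boot media or on a trusted machine and
    compare against the listing the running OS produced earlier. Assumes the firmware
    performing the offline read is itself trustworthy."""
    offline = TRUE_DISK_ENTRIES  # nothing of the compromised system is running to filter this read
    return cross_view_diff(listing_from_running_host, offline)


if __name__ == "__main__":
    print("honest BIOS, rootkit in kernel :", sorted(scan_running_host(False)))
    print("trojanized BIOS hides the same :", sorted(scan_running_host(True)))
    exported = logical_view(TRUE_DISK_ENTRIES, rootkit_hides)
    print("offline from known-good media  :", sorted(scan_from_known_good_media(exported)))
```

With an honest BIOS the two in-system views disagree on exactly the hidden files; once the firmware applies the same filter the discrepancy vanishes and only the offline comparison still surfaces them.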
  20. "Borked Pseudo Mailed" <> wrote in message
    news:...
    > That's because a normal BIOS willingly hands over control. It's not
    > necessary for it to be that way.


    How would that work in practise?

    --

    Brian Gregory. (In the UK)

    To email me remove the letter vee.
    Brian Gregory [UK], Feb 1, 2006
    #20
