Firmware Rootkits - detection 'tool' available?

Discussion in 'Computer Security' started by ~BD~, Sep 18, 2009.

  1. ~BD~ Guest

    I asked this question in the two 'security' newsgroups to which I now
    crosspost.

    "Is there *any* tool which can identify a rootkit on a ROM chip?"

    I received an answer which said ...........


    I believe Firmware rootkits are rare - but *I* think that they should *not*
    be dismissed.

    Read : http://www.ngssoftware.com/research/papers/BH-DC-07-Heasman.pdf

    So, should I simply accept Mr Lipman's word that the subject is irrelevant?
    I'd really like to know if there is *any* way that someone could identify
    that the firmware on their machine had been infected (in other words, remain
    infected even if a new hard disk was installed).

    *Is* there a detection tool? That remains my question.

    Pure FUD? I think not!
     
    ~BD~, Sep 18, 2009
    #1

  2. §ñühw¤£f, Sep 18, 2009
    #2

  3. ~BD~ Guest

    "§ñühw¤£f" poses the question of 'flashing' the BIOS.

    I'm suggesting that if/when this action is carried out, it might well be
    possible to introduce malware to a system - which will remain for posterity.

    If I am right, I'm asking if there is any way that ordinary folk could ever
    find out the truth. *Is* there a way?
     
    ~BD~, Sep 19, 2009
    #3
  4. Todd H. Guest

    Dave,

    I think the short answer is no, i believe (though it's always hard to
    prove a negative). The technique is too new to have tamper detection
    commercially available.

    If you're worried, simply reflash your BIOS with an image from the
    manufacturer. And hope they haven't trojaned it themselves.

    #include <a_variety_of_global_sourcing_fears.h>
     
    Todd H., Sep 19, 2009
    #4
  5. From: "§ñühw¤£f" <>


    | Really? Have you ever flashed a BIOS?

    That's not ROM that's a form of EEPROM.
     
    David H. Lipman, Sep 19, 2009
    #5
  6. thanatoid Guest

    I just happen to have a rom.bin BIOS file handy and I just
    checked it with ESET NOD32. No problems. It came from the
    computer manuf. Now if someone wants to "stick" a virus into one
    and THEN run it through an A-V program again, we'll know if A-V
    programs can "do" BIOS ROM files.
     
    thanatoid, Sep 19, 2009
    #6
  7. nemo_outis Guest

    While you're worrying, you might want to worry about *other* BIOSes
    besides the motherboard one. For instance, video cards have a BIOS and
    many ethernet cards do as well (as do SCSI cards and other less common
    possibilities). In principle any of these could harbour malware.

    Regards,
     
    nemo_outis, Sep 19, 2009
    #7
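    The peripheral ROMs mentioned above (video, network, SCSI cards) are PCI
    expansion ROMs, the same image type the Heasman paper linked in the first
    post works with. As an added example, not code from this thread or from
    any vendor, here is a parser that walks the image chain in such a dump
    and checks the fields a practitioner would look at first. The layout
    (0x55AA signature, pointer at 0x18 to the "PCIR" structure, whole-image
    byte checksum for legacy x86 images) follows the PCI Firmware
    Specification; the sample ROM, its vendor/device IDs (0x1234/0x5678) and
    the PCIR offset 0x40 are constructed here and are not real hardware.

```python
"""Walk the image chain in a PCI expansion (option) ROM dump and sanity-check
each image.  Added example: the layout follows the PCI Firmware Specification;
the sample ROM is constructed below, not read from a real card."""
from __future__ import annotations
import struct

SIGNATURE = b"\x55\xAA"
CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}
PCIR_OFFSET = 0x40  # where the constructed images place their PCIR structure


def parse_option_rom(blob: bytes) -> list[dict]:
    """Return one record per image, following the chain until the last-image bit is set."""
    images, offset = [], 0
    while offset + 0x1A <= len(blob) and blob[offset:offset + 2] == SIGNATURE:
        pcir = offset + struct.unpack_from("<H", blob, offset + 0x18)[0]
        if pcir + 0x18 > len(blob) or blob[pcir:pcir + 4] != b"PCIR":
            images.append({"offset": offset, "error": "PCIR structure missing"})
            break
        vendor_id, device_id = struct.unpack_from("<HH", blob, pcir + 4)
        class_code = int.from_bytes(blob[pcir + 0x0D:pcir + 0x10], "little")
        length = struct.unpack_from("<H", blob, pcir + 0x10)[0] * 512
        code_type = blob[pcir + 0x14]
        last = bool(blob[pcir + 0x15] & 0x80)
        image = blob[offset:offset + length]
        images.append({
            "offset": offset,
            "length": length,
            "vendor_id": vendor_id,
            "device_id": device_id,
            "class_code": class_code,
            "code_type": CODE_TYPES.get(code_type, f"unknown({code_type})"),
            "last_image": last,
            "truncated": len(image) < length,
            # Only legacy x86 images carry the whole-image byte checksum.
            "checksum_ok": (sum(image) % 256 == 0) if code_type == 0 else None,
        })
        if last or length == 0:
            break
        offset += length
    return images


def build_legacy_image(vendor_id: int, device_id: int, class_code: int,
                       units: int = 2, last: bool = True) -> bytes:
    """Constructed x86 legacy image: header, PCIR, zero padding, checksum fixed up in the final byte."""
    img = bytearray(units * 512)
    img[0:2] = SIGNATURE
    img[2] = units                                  # image size in 512-byte units
    img[3:6] = b"\xCB\x90\x90"                      # entry point: retf, so init returns at once
    struct.pack_into("<H", img, 0x18, PCIR_OFFSET)
    p = PCIR_OFFSET
    img[p:p + 4] = b"PCIR"
    struct.pack_into("<HH", img, p + 4, vendor_id, device_id)
    struct.pack_into("<H", img, p + 0x0A, 0x18)     # PCIR structure length
    img[p + 0x0D:p + 0x10] = class_code.to_bytes(3, "little")
    struct.pack_into("<H", img, p + 0x10, units)    # image length in 512-byte units
    img[p + 0x14] = 0                               # code type 0 = x86 legacy
    img[p + 0x15] = 0x80 if last else 0x00          # bit 7 = last image in chain
    img[-1] = (-sum(img)) % 256                     # make the whole image sum to 0 mod 256
    return bytes(img)


def fix_checksum(image: bytes) -> bytes:
    """What a tamperer does after patching: re-zero the checksum via the final byte."""
    img = bytearray(image)
    img[-1] = 0
    img[-1] = (-sum(img)) % 256
    return bytes(img)


def tamper(rom: bytes, offset: int = 0x100, payload: bytes = b"\xEB\xFE") -> bytes:
    """Overwrite bytes in the first image's body without repairing the checksum."""
    return rom[:offset] + payload + rom[offset + len(payload):]


# Constructed two-image ROM with made-up vendor/device IDs, class 0x030000 (VGA).
SAMPLE_ROM = (build_legacy_image(0x1234, 0x5678, 0x030000, units=2, last=False)
              + build_legacy_image(0x1234, 0x5678, 0x030000, units=1, last=True))

if __name__ == "__main__":
    for rec in parse_option_rom(SAMPLE_ROM):
        print(rec)
    print("after tampering, checksum_ok =", parse_option_rom(tamper(SAMPLE_ROM))[0]["checksum_ok"])
```

    The checksum catches a careless patch but is not a security control:
    `fix_checksum` shows that whoever can write the ROM can also make it
    sum to zero again, so the useful check is a byte-for-byte comparison
    against the card vendor's image, not the checksum alone.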
  8. Todd H. Guest

    Writing signatures for a known issue in a BIOS ROM would be relatively
    straightforward with current signature-based file AV technology.

    That's not the same, however, as testing for malware in the system's
    current BIOS.
     
    Todd H., Sep 19, 2009
    #8
  9. thanatoid Guest

    (Todd H.) wrote in

    Well, you can SAVE your /current/ BIOS and then scan THAT,
    right?
    Unless an "entirely different and not detectable by normal AV
    programs type of malware" applies to BIOS chips.
     
    thanatoid, Sep 19, 2009
    #9
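    The two posts above describe the check that is actually practical today:
    save the current BIOS, then compare it to a known-good copy and scan it.
    As an added example, not code from this thread or from any AV vendor,
    here is what that comparison looks like once the dump is in hand. The
    reference image, the "implant" pattern and the settings region are all
    constructed in memory so the script runs offline; on a real machine the
    dump would come from a flash reader and the reference from the vendor's
    update package. Blocks inside a settings/NVRAM range are ignored, because
    those bytes legitimately differ from the vendor image on every machine.

```python
"""Compare a saved firmware dump against the vendor's reference image and scan
it for known byte patterns.  Added example, not from the thread: the dump and
reference here are constructed in memory."""
from __future__ import annotations
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_regions(reference: bytes, current: bytes, block_size: int = 4096,
                      ignore=()) -> list[tuple[int, int]]:
    """Return (offset, length) of contiguous block runs where current differs
    from reference.  Blocks that start inside an `ignore` range (settings /
    NVRAM areas that legitimately change) are treated as equal."""
    def ignored(off: int) -> bool:
        return any(start <= off < end for start, end in ignore)

    regions, run_start = [], None
    total = max(len(reference), len(current))
    for off in range(0, total, block_size):
        same = ignored(off) or reference[off:off + block_size] == current[off:off + block_size]
        if not same and run_start is None:
            run_start = off
        elif same and run_start is not None:
            regions.append((run_start, off - run_start))
            run_start = None
    if run_start is not None:
        regions.append((run_start, total - run_start))
    return regions


def scan_signatures(image: bytes, signatures: dict[str, bytes]) -> list[tuple[str, int]]:
    """Every offset at which a named byte pattern occurs (the file-AV style check)."""
    hits = []
    for name, pattern in signatures.items():
        idx = image.find(pattern)
        while idx != -1:
            hits.append((name, idx))
            idx = image.find(pattern, idx + 1)
    return hits


def assess(reference: bytes, current: bytes, signatures: dict[str, bytes], ignore=()) -> dict:
    """Combine the whole-image hash, the block diff and the signature scan into one report."""
    return {
        "size_match": len(reference) == len(current),
        "hash_match": sha256_hex(reference) == sha256_hex(current),
        "differing_regions": differing_regions(reference, current, ignore=ignore),
        "signature_hits": scan_signatures(current, signatures),
    }


# --- constructed sample data (not a real BIOS, not a real malware signature) ---
REFERENCE = bytes(range(256)) * 256            # 64 KiB stand-in for the vendor image
IMPLANT = b"\xEB\xFE" + b"DEMO-IMPLANT"         # made-up pattern used as the "known issue"
SETTINGS_REGION = (0xF000, 0x10000)             # pretend the last 4 KiB hold user settings


def make_infected_dump(reference: bytes = REFERENCE) -> bytes:
    """A dump that differs from the reference in one code block and one settings byte."""
    dump = bytearray(reference)
    dump[0x8000:0x8000 + len(IMPLANT)] = IMPLANT   # code region overwritten
    dump[0xF010] ^= 0xFF                            # one settings byte changed, as on any real machine
    return bytes(dump)


if __name__ == "__main__":
    report = assess(REFERENCE, make_infected_dump(), {"demo-implant": IMPLANT},
                    ignore=[SETTINGS_REGION])
    for key, value in report.items():
        print(f"{key}: {value}")
```

    One caveat for the "save your current BIOS" step: a dump taken from
    inside the running system is only as trustworthy as the firmware that
    system booted from, since code running at that level sits between the
    operating system and the flash chip. A read made with an external
    programmer on the chip itself does not have that problem, and that is
    the copy worth comparing against the vendor image.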
  10. From: "nemo_outis" <>



    | While you're worrying, you might want to worry about *other* BIOSes
    | besides the motherboard one. For instance, video cards have a BIOS and
    | many ethernet cards do as well (as do SCSI cards and other less common
    | possibilities). In principle any of these could harbour malware.

    | Regards,


    In principle but not yet in actuality.
     
    David H. Lipman, Sep 19, 2009
    #10
  11. David H. Lipman <[email protected]> pinched out a steaming
    Don't worry, we're working on it ;)


    --

    cageprisoners.com|www.snuhwolf.9f.com|www.eyeonpalin.org
    _____ ____ ____ __ /\_/\ __ _ ______ _____
    / __/ |/ / / / / // // . . \\ \ |\ | / __ \ \ \ __\
    _\ \/ / /_/ / _ / \ / \ \| \| \ \_\ \ \__\ _\
    /___/_/|_/\____/_//_/ \[email protected]_/ \__|\__|\____/\____\_\
     
    §ñühw¤£f, Sep 19, 2009
    #11
  12. nobody > <> pinched out a steaming pile
    Firmware Upgrade.

    Was the modem *designed* with an EEPROM? I'm thinking it wasn't.
    So when I downloaded a "flash modem tool" from USR and upgraded a modem
    with linux (it was pretty exciting btw and made me feel like I was a
    smarty) I bet it wasn't an EEPROM chip but a ROM chip.
    Or was I mistaken?
    Hmmmm...

     
    §ñühw¤£f, Sep 19, 2009
    #12
  13. From: "§ñühw¤£f" <>




    | Dont worry, we're working on it ;)

    I doubt you are :)

    But... I am sure some malicious actor is, but to date, nothing.
     
    David H. Lipman, Sep 19, 2009
    #13
  14. From: "§ñühw¤£f" <>

    | nobody > <> pinched out a steaming pile
    | posterity.


    | Firmware Upgrade.

    | Was the modem *designed* with an EEPROM? I'm thinking it wasnt.
    | So when I downloaded a "flash modem tool" from USR and upgraded a modem
    | with linux (it was pretty exciting btw and made me feel like I was a
    | smarty) I bet it wasnt an EEPROM chip but a ROM chip.
    | Or was I mistaken?
    | Hmmmm...

    Go back to the first chips. As noted you would "burn" code on a "Read Only Memory" chip
    by actually causing leads within the microchip to be burnt away like a burned out
    lightbulb. Then there were the EPROMs where ultraviolet light was used to "erase" what
    was stored in ROM. These are noted by their glass windows which would then be covered by
    a label indicating its function and application. Then there is the Electrically Erasable
    Programmable ROM which is more like the Flashable ROM we know today.

    BoaterDave is an idiot and he introduced FUD when he replied to someone in
    alt.computer.security with "However, have you considered that your BIOS may have
    been/could be infected? A whole new ball-game!"

    That's what started this because I replied...
    "Pure FUD.

    The BIOS is NOT infected and should not be considered to be infected or become possibly
    infected!"

    To date NO ONE has "infected" a BIOS. There have been malware attempts and when it comes
    to Motherboard BIOS at best the BIOS is corrupted or deleted rendering the system
    incapable of booting. This subject matter has been discussed to death in alt.comp.virus
    and alt.comp.anti-virus long before BoaterDave posted to Usenet.

    To infect a BIOS there are just too many variables from which chip-set used, entry points
    for code insertion, CRC checks, etc. Even if one particular module can be infected it
    would be an extremely small niche as there is no way a programmer is going to program a
    dictionary of chip-sets and systems into the code.

    Just consider the idea of flashing a BIOS. Whose BIOS ? Phoenix, Award ??? For what
    system ?

    Take an Award BIOS for motherboard X. If you try to flash Motherboard X with Award BIOS
    for motherboard Y, you'll have a dead system.

    Now extrapolate that to BIOS chips on periphery. It becomes exponentially more difficult.

    Thus the idea of infecting BIOS (at this time) is pure FUD and BoaterDave is showing his
    trolling nature.
     
    David H. Lipman, Sep 19, 2009
    #14
  15. Aratzio Guest

    VERY BASIC:
    ROM - Data fixed in silicon - expensive in small quantity.
    PROM - Write Once - Read Many - Much less expensive but not erasable.
    EPROM - UV Erasable data - Erase was slow and required UV lamps
    EEPROM - Electrically Erasable - Essentially a RAM with retention.
    (Multiple types of flash & rom fit here)
    FLASH - An EEPROM with higher density, faster write speeds and more
    write cycles. Different technology than the original EEPROM. Multiple
    types now NAND/NOR.


    A flash modem tool would have been used on any of the "electrically
    erasable" devices that could be reprogrammed under software control.
    Anything before that technology would require removal of the memory.
     
    Aratzio, Sep 19, 2009
    #15
  16. Aratzio Guest

    Err, no, ROM were masked devices where data was etched in the raw
    material. No "leads" burnt. Early ROM were not even "chips" but blocks
    of laminate with hardwired address.

    PROM were the first that used a high voltage to disable one of two
    paths within the silicon. Later as technology changed they reoriented
    the junctions rather than use destructive means which changed the
    location from a 1 to a 0.

    EPROM used a high frequency light to reset the junction to its original
    1 state and allow reprogramming.
     
    Aratzio, Sep 19, 2009
    #16
  17. nemo_outis Guest

    ....
    We agree on my qualification: in principle. To my knowledge there's
    nothing "in the wild." Yet!

    However, if I were targeting a BIOS for malware insertion a graphics
    card would have considerable appeal.

    For instance, nVidia has for a long time supported direct programming of
    the GPU (that's "G" not "C") through CUDA (and ATI more recently with
    Stream) using high-level languages such as C. The GPU is a very
    powerful processor and, to my knowledge, no anti-virus (or other
    anti-malware) program even looks at it as a threat source. Very likely
    a compromise of the graphics BIOS could be leveraged to use this
    separate processor.

    Vaguely redolent of how a FireWire DMA attack completely bypasses the
    CPU and therefore any anti-virus programs.

    Regards,
     
    nemo_outis, Sep 19, 2009
    #17
  18. nemo_outis Guest

    ....

    You're not quite right: the Chernobyl virus of a few years back could -
    and did! - trash the motherboard BIOS of many machines.

    But as you go on to describe this was simple trashing, NOT the insertion
    of workable code.

    Moreover, your core point, that BIOS malware is, at present, only a
    theoretical possibility and not a live threat, is well-taken.
    Accordingly, BoaterDave raising the issue to be considered by the OP when
    protecting his system was pure bullshit.

    Regards,
     
    nemo_outis, Sep 19, 2009
    #18
  19. From: "nemo_outis" <>

    |
    | ...
    | We agree on my qualification: in principle. To my knowledge there's
    | nothing "in the wild." Yet!

    | However, if I were targeting a BIOS for malware insertion a graphics
    | card would have considerable appeal.

    | For instance, nVidia has for a long time supported direct programming of
    | the GPU (that's "G" not "C") through CUDA (and ATI more recently with
    | Stream) using high-level languages such as C. The GPU is a very
    | powerful processor and, to my knowledge, no anti-virus (or other
    | anti-malware) program even looks at it as a threat source. Very likely
    | a compromise of the graphics BIOS could be leveraged to use this
    | separate processor.

    | Vaguely redolent of how a FireWire DMA attack completely bypasses the
    | CPU and therefore any anti-virus programs.

    | Regards,


    I remember reading about the FireWire exploitation,
     
    David H. Lipman, Sep 19, 2009
    #19
  20. From: "nemo_outis" <>

    | | ...

    | You're not quite right: the Chernobyl virus of a few years back could -
    | and did! - trash the motherboard BIOS of many machines.

    | But as you go on to describe this was simple trashing, NOT the insertion
    | of workable code.

    | Moreover, your core point, that BIOS malware is, at present, only a
    | theoretical possibility and not a live threat, is well-taken.
    | Accordingly, BoaterDave raising the issue to be considered by the OP when
    | protecting his system was pure bullshit.

    | Regards,

    Right. It trashed it. It did not replace the code nor infect the BIOS. It rendered the
    motherboard useless.

    The Chernobyl was not the only one as there were copycats. None however could replace the
    code nor infect the BIOS.

    There was one case but that was unusual. It was the case of a disgruntled employee who
    modified the BIOS code at the factory.
     
    David H. Lipman, Sep 19, 2009
    #20
