Microsoft Research: Strider GhostBuster Rootkit Detection and "...stealth software that hides in BI

Discussion in 'Computer Security' started by David H. Lipman, Sep 20, 2005.

  1. http://research.microsoft.com/rootkit/

    States the following...
    "Note: there will be some false positives. Also, this does not detect stealth software that
    hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc. "

    We have discussed the possibility of infecting a BIOS over and over and the consensus has
    been that is not possible. Based upon my studying both viruses and hardware I can't see how
    it is possible. Yet the above Microsoft web site on a RootKit Detector indicates
    "...stealth software that hides in BIOS, Video card EEPROM".

    From what I believe to be true, this is faux information and pure FUD.

    If anyone has specific information (backed by authoritative URLs such as from the IEEE or
    some other organization) I welcome the replies. Both PRO and CON for the above statement.
     
    David H. Lipman, Sep 20, 2005
    #1

  2. Art (Guest)

    I thought the consensus was that no known malware infects the BIOS.
    Why? You can download BIOS updates and reflash.
    Maybe they've seen POCs. There probably are BIOS reflashing
    malwares that simply haven't surfaced.

    Art

    http://home.epix.net/~artnpeg
     
    Art, Sep 20, 2005
    #2

  3. Imhotep (Guest)

    Agreed. I do not see any reason that they *could* not exist....
    Imhotep
     
    Imhotep, Sep 20, 2005
    #3
  4. From: "Art" <>

    | I thought the consensus was that no known malware infects the BIOS.
    | Why? You can download BIOS updates and reflash.


    they are specifically written by the hardware manufacturer for a specific motherboard using a
    specific type of flashable RAM or programmable ROM. That is one thing, but to insert code
    and have the BIOS still functional seems a bit far-fetched.
     
    David H. Lipman, Sep 20, 2005
    #4
  5. Imhotep (Guest)

    I do not think they are all *that* diverse. I am not a hardware person
    though. Any electric engineers/BIOS software people out there wish to
    comment?

    Imhotep
     
    Imhotep, Sep 20, 2005
    #5
  6. Jim Watt (Guest)

    There is the possibility of doing it, and generally when something can
    be done, sooner or later it will.

    The problem of being machine model specific could be a plus point;
    let's say someone has a grudge against Dell, who have a large user
    base. A general virus which detects which machine it's on and
    initiates a destructive action on that model but simply spreads on
    other machines is viable.

    Some years ago we had a virus, CIH I think, which flashed the
    BIOS on some machines. It's a small leap from overwriting it with
    garbage to reading an image into memory, adding some code and
    rewriting it. There's enough space there for additions.

    Let's hope the RIAA and friends do not devise a program to
    flash our CD and DVD writers so they refuse to copy pressed
    disks ...
     
    Jim Watt, Sep 20, 2005
    #6
  7. From: "David H. Lipman" <[email protected]>

    | http://research.microsoft.com/rootkit/
    |
    | States the following...
    | "Note: there will be some false positives. Also, this does not detect stealth software
    | that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc. "
    |
    | We have discussed the possibility of infecting a BIOS over and over and the consensus has
    | been that is not possible. Based upon my studying both viruses and hardware I can't see
    | how it is possible. Yet the above Microsoft web site on a RootKit Detector indicates
    | "...stealth software that hides in BIOS, Video card EEPROM".
    |
    | From what I believe to be true, this is faux information and pure FUD.
    |
    | If anyone has specific information (backed by authoritative URLs such as from the IEEE or
    | some other organization) I welcome the replies. Both PRO and CON for the above statement.
    |
    | --
    | Dave
    | http://www.claymania.com/removal-trojan-adware.html
    | http://www.ik-cs.com/got-a-virus.htm
    |

    Matt Braverman of Microsoft replied thusly...

    "This is a completely theoretical and academic infection vector (note the
    "may hide" part of that segment). There are no known cases of malware that
    infect the BIOS and / or EEPROM."
     
    David H. Lipman, Sep 20, 2005
    #7
  8. From: "Jim Watt" <_way>


    |
    | There is the possibility of doing it, and generally when something can
    | be done, sooner or later it will.
    |
    | The problem of being machine model specific could be a plus point;
    | let's say someone has a grudge against Dell, who have a large user
    | base. A general virus which detects which machine it's on and
    | initiates a destructive action on that model but simply spreads on
    | other machines is viable.
    |
    | Some years ago we had a virus, CIH I think, which flashed the
    | BIOS on some machines. It's a small leap from overwriting it with
    | garbage to reading an image into memory, adding some code and
    | rewriting it. There's enough space there for additions.
    |
    | Let's hope the RIAA and friends do not devise a program to
    | flash our CD and DVD writers so they refuse to copy pressed
    | disks ...
    | --
    | Jim Watt
    | http://www.gibnet.com

    Small leap ?

    No, it would be a humongous leap from wiping or corrupting a BIOS to infecting a BIOS and/or
    hiding in free space in the BIOS. The technical aspects of the chip type, size, and
    programming make it an extremely difficult endeavour.

    Peripheral BIOS would have even greater hurdles to overcome. In theory it sounds viable but
    in reality it is a far-fetched assumption and to date, none have succeeded in infecting a BIOS
    and still leaving it viable or storing itself in unused space.

    Matt Braverman of Microsoft confirmed that the text of the URL I cited "...is a completely
    theoretical and academic infection vector..."
     
    David H. Lipman, Sep 20, 2005
    #8
  9. Art (Guest)

    What you're not considering is an "insider" job ... someone working for
    a BIOS vendor creating and spreading infested "updates".

    Art

    http://home.epix.net/~artnpeg
     
    Art, Sep 20, 2005
    #9
  10. nemo_outis (Guest)


    It would certainly be possible - although a lot of work - to manually
    "infect" the BIOS if one has physical access to the machine. Flashing the
    BIOS is easy - the tedious part would be generating a rewritten BIOS with
    hidden features to use for the flash.

    While it was quite primitive and only worked on some old-fashioned 486
    machines, the Chernobyl virus *did* reflash the BIOS (trashing it rather
    than substituting different BIOS code).

    Regards,
     
    nemo_outis, Sep 20, 2005
    #10
  11. From: "Art" <>


    |
    | What you're not considering is an "insider" job ... someone working for
    | a BIOS vendor creating and spreading infested "updates".
    |
    | Art
    |
    | http://home.epix.net/~artnpeg

    Updates for what ?

    Let's say it is a particular vendor like ASUS. It wouldn't be for all motherboards. At best
    one. Even still, there's a wide variety of flashable RAM chips that may be used. Which
    chip? Would it even pass a CRC checksum by the flashing program?
     
    David H. Lipman, Sep 20, 2005
    #11
  12. Art (Guest)

    Haven't you ever downloaded a BIOS update and reflashed a BIOS? How
    would/did you know it wasn't infested? Presumably an insider job would
    pass the checksum test.

    Art

    http://home.epix.net/~artnpeg
     
    Art, Sep 20, 2005
    #12
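    The two posts above turn on whether "passing the checksum" means anything. The following is an added example (not code from the thread, and not Microsoft's or any BIOS vendor's tooling) that separates the two checks involved: the CRC-32 a flashing program computes over the image it is about to write, which only catches accidental corruption, and a comparison against a SHA-256 digest obtained out of band from the vendor's own download page (Dave's "trusted location") or from a golden image recorded when the machine was commissioned. The image layout (payload followed by a 4-byte little-endian CRC-32 trailer), the file name `bios_v102.bin` and the sample bytes are all constructed for the demonstration.

```python
"""Why a flashing tool's CRC check is not evidence that a BIOS update is genuine.

Added example, not code from the thread. The image layout is a constructed
stand-in for a real vendor format: payload || 4-byte little-endian CRC-32.
"""
import hashlib
import hmac
import struct
import zlib


def build_image(payload: bytes) -> bytes:
    """Append the CRC-32 trailer that a flashing tool verifies before writing."""
    return payload + struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def flasher_crc_ok(image: bytes) -> bool:
    """The flasher's self-check: the trailer CRC-32 must match the payload.

    This detects accidental corruption (a bad download, a truncated file) and
    nothing more: whoever produces the image also produces the trailer."""
    if len(image) < 4:
        return False
    payload, (stored,) = image[:-4], struct.unpack("<I", image[-4:])
    return (zlib.crc32(payload) & 0xFFFFFFFF) == stored


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_ok(image: bytes, manifest: dict, name: str) -> bool:
    """Compare the whole file against a digest obtained out of band: the
    vendor's published value, or a golden-image hash you recorded yourself."""
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(image), expected)


def modified_with_fresh_crc(image: bytes, offset: int, replacement: bytes) -> bytes:
    """Model the thread's 'insider job': the payload is changed and the trailer
    recomputed, so the flasher's own CRC check is satisfied regardless."""
    payload = bytearray(image[:-4])
    payload[offset:offset + len(replacement)] = replacement
    return build_image(bytes(payload))


def audit(image: bytes, manifest: dict, name: str) -> dict:
    """Report which of the two checks the image passes."""
    return {
        "flasher_crc": flasher_crc_ok(image),
        "manifest": manifest_ok(image, manifest, name),
    }


# Constructed sample data: a fake ~1 KiB "BIOS" and the digest the vendor
# would publish for it on its download page.
GENUINE = build_image(b"BIOS v1.02 " + bytes(range(256)) * 4)
MANIFEST = {"bios_v102.bin": sha256_hex(GENUINE)}
# The same image with eight payload bytes replaced and the trailer refreshed.
MODIFIED = modified_with_fresh_crc(GENUINE, 16, b"\xff" * 8)

if __name__ == "__main__":
    for label, img in (("genuine", GENUINE), ("modified", MODIFIED)):
        print(label, audit(img, MANIFEST, "bios_v102.bin"))
```

    Run stand-alone, the genuine image passes both checks while the modified one passes the flasher's CRC and fails the manifest comparison, which is the point of the exchange: a checksum the image carries with it says nothing about who built the image, only a digest or signature obtained from somewhere the supplier of the file does not control does. The `hmac.compare_digest` call is a habit rather than a necessity here (the digest is public), but it costs nothing.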
  13. From: "Art" <>


    |
    | Haven't you ever downloaded a BIOS update and reflashed a BIOS? How
    | would/did you know it wasn't infested? Presumably an insider job would
    | pass the checksum test.
    |
    | Art
    |
    | http://home.epix.net/~artnpeg

    I get them directly from a trusted location.
     
    David H. Lipman, Sep 20, 2005
    #13
  14. Art (Guest)

    That's obviously the best bet but the point is that it's still a
    gamble. You were insisting that it's impossible. I'm simply pointing
    out that it's not impossible, however unlikely it might be.

    Art

    http://home.epix.net/~artnpeg
     
    Art, Sep 20, 2005
    #14
  15. Sugien (Guest)

    IMHO, the more techs say something is impossible, the more likely someone
    will take up the challenge to prove them wrong. Some of the same techs and
    those in the know said it was impossible to get any type of infection or
    malware by *only* reading an email. Of course they had to eat their words
    after Melissa; but some tried to even wiggle out of that by saying they
    meant to qualify what they had said, in as much as they were trying to say
    that simply reading a message in plain text format was impossible;
    but to me that is as much a worm wiggle as what I get accused of; but I was
    and am far more innocent of the worm wiggling charge than they, lol.

    I would have to guess that as a part of the development of such a BIOS
    infecting virus or malware an intermediate step may be to store parts of the
    virus/malware in the unused portions of the chip housing the BIOS program.
    Maybe hiding the portions of the virus which AV products detect there, thereby
    avoiding detection. AFAIK no known AV product checks the BIOS for viruses or
    malware, and if a virus/malware is created which is detected by AV products,
    the creator of the offending software, instead of completely rewriting the
    virus/malware to avoid detection, could simply have the virus/malware hide
    the portions the AV software is keying on in the BIOS.
     
    Sugien, Sep 20, 2005
    #15
  16. From: "Art" <>


    |
    | That's obviously the best bet but the point is that it's still a
    | gamble. You were insisting that it's impossible. I'm simply pointing
    | out that it's not impossible, however unlikely it might be.
    |
    | Art
    |
    | http://home.epix.net/~artnpeg

    Examine the concept of an infected BIOS. The BIOS (Basic Input-Output System) is the
    middleware between a given motherboard's chipset and an Operating System. The OS looks for
    specific routines to access such things as the hard disk, floppy, real-time clock, USB, etc.
    The question is, if the BIOS could be infected, what could "it" do? That is, being
    middleware and not a high-level or even a low-level language, but a series of routines to
    interface hardware through system calls.
     
    David H. Lipman, Sep 20, 2005
    #16
  17. Art (Guest)

    That's a no-brainer. It could do many kinds of different damage to a
    hard drive, including making it unusable without a reformat. Even
    something as simple as refusing to boot and just hanging in an infinite
    loop is an example.

    Art

    http://home.epix.net/~artnpeg
     
    Art, Sep 20, 2005
    #17
  18. From: "Art" <>


    |
    | That's a no-brainer. It could do many kinds of different damage to a
    | hard drive, including making it unusable without a reformat. Even
    | something as simple as refusing to boot and just hanging in an infinite
    | loop is an example.
    |
    | Art
    |
    | http://home.epix.net/~artnpeg

    I can't see a vendor releasing a BIOS that did not pass a quality control check.
     
    David H. Lipman, Sep 20, 2005
    #18
  19. Art (Guest)

    The bad guy might work in the QC dept. :) Trust no one!

    Art

    http://home.epix.net/~artnpeg
     
    Art, Sep 20, 2005
    #19
  20. I can't see a major hard drive manufacturer releasing thousands of hard
    drives with a boot sector infector preinstalled.

    But it happened. :)
     
    Jeffrey F. Bloss, Sep 20, 2005
    #20