BIOS Rootkits - Detection / Prevention?
xeda
July 12th, 2006, 03:02 AM
Hi,
I was reading an older yet interesting article over at: http://www.securityfocus.com/news/11372
-{ Quote: "However, the ability to flash the memory depends on whether the motherboard allows the BIOS to be changed by default or if a jumper or setting in the machine setup program has to be changed." }-
How do I determine if my motherboard allows the BIOS to be changed by default?
Secondly, how would one go about detecting a rootkit that uses this method?
What are your thoughts concerning this?
Thanks!
lotuseclat79
July 12th, 2006, 05:41 PM
Hi xeda,
We had a Thread back in April, 2006: Rootkits headed for BIOS which you can read for more information:
http://www.wilderssecurity.com/showthread.php?t=117896
-- Tom
SystemJunkie
July 12th, 2006, 05:58 PM
Here look what I found:
ACPI Rootkit example from China (http://www.i-boy.net/boynet/content/view/18/113/)
scary, isn't it?
You should investigate this registry entry HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT
Actually the mainboard creators don't give a penny for this hidden danger.
xeda
July 12th, 2006, 08:36 PM
-{ Quote: "Hi xeda,
We had a Thread back in April, 2006: Rootkits headed for BIOS which you can read for more information:
http://www.wilderssecurity.com/showthread.php?t=117896
-- Tom" }-
Thanks Tom, that's an excellent thread. I found a lot of useful info and links.
-{ Quote: "Here look what I found:
ACPI Rootkit example from China
scary isn't it?
You should investigate this registry entry HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT
Actually the mainboard creators don't give a penny on this hidden danger." }-
Yes, it IS scary...but I love a new challenge. How about you? :)
Hmmm, would you recommend disabling ACPI?
I've been researching this topic a lot recently (I spent the last 7 hours reading material surrounding this).
I especially found this discussion interesting: http://www.broadbandreports.com/forum/remark,13853178
Pay attention to the posts made by stefaanE, tcp1, and ZOverLord.
Mrkvonic
July 13th, 2006, 01:19 AM
Hello,
Science fiction.
Mrk
xeda
July 13th, 2006, 01:39 AM
-{ Quote: "Hello,
Science fiction.
Mrk" }-
So, you think it's purely theoretical?
I myself am on the fence about the whole subject.
I mean there seems to be a lot of proof of concept examples floating around.
Mrkvonic
July 13th, 2006, 04:37 AM
Hello,
Relax and enjoy.
Atomic bomb - proven conceptually twice.
Does it happen every day - no.
Besides, there has been lots of talk about how this and that. In short, this is very highly unlikely.
Mrk
SystemJunkie
July 15th, 2006, 05:01 PM
-{ Quote: "Firmware resident trojans are very rare in the consumer and business environment, but my opinion as a consultant with almost 30 years experience means little. A sample of what infected you is much more authoritative. " }- very rare does not mean no danger. It may always be possible that hardware with flash memory is contaminated.
-{ Quote: "With no way to independently reset that memory you can't really ever truly clean a system. Wiping the hard drive is only going to be half the job, with code left intact on the motherboard." }-
How right he is! True, true!
-{ Quote: "If you have any Disk based root kit, which is not located in bad sectors ("which also is being done, working example at root kit.com") a re-format should remove your problem.
" }- But what if it is located in bad sectors... ;-)
-{ Quote: "this is very highly unlikely.
" }- no, this may be the future standard attack method, if mainboard manufacturers still will sleep deep.
-{ Quote: "Hmmm, would you recommend disabling ACPI?" }-
Xeda, this won't really help too much, in my opinion, because Windows installs acpi.sys and this file is essential, and don't underestimate hal.sys. You can use external hal and acpi, modifying the boot.ini, but if the bios is infected I still doubt that this will solve the problem totally, and what about file infection? Some viruses add a few bytes to an exe file, and when you start these exes your new system may be reinfected very fast. Stealth by design.
I recommend to read black hat federal 2006. Rootkit hunting vs Compromise detection.
Genady Prishnikov
July 15th, 2006, 06:10 PM
To take the view that "if it can happen," then it's a real threat, you need to reconsider walking out the door each morning. A threat assessment is only as good as its realism. The chances of a bios virus/root-kit are so ridiculously small as to be insignificant. If you're prone to worry, worry about a 757 falling out of the sky and destroying your house. (Just make sure you have a computer backup offsite!) Seriously, relax.
SystemJunkie
July 17th, 2006, 06:51 AM
haha.. good idea.. I relax a little bit. But to step a bit further in this discussion. People who were hit by lightning,
do you think they ever thought that they'd be hit? Even if the probability may be small, some people always will be hit.
f3x
July 17th, 2006, 11:08 AM
Then if you talk about probability, you might as well consider the danger that the processor can do things other than what you want it to do, as electrons are by nature quantum objects. You might also consider that the flow of "bad" electrons by luck forms a meaningful command to the rest of the computer and something very bad happens.
There is also a chance that the sun explodes, crushing whatever remains of your computer.
When you take EVERYTHING into consideration, then you realize you are never safe. I really think you have more chance of getting your comp stolen or damaged by a power outage than being infected by a superior-being-like bios rootkit.
If you fear bios then switch motherboard .. or buy one of the hardware bios backup / restore solutions.
-------------------
@ Mrkvonic (off topic)
Talking of science fiction...
Nice reading about the physical (im)possibility of going back through time
securityx
July 18th, 2006, 01:04 AM
I have to agree with the others who are saying there are other things to worry about.
Bios virus? Bios root-kit? As Gerard said, "relax."
----securityx----
SystemJunkie
July 18th, 2006, 08:14 AM
Not easy to find a mobo with switch.
Rasheed187
July 27th, 2006, 10:07 AM
Hi,
I have managed to figure out that I have an MSI MS-7184 motherboard with a Phoenix Award BIOS, can anyone tell me if I'm protected against BIOS modification/flashing and thus against BIOS rootkits?
http://h10025.www1.hp.com/ewfrf/wc/document?lc=en%C3%A2%C5%92%C2%A9=en&cc=us&product=1127350&dlc=en&docname=c00378480
SystemJunkie
August 23rd, 2006, 04:14 PM
No I think you would need a dual bios or a jumper to block write access..
Rasheed187
August 24th, 2006, 12:19 PM
Have you looked at the specifications? There is also a bit of info about jumpers in it, but I could not figure it out. :lurking:
SystemJunkie
April 18th, 2007, 09:51 AM
Even the latest boards from MSI (2007) have absolutely no bios protection. Seems that no one in this industry believes in a real danger concerning this.
Interesting link concerning: firmware rootkits (http://blogs.zdnet.com/BTL/?p=4590)
SSK
April 18th, 2007, 10:05 AM
Bios rootkits are not a real danger right now. Companies should think about real threats, not highly unlikely ones. There are so many easy ways to infect a machine, why use the difficult and potentially disastrous method of using bios / firmware infections?
(Why disastrous? Bios / firmware is critical in the machine's operation. Crashing the machine will 1) rob you of your means to achieve your goal and 2) make your presence that much more obvious.)
BTW: the idea of a bios / firmware rootkit for espionage was used in a Tom Clancy novel some years ago, to spy on the Chinese government ;-)
aigle
April 19th, 2007, 12:12 PM
-{ Quote: "Even the latest boards from MSI (2007) have absolutely no bios protection. Seems that no one in this industry believes in a real danger concerning this.
Interesting link concerning: firmware rootkits (http://blogs.zdnet.com/BTL/?p=4590)" }-
That's too bad.
BTW, does anyone know which motherboard vendors are using physical BIOS protection (jumper etc.)?
Mrkvonic
April 19th, 2007, 04:20 PM
Hello,
BIOS rootkits are a nice concept. And that's all.
Implementing rootkits in BIOS is akin to planting a new kidney in a person. Will work successfully only in 0.00000000005% of cases. Writing code that will perfectly fit the target (including 1E13 combinations of hardware), not break BIOS and actually do something effective via installed OS - which might be just about anything - has the same chances of succeeding as waking Disney from his cryo chamber back to life.
To the best of my knowledge, some of my mobos have BIOS write protection.
That article is pure ... random opinion.
Giant meteors can strike Earth. So? I don't see people preparing for the doomsday. Possible. Yes. Likely. No.
Mrk
EP_X0FF
April 20th, 2007, 05:44 AM
As for malware,
BIOS rootkits, motherboard rootkits, rootkits in DVD flash memory, pills, hardware hypervisors = bad science fiction and nothing more.
SystemJunkie
April 20th, 2007, 06:09 AM
;D 8) ;D except for those chinese fanatics who post code for acpi rootkits,
remember this link (http://www.i-boy.net/boynet/content/view/18/113/) ? Actually the author made anything black to prevent view, just scroll over with mouse button to see the source code.
-{ Quote: "
Compilation of "d:\rootkit\rk_asl\rootkit.asl" - Sun Feb 12 18:53:02 2006
" }-
AJohn
April 24th, 2007, 03:07 PM
Maybe I am one of the few, but I take this issue seriously. How long ago was it that no one took leaktests seriously?
aigle
April 24th, 2007, 03:18 PM
-{ Quote: "As for malware,
BIOS rootkits, motherboard rootkits, rootkits in DVD flash memory, pills, hardware hypervisors = bad science fiction and nothing more." }-
Fiction becomes true sometimes rapidly in the modern world.
AJohn
April 24th, 2007, 03:44 PM
Sometimes our minds try to make things fiction when in actuality they are closer to us than we can conceive. I doubt any one person knows of all the technology people have these days.
aigle
April 24th, 2007, 03:58 PM
I heard someone saying on these forums that such rootkits are already out from China. Who knows?
Anyway, what's the harm of having a physical protection on the motherboard, a jumper etc.!?
Rmus
April 24th, 2007, 08:58 PM
Is the assumption that the hardware could come pre-infected? Or is it a case of a rootkit being installed on the system which then infects the hardware?
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
aigle
April 24th, 2007, 09:07 PM
2nd one I think.
Rmus
April 24th, 2007, 10:47 PM
-{ Quote: "Anyway what,s the harm of having a physical protection on motherbard, a jumper etc!?" }-Agreed!
Looking back through this thread which is about both detection/prevention, and most of the discussion is on how the exploit might work and subsequent detection (or non-detection) -- which, by the way, makes for very interesting reading -- nonetheless I thought I would review the matter to see about prevention, so I looked again at the long thread at DLSR:
Undetectable Trojan??
http://www.broadbandreports.com/forum/remark,13853178~days=9999
Amongst all of the technical babble-jabble -- also very interesting reading -- emerged a few note-worthy comments:
-{ Quote: " First of all, the allegation of a virus that escapes detection. It still relies on the oldest security flaw in the book- the mark had to download a file. Second the file needed to be executed by the mark.
Video cards and network cards CANNOT get code into system memory by themselves (supplemental software is needed to do it),
you can't take code sitting on a PCI card and run it in system memory with out the use of an external program run by the OS,
If you were "rooted" or "backdoored" and said hacker sent this tool to determine EXACTLY what your board and revision levels were, he could very easily d/l the appropriate bios hacks to your system.
That being said, the system would have to be rootkitted first, so the reflashing etc. could take place on the next reboot, and be invisible to the user.
" }-There was one scenario posted, with accompanying code. I stopped reading after the first line:
-{ Quote: "Initial payload received via Web/Email attachment" }-
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
AJohn
April 24th, 2007, 11:09 PM
If the hardware were to come infected chances are you would have a very small chance of even knowing. I think the biggest issue here is becoming infected after getting your computer and never being able to get rid of the problem.
Rmus
April 24th, 2007, 11:55 PM
How do you think you might get infected?
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
aigle
April 25th, 2007, 12:00 AM
Hi Rmus, very nice points indeed but it's only for those who control executables on their PC.
ErikAlbert
April 25th, 2007, 01:04 AM
So what is the verdict ?
Do I need to be afraid of the numerous BIOS Rootkits and Hardware Viruses, when I reboot in a clean snapshot or not ?
Rmus
April 25th, 2007, 01:04 AM
Hello aigle,
I'm not sure what you mean: doesn't everyone control executables on their PC?
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
Rmus
April 25th, 2007, 01:06 AM
-{ Quote: "So what is the verdict ?
Do I need to be afraid of the numerous BIOS Rootkits and Hardware Viruses, when I reboot in a clean snapshot or not ?" }-Not unless that "clean" snapshot somehow became "unclean."
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
aigle
April 25th, 2007, 01:07 AM
I mean in this case the best protection can only be by some HIPS, policy restrictions, safe surfing, common sense etc. etc.
The average PC user doesn't know about executables, what to speak of controlling them.-{ Quote: "Hello aigle,
I'm not sure what you mean: doesn't everyone control executables on their PC?
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier" }-
Rmus
April 25th, 2007, 01:18 AM
-{ Quote: "Average PC user doesn,t know about executables, what to speak of controlling them." }-This is the crux of the whole problem of security: people don't know about executables.
Ask someone you know - neighbor, friend, relative - to explain how the computer knows to start MSWord when you double-click on a *.doc file. Or how their picture viewer knows to start when they d-click on a *.jpg file. Or the difference between a *.txt and *.exe file?
Ask them what a "file association" is.
This is why I've always insisted that security begins with understanding file types and file associations.
Now, how you accomplish that with the "average PC user" is the big question. It can be done, but they have to be willing to learn, and there has to be someone to teach.
Everyone here can teach someone what you know. So do it! That will be one more knowledgeable person!
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
ErikAlbert
April 25th, 2007, 01:38 AM
But Anti-Executable recognizes more than 80 executables, so it knows better than me what executables are and AE will stop them, if they aren't whitelisted.
It's impossible for me to learn more than 80 file extensions by heart, unless I have a photographic memory or an I.Q. of 180, which is not the case. :)
aigle
April 25th, 2007, 01:47 AM
-{ Quote: "But Anti-Executable recognizes more than 80 executables
" }- I use HIPS for the very same reason plus more...
ErikAlbert
April 25th, 2007, 02:13 AM
-{ Quote: "I use HIPS for the very same reason plus more..." }-
Yes, but HIPS with multiple choice questions, like YES or NO are too dangerous for me, I have only 50% chance to guess it right and that was unacceptable for me. With Anti-Executable I don't have to guess, it's always RIGHT.
My last weapon is a frozen snapshot, which kills them all.
Rmus
April 25th, 2007, 03:17 AM
-{ Quote: "It's impossible for me to learn more than 80 file extensions by heart, " }-This is not necessary. All you need to know is the concept: most malware are executable files. So, the protection you need is a solution which deals with executables.
How do you apply that? Well, you have to know the various entry points that a malware executable can exploit, such as web-embedded code, aka remote code execution, drive-by download. What solution will block that?
Suppose you accidentally open an infected email attachment? What solution will block that?
You don't have to know that *.ocx is an executable, but you know the concept of an executable, and that your solution will block any unauthorized executable, and you may discover that *.ocx is one.
Whether the product for your prevention solution is a full-blown HIPS program or a simple stand-alone execution protection program matters little: it is the concept you are working with.
For years I did not know that a screensaver was an executable file. I just thought it was a picture file. I never used them, so I had no acquaintance with them.
But when the Netsky worm showed up, it made use of the double-extension trick, and turned out to be a *.scr file. When it was blocked in the test, I was puzzled, and then learned that it is indeed an executable, and in this case, carried a bad payload:
http://www.urs2.net/rsj/computing/imgs/zip1.gif
______________________________________________________________
http://www.urs2.net/rsj/computing/imgs/zip3.gif
______________________________________________________________
http://www.urs2.net/rsj/computing/imgs/zip2.gif
______________________________________________________________
http://www.urs2.net/rsj/computing/imgs/netsky-scan.gif
______________________________________________________________
What if it were a rootkit? So what?
To enlarge on what I mentioned in my first post: once the concept of file types, file associations is learned, then you move to the attack points, and then you apply solutions.
To me, this is a much more effective way of developing a security strategy than just recommending a list of products. That may work for the experienced user, who already understands the concepts. But aigle mentioned the "average user" and this is the user that needs good instruction. Unfortunately, the person purchasing her/his first computer at a local store probably will purchase an AV program at the suggestion of the salesperson, "to protect your computer against the viruses out there."
They go home having no idea what an AV really does, probably won't know to keep it updated, and it's all downhill from there. Don't you think that the preponderance of people harvested for botnets fall into that category?
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
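Rmus's point above is that an execution-control tool decides by the concept "is this an executable?" rather than by a memorised list of extensions, and that the Netsky worm's double-extension trick (a *.scr hiding behind a *.jpg name) is exactly what such a check must see through. The following is an added example, not code from the thread or from any product named in it: a small classifier that judges a file by its real extension and, independently, by whether its content carries a PE header. The extension sets and the sample files are constructed for the example, and the "PE header" sample is a bare header, not a program.

```python
import hashlib

# Extensions Windows treats as directly executable or script-launchable.
# Constructed subset for this example; the thread itself mentions *.exe, *.scr and *.ocx.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "dll", "ocx", "cpl", "bat", "cmd",
    "vbs", "vbe", "js", "jse", "wsf", "hta", "msi",
}

# Extensions a user would reasonably expect to be passive data.
DATA_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "zip"}


def is_pe_image(data: bytes) -> bool:
    """Return True if the bytes carry a PE (Windows executable) header.

    Checks the 'MZ' DOS signature, follows e_lfanew at offset 0x3C and looks
    for the 'PE\\0\\0' signature there. The file name plays no part.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(filename: str, data: bytes) -> dict:
    """Judge a file by name AND content, the way an execution-control tool must."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # Double-extension trick: 'party.jpg.scr' displays as 'party.jpg' when
    # Explorer hides known extensions, but the extension that counts is 'scr'.
    double_ext = len(parts) >= 3 and parts[-2] in DATA_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS
    ext_exec = ext in EXECUTABLE_EXTENSIONS
    content_pe = is_pe_image(data)
    if content_pe and not ext_exec:
        verdict = "executable (extension mismatch)"
    elif ext_exec or content_pe:
        verdict = "executable"
    else:
        verdict = "data"
    return {
        "filename": filename,
        "extension": ext,
        "extension_is_executable": ext_exec,
        "double_extension": double_ext,
        "content_is_pe": content_pe,
        "sha256": hashlib.sha256(data).hexdigest(),
        "verdict": verdict,
    }


def build_fake_pe_header() -> bytes:
    """Constructed minimal PE-looking header (not a real program; it cannot run)."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def demo() -> list:
    """Classify a few constructed samples; returns the list of result dicts."""
    pe = build_fake_pe_header()
    samples = [
        ("party.jpg.scr", pe),        # Netsky-style double extension
        ("holiday.jpg", pe),          # PE content behind a data extension
        ("notes.txt", b"just text"),  # genuinely passive data
    ]
    return [classify(name, data) for name, data in samples]


if __name__ == "__main__":
    for result in demo():
        flag = " [double extension]" if result["double_extension"] else ""
        print(f"{result['filename']:16} -> {result['verdict']}{flag}")
```

The second sample is the case a pure extension list misses: a file named like a picture whose bytes are a PE image. Whether a tool then blocks it or merely reports it is policy; the check itself is the same either way.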
StevieO
April 25th, 2007, 02:33 PM
Here's a short extract from a recent 3 page interview with Nitin & Vipin.
New school is back to the old school ! Very interesting, and alarming.
***********************
-{ Quote: "Is it small enough to fit inside BIOS flash memory?
Nitin & Vipin: Definitely, it's just about 1500 bytes in size. It can be reduced further. Today's BIOSes are big in size, therefore it can easily hide in there.
How does vbootkit work?
Nitin & Vipin: A small summary: BIOS --> Vbootkit code(from CD,PXE etc.) --> MBR --> NT Boot sector --> Windows Boot manager --> Windows Loader --> Vista Kernel.
Just after vbootkit takes control, it hijacks the interrupt 13, then searches for the signature for Vista OS. After detecting Vista, it starts patching Vista, meanwhile hiding itself (in smaller chunks at different memory locations). The patches include bypassing several protections such as checksum, digital signature verification etc., and it takes steps to keep itself in control, while the boot process continues to phase 2.
Phase 2 includes patching vista kernel, so as vbootkit maintains control over the system till the system reboots. Several protection schemes of Vista were analyzed such as the famous PE header checksum (every Windows EXE contains it), the Digital Signature of files.
So, you have vbootkit loaded in Vista's Kernel. " }-
http://www.securityfocus.com/columnists/442/2
StevieO
aigle
April 25th, 2007, 03:37 PM
Very interesting read but no real details on how to protect against it.
aigle
April 25th, 2007, 03:53 PM
Hi StevieO, I tried to download this POC rootkit (bootkit) but their site seems down. :(
StevieO
April 25th, 2007, 06:43 PM
@ aigle
BOOT KIT by Nitin Kumar and Vipin Kumar is downloadable from here if you're still having difficulties hxxp://www.rootkit.com/project.php?id=34
You might also like to check out the (eEye) BootRootkit whilst you're there.
I was able to DL the BK from here http://www.nvlabs.in/?q=node/11
I've heard it mentioned that enabling the BIOS boot virus checker might help ? But that wouldn't prevent it being loaded from USB devices etc.
Strange why they have had no official contact from MS on this, especially as Vista is "supposed" to be a lot more secure !
StevieO
aigle
April 25th, 2007, 06:52 PM
Thanks StevieO, I tried again and this time I was able to download from their site.
I wish I could play with it. But I need to set up a VM and also I am not sure if it needs to be compiled or not (I can't compile of course). I have requested some people to test it (but not sure if they will/can do).
I uploaded both basic and advanced versions on VT,
Basic detected by Antivir, BD, Ewido, Ikarus, and WebWasher, plus Fortinet(possible threat).
Advanced version detected by KAV and F-secure.
I submitted to Avira, KAV and NOD.
What,s special with (eEye) BootRootkit?
aigle
April 25th, 2007, 06:58 PM
-{ Quote: "What,s special with (eEye) BootRootkit?" }-
I searched the site and found nothing. Can u give me a link?
Thanks
aigle
April 25th, 2007, 07:00 PM
Ok, I googled and got it.
aigle
April 25th, 2007, 07:06 PM
I downloaded the eEye bootRootKit but it has a password and no password is mentioned on their site. Any help?
Thanks
aigle
April 26th, 2007, 12:09 AM
I think again here the main defence is control of unauthorized/ unwanted/ unknown execution. If u can do it, nothing can harm ur system.
SystemJunkie
April 26th, 2007, 10:44 AM
-{ Quote: "Just after vbootkit takes control, it hijacks the interrupt 13" }-
Scary.
Mrkvonic
April 26th, 2007, 02:18 PM
Hello,
And what is that supposed to tell me? Interrupt 13? Sounds like a new torpedo.
Guys, don't exaggerate with lingo. In the meanwhile, you can unplug the machine - that way no bios / aids anti-rootbotkit will be able to get in ...
Mrk
SystemJunkie
April 26th, 2007, 03:09 PM
-{ Quote: " In the meanwhile, you can unplug the machine - that way no bios / aids anti-rootbotkit will be able to get in ...
" }-
What exactly do you want to tell us?
Mrkvonic
April 26th, 2007, 03:21 PM
Hello,
Unless you have a substantiated proof / evidence of the existence of such a software, it is best not to spread panic among less knowledgeable people, who will start flashing / jumpering their bioses in an attempt to protect against Mars attacks. Nothing good can come from it.
One of the developers of an anti-rootkit tool tells us that these are myths. And to prove him wrong, people use similar tools (anti-rootkits) to find bios rootkits that are supposed to be unfindable... sounds ... interesting.
Mrk
aigle
April 26th, 2007, 03:32 PM
I agree, no need to scare the people but it's interesting just for the sake of discussion.
ErikAlbert
April 26th, 2007, 03:35 PM
I'm tired of reading these horror stories without proof. They have no value at all, except scaring people unnecessarily.
In my newbie time, unaware of any threat, my harddisk was so infected that even my software didn't work anymore, but a simple re-install was always the cure.
SystemJunkie
April 26th, 2007, 03:45 PM
Guys you are too small-minded, open your minds. Expect the unexpected.
Don't trust anything.;D ;D ;D
Mrkvonic
April 26th, 2007, 03:59 PM
Hello,
BTW, if flashing the BIOS with rootkit code is so simple, then flashing it with official code is even simpler. That's the simplest cure process ever! Just overwrite the file.... Poof. Gone...
Mrk
AJohn
April 27th, 2007, 01:23 AM
-{ Quote: "Hello,
BTW, if flashing the BIOS with rootkit code is so simple, then flashing it with official code is even simpler. That's the simplest cure process ever! Just overwrite the file.... Poof. Gone...
Mrk" }-
I disagree with this. Maybe a BIOS rootkit could do a better job of maintaining itself than the original BIOS could. After all, the original BIOS was not designed with these 'simple mars attacks' in mind.
Mrkvonic
April 27th, 2007, 03:00 AM
Hello,
Now we have a MBR in BIOS, have we?
It's a piece of memory. You flash it, it's empty... or the original content is replaced. Very simple. It does not matter what the programmer intends, it matters what the architecture of the hardware is.
Mrk
AJohn
April 28th, 2007, 12:14 AM
Yea good point, I was thinking more of BIOS infection leading to more problems before you flashed the BIOS - like hardware being infected.
EP_X0FF
April 28th, 2007, 05:53 AM
BIOS rootkits - science fiction. If they exist then they work only in the laboratory where they were created.
Motherboard / PCI rootkits are bad sci-fi. Come on, there are an infinite number of ways to hide itself without such perversions.
vbootkit, eEye bootkit - pure POC. Even if they hook the IDT, they will be listed by modern antirootkits; a bootkit that patches the MBR will be caught by the boot record scan of almost any antivirus. A bootkit that modifies system files by inline patching will be flagged by an antirootkit (even a user mode based antirootkit).
If BIOS/PCI etc rootkits exists - show me the one which will work at least on five different systems.
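EP_X0FF's point above, that a bootkit which patches the MBR is caught by a boot record scan, rests on something simple: the bootstrap code in sector 0 should not change between reboots unless the user changed the boot loader. The following is an added example, not code from the thread or from any anti-rootkit product it mentions: a baseline-and-compare check over a 512-byte MBR image that hashes only the bootstrap-code region, so that ordinary partition-table edits stay quiet while a replaced boot loader or a missing 0x55AA signature raises a finding. The MBR images, the partition entries and the "boot code" bytes are constructed test data, not a real disk, and the hash store is a plain string standing in for wherever a tool would keep its baseline.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_END = 446             # bytes 0..445: bootstrap code the BIOS jumps to after loading sector 0
PART_TABLE_END = 510           # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511

# Constructed stand-in for a boot loader's code; not real machine code.
SAMPLE_BOOTCODE = b"\xEB\x3C\x90SAMPLE-BOOTLOADER-v1"


def build_sample_mbr(bootcode: bytes, partitions=None) -> bytes:
    """Construct a 512-byte MBR image (test data for this example, not a real disk)."""
    code = bootcode.ljust(BOOTCODE_END, b"\x00")[:BOOTCODE_END]
    if partitions is None:
        # (status, type, first LBA, sector count): one bootable NTFS-type partition
        partitions = [(0x80, 0x07, 2048, 204800)]
    table = b""
    for status, ptype, lba, count in partitions:
        table += struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
    table = table.ljust(64, b"\x00")[:64]
    return code + table + BOOT_SIGNATURE


def parse_mbr(image: bytes) -> dict:
    """Split an MBR into bootstrap-code hash, partition entries and signature check."""
    if len(image) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = BOOTCODE_END + 16 * i
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", image[off:off + 16])
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(image[:BOOTCODE_END]).hexdigest(),
        "partitions": partitions,
        "signature_ok": image[PART_TABLE_END:] == BOOT_SIGNATURE,
    }


def check_mbr(image: bytes, baseline_bootcode_sha256: str) -> list:
    """Compare a freshly read MBR with a baseline hash taken while the system was known-good.

    Only the bootstrap-code region is compared, so legitimate partition-table
    edits do not raise an alert, while a replaced boot loader does.
    """
    parsed = parse_mbr(image)
    findings = []
    if not parsed["signature_ok"]:
        findings.append("boot signature 55AA missing: sector is not a valid MBR")
    if parsed["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("bootstrap code differs from baseline: unexpected boot loader change, review before next reboot")
    if not any(p["bootable"] for p in parsed["partitions"]):
        findings.append("no partition is flagged bootable")
    return findings


def demo() -> dict:
    """Run the check over a baseline image, a partition-only change and a replaced boot loader."""
    baseline_image = build_sample_mbr(SAMPLE_BOOTCODE)
    baseline_hash = parse_mbr(baseline_image)["bootcode_sha256"]   # stored when the system was clean
    repartitioned = build_sample_mbr(
        SAMPLE_BOOTCODE, [(0x80, 0x07, 2048, 102400), (0x00, 0x07, 104448, 102400)]
    )
    replaced_loader = build_sample_mbr(b"\xEB\x3C\x90SOMETHING-ELSE")
    return {
        "baseline": check_mbr(baseline_image, baseline_hash),
        "repartitioned": check_mbr(repartitioned, baseline_hash),
        "replaced_loader": check_mbr(replaced_loader, baseline_hash),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:16} {findings or 'clean'}")
```

The same split applies to a real tool: the baseline must be taken from a known-clean system and stored somewhere the booted OS cannot silently rewrite, otherwise the comparison only tells you that the sector matches whatever was there when the baseline was taken.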
BlueZannetti
April 28th, 2007, 01:15 PM
-{ Quote: "If BIOS/PCI etc rootkits exists - show me the one which will work at least on five different systems." }-Heck, I'd settle for two, actually I'd even settle for one...
There are plenty of real issues to be concerned about before, as EP_X0FF notes, worrying about either good or bad science fiction.
Blue
lodore
April 28th, 2007, 04:43 PM
BIOS rootkits could be as easy to execute as any other malware on certain PCs.
e.g. the PCs at college are Dell Optiplex 745
http://www1.euro.dell.com/content/products/featuresdetails.aspx/optix_745?c=uk&l=en&s=bsd&cs=ukbsdt1&~lt=popup
At the Dell support website it said the BIOS update was highly recommended, so my lecturer downloaded it to the desktop and ran it.
The file then requested a reboot and then the BIOS got flashed with the latest update.
Now what stops malware writers making BIOS rootkits for PCs with that type of BIOS RAM?
It's then the same as any other malware: just double click on the file, then it reboots and does the damage.
lodore
BlueZannetti
April 28th, 2007, 04:53 PM
-{ Quote: "now what stops malware writers making bios rootkits for pc's with that type of bios ram?
its then the same as anyother malware just double click on the file then its reboots and does the damaage.
lodore" }-Well...., nothing.
Of course, this assumes that your money making malware efforts are somehow predicated on rendering virtually every PC that runs your special package completely inoperable. There may be a way to make some lemonade out of this lemon, but I'm having a hard time seeing it at the moment.
If you want to get a better idea of the situation, google "flash wrong BIOS".
Blue
Mrkvonic
April 28th, 2007, 04:56 PM
Hello,
There's a difference between random code and specially tailored BIOS code made by the manufacturer. Then, information for each BIOS is dependent on the hardware setup, which can be just about anything. This means that 'bad' code would have to include every single configuration possible - this would take 1TB of code or so - or self-compile depending on the configuration, which sounds kind of contradictory to the second law of thermodynamics.
Of course, the problem, to begin with, is that someone writing this thingie would have to be 100% familiar with the BIOS at hand and successfully combine the first downloader, the BIOS flash code and the tertiary payload that actually does something. All in all, impossible.
And then, the entire thing gets botched when the user decides to manually flash his BIOS as a normal update procedure... Bad code gets flushed.
Furthermore, most BIOSes require external media (floppy, USB, CD) to flash. Another problem.
I can go on for quite a while.
Mrk
SystemJunkie
April 28th, 2007, 06:11 PM
-{ Quote: "I disagree with this. Maybe a BIOS rootkit could do a better job of maintaining itself than the original BIOS could. " }-
Exactly.
There's lots of ignorance in here. I posted a long time ago screens about the wicked capabilities of deep freeze,
it ruined my floppy bootblock in bios and generated a virtual simulation of a second one. With every reboot
you hear(!!) the remains of a former manual deep freeze uninstallation that failed! It sounds like a "clack" with every reboot, which will stay until I change the board. This is just one event that should warn everyone to see what is possible with a little assembler or asl code; cmos is locked forever in this case. No time for belittlement.
And Mrkvonic, be sure I made several reflashes of my bios! But the first part of the flashing procedure is locked!!!!!!
Because of this deep freeze code within my cmos!!! If deep freeze was not the reason then there is only one alternative: Bios Rootkit.
For the third time I will post this proof (http://www.i-boy.net/boynet/content/view/18/113/) of ACPI Bios Code from China. Nobody gave a comment about it, probably because nobody understands the code.
But before downplaying anything you should stop ignorance and start analyzing.
Look to the Past (http://i2.tinypic.com/qs9u90.jpg)
There you will see the blue-green part that was locked while flashing the bios. This area is with high probability the locked bootblock that deep freeze infiltrated. No matter what you try you can't overwrite this section!!!!
Now what do you think a rootkit writer would do? He would probably copy the cmos lock method and you keep flashing, keep flashing until the end of time.. with no success, be sure!
BlueZannetti
April 28th, 2007, 07:21 PM
-{ Quote: "There's lots ignorance in here," }-SystemJunkie,
There are times when you should look to Occam's razor (http://en.wikipedia.org/wiki/Ockham%27s_Razor) for guidance. This is one of them.
-{ Quote: "I posted long time ago screens about the wicked capabilities of deep freeze,
it ruined my floppy bootblock in bios and generated a virtual simulation of a second one. With every reboot
you hear(!!) the remains of a former manual deep freeze uninstallation, that failed! It sounds like a "clack" with every reboot, which will stay until I change the board. This is just one event that should warn everyone to see what is possible with little assembler or asl code, cmos is locked forever in this case." }-Deep Freeze does not function in that fashion.
-{ Quote: "No time for belittlement.
And Mrkvonic be sure I made several reflashes of my bios! But the first part of flashing procedure is locked!!!!!!
Because of this deep freeze code within my cmos!!! If deep freeze was not the reason then there is only one alternative: Bios Rootkit." }-or physical hardware corruption, or software corruption, or..... BIOS rootkit shouldn't even be on the list of potential causes to tell you the truth. By the way, there's a significant difference between belittlement and suggesting a step back to perform a bit of a reality check.
-{ Quote: "The third time I will post this prove (http://www.i-boy.net/boynet/content/view/18/113/) for ACPI Bios Code from China. Nobody gave a comment about it probably because nobody understands the code.
But before downplaying anything you should stop ignorance and start analyzing." }-Perhaps you should closely read what was written. As a general path, the BIOS is a nonstarter. It is too hardware dependent for a general piece of malware. That doesn't mean someone couldn't decide to create a piece of custom firmware for a specific PC model..., but why bother.
-{ Quote: "Look to the Past (http://i2.tinypic.com/qs9u90.jpg)
There you will see the blue-green part, that was locked while flashing the bios. This area is with high probability the locked bootblock that deep freeze infiltrated. No matter what you will try you can't overwrite this section!!!!" }-Right, as it should be.
-{ Quote: "Now what do you think a rootkit writer would do? He would probably copy the cmos lock method and you keep flashing keep flashing until the end of times.. with no success, be sure!" }-I don't think so...
Blue
Rmus
April 28th, 2007, 11:34 PM
Hello SystemJunkie,
-{ Quote: "I posted long time ago screens about the wicked capabilities of deep freeze, " }-This type of statement is at the least irresponsible, and certainly not becoming of someone with your capabilities and knowledge.
In the two educational institutions I've worked at, there must be at least 800 computers that have run Deep Freeze for years without a problem: uninstalls - reinstalls for upgrades, etc. Managed both directly at individual workstations, and via the Enterprise Console over a Lan.
I remember your post, and suggested that if you felt there was a problem with the product, that you should contact Faronics, which you won't, because the problem is not with the product, rather,
-{ Quote: "...the remains of a former manual deep freeze uninstallation, that failed! " }-By manual, I assume not according to what Faronics recommends. After all, DF Uninstall does not even appear in Add/Remove.
So, you might as well start over with a new Board (they aren't that expensive these days) and get on with your life! :)
regards,
-rich
SystemJunkie
April 29th, 2007, 05:09 AM
-{ Quote: "This type of statement is at the least irresponsible, and certainly not becoming of someone with your capabilities and knowledge. " }-
Thanks.
-{ Quote: "I remember your post, and suggested that if you felt there was a problem with the product, that you should contact Faronics, which you won't, because the problem is not with the product, rather,
" }-
No, that's not the problem, I want to keep my privacy.
-{ Quote: "So, you might as well start over with a new Board " }-
Sooner or later, but actually it works quite well and it's a great board.
-{ Quote: "or software corruption, or..... .. there's a significant difference between belittlement and suggesting a step back to perform a bit of a reality check. " }-
Software corruption: DF is able to lock the floppy bootblock/CMOS; a long time ago we discussed this fact, to prevent unauthorized access via floppy.
-{ Quote: "There are times when you should look to Occam's razor for guidance. This is one of them." }-
Good idea.
SpikeyB
April 29th, 2007, 06:46 AM
If you look at this link: www.faronics.com/doc/DFStd_GettingStarted.pdf
It states at the bottom
-{ Quote: "Deep Freeze Security Notice: Deep Freeze does not protect against booting from a floppy drive or CD-ROM drive. The CMOS should be configured to prevent booting from the floppy drive or CD-ROM drive (i.e. set to boot to the hard drive) and the CMOS must be password protected. This is a normal precaution for most public access computers. The Windows Registry, the
computer CMOS and the boot sector are protected by Deep Freeze from within Windows." }-Why would they need to state this fact if they prevented the floppy from booting?
BlueZannetti
April 29th, 2007, 07:19 AM
-{ Quote: "Why would they need to state this fact if they prevented the floppy from booting?" }-As you point out SpikeyB, it's because Faronics doesn't directly deal with this facet of the machine. The computer owner has to handle this aspect of security by manually setting the machine to boot from the DF protected volume only in the BIOS and then password protecting that BIOS. Both of these steps are user initiated and outside the scope of DF.
Blue
SystemJunkie
April 29th, 2007, 09:13 AM
-{ Quote: "Why would they need to state this fact if they prevented the floppy from booting?" }-
Interesting! Maybe the latest versions do so and the old one I tested more than 1 year ago did not. Probably they modified it for the better, or something is damned wrong with my CMOS chip. But it really sounds like a CMOS lock, I hear the sound after every reboot, it's like a "clack" or "click" that occurred a short time after the manual removal of a probably now very old DF version.
Fact is, when using killdisk you see two floppies which do not exist; one is the original empty area, the other CMOS area was filled with a kind of "kernel...sys" whatever file/code. It seems that this code leads to a hang-up, which made it impossible to ever regain access to a floppy drive.
Please refer to floppy problems and kernel thread (http://www.wilderssecurity.com/showthread.php?t=138588)
BlueZannetti
April 29th, 2007, 09:18 AM
-{ Quote: "But it really sounds like a cmos lock, I hear the sound after every reboot, it's like a "clack" or "click" that occured short time after the manual removal of a probably now very old DF Version." }-SystemJunkie,
When you try to flash your BIOS, precisely what do you do?
Blue
SystemJunkie
April 29th, 2007, 09:36 AM
The same thing everyone does: insert the bootdisk, start the flashtool with the BIOS update. As my floppy bootblock was ruined, I used a boot CD, copied the BIOS update to the hard disk and started the flashtool; updating from HD always worked well.
Please refer to floppy problems and kernel thread (http://www.wilderssecurity.com/showthread.php?t=138588) (the unanswered thread because nobody ever seen something like that I guess)
Check this for possible shadow walkers or super short time living emptiness (http://www.wilderssecurity.com/showthread.php?t=172916)
And besides, yesterday the 55 GB partition D: of my HD turned into RAW, you know what that means? 55 GB of information were gone into nirvana. Look:
http://i17.tinypic.com/2qn4j9d.png
Look, only related to partition D:, controllererrors, but they never made really problems, until yesterday:
http://i14.tinypic.com/2u4kb38.png
SystemJunkie
April 29th, 2007, 10:00 AM
And probably that all are only hardware problems.
Ever seen a partition simply turn to RAW?
Why not Partition C, E or F? Why D: ?
Most information were stored on D:
Pure chance or evil mind behind that? It´s up to you, make your own choice.
[And yes I have a firewall, and yes I have a router, and yes I have many AV programs, and yes I own most Anti-Rootkits in existence, so how big is the chance?] I bet it was chance :-)
http://i16.tinypic.com/4gqpmit.png
Oops, I forgot to tell you the size of emptiness: 0 bytes. (the red hidden window in the upper right corner).
That's the pure topic: BIOS Rootkits - Detection / Prevention?
Mrkvonic
April 29th, 2007, 10:33 AM
Hello,
Once, my brother had a partition problem where the MBR "took a trip" from the beginning of the drive to the end of it... So? He fixed it. Problems happen. They do not have to include super-stealthy, super-evil things from hell. They can be simple, complicated hardware-software problems.
Don't look for evidence in coincidence, you will get the wrong kinds of conclusions.
Mrk
SystemJunkie
April 29th, 2007, 10:36 AM
-{ Quote: "They do not have to include a super-stealthy super-evil things from hell. They can be simple, complicated hardware-software problems.
Don't look for evidence in coincidence, you will get the wrong kinds of conclusions." }-
Good idea, too. :D :D :D
Probably one problem is spybro itself, lawenforcer.dll may be the reason for the red csrss.exe
BlueZannetti
April 29th, 2007, 11:35 AM
SystemJunkie,
The types of problems you raise I wouldn't even hazard a guess at without unfettered physical access to the machine in question. There are simply too many unknowns and these are issues that cannot be adequately addressed remotely.
That said, if I had ongoing issues of this nature, I would simply wipe the slate clean. Force a boot block reflash of the BIOS with a clear of the CMOS and reinstall the OS and applications to a clean drive. It's not that hard to do. I'd probably also save the existing physical HDD and do a post-mortem on it after the system was working as desired.
Cheers,
Blue
SystemJunkie
April 29th, 2007, 11:40 AM
IceSword alert comes from Spybro, it's nearly sure. Spybro is a bit of a crazy application with paranoid scan results. That's my experience for now. I quit using it, it's a totally confusing and unnecessary app.
Okay! Thanks for support so far.
AJohn
April 29th, 2007, 02:43 PM
A lot of people here say this or that cannot be done on a widespread breakout, and that is mostly true. The basis for infection which seems to be widely accepted is someone running a file they shouldn't for whatever reason. Assuming someone were to run a malicious file, how hard would it be for the file to get the information it needed for the author to specialize something? Once the file were to infiltrate the machine, it shouldn't be impossible in most cases for it to transmit the data back and forth to the author.
SSK
April 29th, 2007, 03:13 PM
I would like answers to:
Can something be flashed into BIOS / firmware without killing the data that was already there?
Would a complete flash (including bootblock) clear the complete bios space?
How would a bios rootkit execute? Would it need to infiltrate the OS MBR / bootloader to execute?
Please, respond only when you know what you're talking about. I want facts, not fiction. Thanks! :)
AJohn
April 29th, 2007, 03:49 PM
1. Yes
2. Yes
3. BIOS comes before MBR
SystemJunkie
April 29th, 2007, 04:02 PM
-{ Quote: "Would a complete flash (including bootblock) clear the complete bios space?" }-
No, if the bootblock is locked look at this screen (http://i2.tinypic.com/qs9u90.jpg).
My first flash procedure was totally white (as my floppy still worked); the picture you see here (http://i2.tinypic.com/qs9u90.jpg) shows a modified bootblock that is locked. I made 3 reflashes; there was no chance to unlock the block
(until you remove the cmos chip)
AJohn
April 29th, 2007, 04:06 PM
I see "No Update", not "Flash Fail"...?
SpikeyB
April 29th, 2007, 04:07 PM
-{ Quote: "How would a bios rootkit execute? Would it need to infiltrate the OS MBR / bootloader to execute?
Please, respond only when you know what you're talking about. I want facts, not fiction. Thanks! :)" }-You should get your answers thanks to Xeda: -{ Quote: " I've been researching this topic a lot recently (I spent the last 7 hours reading material surrounding this).
I especially found this discussion interesting: http://www.broadbandreports.com/forum/remark,13853178
Pay attention to the posts made by stefaanE, tcp1, and ZOverLord." }-
aigle
April 29th, 2007, 07:03 PM
-{ Quote: "
There's lots ignorance in here, I posted long time ago screens about the wicked capabilities of deep freeze,
it ruined my floppy bootblock in bios and generated a virtual simulation of a second one. With every reboot
you hear(!!) the remains of a former manual deep freeze uninstallation, that failed! It sounds like a "clack" with every reboot, which will stay until I change the board. This is just one event that should warn everyone to see what is possible with little assembler or asl code, cmos is locked forever in this case. No time for belittlement.
And Mrkvonic be sure I made several reflashes of my bios! But the first part of flashing procedure is locked!!!!!!
Because of this deep freeze code within my cmos!!! If deep freeze was not the reason then there is only one alternative: Bios Rootkit.
" }-
I have read your posts about this problem with DeepFreeze many times.
Now I have a question in my mind (actually I wanted to ask it since long ago). I have used a trial of DF on my Toshiba laptop in the past. I don't remember the version number, but it was in March 2006. I was, though, able to uninstall it OK. I wonder if I should worry about its remnants in my BIOS?
Any ideas?
BlueZannetti
April 29th, 2007, 07:17 PM
-{ Quote: "I wonder if I should worry about its remnants in my BIOS?
Any ideas?" }-Should you worry? No.
Blue
SSK
April 29th, 2007, 07:48 PM
Thanks Ajohn, SpikeyB! :)
Makes me wonder if this whole bios / firmware rootkit thingy couldn't be blocked by letting the bios do a self-check on boot (something like a checksum verification or similar).
Re: the picture SystemJunkie posted: there are command-line options to write the bootblock as well. In your picture, it shows that that command-line option was not used.
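SSK's idea above, a checksum-style self-check of the firmware, as an added example that is not part of this thread or of any vendor's BIOS: it compares keyed per-region hashes of a dumped BIOS image against a baseline taken when the board was known good, and tells a changed bootblock apart from a settings area that is expected to change between boots. The 512 KiB flash size, the region offsets, the region names and the key are constructed assumptions for this example; a real board's layout comes from the vendor's documentation, and the baseline and key have to live somewhere the firmware itself cannot rewrite.

```python
"""Firmware image integrity check (added example, not from the thread).

Compares HMAC-SHA256 digests of each region of a BIOS image dump against a
baseline recorded when the board was known good, and reports which regions
changed.  Layout, sizes and key below are constructed for the example."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed region layout for a hypothetical 512 KiB flash part:
# (name, offset, length).  Real layouts differ per board and vendor.
REGIONS: List[Tuple[str, int, int]] = [
    ("main",      0x00000, 0x70000),   # main BIOS code
    ("nvram",     0x70000, 0x08000),   # settings area, expected to change
    ("bootblock", 0x78000, 0x08000),   # bootblock / recovery code
]
IMAGE_SIZE = 0x80000

# Regions whose contents legitimately change between boots (settings, event
# logs); a change there is reported but is not an integrity alarm by itself.
VOLATILE = {"nvram"}


def region_digests(image: bytes, key: bytes) -> Dict[str, str]:
    """HMAC-SHA256 of every region.  The baseline is keyed so that software
    without the key cannot quietly regenerate it after modifying the image."""
    if len(image) != IMAGE_SIZE:
        raise ValueError(f"unexpected image size {len(image):#x}")
    digests = {}
    for name, offset, length in REGIONS:
        digests[name] = hmac.new(key, image[offset:offset + length],
                                 hashlib.sha256).hexdigest()
    return digests


def verify(image: bytes, baseline: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Verdict per region: 'ok', 'changed', or 'changed-volatile'."""
    current = region_digests(image, key)
    verdict = {}
    for name, _, _ in REGIONS:
        if hmac.compare_digest(current[name], baseline[name]):
            verdict[name] = "ok"
        elif name in VOLATILE:
            verdict[name] = "changed-volatile"
        else:
            verdict[name] = "changed"
    return verdict


def make_image(seed: bytes) -> bytes:
    """Deterministic constructed image, a stand-in for a real flash dump."""
    chunks, total, counter = [], 0, 0
    while total < IMAGE_SIZE:
        chunk = hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        chunks.append(chunk)
        total += len(chunk)
        counter += 1
    return b"".join(chunks)[:IMAGE_SIZE]


def demo() -> Dict[str, str]:
    """Baseline a clean image, then check a copy with one byte altered in the
    bootblock and one byte altered in the settings area."""
    key = b"constructed-baseline-key"      # in practice kept off the machine
    clean = make_image(b"clean-firmware")
    baseline = region_digests(clean, key)
    tampered = bytearray(clean)
    tampered[0x78000 + 0x100] ^= 0xFF      # one byte inside the bootblock
    tampered[0x70000 + 0x10] ^= 0x01       # one byte inside nvram
    return verify(bytes(tampered), baseline, key)


if __name__ == "__main__":
    for region, status in demo().items():
        print(f"{region:10s} {status}")
```

Two things this shows that the one-line suggestion does not: a plain checksum has to be keyed or signed, otherwise whatever modified the image can recompute it; and the check has to know which regions are supposed to change, or every saved setting looks like tampering. It also makes the limit visible: the check runs on a dump produced by the running system, so if the firmware being checked is the thing lying, the dump can lie too. That is why a hardware gate on flashing, as Blue suggests further down, or a root of trust below the BIOS is the stronger control.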
BlueZannetti
April 29th, 2007, 10:46 PM
-{ Quote: "Makes me wonder if this whole bios / firmware rootkit thingy couldn't be blocked by letting the bios do a self-check on boot (something like a checksum verification or similar)." }-Of course, the need for this assumes that it's not just a paranoid pipedream floating through the forums.....
Let's be serious and do the math for a moment..., googling "failed BIOS flash" pulls up over 800,000 hits. This is connected to people wanting to flash their BIOS, on their own, supposedly using the proper tool, and either messing it up or having a mid-flash glitch... And we're discussing having a piece of software stealthily perform a BIOS flash operation, say on restart or whenever, on a random piece of hardware from a random generation of PC..., and the end result is expected to be something other than a big woeful box sitting there emitting a last beep or two before silence falls? There are real threats to be aware of. There's really no need to augment the real threats with conjectures of a potential hypothetical partial outline proof of half-a-concept..., at least IMHO.
Blue
AJohn
April 29th, 2007, 11:02 PM
I think the main concern of a BIOS rootkit is not the ability to re-flash the BIOS or not, but the ability of the rootkit spreading to a PCI card which can in turn re-flash the BIOS with modified BIOS. Here is a post from the link provided by Xeda which illustrates this: http://www.broadbandreports.com/forum/remark,13871455
aigle
April 29th, 2007, 11:13 PM
-{ Quote: "Should you worry? No.
Blue" }-Thanks, in fact I am not worrying ;D otherwise I would have asked it long ago when I read SystemJunkie's posts about DF in an older thread. But the thing remained in my to-ask list and when I saw his similar posts again, I thought I must ask it now. Maybe SystemJunkie will disagree!:)
BlueZannetti
April 29th, 2007, 11:47 PM
-{ Quote: "I think the main concern of a BIOS rootkit is not the ability to re-flash the BIOS or not, but the ability of the rootkit spreading to a PCI card which can in turn re-flash the BIOS with modified BIOS. Here is a post from the link provided by Xeda which illustrates this: http://www.broadbandreports.com/forum/remark,13871455" }-and the likelihood that can be performed as a generic approach is as viable now as it was a couple of years ago - which is nil...
If the extant hardware base was homogeneous, there may (and that's a very big may) be reason to focus on it - as a potential POC. However, the extant hardware is heterogeneous, which significantly ups the ante that this could ever be pulled off. Given the complexity of the task, someone with the skill to pull this off would pursue a richer target set.
Blue
AJohn
April 30th, 2007, 12:39 AM
Maybe I'm a big ballin' target.
I don't stress about this, just like people to have correct information so that they can apply it to their current situation.
SSK
April 30th, 2007, 05:21 AM
Thanks Blue. I was more wondering out loud how bios / firmware _could_ be protected if ever necessary.
I agree with your ideas that it is not a current valid way to put malware on a machine. :)
BlueZannetti
April 30th, 2007, 06:17 AM
-{ Quote: "Thanks Blue. I was more wondering out loud how bios / firmware _could_ be protected if ever necessary.
I agree with your ideas that it is not a current valid way to put malware on a machine. :)" }-If it were a real necessity, use a hardware solution to gate the possibility, physical jumpers for example, but something a little more convenient. This is something that would be done only a few times during the lifetime of a machine, so a hardware approach is quite viable.
Blue
SSK
April 30th, 2007, 06:57 AM
You're right. Most people don't even know what bios flashing is ;D
SystemJunkie
April 30th, 2007, 08:34 AM
concerning deep freeze experiences: (http://www.wilderssecurity.com/showthread.php?t=60158&page=3&highlight=deep+freeze)
-{ Quote: "Shadow user isn't even comparable to Deep Freeze. DF uses a kernell mode driver thus it can't be exploited or crashed unless you change your CMOS configuration, " }-
I am wondering why people talk so much about CMOS, when DF supposedly did not make any changes.
-{ Quote: "And Gerard from what I know the only known way to break DF is bypassing windows by making changes to your CMOS." }-
And again a refresher for all who forgot:
http://i14.tinypic.com/4876obd.png
F-Prot Antivirus proves the changes of df. But that was not exebug but df, at least the version I tested.
-{ Quote: "I see "No Update", not "Flash Fail"...?" }-
Yes, what do you think? Would that not be the perfect camouflage?!
As long as I have made biosflashes (and I flashed on several computers) of any kind I have never seen this event that a part of the bios was not updated!!
Rmus
April 30th, 2007, 09:25 PM
Most of the discussion about BIOS Rootkits has focussed on what this thing can do once in the system. While this makes for interesting reading, more apt, it seems to me, is how to prevent it in the first place.
From the vbootkit article:
-{ Quote: "How does vbootkit work?
Nitin & Vipin: A small summary: BIOS --> Vbootkit code(from CD,PXE etc.) --> MBR --> NT Boot sector --> Windows Boot manager --> Windows Loader --> Vista Kernel.
How can an attacker deploy it?
Nitin & Vipin: An attacker doesn't need to install, that's the way it has been designed. Just boot the system by placing the vbootkit media (containing vbootkit in bootsectors) in the drive, and start booting." }-Now, SpikeyB and BlueZannetti have mentioned the topic of preventing any external media from being able to boot. And CMOS password protected of course. That should be the end of it.
However, to consider other scenarios from the article:
-{ Quote: "It doesn't need any privileges only physical access to the machine." }-Doesn't this pretty much negate the threat to home users? Maybe it's a good time to review your own security procedures: could an unauthorized person easily gain access to your computer? (disregarding someone opening it up) Could they boot from an external media? Could they install a malicious program from a USB or CD drive?
As for institutions: I spoke with one System Administrator, and with the protection they have in place, he wasn't worried. Further, writing to MBR is writing to Disk, and with a Reboot-to-Restore program, once rebooted, any changes would be removed from the system. Naturally, anyone with unencumbered physical access to a computer could perhaps eventually do something, but he felt sure that with their physical security procedures, that would be very unlikely. This is speaking for one institution.
-{ Quote: "It can also be installed to a remote system under some conditions (without physical access)." }-They need to explain what they mean by "installed" because above, they say it doesn't need to install.
Regarding BIOS: I asked someone to comment on that part of the article. It echoes statements made here already:
-{ Quote: "As for placing the information in the BIOS/CMOS of the system - while possible this is a lot more complicated than the authors seem to imply. When loading the code in they would have to be sure that they did not overwrite any section of the CMOS memory critical for the operation of the computer - something they couldn't do with certainty due to the difference in BIOS implementations." }-As with some of the esoteric methods in firewall leaktests, there are prevention solutions for intrusion of these types of threats. This deserves more attention than it is getting.
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
SystemJunkie
May 5th, 2007, 07:26 PM
-{ Quote: "Could they boot from an external media? Could they install a malicious program from a USB or CD drive?
" }-
What about those guys who built the computer?
Once they inserted the wrong CPU in my case; I received 15 bucks indemnification, just one example (probably these sharks thought that I wouldn't know CPU-Z). That's how badly built-to-order PCs are sometimes created nowadays.
SystemJunkie
May 30th, 2007, 02:19 PM
-{ Quote: "I would simply wipe the slate clean. Force a boot block reflash of the BIOS with a clear of the CMOS and reinstall the OS and applications to a clean drive. It's not that hard to do. I'd probably also save the existing physical HDD and do a post-mortem on it after the system was working as desired." }-
Do you really think that will cure it? Did you ever read articles by Rutkowska?
Blue Pill. You should do that; Rutkowska advises you to buy a whole new system. The HD format story is totally out of date now and in future. Ever heard of PCI intrusion? A whole new PC is the real alternative, but if you use your old software you might get reinfected on your new computer, too.
Besides, a reflash of the BIOS = impossible if the boot block is locked by a stealth virus.
READ: The Game is over!! (http://theinvisiblethings.blogspot.com/2007/03/game-is-over.html)
Nutta
November 25th, 2007, 07:10 PM
I thought I would post a thought fwiw. I've read much of this thread but not all of it so apologies if I'm repeating something that's been said before.
The flash virus would not have to be a trojan. It could simply be a destructive virus that could cause 'damage' e.g. terrorism. A lot has been made of how easy it is to incorrectly flash updates.
For maximum impact, it would be a Windows virus. It would be written to corrupt as many BIOS/CMOS/flash memory devices on a system in as general a way as possible - just the motherboard would do however. When a user next powers on their machine, it won't start. How is the average user going to recover from this? They will need to re-flash the affected devices from Windows but if they can't get into Windows...
If they don't have their driver CDs or alternative Internet access then they're stuffed.
This would be a DoS attack against equipment, not Internet access. Equipment failure would be the goal and many if not most users would not be able to fully recover their systems.
Is it really that difficult to write a Windows flash memory corrupting virus? Maybe it is, I don't know but if/when someone does, it will be very nasty if released into the wild.
Copyright ©2002 - 2012, Wilders Security Forums