Wilders Security Forums  

#51 - April 26th, 2007, 10:44 AM
SystemJunkie (Resident Conspiracy Theorist; joined Mar 2006; Germany; 1,500 posts)
Re: BIOS Rootkits - Detection / Prevention?

Quote:
Just after vbootkit takes control, it hijacks the interrupt 13

Scary.

Last edited by SystemJunkie : April 26th, 2007 at 03:09 PM.
#52 - April 26th, 2007, 02:18 PM
Mrkvonic (Linux Systems Expert; joined May 2005; 7,428 posts)
Re: BIOS Rootkits - Detection / Prevention?

Hello,
And what is that supposed to tell me? Interrupt 13? Sounds like a new torpedo.
Guys, don't exaggerate with lingo. In the meantime, you can unplug the machine - that way no bios / aids anti-rootbotkit will be able to get in ...
Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
#53 - April 26th, 2007, 03:09 PM
SystemJunkie (Resident Conspiracy Theorist; joined Mar 2006; Germany; 1,500 posts)
Re: BIOS Rootkits - Detection / Prevention?

Quote:
In the meanwhile, you can unplug the machine - that way no bios / aids anti-rootbotkit will be able to get in ...

What exactly do you want to tell us?
#54 - April 26th, 2007, 03:21 PM
Mrkvonic (Linux Systems Expert; joined May 2005; 7,428 posts)
Re: BIOS Rootkits - Detection / Prevention?

Hello,

Unless you have substantiated proof / evidence of the existence of such software, it is best not to spread panic among less knowledgeable people, who will start flashing / jumpering their BIOSes in an attempt to protect against Mars attacks. Nothing good can come from it.

One of the developers of an anti-rootkit tool tells us that these are myths. And to prove him wrong, people use similar tools (anti-rootkits) to find bios rootkits that are supposed to be unfindable... sounds ... interesting.

Mrk
#55 - April 26th, 2007, 03:32 PM
aigle (Incredibly Massive Poster; joined Dec 2005; Saudi Arabia / Pakistan; 10,411 posts)
Re: BIOS Rootkits - Detection / Prevention?

I agree, no need to scare people, but it's interesting just for the sake of discussion.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#56 - April 26th, 2007, 03:35 PM
ErikAlbert (Incredibly Massive Poster; joined Jun 2005; 9,456 posts)
Re: BIOS Rootkits - Detection / Prevention?

I'm tired of reading these horror stories without proof. They have no value at all, except scaring people unnecessarily.
In my newbie time, unaware of any threat, my hard disk was so infected that even my software didn't work anymore, but a simple re-install was always the cure.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
#57 - April 26th, 2007, 03:45 PM
SystemJunkie (Resident Conspiracy Theorist; joined Mar 2006; Germany; 1,500 posts)
Re: BIOS Rootkits - Detection / Prevention?

Guys you are too small-minded, open your minds. Expect the unexpected.

Don't trust anything.
#58 - April 26th, 2007, 03:59 PM
Mrkvonic (Linux Systems Expert; joined May 2005; 7,428 posts)
Re: BIOS Rootkits - Detection / Prevention?

Hello,
BTW, if flashing the BIOS with rootkit code is so simple, then flashing it with official code is even simpler. That's the simplest cure process ever! Just overwrite the file.... Poof. Gone...
Mrk
#59 - April 27th, 2007, 01:23 AM
AJohn (Frequent Poster; joined Sep 2004; 935 posts)
Re: BIOS Rootkits - Detection / Prevention?

Quote:
Originally Posted by Mrkvonic
Hello,
BTW, if flashing the BIOS with rootkit code is so simple, then flashing it with official code is even simpler. That's the simplest cure process ever! Just overwrite the file.... Poof. Gone...
Mrk

I disagree with this. Maybe a BIOS rootkit could do a better job of maintaining itself than the original BIOS could. After all, the original BIOS was not designed with these 'simple Mars attacks' in mind.
__________________
·¤"Mash For Our Dreams"¤·
#60 - April 27th, 2007, 03:00 AM
Mrkvonic (Linux Systems Expert; joined May 2005; 7,428 posts)
Re: BIOS Rootkits - Detection / Prevention?

Hello,
Now we have an MBR in BIOS, have we?
It's a piece of memory. You flash it, it's empty... or the original content is replaced. Very simple. It does not matter what the programmer intends, it matters what the architecture of the hardware is.
Mrk
#61 - April 28th, 2007, 12:14 AM
AJohn (Frequent Poster; joined Sep 2004; 935 posts)
Re: BIOS Rootkits - Detection / Prevention?

Yeah, good point. I was thinking more of BIOS infection leading to more problems before you flashed the BIOS - like hardware being infected.
#62 - April 28th, 2007, 05:53 AM
EP_X0FF (Frequent Poster; joined Nov 2006; 233 posts)
Re: BIOS Rootkits - Detection / Prevention?

BIOS rootkits - science fiction. If they exist, they work only in the laboratory where they were created.

Motherboard / PCI rootkits are bad sci-fi. Come on, there are an infinite number of ways to hide without such perversions.

vbootkit, eye bootkit - pure POC. Even if they hook the IDT, they will be listed by modern anti-rootkits; a bootkit that patches the MBR will be caught by the boot record scan of almost any antivirus. A bootkit that modifies system files by inline patching will be flagged by an anti-rootkit (even a user-mode based anti-rootkit).

If BIOS/PCI etc. rootkits exist - show me one that will work on at least five different systems.
__________________
Ring0 - the source of inspiration
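The two detection paths EP_X0FF mentions above (an INT 13h vector that no longer points into the BIOS ROM, and a boot-record scan against a known-good copy) written out as an added example. This is not code from the thread, from vbootkit or from any of the anti-rootkit tools discussed; the low-memory dump, the MBR bytes, the "stolen memory" size and the baseline hash are all constructed here for illustration, and the ROM-window and 0x413 heuristics are stated as assumptions in the comments.

```python
"""Added example, not from the thread: two of the checks EP_X0FF refers to,
run over constructed sample data so that it executes offline.

1. INT 13h hook check.  A real-mode bootkit that "hijacks interrupt 13" must
   point IVT entry 0x13 at its own code in RAM; the usual way to keep that code
   alive is to lower the BIOS Data Area word at 0x413 (conventional memory in
   KiB) so the OS never touches the top few KiB.  The BIOS disk handler lives in
   the ROM window (0xC0000-0xFFFFF), so a vector that resolves into RAM, and in
   particular into the region just below 640 KiB that 0x413 no longer reports,
   is what a pre-OS scanner would flag (heuristic; legitimate EBDA use also
   lowers 0x413 slightly, so the vector target matters more than the value).
2. Boot-record scan.  Verify the 0x55AA signature, sanity-check the partition
   table and compare a hash of the boot-code area with a known-good baseline.
"""
import hashlib
import struct

ROM_WINDOW = 0xC0000      # option ROMs and the system BIOS sit at or above this
BDA_TOP_KIB = 0x413       # BDA word: size of conventional memory in KiB
PART_TABLE_OFF = 446
MBR_SIG_OFF = 510


def check_int13(lowmem: bytes) -> dict:
    """lowmem: the first 0x500 bytes of physical memory (IVT plus BIOS Data Area)."""
    off, seg = struct.unpack_from("<HH", lowmem, 0x13 * 4)
    target = (seg << 4) + off
    top_kib = struct.unpack_from("<H", lowmem, BDA_TOP_KIB)[0]
    if target >= ROM_WINDOW:
        verdict = "rom"                    # expected for an unhooked BIOS
    elif top_kib < 640 and top_kib * 1024 <= target < 0xA0000:
        verdict = "hooked-stolen-memory"   # vector into memory hidden via 0x413
    else:
        verdict = "ram"                    # hooked from ordinary conventional RAM
    return {"seg": seg, "off": off, "linear": target,
            "top_kib": top_kib, "verdict": verdict}


def scan_mbr(mbr: bytes, baseline_sha256: str = "") -> dict:
    """Parse a 512-byte MBR; report structural problems and a boot-code hash."""
    problems, entries, active = [], [], 0
    if len(mbr) != 512:
        problems.append("wrong length")
    if struct.unpack_from("<H", mbr, MBR_SIG_OFF)[0] != 0xAA55:   # bytes 55 AA
        problems.append("missing 0x55AA signature")
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if status not in (0x00, 0x80):
            problems.append(f"entry {i}: bad status {status:#x}")
        active += status == 0x80
        if ptype and count == 0:
            problems.append(f"entry {i}: zero-length partition")
        entries.append((status, ptype, lba, count))
    if active > 1:
        problems.append("more than one active partition")
    used = [e for e in entries if e[1]]
    for a in range(len(used)):
        for b in range(a + 1, len(used)):
            if used[a][2] < used[b][2] + used[b][3] and used[b][2] < used[a][2] + used[a][3]:
                problems.append("overlapping partitions")
    code_hash = hashlib.sha256(mbr[:440]).hexdigest()   # code area only
    return {"entries": entries, "problems": problems, "code_sha256": code_hash,
            "matches_baseline": not baseline_sha256 or code_hash == baseline_sha256}


# --- constructed sample data (not dumps from a real machine) -------------------
def sample_lowmem(int13_seg: int, int13_off: int, top_kib: int) -> bytes:
    buf = bytearray(0x500)
    struct.pack_into("<HH", buf, 0x13 * 4, int13_off, int13_seg)
    struct.pack_into("<H", buf, BDA_TOP_KIB, top_kib)
    return bytes(buf)


def sample_mbr(code: bytes, parts=((0x80, 0x07, 63, 2_000_000),)) -> bytes:
    buf = bytearray(512)
    buf[:len(code)] = code
    for i, entry in enumerate(parts):
        struct.pack_into("<B3xB3xII", buf, PART_TABLE_OFF + 16 * i, *entry)
    struct.pack_into("<H", buf, MBR_SIG_OFF, 0xAA55)
    return bytes(buf)


CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"     # stand-in for real boot code
CLEAN_MBR = sample_mbr(CLEAN_CODE)
BASELINE = hashlib.sha256(CLEAN_MBR[:440]).hexdigest()
INFECTED_MBR = sample_mbr(b"\xeb\x3c" + CLEAN_CODE[2:])  # first bytes patched to a jump

if __name__ == "__main__":
    print(check_int13(sample_lowmem(0xF000, 0xEC59, 640)))   # vector into ROM
    print(check_int13(sample_lowmem(0x9F00, 0x0000, 636)))   # vector into stolen 4 KiB
    print(scan_mbr(CLEAN_MBR, BASELINE))
    print(scan_mbr(INFECTED_MBR, BASELINE))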
#63 - April 28th, 2007, 01:15 PM
BlueZannetti (Administrator; joined Oct 2003; 6,589 posts)
Re: BIOS Rootkits - Detection / Prevention?

Quote:
Originally Posted by EP_X0FF
If BIOS/PCI etc rootkits exists - show me the one which will work at least on five different systems.
Heck, I'd settle for two, actually I'd even settle for one...

There are plenty of real issues to be concerned about before, as EP_X0FF notes, worrying about either good or bad science fiction.

Blue
#64 - April 28th, 2007, 04:43 PM
lodore (Incredibly Massive Poster; joined Jun 2006; 8,876 posts)
Re: BIOS Rootkits - Detection / Prevention?

BIOS rootkits could be as easy to execute as any other malware on certain PCs,
e.g. the PCs at college are Dell Optiplex 745
http://www1.euro.dell.com/content/pr...sdt1&~lt=popup
At the Dell support website it said the BIOS update was highly recommended, so my lecturer downloaded it to the desktop and ran it.
The file then requested a reboot, and then the BIOS got flashed with the latest update.
Now what stops malware writers making BIOS rootkits for PCs with that type of BIOS RAM?
It's then the same as any other malware: just double click on the file, then it reboots and does the damage.
lodore
__________________
useful tools:cure it SAS Hitman Pro mbam KL Eset windows defender offline Sophos
#65 - April 28th, 2007, 04:53 PM
BlueZannetti (Administrator; joined Oct 2003; 6,589 posts)
Re: BIOS Rootkits - Detection / Prevention?

Quote:
Originally Posted by lodore
Now what stops malware writers making BIOS rootkits for PCs with that type of BIOS RAM?
It's then the same as any other malware: just double click on the file, then it reboots and does the damage.
lodore
Well...., nothing.

Of course, this assumes that your money making malware efforts are somehow predicated on rendering virtually every PC that runs your special package completely inoperable. There may be a way to make some lemonade out of this lemon, but I'm having a hard time seeing it at the moment.

If you want to get a better idea of the situation, google "flash wrong BIOS".

Blue
#66 - April 28th, 2007, 04:56 PM
Mrkvonic (Linux Systems Expert; joined May 2005; 7,428 posts)
Re: BIOS Rootkits - Detection / Prevention?

Hello,

There's a difference between random code and specially tailored BIOS code made by the manufacturer. Then, information for each BIOS is dependent on the hardware setup, which can be just about anything. This means that 'bad' code would have to include every single configuration possible - this would take 1TB of code or so - or self-compile depending on the configuration, which sounds kind of contradictory to the second law of thermodynamics.

Of course, the problem, to begin with, is that someone writing this thingie would have to be 100% familiar with the BIOS at hand and successfully combine the first downloader, the BIOS flash code and the tertiary payload that actually does something. All in all, impossible.

And then, the entire thing gets botched when the user decides to manually flash his BIOS as a normal update procedure... Bad code gets flushed.

Furthermore, most BIOSes require external media (floppy, USB, CD) to flash. Another problem.

I can go on for quite a while.

Mrk
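Mrkvonic's point in #60 and here ("you flash it, the original content is replaced") and the objection that follows in the thread (a region that the flash tool refuses to overwrite) both come down to the same practical check: compare what is actually in the chip with the vendor's image, block by block, and say which differences a normal reflash could undo. The following is an added example and not code from the thread or from any flash utility; the 64 KiB images, the 4 KiB block size and the write-protected boot-block range are constructed assumptions rather than a real part's layout.

```python
"""Added example, not from the thread: compare a dumped flash image with the
vendor's image block by block and report which differences a normal reflash
can and cannot undo.  Images, the 4 KiB block size and the protected range
are constructed assumptions, not a real part's layout.
"""
import hashlib

BLOCK = 4096


def diff_image(dump: bytes, vendor: bytes, protected=()) -> dict:
    """protected: (start, end) byte ranges the flash utility is not allowed to
    write, e.g. a hardware write-protected boot block."""
    if len(dump) != len(vendor):
        raise ValueError("image sizes differ: wrong vendor image for this board?")
    blocks = []
    for off in range(0, len(dump), BLOCK):
        if dump[off:off + BLOCK] != vendor[off:off + BLOCK]:
            blocks.append({"offset": off,
                           "locked": any(s <= off < e for s, e in protected)})
    return {
        "identical": not blocks,
        "dump_sha256": hashlib.sha256(dump).hexdigest(),
        "vendor_sha256": hashlib.sha256(vendor).hexdigest(),
        "blocks": blocks,
        # a reflash only restores the image if every differing block is writable
        "reflash_restores": all(not b["locked"] for b in blocks),
    }


# --- constructed images (not real firmware) ------------------------------------
VENDOR = bytes(range(256)) * 256                 # 64 KiB deterministic "vendor" image
PROTECTED = ((0xF000, 0x10000),)                 # assumed write-protected boot block
CLEAN_DUMP = VENDOR

_tampered = bytearray(VENDOR)
_tampered[0x1234:0x1238] = b"\xde\xad\xbe\xef"   # change in a writable block
_tampered[0xF100:0xF104] = b"\xde\xad\xbe\xef"   # change inside the boot block
TAMPERED_DUMP = bytes(_tampered)

if __name__ == "__main__":
    print("clean dump identical:", diff_image(CLEAN_DUMP, VENDOR, PROTECTED)["identical"])
    report = diff_image(TAMPERED_DUMP, VENDOR, PROTECTED)
    for b in report["blocks"]:
        print(f"block at {b['offset']:#07x} differs, locked={b['locked']}")
    print("reflash restores everything:", report["reflash_restores"])
```

Two caveats a practitioner would add. The dump has to come from something more trustworthy than the OS on the suspect machine; a flash read done through the chipset by software running on a compromised system can be fed whatever the attacker likes, so an external programmer clipped onto the chip is the reference method. And the vendor image must be the exact same version as what was flashed, otherwise every block differs and the comparison tells you nothing.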
#67 - April 28th, 2007, 06:11 PM
SystemJunkie (Resident Conspiracy Theorist; joined Mar 2006; Germany; 1,500 posts)
Re: BIOS Rootkits - Detection / Prevention?

Quote:
I disagree with this. Maybe a BIOS rootkit could do a better job of maintaining itself than the original BIOS could.

Exactly.

There's lots of ignorance in here. I posted long time ago screens about the wicked capabilities of Deep Freeze;
it ruined my floppy bootblock in BIOS and generated a virtual simulation of a second one. With every reboot
you hear(!!) the remains of a former manual Deep Freeze uninstallation that failed! It sounds like a "clack" with every reboot, which will stay until I change the board. This is just one event that should warn everyone to see what is possible with a little assembler or ASL code; CMOS is locked forever in this case. No time for belittlement.

And Mrkvonic, be sure I made several reflashes of my BIOS! But the first part of the flashing procedure is locked!!!!!!
Because of this Deep Freeze code within my CMOS!!! If Deep Freeze was not the reason then there is only one alternative: BIOS rootkit.

For the third time I will post this proof of ACPI BIOS code from China. Nobody gave a comment about it, probably because nobody understands the code.
But before downplaying anything you should stop ignorance and start analyzing.

Look to the Past
There you will see the blue-green part that was locked while flashing the BIOS. This area is with high probability the locked bootblock that Deep Freeze infiltrated. No matter what you try, you can't overwrite this section!!!!

Now what do you think a rootkit writer would do? He would probably copy the CMOS lock method and you keep flashing, keep flashing until the end of times... with no success, be sure!

Last edited by SystemJunkie : April 28th, 2007 at 06:38 PM.
#68 - April 28th, 2007, 07:21 PM
BlueZannetti (Administrator; joined Oct 2003; 6,589 posts)
Re: BIOS Rootkits - Detection / Prevention?

Quote:
Originally Posted by SystemJunkie
There's lots of ignorance in here,
SystemJunkie,

There are times when you should look to Occam's razor for guidance. This is one of them.
Quote:
I posted long time ago screens about the wicked capabilities of deep freeze,
it ruined my floppy bootblock in bios and generated a virtual simulation of a second one. With every reboot
you hear(!!) the remains of a former manual deep freeze uninstallation, that failed! It sounds like a "clack" with every reboot, which will stay until I change the board. This is just one event that should warn everyone to see what is possible with little assembler or asl code, cmos is locked forever in this case.
Deep Freeze does not function in that fashion.
Quote:
No time for belittlement.

And Mrkvonic be sure I made several reflashes of my bios! But the first part of flashing procedure is locked!!!!!!
Because of this deep freeze code within my cmos!!! If deep freeze was not the reason then there is only one alternative: Bios Rootkit.
or physical hardware corruption, or software corruption, or..... BIOS rootkit shouldn't even be on the list of potential causes to tell you the truth. By the way, there's a significant difference between belittlement and suggesting a step back to perform a bit of a reality check.

Quote:
The third time I will post this prove for ACPI Bios Code from China. Nobody gave a comment about it probably because nobody understands the code.
But before downplaying anything you should stop ignorance and start analyzing.
Perhaps you should closely read what was written. As a general path, the BIOS is a nonstarter. It is too hardware dependent for a general piece of malware. That doesn't mean someone couldn't decide to create a piece of custom firmware for a specific PC model..., but why bother.

Quote:
Look to the Past
There you will see the blue-green part, that was locked while flashing the bios. This area is with high probability the locked bootblock that deep freeze infiltrated. No matter what you will try you can´t overwrite this section!!!!
Right, as it should be.

Quote:
Now what do you think a rootkit writer would do? He would probably copy the cmos lock method and you keep flashing keep flashing until the end of times.. with no success, be sure!
I don't think so...

Blue
#69 - April 28th, 2007, 11:34 PM
Rmus (Exploit Analyst; joined Mar 2005; 3,624 posts)
Re: BIOS Rootkits - Detection / Prevention?

Hello SystemJunkie,

Quote:
Originally Posted by SystemJunkie
I posted long time ago screens about the wicked capabilities of deep freeze,
This type of statement is at the least irresponsible, and certainly not becoming of someone with your capabilities and knowledge.

In the two educational institutions I've worked at, there must be at least 800 computers that have run Deep Freeze for years without a problem: uninstalls, reinstalls for upgrades, etc. Managed both directly at individual workstations and via the Enterprise Console over a LAN.

I remember your post, and suggested that if you felt there was a problem with the product, that you should contact Faronics, which you won't, because the problem is not with the product, rather,

Quote:
...the remains of a former manual deep freeze uninstallation, that failed!
By manual, I assume not according to what Faronics recommends. After all, DF Uninstall does not even appear in Add/Remove.

So, you might as well start over with a new Board (they aren't that expensive these days) and get on with your life!

regards,

-rich

Last edited by Rmus : April 28th, 2007 at 11:54 PM.
#70 - April 29th, 2007, 05:09 AM
SystemJunkie (Resident Conspiracy Theorist; joined Mar 2006; Germany; 1,500 posts)
Re: BIOS Rootkits - Detection / Prevention?

Quote:
This type of statement is at the least irresponsible, and certainly not becoming of someone with your capabilities and knowledge.
Thanks.

Quote:
I remember your post, and suggested that if you felt there was a problem with the product, that you should contact Faronics, which you won't, because the problem is not with the product, rather,
No, that's not the problem, I want to keep my privacy.

Quote:
So, you might as well start over with a new Board
Sooner or later, but actually it works quite well and it's a great board.

Quote:
or software corruption, or..... .. there's a significant difference between belittlement and suggesting a step back to perform a bit of a reality check.
Software corruption: DF is able to lock the floppy bootblock/CMOS. Long time ago we discussed this fact, to prevent unauthorized access via floppy.

Quote:
There are times when you should look to Occam's razor for guidance. This is one of them.
Good idea.
#71 - April 29th, 2007, 06:46 AM
SpikeyB (Frequent Poster; joined Mar 2005; 464 posts)
Re: BIOS Rootkits - Detection / Prevention?

If you look at this link: www.faronics.com/doc/DFStd_GettingStarted.pdf

It states at the bottom

Quote:
Deep Freeze Security Notice: Deep Freeze does not protect against booting from a floppy drive or CD-ROM drive. The CMOS should be configured to prevent booting from the floppy drive or CD-ROM drive (i.e. set to boot to the hard drive) and the CMOS must be password protected. This is a normal precaution for most public access computers. The Windows Registry, the
computer CMOS and the boot sector are protected by Deep Freeze from within Windows.
Why would they need to state this fact if they prevented the floppy from booting?
#72 - April 29th, 2007, 07:19 AM
BlueZannetti (Administrator; joined Oct 2003; 6,589 posts)
Re: BIOS Rootkits - Detection / Prevention?

Quote:
Originally Posted by SpikeyB
Why would they need to state this fact if they prevented the floppy from booting?
As you point out SpikeyB, it's because Faronics doesn't directly deal with this facet of the machine. The computer owner has to handle this aspect of security by manually setting the machine to boot from the DF protected volume only in the BIOS and then password protecting that BIOS. Both of these steps are user initiated and outside the scope of DF.

Blue
#73 - April 29th, 2007, 09:13 AM
SystemJunkie (Resident Conspiracy Theorist; joined Mar 2006; Germany; 1,500 posts)
Re: BIOS Rootkits - Detection / Prevention?

Quote:
Why would they need to state this fact if they prevented the floppy from booting?

Interesting! Maybe the latest versions do so and the old one I tested more than a year ago did not. Probably they modified it for the better, or something is damned wrong with my CMOS chip. But it really sounds like a CMOS lock; I hear the sound after every reboot, it's like a "clack" or "click" that occurred a short time after the manual removal of a probably now very old DF version.

Fact is, when using KillDisk you see two floppies which do not exist; one is the original empty area, the other CMOS area was filled with a kind of "kernel...sys" whatever file/code. It seems that this code leads to a hang-up, which made it impossible to ever regain access to a floppy drive.

Please refer to floppy problems and kernel thread

Last edited by SystemJunkie : April 29th, 2007 at 09:34 AM.
#74 - April 29th, 2007, 09:18 AM
BlueZannetti (Administrator; joined Oct 2003; 6,589 posts)
Re: BIOS Rootkits - Detection / Prevention?

Quote:
Originally Posted by SystemJunkie
But it really sounds like a CMOS lock; I hear the sound after every reboot, it's like a "clack" or "click" that occurred a short time after the manual removal of a probably now very old DF version.
SystemJunkie,

When you try to flash your BIOS, precisely what do you do?

Blue
#75 - April 29th, 2007, 09:36 AM
SystemJunkie (Resident Conspiracy Theorist; joined Mar 2006; Germany; 1,500 posts)
Re: BIOS Rootkits - Detection / Prevention?

The same thing everyone does. Insert the boot disk, start the flash tool with the BIOS update. As my floppy bootblock was ruined, I used a boot CD, copied the BIOS update to the hard disk and started the flash tool; the update from HD always worked well.

Please refer to floppy problems and kernel thread (the unanswered thread, because nobody has ever seen something like that, I guess)

Check this for possible shadow walkers or super short time living emptiness

And besides, yesterday my HD's 55 GB partition D: turned RAW, you know what that means? 55 GB of information went into nirvana. Look:

http://i17.tinypic.com/2qn4j9d.png

Look, only related to partition D:, controllererrors, but they never made really problems, until yesterday:

http://i14.tinypic.com/2u4kb38.png

Last edited by SystemJunkie : April 29th, 2007 at 09:57 AM.
 

Copyright ©2002 - 2013, Wilders Security Forums