BIOS Rootkits - Detection / Prevention?

Discussion in 'other security issues & news' started by xeda, Jul 12, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie
    Offline

    SystemJunkie Resident Conspiracy Theorist

    Scary.
    Last edited: Apr 26, 2007
  2. Mrkvonic
    Offline

    Mrkvonic Linux Systems Expert

    Hello,
    And what is that supposed to tell me? Interrupt 13? Sounds like a new torpedo.
    Guys, don't exaggerate with lingo. In the meanwhile, you can unplug the machine - that way no bios / aids anti-rootbotkit will be able to get in ...
    Mrk
  3. SystemJunkie
    Offline

    SystemJunkie Resident Conspiracy Theorist

    What exactly do you want to tell us?
  4. Mrkvonic
    Offline

    Mrkvonic Linux Systems Expert

    Hello,

    Unless you have a substantiated proof / evidence of the existence of such a software, it is best not to spread panic among less knowledgeable people, who will start flashing / jumpering their bioses in an attempt to protect against Mars attacks. Nothing good can come from it.

    One of the developers of an anti-rootkit tool tells us that these are myths. And to prove him wrong, people use similar tools (anti-rootkits) to find bios rootkits that are supposed to be unfindable... sounds ... interesting.

    Mrk
  5. aigle
    Offline

    aigle Registered Member

    I agree, no need to scrae the people but it,s ineresting just for the sake of discussion.
  6. ErikAlbert
    Offline

    ErikAlbert Registered Member

    I'm tired of reading these horror stories without proof. They have no value at all, except scaring people unnecessarily.
    In my newbie time, unaware of any threat, my harddisk was so infected, that even my softwares didn't work anymore, but a simple re-install was always the cure.
  7. SystemJunkie
    Offline

    SystemJunkie Resident Conspiracy Theorist

    Guys you are too small-minded, open your minds. Expect the unexpected.

    Don´t trust anything.:D :D :D
  8. Mrkvonic
    Offline

    Mrkvonic Linux Systems Expert

    Hello,
    BTW, if flashing the BIOS with rootkit code is so simple, then flashing it with official code is even simpler. That's the simplest cure process ever! Just overwrite the file.... Poof. Gone...
    Mrk
  9. AJohn
    Offline

    AJohn Registered Member

    I disagree with this. Maybe a BIOS rootkit could do a better job of maintaining itself than the original BIOS could. Afterall, the original BIOS was not designed with these 'simple mars attacks' in mind.
  10. Mrkvonic
    Offline

    Mrkvonic Linux Systems Expert

    Hello,
    Now we have a MBR in BIOS, have we?
    It's a piece of memory. You flash it, it's empty... or original content replaced. Very simple. It does not matter what the programmer intents, it matters what the architecture of the hardware is.
    Mrk
  11. AJohn
    Offline

    AJohn Registered Member

    Yea good point, I was thinking more of BIOS infection leading to more problems before you flashed the BIOS - like hardware being infected.
  12. EP_X0FF
    Offline

    EP_X0FF Registered Member

    BIOS rootkits - science fiction. If they exists then they works only in the laboratory where they was created.

    Motherboard / PCI rootkits is bad sci-fi. Common, there are infinite count of ways to hide itself without such perversions.

    vbootkit, eye bootkit - pure POC. Even if they hooks IDT, they will be listed by modern antirootkits, bootkit that patch MBR will be catched by boot record scan by almost any antivirus. Bootkit that modifies system files by iniline patching will be flagged by antirootkit (even user mode based antirootkit).

    If BIOS/PCI etc rootkits exists - show me the one which will work at least on five different systems.
  13. BlueZannetti
    Offline

    BlueZannetti Administrator

    Heck, I'd settle for two, actually I'd even settle for one...

    There are plenty of real issues to be concerned about before, as EP_XCFF notes, worrying about either good or bad science fiction..

    Blue
  14. lodore
    Offline

    lodore Registered Member

    BIOS rootkits could be easy as easy to execute as any other malware on certain pc's
    e.g. the pc's at college are dell optiplex 745
    http://www1.euro.dell.com/content/p...ptix_745?c=uk&l=en&s=bsd&cs=ukbsdt1&~lt=popup
    at the dell support website it said the bios update was highly reccomended so my lecurer downloaded it to desktop and ran it.
    the file then requested a reboot and then the bios got flashed with lastest update.
    now what stops malware writers making bios rootkits for pc's with that type of bios ram?
    its then the same as anyother malware just double click on the file then its reboots and does the damaage.
    lodore
  15. BlueZannetti
    Offline

    BlueZannetti Administrator

    Well...., nothing.

    Of course, this assumes that your money making malware efforts are somehow predicated on rendering virtually every PC that runs your special package completely inoperable. There may be a way to make some lemonade out of this lemon, but I'm having a hard time seeing it at the moment.

    If you want to get a better idea of the situation, google "flash wrong BIOS".

    Blue
  16. Mrkvonic
    Offline

    Mrkvonic Linux Systems Expert

    Hello,

    There's a difference between random code and specially tailored BIOS code made by the manufacturer. Then, information for each BIOS is dependant on the hardware setup, which can be just about anything. This means that 'bad' code would have to include every single configuration possible - this would take 1TB of code or so - or self-compile depending on the configuration, which sounds kind of contradictory to the second law od thermodynamics.

    Of course, the problem, to begin with, is that someone writing this thingie would have to be 100% familiar with the BIOS at hand and successfully combine the first downloader, the BIOS flash code and the tertiary payload that actually does something. All in all, impossible.

    And then, the entire thing gets botches when the user decides to manually flash his BIOS as a normal update procedure... Bad code gets flushed.

    Furthermore, most BIOSes require external media (floppy, USB, CD) to flash. Another problem.

    I can go on for quite a while.

    Mrk
  17. SystemJunkie
    Offline

    SystemJunkie Resident Conspiracy Theorist

    Exactly.

    There´s lots ignorance in here, I posted long time ago screens about the wicked capabilities of deep freeze,
    it ruined my floppy bootblock in bios and generated a virtual simulation of a second one. With every reboot
    you hear(!!) the remains of a former manual deep freeze uninstallation, that failed! It sounds like a "clack" with every reboot, which will stay until I change the board. This is just one event that should warn everyone to see what is possible with little assembler or asl code, cmos is locked forever in this case. No time for belittlement.

    And Mrkvonic be sure I made several reflashes of my bios! But the first part of flashing procedure is locked!!!!!!
    Because of this deep freeze code within my cmos!!! If deep freeze was not the reason then there is only one alternative: Bios Rootkit.

    The third time I will post this prove for ACPI Bios Code from China. Nobody gave a comment about it probably because nobody understands the code.
    But before downplaying anything you should stop ignorance and start analyzing.

    Look to the Past
    There you will see the blue-green part, that was locked while flashing the bios. This area is with high probability the locked bootblock that deep freeze infiltrated. No matter what you will try you can´t overwrite this section!!!!

    Now what do you think a rootkit writer would do? He would probably copy the cmos lock method and you keep flashing keep flashing until the end of times.. with no success, be sure!
    Last edited: Apr 28, 2007
  18. BlueZannetti
    Offline

    BlueZannetti Administrator

    SystemJunkie,

    There are times when you should look to Occam's razor for guidance. This is one of them.
    Deep Freeze does not function in that fashion.
    or physical hardware corruption, or software corruption, or..... BIOS rootkit shouldn't even be on the list of potential causes to tell you the truth. By the way, there's a significant difference between belittlement and suggesting a step back to perform a bit of a reality check.

    Perhaps you should closely read what was written. As a general path, the BIOS is a nonstarter. It is too hardware dependent for a general piece of malware. That doesn't mean someone couldn't decide to create a piece of custom firmware for a specific PC model..., but why bother.

    Right, as it should be.

    I don't think so...

    Blue
  19. Rmus
    Offline

    Rmus Exploit Analyst

    Hello SystemJunkie,

    This type of statement is at the least irresponsible, and certainly not becoming of someone with your capabilities and knowledge.

    In the two educational institutions I've worked at, there must be at least 800 computers that have run Deep Freeze for years without a problem: uninstalls - reinstalls for upgrades, etc. Managed both directly at individual workstations, and via the Enterprise Console over a Lan.

    I remember your post, and suggested that if you felt there was a problem with the product, that you should contact Faronics, which you won't, because the problem is not with the product, rather,

    By manual, I assume not according to what Faronics recommends. Afterall, DF Uninstall does not even appear in Add/Remove.

    So, you might as well start over with a new Board (they aren't that expensive these days) and get on with your life! :)

    regards,

    -rich
    Last edited: Apr 28, 2007
  20. SystemJunkie
    Offline

    SystemJunkie Resident Conspiracy Theorist

    Thanks.

    No that´s not the problem, I want to keep my privacy.

    Sooner or later but actually it works quite well and it´s a great board.

    Software Corruption, DF is able to lock the floppy bootblock/cmos, long time ago we discussed about this fact, to prevent unauthorized access via floppy.

    Good idea.
  21. SpikeyB
    Offline

    SpikeyB Registered Member

    If you look at this link: [SIZE=-1]www.faronics.com/doc/DFStd_GettingStarted.pdf [/SIZE]

    It states at the bottom

    Why would they need to state this fact if they prevented the floppy from booting?
  22. BlueZannetti
    Offline

    BlueZannetti Administrator

    As you point out SpikeyB, it's because Faronics doesn't directly deal with this facet of the machine. The computer owner has to handle this aspect of security by manually setting the machine to boot from the DF protected volume only in the BIOS and then password protecting that BIOS. Both of these steps are user initiated and outside the scope of DF.

    Blue
  23. SystemJunkie
    Offline

    SystemJunkie Resident Conspiracy Theorist

    Interesting! Maybe the latest versions doing so and the old one I tested more then 1 years ago did not. Probably they modified it to the better or something is damned wrong with my cmos chip. But it really sounds like a cmos lock, I hear the sound after every reboot, it´s like a "clack" or "click" that occured short time after the manual removal of a probably now very old DF Version.

    Fact is when using killdisk, you see two floppies which do not exists, one is the original empty area, the other cmos area was filled with a kind of "kernel...sys" whatever file/code, seems that this code leads to a hang up, what made it impossible to ever regain access to a floppy drive.

    Please refer to floppy problems and kernel thread
    Last edited: Apr 29, 2007
  24. BlueZannetti
    Offline

    BlueZannetti Administrator

    SystemJunkie,

    When you try to flash your BIOS, precisely what do you do?

    Blue
  25. SystemJunkie
    Offline

    SystemJunkie Resident Conspiracy Theorist

    The same thing everyone does. Insert the bootdisk start the flashtool with biosupdate. As my floppy bootblock was ruined I used a boot CD copied the bios update to harddisk and started flashtool and update from hd worked always well.

    Please refer to floppy problems and kernel thread (the unanswered thread because nobody ever seen something like that I guess)

    Check this for possible shadow walkers or super short time living emptiness

    And beside yesterday my HD 55 GB Part of D: turned in RAW, you know what that mean? 55 GB of Information were gone into nirvana. Look:

    http://i17.tinypic.com/2qn4j9d.png

    Look, only related to partition D:, controllererrors, but they never made really problems, until yesterday:

    http://i14.tinypic.com/2u4kb38.png
    Last edited: Apr 29, 2007
Thread Status:
Not open for further replies.