BIOS Rootkits - Detection / Prevention?

Discussion in 'other security issues & news' started by xeda, Jul 12, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    And probably all of that is only hardware problems.

    Ever seen a partition that simply turned to RAW?

    Why not partition C, E or F? Why D:?

    Most information was stored on D:

    Pure chance or an evil mind behind that? It's up to you, make your own choice.

    [And yes I have a firewall, and yes I have a router, and yes I have many AV programs, and yes I own most Anti-Rootkits in existence, so how big is the chance?] I bet it was chance :)

    http://i16.tinypic.com/4gqpmit.png

    Oops, I forgot to tell you the size of the emptiness: 0 bytes (the red hidden window in the upper right corner).
    That's pure topic: BIOS Rootkits - Detection / Prevention?
     
    Last edited: Apr 29, 2007
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,

    Once, my brother had a partition problem where the MBR "took a trip" from the beginning of the drive to the end of it... So? He fixed it. Problems happen. They do not have to include a super-stealthy super-evil thing from hell. They can be simple, complicated hardware-software problems.

    Don't look for evidence in coincidence, you will get the wrong kinds of conclusions.

    Mrk
     
  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Good idea, too. :D :D :D

    Probably one problem is Spybro itself; lawenforcer.dll may be the reason for the red csrss.exe.
     
    Last edited: Apr 29, 2007
  4. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    SystemJunkie,

    The types of problems you raise I wouldn't even hazard a guess at without unfettered physical access to the machine in question. There are simply too many unknowns and these are issues that cannot be adequately addressed remotely.

    That said, if I had ongoing issues of this nature, I would simply wipe the slate clean. Force a boot block reflash of the BIOS with a clear of the CMOS and reinstall the OS and applications to a clean drive. It's not that hard to do. I'd probably also save the existing physical HDD and do a post-mortem on it after the system was working as desired.

    Cheers,

    Blue
     
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    The IceSword alert comes from Spybro, it's nearly sure. Spybro is a bit of a crazy application with paranoid scan results. That's my experience for now. I quit using it; it's a totally confusing and unnecessary app.

    Okay! Thanks for support so far.
     
  6. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    A lot of people here say this or that cannot be done in a widespread outbreak, and that is mostly true. The basis for infection which seems to be widely accepted is someone running a file they shouldn't for whatever reason. Assuming someone were to run a malicious file, how hard would it be for the file to get the information it needed for the author to specialize something? Once the file were to infiltrate the machine, it shouldn't be impossible in most cases for it to transmit the data back and forth to the author.
     
  7. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    I would like answers to:

    Can something be flashed into BIOS / firmware without killing the data that was already there?

    Would a complete flash (including bootblock) clear the complete bios space?

    How would a bios rootkit execute? Would it need to infiltrate the OS MBR / bootloader to execute?

    Please, respond only when you know what you're talking about. I want facts, not fiction. Thanks! :)
     
  8. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    1. Yes
    2. Yes
    3. BIOS comes before MBR
     
    Last edited: Apr 29, 2007
  9. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    No, if the bootblock is locked, look at this screen.

    My first flash procedure was totally white (as my floppy still worked); the picture you see here shows a modified bootblock that is locked. I made 3 reflashes and there was no chance to unlock the block (until you remove the CMOS chip).
     
  10. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I see "No Update", not "Flash Fail"...?
     
  11. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    You should get your answers thanks to Xeda
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I have read many times your posts about this problem with DeepFreeze.
    Now I have a question in my mind (actually I wanted to ask it for a long time). I have used a trial of DF on my Toshiba laptop in the past. I don't remember the version number, but it was in March 2006. I was, though, able to uninstall it OK. I wonder if I should worry about its remnants in my BIOS?
    Any ideas?
     
    Last edited: Apr 29, 2007
  13. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Should you worry? No.

    Blue
     
  14. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Thanks Ajohn, SpikeyB! :)

    Makes me wonder if this whole bios / firmware rootkit thingy couldn't be blocked by letting the bios do a self-check on boot (something like a checksum verification or similar).

    Re: the picture SystemJunkie posted: there are command-line options to write the bootblock as well. In your picture, it shows that that command-line option was not used.
     
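    The checksum self-check SSK is musing about, as an added example that is not part of the thread: a per-region integrity check of a firmware dump against a known-good baseline, written in Python. The region layout, offsets and sample image are constructed for the example, and the baseline is assumed to be stored where the firmware itself cannot rewrite it.

```python
import hashlib

# Constructed layout of a hypothetical 64 KiB BIOS image as (name, offset, length).
# Real layouts vary per vendor; these offsets are invented for the example.
REGIONS = (
    ("main_block", 0x0000, 0xE000),   # code that a normal flash rewrites
    ("bootblock",  0xE000, 0x2000),   # region that may be write-locked
)

def region_hashes(image):
    """Return {region_name: sha256_hex} for every region defined in REGIONS."""
    digests = {}
    for name, offset, length in REGIONS:
        chunk = image[offset:offset + length]
        if len(chunk) != length:
            raise ValueError(f"image too short for region {name!r}")
        digests[name] = hashlib.sha256(chunk).hexdigest()
    return digests

def verify_image(image, baseline):
    """Compare an image against a baseline manifest {name: sha256_hex}.
    Returns the sorted names of regions whose digest differs (empty = clean).
    A region missing from the baseline is reported as changed, never trusted."""
    current = region_hashes(image)
    return sorted(name for name, digest in current.items()
                  if baseline.get(name) != digest)

def make_sample_image(seed=7):
    """Deterministic constructed 64 KiB image; stands in for a real firmware dump."""
    return bytes((i * 31 + seed) & 0xFF for i in range(0x10000))

# Baseline taken from the known-good image. It is assumed to live somewhere the
# firmware cannot rewrite (write-protected medium, or a record kept off the
# machine); keeping it in the same mutable flash would defeat the check.
CLEAN_IMAGE = make_sample_image()
BASELINE = region_hashes(CLEAN_IMAGE)

def tamper(image, offset, size=16):
    """Constructed altered copy: overwrite `size` bytes at `offset` with zeros."""
    patched = bytearray(image)
    patched[offset:offset + size] = bytes(size)
    return bytes(patched)

if __name__ == "__main__":
    print("clean image:", verify_image(CLEAN_IMAGE, BASELINE) or "all regions match")
    print("main block changed:", verify_image(tamper(CLEAN_IMAGE, 0x1000), BASELINE))
    print("bootblock changed:", verify_image(tamper(CLEAN_IMAGE, 0xE100), BASELINE))
```

    The per-region split is what tells you whether only the main block or also the supposedly locked bootblock differs from the baseline.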
  15. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Of course, the need for this assumes that it's not just a paranoid pipe dream floating through the forums.....

    Let's be serious and do the math for a moment..., googling "failed BIOS flash" pulls up over 800,000 hits. This is connected to people wanting to flash their BIOS, on their own, supposedly using the proper tool, and either messing it up or having a mid-flash glitch... And we're discussing having a piece of software stealthily perform a BIOS flash operation, say on restart or whenever, on a random piece of hardware from a random generation of PC..., and the end result is expected to be something other than a big woeful box sitting there emitting a last beep or two before silence falls? There are real threats to be aware of. There's really no need to augment the real threats with conjectures of a potential hypothetical partial outline proof of half-a-concept..., at least IMHO.

    Blue
     
  16. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I think the main concern of a BIOS rootkit is not the ability to re-flash the BIOS or not, but the ability of the rootkit spreading to a PCI card which can in turn re-flash the BIOS with modified BIOS. Here is a post from the link provided by Xeda which illustrates this: http://www.broadbandreports.com/forum/remark,13871455
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks, in fact I am not worrying :D otherwise I would have asked it long ago when I read SystemJunkie's posts about DF in an older thread. But the thing remained in my to-ask list and when I saw his similar posts again, I thought I must ask it now. Maybe SystemJunkie will disagree! :)
     
  18. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    and the likelihood that can be performed as a generic approach is as viable now as it was a couple of years ago - which is nil...

    If the extant hardware base were homogeneous, there may (and that's a very big may) be reason to focus on it - as a potential POC. However, the extant hardware is heterogeneous, which significantly ups the ante that this could ever be pulled off. Given the complexity of the task, someone with the skill to pull this off would pursue a richer target set.

    Blue
     
  19. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Maybe I'm a big ballin' target.

    I don't stress about this, just like people to have correct information so that they can apply it to their current situation.
     
  20. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Thanks Blue. I was more wondering out loud how bios / firmware _could_ be protected if ever necessary.
    I agree with your ideas that it is not a current valid way to put malware on a machine. :)
     
  21. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    If it were a real necessity, use a hardware solution to gate the possibility, physical jumpers for example, but something a little more convenient. This is something that would be done only a few times during the lifetime of a machine, so a hardware approach is quite viable.

    Blue
     
  22. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    You're right. Most people don't even know what BIOS flashing is :D
     
  23. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Concerning Deep Freeze experiences:

    I am wondering why people talk so much about CMOS, when DF supposedly did not make any changes.

    And again a refresher for all who forgot:

    http://i14.tinypic.com/4876obd.png

    F-Prot Antivirus proves the changes of DF. But that was not exebug but DF, at least the version I tested.

    Yes, what do you think? Would that not be the perfect camouflage?!

    For as long as I have made BIOS flashes (and I flashed on several computers) of any kind, I have never seen this event that a part of the BIOS was not updated!!
     
    Last edited: Apr 30, 2007
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Most of the discussion about BIOS Rootkits has focussed on what this thing can do once in the system. While this makes for interesting reading, more apt, it seems to me, is how to prevent it in the first place.

    From the vbootkit article:

    Now, SpikeyB and BlueZannetti have mentioned the topic of preventing any external media from being able to boot. And CMOS password protected of course. That should be the end of it.

    However, to consider other scenarios from the article:

    Doesn't this pretty much negate the threat to home users? Maybe it's a good time to review your own security procedures: could an unauthorized person easily gain access to your computer? (disregarding someone opening it up) Could they boot from an external media? Could they install a malicious program from a USB or CD drive?

    As for institutions: I spoke with one System Administrator, and with the protection they have in place, he wasn't worried. Further, writing to the MBR is writing to disk, and with a Reboot-to-Restore program, once rebooted, any changes would be removed from the system. Naturally, anyone with unencumbered physical access to a computer could perhaps eventually do something, but he felt sure that with their physical security procedures, that would be very unlikely. This is speaking for one institution.

    They need to explain what they mean by "installed" because above, they say it doesn't need to install.

    Regarding BIOS: I asked someone to comment on that part of the article. It echoes statements made here already:

    As with some of the esoteric methods in firewall leaktests, there are prevention solutions for intrusion of these types of threats. This deserves more attention than it is getting.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  25. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    What about those guys who built the computer?

    Once they inserted a false CPU in my case, and I received 15 bucks indemnification; just one example (probably these sharks thought that I wouldn't know CPU-Z) of how badly built-to-order PCs are sometimes created nowadays.
     