Can sophos detect firmware rootkits?

I've been wondering about this lately as I used a copy of windows XP slip streamed with SP3 that I didn't make and I'm wondering if someone put a rootkit on it that could have gotten into any firmware. I know its not likely but I'm just wondering if sophos would have picked it up at all. Thanks.

 

Sophos Endpoint Security and Control 8.x have anti-rootkit component.

For other users, Sophos has released Sophos Anti-Rootkit as a freeware.
http://sophos.com/products/free-tools/sophos-anti-rootkit.html

 

But could this stuff detect a rootkit in the bios is what im wondering?

 

This person who provided you is a blackhat? If no then dont worry

 

Probably not someone who was. It was from a torrenting site however. I did it because I couldn't make a slip streamed version myself. I do have a copy of windows and did authenticate it with my CD key aswell. I'm just wondering if there could have been something really nasty on it as I think that would be the perfect way for any kind of firmware/bios rootkit to get on. But then I think it would be crazy to implement that method because it has to be too specific to the motherboard and parts used. You could get like one guy out of 500,0000. Seems software rootkits and trojans would be a lot easier to make and implement. At least thats what I think. But I still worry about this kind of thing.

 

Bit OT but there are some good video tutorials on using Nlite on youtube.It's actually much easier than it first seems.

http://www.youtube.com/results?search_type=&search_query=nlite&aq=f

 

You could always run as much scanners as you can, if they dont turn op any true positives then you set your mind at rest - if you need some recommendations holla

 

I ran massive ammounts of scanners and found nothing. But I'm still worried about some rootkit that could be hiding somewhere I couldn't find it. although highly unlikely. Any recommendations would be great.

 

Thanks. I actually had just made a copy of XP with Nlite and it worked well. I tested it in virtual machine and everything went smooth until trying to install it on my hard drive. Apparently the type of seagate harddrive I have is having lots of failures because of its firmware. Now I have to go buy a new hard drive. Oh well atleast I found out in time to save my data haha.

 

If you run a massive amount allready you really need to rest assured and when coming to recommendations look at the Samsung F1 series, very fast HD!

 

Well thats the thing I'm worried about rootkits that wouldn't be visible to any scanner. I'm sure I don't have standard form of rootkit that is detectable.

 

Mmm do you expect much help?
Was it clean, could you verify the checksum or was it added to...

Mostly theoretical, POC.

If you are that worried flash your BIOS with the latest release.

 

The chance of any firmware rootkit residing unnoticed on your system is almost infinitessimal.Even if such a thing were to infect your machine the most likely outcome would be total meltdown.

 

Why write a code which was useless

 

Or when it comes to HDD speed he may look at WD Black series with 32mb cache.

 

Or the holy mother of all HD's the Velocity Raptor

 

Not useless but there's a reason these things aren't widespread.This is just the type of stuff Joanne Rutkowska likes to blog about though the technical difficulties in implementing it flawlessly are great.The fact is specifically targeted malware attacks make little financial sense,not when there's $$$ to be earned targeting Adobe and the likes.

 

Indeed, I reverse code as a vocation - see my first post.

Why this is a topic is that rootkits in the BIOS would be a logical next step...

No longer on hard disk, reboot is not a problem and would survive reinstall of the OS, although practicalities are that different BIOS manufacturers, getting on in the first place and detection would make it arduous.

 

Velociraptor is good but in some test areas the WD Black with 32 mb Cache are obtainig good performance (very close to Velociraptor) with higher GB capacity and at a lower price (affordable).


So lets suppose a malware is inside a firmware, lets say into a HDD one ,what happens, will this generate a new series of Seagate 7200.11 drives ?

 

I don't deny that it may well be beneficial to the malware community to utilize this vector but there are so many variables which make it a lot more difficult than exploiting flaws in the likes of Adobe or using social engineering.The latter of these require nothing more than a willing user and there are plenty of those.The current explosion of these shows they're profitable.

It's only my personal opinion but I don't see BIOS rootkits becoming widespread,more likely they'd be used for specific industrial espionage and similar purposes.There's also quite a debate over how invisible they'd actually be,there are those of the opinion that they'd be rather easy to detect.

http://blogs.zdnet.com/security/?p=342

 

GES/POR ,here is one of the tests where its compared againsts F1 ,Velociraptor and more : http://techreport.com/articles.x/15363/1
There are black models from 500GB and up.
Sorry for the offtopic.

 

Indeed.

Yes, I posted this when Ryan laid down his challenge, much 'noise' to detect.

 

A challenge that was rather ludicrously avoided it has to be said.

 

If you want to read more about firmware and bios malware methods with links to how to's, Award Bios Code Injection, pay attention to Pincakko's posts. (How to's at his website) He has spent a lot of time to do just these things.

Basically he says it's not possible to get an entire rootkit into a bios, but you could fit a jump or starter code in the bios, which means a persistence somewhere else along with the bios. That means a Hidden Partition Area on the HDD or modification of the nic firmware, which would be a PXE boot situation.

If there is this type of infection it would most likely be Bios/HPA-HDD.
1. Average wiping doesn't remove the HPA from the HDD.
2. If you fix only one, the infection can return.

To fix you must wipe the HDD with a program capable of wiping all partitions including HPA/DCO. Then while the HDD is dorment and free of any code, flash the bios.