New rootkit uses old trick to hide itself

Article

 

Boot sector rootkit.

lmao.

 

If concerned you could go into your BIOS and turn on BIOS Antivirus Protection (or whatever it's called in your BIOS). This should stop the Boot Sector being written to.

Phasechange

 

are you joking? Lool... do you really believe that?

Beside: You should include in your thoughts that real evil malware will mod your bios too.

 

Hello,

Before Matrix fans scare the living daylights out of you:

- There is no malware that writes to your BIOS, with or without protection, except PoC that made some people famous and gave them good salaries

- The mentioned MBR has nothing to do with mobo BIOS. Some hard disks have their own BIOS btw, which could be used for this purpose. But this is completely unnecessary. Just reinstall the bootloader or use non-MS bootloader like GRUB and problem solved.

- The boot sector is nothing magical.

Mrk

 

Think so. But explain this:

http://i17.tinypic.com/67mxd1d.jpg
The password in bios can´t accessed in first chars, you can enter with your password, but something is set before. Probably many don´t understand this image, it shows a empty space that can´t be resetted if you use the <---- BackKey. I did not make spaces and then started with password it is by default locked. You can only start typing where the "*" begins.

That is roughly translated via translator from a german security side: Subverting Vista Kernel for Fun and Profit

 

Vbootkit is regarded as a successor of Blue pill.

 

Hello,
Explanation: bad hardware, non-english charset ...
And EVEN if this is something really malicious whatever - reflash your bios, case closed.
Mrk

 

Not possible. Cmos bootblock lock. Floppy recognition disabled. Case very open. Beside I await your comments about vbootkit.. do you still believe Bios is untouchable? You have nearly 4000 Posts and are that stubborn to close your eyes for reality. Not understandable.

 

Hello,

CMOS locked? Replace the battery. Remove BIOS from its seat. Are you telling me the magical rootkit also fuses the pins onto the mobo?

The post count means nothing in the context of this.

As much as you admire science fiction, I don't. I stick to reality - which is different from yours, obviously.

I never said BIOS is untouchable. It is touchable indeed. It's called BIOS flash. But it's written by people who have spend 8-10 hours a day trying to make sure their little thingie works well with hardware. And still, the reflashing is a dangerous procedure.

How many hardware combinations exist? 100,000 at the very least.

And you're telling me someone writes generic rootkit that flawlessly patches any BIOS on any hardware, with code small enough to not only fit into the tiny storage but also subvert operating system (which OS, btw? - BSD, OS/2) and control it.

This is called science fiction.

Mrk

 

Doesn´t help because the lock procedure seems to be flashed on chip.

I also find it hard to believe but there is a whole mafia making money with this, if someone blows thousands of $$$ into someones asses anything could be possible. But flawlessly surely not, this is not possible, but even with flaws it could be effective.

 

Here is something fresh and unknown:
http://i18.tinypic.com/6sip7bs.png

The only file on the system with this size is the registry, registry cheating beast.

Looks like unknown Rustock variant.

 

Microsoft: Vista Can Handle MS-DOS Era, 10-Year-Old Master Boot Record Threats - Well, there's a relief!

 

Does that include bluepill+Stealth MBR?
Because news announced this as future trend.

 

Heh!

 

It is no comodo problem, it is unknown rootkit.

http://i8.tinypic.com/8716pvp.png

 

Hello

Both MBR & BIOS virus has been around since the early 80's. The first American DOS antivirus that I remember detecting them was Norton.
I think CIH was a BIOS viri but didn't work with NT systems.
It also fried the BIOS.

I don't see the point in that type visus now days when it's mosly all about the money and what money do you get by frying a BIOS?
The only thing frying the BIOS would be good for is military warfare.

I still say if there is a POC. Usualy ITW follows.

I am sure most of you have used our friend Google to input ACPI BIOS rootkit.

It always brings up a PDF that we are all so found of called.
Implementing and Detecting an ACPI BIOS Rootkit by John Heasman
If I remember correct with my last brain cell, his POC is OS independent and BIOS independent.

As we see today it isn't only white hats creating POC and moving on up, the last two were regular members of root kit dot com but I guess that is not saying they were black hats. Just my speculation.

Do they still make MOBO's that have BIOS virus protection?
I have not seen any in a while. Am just curious.

There was at one time with 486's one jumper that was for reflashing BIOS and another one for resetting the BIOS password.

One thing I hated was the way Compaq used the first part of the hard drive for your BIOS access. How crazy was that?

BUT yes it is funny to see old hat stuff revisited and modified with rootkits.

con

 

I used to believe they were deliberately designed as some others to force a user to have to wind up buying a new PC. Some still will instead of turning to repair shops. Depends on how profitable that market is too

 

Anytime an economy slides towards a recession, service becomes more popular because people are not going out a buying new stuff, they try to get it repaired unless it is more cost effective to buy new over repairing the old.

Just two days ago the cupacoffee virus took out my new laptop keyboard.
I still can't believe after all these years, I haven't done that one before LOL

 

Exactly. Very good summary, this military warfare idea is a little bit scary.
The last annotation is especially for mrkvonic important to know, because he is the main denyer of this truth.

 

Hello,

Proof of concept is one thing. Practical OS zombie god embedded in your bios is something else. Let's not forget its removability - replace bios / flash bios, game over.

Read the paper - assumes i386 architecture... not OS independent.

Some prevention methods mentioned - modern bios locking / preventing reflashing, booting off alternative media, disable acpi, using diagnostic tools to inspect hardware - like dmesg, /proc/acpi ...

And still very proof of concept by good people trying to make a statement ...

Implementation is possible. Likely? No. Existing as described by SystemJunkie? No. That's science fiction. Sentient code does not exist. We don't have Mr. Data around. Yet.

Cheers,
Mrk

 

yes it is i386 but the paper I read deals with linux also. So yes you are correct in doesn't support Mac but does support linux & Windows.

And you know I agree on reflashing BIOS ect. I do before I reformat my systems. I am probably one of the first if not the first here at Wilders that suggested reflashing your BIOS before reformat. I know there can be problems with flashing the BIOS but in all my years i have never seen it.

Not saying it is ITW but am not saying it isn't by this time either.

The technology for writing to the BIOS is old and all they have to do is implement a rootkit or download the rootkit once owned.

 

That is the problem, something that is so old can still be such a threat. I still think a DIP switch to lock up everything on board would be the best or a master switch for Bios, Gracard and all flashable devices.