Rootkits headed for BIOS

Discussion in 'malware problems & news' started by lotuseclat79, Jan 28, 2006.

Thread Status:
Not open for further replies.
  1. <DreamCatcher>

    <DreamCatcher> Registered Member

    Joined:
    Jan 6, 2006
    Posts:
    154
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hi,
    A question:
    Rootkits are a possibility, so is a meteor striking earth.
    What is the reality of such an implementation on a wide and effective scale? How real, tangible and near is this threat? This is a nice topic for a conversation, and it definitely piques the mind, but is it or is it not a bit too sci-fi?
    Mrk
     
  3. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Personal opinion? Sci-fi. See here for a somewhat generalized discussion. Read the entire thread, both sides of the perspective are there.

    Blue
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hi,
    I read it. Quite long. And rather sci-fi.
    And like all infections, it still comes down to 'click here for free .... porn / smileys etc'. Or I need a crack for game x, windows, office etc.
    Mrk
     
  5. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182
    I have RD1 BIOS Saviors on all my mobos. If infected, hit the switch and reflash the infected BIOS. :D
     
  6. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    Hi all, I am afraid that this discussion is way over my head technically, but could someone explain please: flashing the BIOS, is this something a user would voluntarily do, or is it done, like some malware programs, without the user's knowledge? Is it something we should be wary of? Thanks in advance.
     
  7. <DreamCatcher>

    <DreamCatcher> Registered Member

    Joined:
    Jan 6, 2006
    Posts:
    154
    Hi,

    Snook

    I really was interested in what you said about 'RD1 BIOS Saviors', as I like the idea of quickly being able to flash the BIOS.

    Due to not having any idea of what it was, I had a look around and found this really cool Link

    that explains what it is and how to install it on your system.
     
    Last edited: Feb 8, 2006
  8. R2D2

    R2D2 Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    70
    Location:
    Tatooine
    Would current methods of protection be helpful against a BIOS rootkit attack, such as:

    Virtualization
    Proactive Intrusion Detection/Prevention (HIPS, IPS)

    Would a program like ProcessGuard detect such an attack, since it operates at kernel level?
     
    Last edited: Feb 7, 2006
  9. controler

    controler Guest

    Nice link Snook


    Another thing: a lot of desktop mobos have two BIOS chips, the main one and the recovery backup one, just like the hardware you linked to. My older Intel mobo has two. If your default BIOS becomes corrupt or you get a bad flash, you simply move a jumper to recover from the backup BIOS.
    I haven't checked on laptops. I would guess if it were incorporated there, you would have to tear your laptop apart to do it. Best to download your mobo manual to see for sure.

    ALSO: do a google search for BIOS backup for more reading.

    controler
     
  10. controler

    controler Guest

  11. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Hm, I actually spent a lot of time researching this BIOS stuff and
    tested a lot of protection programs. The meanest of all was Deep Freeze; I uninstalled it manually and then nothing was like before. This program is very dangerous, it could corrupt your whole PC. I don't know how it is able to modify the CMOS or BIOS, but before I installed it I already thought I had an ACPI or BIOS virus on Win XP. Look at that screen: actually I am unable to boot from floppy disk (corrupt), unable to boot a Nero DOS image to flash a new BIOS. Look what happens:

    http://www.tinypic.com/view/?pic=qnofbs

    any idea? Was it the effect of deep freeze or is it a bios rootkit?

    Then I try to press any key but no key works, everything is just frozen. I tested the boot CD on this PC and it works fine. Another thing that happened to my new PC (the frozen one):
    since I bought it in Mar. 2005 I never managed to do a Win XP install without starting in safe mode. I always was forced to install all my stuff in safe mode, otherwise I had a black screen, but before the black screen this was shown by the BIOS, a green wall or green plate:

    http://www.tinypic.com/view/?pic=qnp57c

    (System Neo4 Board with AMD 64 CPU)
     
    Last edited: Mar 3, 2006
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Concerning ACPI, I also checked the PC with LinuX DVD, look at this!

    http://i1.tinypic.com/op93t3.png

    And what the hell is this? A second disk shown as unknown by Linux.
    This isn't the DVD-ROM, is it? If not, it seems to be a damn hidden thing!

    Could a virus/rootkit hide in DMA Controller or SMBus?

    http://i1.tinypic.com/ofwuhg.jpg

    And why does VICE not work?

    http://i1.tinypic.com/ogxbg8.png

    And why are there unknown components in TCP/UDP, no matter how often I reinstall Windows XP Pro?

    http://i1.tinypic.com/oieqmc.png
     
  13. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi SystemJunkie,

    What tool did you use to get the information in the last displayed image - i.e. not what tool you used to capture the image, but what tool did you use to get the output for tcp/udp that is displayed in the image?

    -- Tom
     
  14. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Hello Tom,

    I use my special netstat: go to the DOS console, then enter: netstat -anobv
     
  15. controler

    controler Guest

    System junkie

    The unknown components are normal when running those netstat switches.

    I would not worry about those.

    Are you using a laptop or desktop machine? I have seen some recent Windows XP installs with updates causing the same type of problem.
    I went into power saving in control panel and set all to never. This way when the laptop freezes and you hit the shutoff button, the laptop does not go into standby.
     
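SystemJunkie's `netstat -anobv` listing and controler's reply that the unknown-component lines are normal point at the check a practitioner would actually script rather than eyeball: parse the listing into sockets together with their owning process, and flag only the listeners whose owner is unexpected, not every socket that carries the marker. What follows is an added example, not code from the thread; the sample output it parses is constructed in the XP-era layout, sample.exe is a made-up image name, and the wording of the unknown-component marker is an assumption matched loosely (the German form is the one quoted in the thread).

```python
"""Parse Windows `netstat -anob` / `netstat -anobv` output into socket records.

Added example with constructed sample output; it is not from the thread.
The layout assumed (a Proto / Local Address / Foreign Address / State / PID
line, followed by indented component lines and the owning image in square
brackets) is that of XP-era netstat. The exact text of the 'unknown
component' marker differs between versions and locales, so it is matched
loosely; the German form is the one quoted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SOCKET_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
IMAGE_RE = re.compile(r"^\s*\[(?P<image>[^\]]+)\]\s*$")
UNKNOWN_MARKERS = ("unknown component", "unbekannte komponente")
SYSTEM_PID = 4  # the Windows System process; netstat -b cannot name its image


@dataclass
class Socket:
    proto: str
    local: str
    foreign: str
    state: str
    pid: int
    image: str = ""                      # owning executable from the [...] line
    components: list[str] = field(default_factory=list)  # DLL/service lines under -v
    owner_unavailable: bool = False      # "Can not obtain ownership information"
    unknown_component: bool = False      # the marker SystemJunkie asked about

    @property
    def listening(self) -> bool:
        """TCP in LISTENING, or any bound UDP socket (netstat shows *:* as its peer)."""
        return self.state == "LISTENING" or (self.proto == "UDP" and self.foreign == "*:*")


def parse_netstat(text: str) -> list[Socket]:
    """Group each socket line with the ownership lines that follow it."""
    sockets: list[Socket] = []
    current: Socket | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SOCKET_RE.match(raw)
        if m:
            current = Socket(m["proto"], m["local"], m["foreign"], m["state"] or "", int(m["pid"]))
            sockets.append(current)
            continue
        if current is None:
            continue  # banner and column header before the first socket
        im = IMAGE_RE.match(raw)
        if im:
            current.image = im["image"]
        elif line.lower().startswith("can not obtain ownership"):
            current.owner_unavailable = True
        elif any(marker in line.lower() for marker in UNKNOWN_MARKERS):
            current.unknown_component = True
        else:
            current.components.append(line)
    return sockets


def suspicious_listeners(sockets: list[Socket], allowed_images: set[str]) -> list[Socket]:
    """Listening sockets worth a second look.

    Flags a listener whose image is not on the allow-list, or whose owner
    could not be determined (except PID 4, where that is normal). The
    'unknown component' marker alone is not flagged: as controler notes,
    it shows up on ordinary system sockets under -v.
    """
    allowed = {name.lower() for name in allowed_images}
    flagged = []
    for s in sockets:
        if not s.listening:
            continue
        if s.owner_unavailable:
            if s.pid != SYSTEM_PID:
                flagged.append(s)
        elif s.image.lower() not in allowed:
            flagged.append(s)
    return flagged


# Constructed sample in the XP -anobv layout; sample.exe is a made-up name.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  c:\\windows\\system32\\rpcss.dll
  -- unknown component(s) --
  [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    192.168.1.10:1047      10.0.0.5:80            ESTABLISHED     1544
  [firefox.exe]
  UDP    0.0.0.0:1034           *:*                                    2210
  -- unknown component(s) --
  [sample.exe]
  UDP    127.0.0.1:1900         *:*                                    1100
  SSDPSRV
  [svchost.exe]
"""

if __name__ == "__main__":
    for s in suspicious_listeners(parse_netstat(SAMPLE), {"svchost.exe", "lsass.exe"}):
        print(f"{s.proto} {s.local} pid={s.pid} image={s.image or '?'} "
              f"owner_unavailable={s.owner_unavailable}")
```

On the constructed sample only the UDP listener owned by sample.exe is reported: the RPC endpoint carries the unknown-component marker but belongs to svchost.exe, and port 445 has no owner information because it belongs to PID 4. The allow-list is the part that needs local judgement; a listener owned by a process you cannot name from the image alone still deserves a look at its full path and signature.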
  16. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I use a desktop PC; good to know that it is normal with those unknown components.
    But what about this:

    http://i2.tinypic.com/qq500h.png

    UDP Unknown thing.

    http://i2.tinypic.com/qq5ly8.png

    This happened after I stopped the internet connection and turned off the LAN.
    I tried to stop most tasks, even devices, but the ports remained until the next reboot,
    then they disappeared again.
     
    Last edited: Mar 4, 2006
  17. controler

    controler Guest

    I am sorry i do not know German.

    The CMD is common along with find.exe when using Microsoft's Shared Computer Toolkit.
     
  18. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    You don't have to know German; I think if you turn on Port Explorer, you can easily see the translation. There are 3 unknown UDP channels listening.

    unknown component = unbekannte Komponente

    listening/open= horchend

    active connections = aktive Verbindungen

    I don't see any problem concerning the language, you have the pics and the procedures.

    Look at the cat and mouse game of my BIOS here: once the memory is shown, once it disappeared:

    http://i2.tinypic.com/qs9zxh.jpg

    http://i2.tinypic.com/qs9zs1.jpg

    And always the A20 line of memory cannot be controlled; in another program my BIOS showed 20 MB of L2 cache,
    crazy isn't it? Sometimes when I enter the BIOS the keys are frozen, another time everything works fine.

    http://i2.tinypic.com/qsa6if.jpg

    Look what McAfee says: FProt worked, but McAfee says insufficient memory

    http://i2.tinypic.com/qsa7a1.jpg
     
    Last edited: Mar 6, 2006
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    SystemJunkie, what are you trying to say?
    Mrk
     
  20. controler

    controler Guest

    System Junkie

    I think your problem might be with Deep Freeze. I never used it but do remember
    a poster once saying it had a fix applied because kids on school computers could bypass Deep Freeze by using a floppy. I would guess the only way to do this would be to not allow booting from floppy in BIOS. I don't know for sure. Did all the expert Deep Freeze users leave this forum?

    Have you written to Deep Freeze support? I am guessing there is something you didn't get right during uninstall.
    Some motherboard manufacturers actually allow you to click on a file while booted to Windows to flash the BIOS. Did you peek at your mobo manufacturer's site for any new updates to the BIOS?
     
  21. controler

    controler Guest

    http://www.msicomputer.com/product/p_spec.asp?model=K8N_Neo4-F&class=mb



    BIOS

    • The mainboard BIOS provides "Plug & Play" BIOS which detects the peripheral devices and expansion cards of the board automatically.
    • The mainboard provides a Desktop Management Interface (DMI) function which records your mainboard specifications.
    • Supports boot from LAN, USB Device 1.1 & 2.0 and SATA HDD

    Can you boot to USB to reflash?

    Is your BIOS Award or AMI?

    http://www.msicomputer.com/support/TechSupport.asp
     
  22. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Thanks Controler for your efforts,

    I reflashed the BIOS this way, using a boot CD-ROM with FreeDOS; it was the only one which worked without problems.

    http://i2.tinypic.com/qs9u90.jpg

    But the first part of it stays; I guess this is the bootloader area of the floppy, right?

    I also re-installed and uninstalled Deep Freeze correctly but that did not change anything. The floppy doesn't work anymore. Would it be useful to do a CMOS clear and then reflash? But I think this wouldn't change anything.

    Another question that many people asked: would a rootkit be able to survive a BIOS flash?
    Could a rootkit use flash areas of unknown controllers/VGA cards?

    I ask this because the PC nearly never manages to control the himem (DOS) area of this computer, no matter what I do.

    In my opinion it is also the motherboard which is suspect; the PC works fine except for these mysterious phenomena. But something was strange too: the Windows update crashed, regsvr32 had a B.O. and Blacklight from F-Secure tells me that the beta-test period is over, also on another fresh Win XP backup I reinstalled.
    RkRevealer reveals nothing, and even if it would, it only has 50:50 chances that the results are not false positives.

    I noticed the same behaviour on the other PC. My old PC also has the problem of not being able to control the A20 line in DOS, and Blacklight Beta also said: test period is over; and the thing which is really insane is with Port Explorer Demo on the old PC: there were still 28 days left or 38 executions, I restart and the old PC displayed: Test period of Port Explorer is over! Crazy isn't it?
     
    Last edited: Mar 6, 2006
  23. controler

    controler Guest

    If you pull the battery on your mobo no rootkit can survive, period!!!
    If you think something survived via video card, try a new or different one.



    con
     
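One distinction worth keeping straight when reading the advice in this thread: pulling the motherboard battery clears the battery-backed CMOS settings RAM, not the flash chip that holds the BIOS code, so the question SystemJunkie asked (can something survive a reflash?) is answered by reading the flash back after the reflash and comparing it with the known-good image, block by block. The following is an added example, not code from the thread or from any vendor flash utility; both images are constructed in make_sample_images(), the 4 KiB block size is an assumption, and on a real board the "dumped" image would come from the flash tool's read-back or, better, from an external programmer so that a compromised OS cannot lie about the contents.

```python
"""Verify a BIOS image read back after a reflash against the known-good image.

Added example, not code from the thread or from any vendor tool. The two
images are constructed in make_sample_images(); on a real board the
'dumped' image would come from reading the flash back (ideally with an
external programmer, so a compromised OS cannot lie about its contents).
"""
from __future__ import annotations

import hashlib
import random

BLOCK = 4096  # compare in 4 KiB blocks (a common flash sector size; assumption)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image, for recording alongside the comparison."""
    return hashlib.sha256(data).hexdigest()


def differing_blocks(reference: bytes, dumped: bytes, block: int = BLOCK) -> list[tuple[int, int]]:
    """Return (offset, length) for every block that differs between the images.

    A size mismatch shows up as differing blocks at the tail of the longer
    image, so a truncated or padded dump never passes as intact.
    """
    if block <= 0:
        raise ValueError("block size must be positive")
    diffs: list[tuple[int, int]] = []
    longest = max(len(reference), len(dumped))
    for off in range(0, longest, block):
        a = reference[off:off + block]
        b = dumped[off:off + block]
        if a != b:
            diffs.append((off, max(len(a), len(b))))
    return diffs


def verify_image(reference: bytes, dumped: bytes) -> dict:
    """Whole-image verdict plus the list of modified regions."""
    diffs = differing_blocks(reference, dumped)
    return {
        "reference_sha256": sha256_hex(reference),
        "dumped_sha256": sha256_hex(dumped),
        "intact": not diffs,
        "differing_blocks": diffs,
    }


def make_sample_images() -> tuple[bytes, bytes]:
    """Constructed 256 KiB 'reference' image and a copy patched at 0x3F000.

    The 16 NOP bytes stand in for an implant; nothing here is a real BIOS.
    """
    rng = random.Random(1234)
    reference = bytes(rng.getrandbits(8) for _ in range(256 * 1024))
    patched = bytearray(reference)
    patched[0x3F000:0x3F010] = b"\x90" * 16
    return reference, bytes(patched)


if __name__ == "__main__":
    ref, dump = make_sample_images()
    report = verify_image(ref, dump)
    print("reference", report["reference_sha256"])
    print("dumped   ", report["dumped_sha256"])
    print("intact:", report["intact"])
    for off, length in report["differing_blocks"]:
        print(f"block at 0x{off:06X} ({length} bytes) differs")
```

On the constructed pair the report names a single differing block at 0x3F000. Real images contain regions that legitimately differ between the vendor's file and a read-back (the board's DMI/ESCD data area, for instance), so a production check masks those ranges first and expects everything else to match byte for byte; the two hashes are kept so the result can be filed against the vendor's published checksum.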
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Pray tell, how/why would you do that? Was it in a Thawed state?

    Your manual uninstall most likely was not successful.

    "All existing Deep Freeze versions must be uninstalled prior to performing any new Deep Freeze installation."

    "Deep Freeze also fully protects the BIOS."

    Not if it is used properly.


    ---
     
  25. controler

    controler Guest

    Hello RMUS

    I was wondering if you saw this thread. Do you also think the BIOS is being held by Deep Freeze? He appears to want to reflash his BIOS at this point. I would also think if he was successful at flashing, he would want to reload Windows.
    Will a poor uninstall keep him from doing this?

    controler
     