BIOS Rootkits - Detection / Prevention?

Discussion in 'other security issues & news' started by xeda, Jul 12, 2006.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I heard someone saying on these forums that such rootkits are already out from China. Who knows?
    Anyway, what's the harm of having a physical protection on the motherboard, a jumper etc.?!
     
    Last edited: Apr 24, 2007
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Is the assumption that the hardware could come pre-infected? Or is it a case of a rootkit being installed on the system which then infects the hardware?


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    2nd one I think.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Agreed!

    Looking back through this thread, which is about both detection and prevention, most of the discussion is on how the exploit might work and subsequent detection (or non-detection) -- which, by the way, makes for very interesting reading. Nonetheless, I thought I would review the matter to see about prevention, so I looked again at the long thread at DSLR:

    Undetectable Trojan??
    http://www.broadbandreports.com/forum/remark,13853178~days=9999

    Amongst all of the technical babble-jabble -- also very interesting reading -- emerged a few note-worthy comments:

    There was one scenario posted, with accompanying code. I stopped reading after the first line:

    regards,

    -rich

     
  5. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    If the hardware were to come infected chances are you would have a very small chance of even knowing. I think the biggest issue here is becoming infected after getting your computer and never being able to get rid of the problem.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    How do you think you might get infected?


    regards,

    -rich

     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi Rmus, very nice points indeed, but it's only for those who control executables on their PC.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    So what is the verdict?
    Do I need to be afraid of the numerous BIOS rootkits and hardware viruses when I reboot into a clean snapshot, or not?
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello aigle,

    I'm not sure what you mean: doesn't everyone control executables on their PC?


    regards,

    -rich

     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Not unless that "clean" snapshot somehow became "unclean."

    regards,

    -rich

     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I mean in this case the best protection can only be by some HIPS, policy restrictions, safe surfing, common sense etc. etc.
    The average PC user doesn't know about executables, let alone how to control them.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is the crux of the whole problem of security: people don't know about executables.

    Ask someone you know - neighbor, friend, relative - to explain how the computer knows to start MSWord when you double-click on a *.doc file. Or how their picture viewer knows to start when they d-click on a *.jpg file. Or the difference between a *.txt and *.exe file?

    Ask them what a "file association" is.

    This is why I've always insisted that security begins with understanding file types and file associations.

    Now, how you accomplish that with the "average PC user" is the big question. It can be done, but they have to be willing to learn, and there has to be someone to teach.

    Everyone here can teach someone what you know. So do it! That will be one more knowledgeable person!

    regards,

    -rich

     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    But Anti-Executable recognizes more than 80 executables, so it knows better than me what executables are and AE will stop them, if they aren't whitelisted.
    It's impossible for me to learn more than 80 file extensions by heart, unless I have a photographic memory or an I.Q. of 180, which is not the case. :)
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I use HIPS for the very same reason plus more...
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, but HIPS with multiple choice questions, like YES or NO are too dangerous for me, I have only 50% chance to guess it right and that was unacceptable for me. With Anti-Executable I don't have to guess, it's always RIGHT.
    My last weapon is a frozen snapshot, which kills them all.
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is not necessary. All you need to know is the concept: most malware are executable files. So, the protection you need is a solution which deals with executables.

    How do you apply that? Well, you have to know the various entry points that a malware executable can exploit, such as web-embedded code, aka remote code execution, drive-by download. What solution will block that?

    Suppose you accidentally open an infected email attachment? What solution will block that?

    You don't have to know that *.ocx is an executable, but you know the concept of an executable, and that your solution will block any unauthorized executable, and you may discover that *.ocx is one.

    Whether the product for your prevention solution is a full-blown HIPS program or a simple stand-alone execution protection program matters little: it is the concept you are working with.

    For years I did not know that a screensaver was an executable file. I just thought it was a picture file. I never used them, so I had no acquaintance with them.

    But when the Netsky worm showed up, it made use of the double-extension trick, and turned out to be a *.scr file. When it was blocked in the test, I was puzzled, and then learned that it is indeed an executable, and in this case, carried a bad payload:

    http://www.urs2.net/rsj/computing/imgs/zip1.gif
    http://www.urs2.net/rsj/computing/imgs/zip3.gif
    http://www.urs2.net/rsj/computing/imgs/zip2.gif
    http://www.urs2.net/rsj/computing/imgs/netsky-scan.gif

    What if it were a rootkit? So what?

    To enlarge on what I mentioned in my first post: once the concept of file types, file associations is learned, then you move to the attack points, and then you apply solutions.

    To me, this is a much more effective way of developing a security strategy than just recommending a list of products. That may work for the experienced user, who already understands the concepts. But aigle mentioned the "average user" and this is the user that needs good instruction. Unfortunately, the person purchasing her/his first computer at a local store probably will purchase an AV program at the suggestion of the salesperson, "to protect your computer against the viruses out there."

    They go home having no idea what an AV really does, probably won't know to keep it updated, and it's all downhill from there. Don't you think that the preponderance of people harvested for botnets fall into that category?


    regards,

    -rich

     
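As an added illustration of the concept in the post above (example code, not from the thread or from any product it mentions): Windows picks the file association from the last extension only, so a defender's attachment triage should classify on that last extension and flag a decoy extension sitting in front of it, which is exactly the double-extension trick the Netsky *.scr sample used. The extension lists below are constructed and deliberately short.

```python
from typing import NamedTuple, Iterable, List

# Constructed, non-exhaustive set of Windows extensions that run code when
# opened; the point is the concept of "an executable", not a complete list.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif",
                   "vbs", "js", "ocx", "dll", "msi", "hta"}
# Extensions a user reads as harmless data; a double-extension trick places
# one of these just before the real (executable) extension.
DECOY_EXTS = {"txt", "jpg", "gif", "doc", "pdf", "zip"}


class Verdict(NamedTuple):
    filename: str
    true_ext: str          # the extension the shell actually associates
    executable: bool       # true_ext is in EXECUTABLE_EXTS
    double_extension: bool # a decoy extension precedes an executable one


def classify(filename: str) -> Verdict:
    """Classify one attachment name by the extension Windows will act on."""
    name = filename.strip()
    parts = name.lower().split(".")
    # No dot at all means no extension and therefore no file association.
    true_ext = parts[-1].strip() if len(parts) > 1 else ""
    executable = true_ext in EXECUTABLE_EXTS
    # The decoy is the segment before the last dot; it is often padded with
    # spaces ("report.txt        .scr") so the real extension scrolls out of view.
    decoy = parts[-2].strip() if len(parts) > 2 else ""
    double = executable and decoy in DECOY_EXTS
    return Verdict(name, true_ext, executable, double)


def triage(filenames: Iterable[str]) -> List[Verdict]:
    """Return the verdicts for a batch of attachment names (constructed input)."""
    return [classify(f) for f in filenames]


if __name__ == "__main__":
    # Constructed sample attachment names for a quick run.
    for v in triage(["notes.txt", "photo.jpg.exe",
                     "report.txt                    .scr", "saver.scr"]):
        print(v)
```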
  17. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Here's a short extract from a recent 3 page interview with Nitin & Vipin.

    New school is back to the old school ! Very interesting, and alarming.

    ***********************

    http://www.securityfocus.com/columnists/442/2


    StevieO
     
    Last edited by a moderator: Apr 25, 2007
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Very interesting read, but no real details on how to protect against it.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi StevieO, I tried to download this POC rootkit (bootkit) but their site seems down. :(
     
  20. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    @ aigle

    BOOT KIT by Nitin Kumar and Vipin Kumar is downloadable from here if you're still having difficulties hxxp://www.rootkit.com/project.php?id=34

    You might also like to check out the (eEye) BootRootkit whilst you're there.

    I was able to DL the BK from here http://www.nvlabs.in/?q=node/11

    I've heard it mentioned that enabling the BIOS boot virus checker might help? But that wouldn't prevent it being loaded from USB devices etc.

    Strange why they have had no official contact from MS on this, especially as Vista is "supposed" to be a lot more secure!


    StevieO
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks StevieO, I tried again and this time I was able to download from their site.
    I wish I could play with it. But I need to set up a VM, and also I am not sure if it needs to be compiled or not (I can't compile, of course). I have requested some people to test it (but I'm not sure if they will/can do so).

    I uploaded both basic and advanced versions to VT:
    Basic detected by Antivir, BD, Ewido, Ikarus, and WebWasher, plus Fortinet(possible threat).
    Advanced version detected by KAV and F-secure.
    I submitted to Avira, KAV and NOD.

    What's special about the (eEye) BootRootkit?
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I searched the site and found nothing. Can you give me a link?
    Thanks
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, I googled and got it.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I downloaded the eEye BootRootkit but it has a password and no password is mentioned on their site. Any help?

    Thanks
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I think again here the main defence is control of unauthorized/unwanted/unknown execution. If you can do it, nothing can harm your system.
     