BIOS rootkits- reality or fiction?

Discussion in 'other security issues & news' started by aigle, Oct 23, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    The topic has been discussed many times and I am realy much interested in it. I have read many posts on sysinternals forums that look like fiction. The story even goes far to other harware components like network card, CD rom etc.:rolleyes:

    Here I have two Qs? Has anyone proof that they are really in the wild? if so, what is that proof?
    Has anyone a working sample of such a malware?

    I just need answers to these Qs rather than a long discussion( don,t mind a short one though:D ) with no result. If some bady has any evidence, please let us know. It,s the best, quick and easiest way to decide.

    Please join the discussion!

    Thanks
     
  2. controler

    controler Guest

  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks for the response. I will read it later.
    That,s why I asked specifically if any body has a working sample? Or even seen it?
     
  4. Nubiatech

    Nubiatech Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    50
    Location:
    IL, USA
    I don't have neither a proof nor a sample, but ...
    I am just joining the discussion. :)
    The only proof of concept I know of, was the ACPI rootkit.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks. Welcome to the discussion.:)
     
  6. controler

    controler Guest

    The CIH virus targeted the BIOS also
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes I have got a copy of it :D . I wish to try it against HIPS and Sandboxes but I know I can,t.

    I Think it was not a BIOS rootkit, just damaging the CMOS etc if I remember well.
     
  8. controler

    controler Guest

  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have a slow DSL, difficult to watch it ATM atleast.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Have not see the movie yet but I found this information.

    http://www.bit-tech.net/news/2007/04/17/uefi_will_kill_the_bios/

    I have got a feeling that if writing a good BIOS is difficult, then writing a good BIOS rootkit will be difficult too. If writing UEFI is easier, writing a UEFI rootkit might be easier too unless there is some fool proof method to protect it.:eek:
     
  11. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    ACPI RK is proven otherwise the guys wouldn´t have written papers about how to implement, once I showed a link to source code from a chinese webside, use search function on board, maybe it is still there.

    http://www.ngssoftware.com/research/papers/BH-VEGAS-07-Heasman.pdf
     
    Last edited: Oct 24, 2007
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    No fiction:
    It is a disaster, why pci cards are not designed by default to block any unsigned firmware update, the same with dvd burners.

     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    All this is not a proof to be in the wild.
     
  14. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I got my prove when once partition D was erased in raw mode
    I could follow this action live. But maybe it was Rustock.C or D,
    they claim to be in the wild and totally undetectable, according EP
    or a supernatural hardware error that only killed partition D.
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hello

    From above:

    totally undetectable < live CD (Linux, Windows take your pick).

    Cheers,
    Mrk
     
  16. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Do you think your dvd burner firmware is secure?
    I once owned a plextor dvd writer he crashed due to unknown reasons, not often in use, normally this shouldn´t happen.
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hello,
    Yes I do.
    BTW, my DVD burner died yesterday ... so?
    Does that mean something is fishy in the Kingdom of Abhazia? No.
    Just bad hardware - it pisses me off all right, but I'm gonna replace it.
    Mrk
     
  18. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    In maybe 90% yes, but we surely don't want to know the remaining 10%...
    Beside I wrote Plextor, because they are the most expensive.. so what?
     
  19. jfd15

    jfd15 Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    234
    Location:
    Sacramento, CA
    i dont know much about this stuff but rootkit.com had an article on
    this stuff...
    said cd/dvd was vulnerable, bios, and a few other things also...

    at this point i just assume that something is on my computer, so i wont
    bank online anymore...i had an older computer 7-8 months ago on DSL line
    and knew even less then, but my free AVG found about 50 "zlob unloaders"
    and other stuff, when i finally got around to scanning...i use firefox now on my laptop, but all the security stuff grinds it down to a halt, so i think i may just
    give up on doing anything securely online....
     
  20. Dogbiscuit

    Dogbiscuit Guest

    Is it possible, sure. Is it likely ITW, today or in the near future, probably not - considering all the different drives, firmware, BIOSs, etc., out there. A stalker/hacker targeting your specific computer might be able to make use of such devices. But seriously, how likely is that?

    You could try running under limited accounts (no slowdown). They prevent the installation of rootkits, as no driver can load unless you're running as admin. Do all your online banking in a separate limited account. Browse in another. I find this to be the safest, easiest way to setup up a system. Start out clean, and use the admin account only when you must. Add security software if you need it, or just delete the one limited account and its files if it were to become infected.

    The point is, I think there are ways to prevent most any kind of rootkit installation, BIOS or otherwise.
     
  21. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    In my case it was likely I could show you plenty of stalker emails from a total psychopathic mind, kind of schizoid individual living in his self created world-war.

    Not really, restricted account exploits will kill your dreams of online security, as well a test showed that keyloggers work also in this mode.
     
  22. Dogbiscuit

    Dogbiscuit Guest

    This really is OT, but thanks for sharing.

    You've pointed out an assumption that might not have been clear. Yes, some malware does function while running in a limited account, as this developer pointed out in another forum thread:
    However, I did not assume that using a limited account prevented malware (e.g., keyloggers) from functioning within that limited account. But that under an LUA, rootkits would need admin rights to install their driver(s), thus preventing nearly all attempts to critically impair the rest of your system.
     
    Last edited by a moderator: Nov 2, 2007
  23. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I guess OT stands for open theory.

    Make the test yourself... most keyloggers work with ease in restricted mode.. LoL. NO assumption, you can test it anytime, anywhere.. and the prove will follow.. LooL

    Do you think modern rootkits need driver? Ask EP he may explain that there shall exist a phantom that even doesn´t need a file. I can´t hardly believe that too but I don´t exclude any idea and consider it as real threat.

    Here is original quotation from one of the most funny thread-battles ever @ wilders:
     
    Last edited: Nov 2, 2007
  24. Dogbiscuit

    Dogbiscuit Guest

    These types of questions always seem to bring out the paranoids and trolls.

    Aigle, have you ever questioned any AV professionals, or developers here if they've ever come across anything even like a BIOS rootkit?
     
  25. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hello,
    Junkie, I explained this to you. Anything running on the computer is a file.
    Even your phantom has little bits wrapped into something. Please don't turn this into sci-fi.
    Mrk
     
Loading...
Thread Status:
Not open for further replies.