Can sophos detect firmware rootkits?

Discussion in 'other anti-trojan software' started by famouspogs, Feb 23, 2009.

Thread Status:
Not open for further replies.
  1. famouspogs

    famouspogs Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    8
    I've been wondering about this lately as I used a copy of Windows XP slipstreamed with SP3 that I didn't make, and I'm wondering if someone put a rootkit on it that could have gotten into any firmware. I know it's not likely, but I'm just wondering if Sophos would have picked it up at all. Thanks.
     
  2. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
  3. famouspogs

    famouspogs Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    8
    But could this stuff detect a rootkit in the BIOS is what I'm wondering?
     
  4. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Is the person who provided it to you a blackhat? If not, then don't worry.
     
  5. famouspogs

    famouspogs Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    8
    Probably not someone who was. It was from a torrenting site, however. I did it because I couldn't make a slipstreamed version myself. I do have a copy of Windows and did authenticate it with my CD key as well. I'm just wondering if there could have been something really nasty on it, as I think that would be the perfect way for any kind of firmware/BIOS rootkit to get on. But then I think it would be crazy to implement that method because it has to be too specific to the motherboard and parts used. You could get like one guy out of 500,0000. Seems software rootkits and trojans would be a lot easier to make and implement. At least that's what I think. But I still worry about this kind of thing.
     
  6. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
  7. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    You could always run as many scanners as you can; if they don't turn up any true positives then you can set your mind at rest. If you need some recommendations, holla.
     
  8. famouspogs

    famouspogs Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    8
    I ran massive amounts of scanners and found nothing. But I'm still worried about some rootkit that could be hiding somewhere I couldn't find it, although highly unlikely. Any recommendations would be great.
     
  9. famouspogs

    famouspogs Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    8
    Thanks. I actually had just made a copy of XP with nLite and it worked well. I tested it in a virtual machine and everything went smoothly until trying to install it on my hard drive. Apparently the type of Seagate hard drive I have is having lots of failures because of its firmware. Now I have to go buy a new hard drive. Oh well, at least I found out in time to save my data haha.
     
  10. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    If you've already run a massive amount, you really can rest assured, and as for recommendations, look at the Samsung F1 series, very fast HD! :D
     
  11. famouspogs

    famouspogs Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    8
    Well, that's the thing: I'm worried about rootkits that wouldn't be visible to any scanner. I'm sure I don't have a standard form of rootkit that is detectable.
     
  12. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Mmm do you expect much help? :doubt:
    Was it clean, could you verify the checksum or was it added to...

    Mostly theoretical, POC.

    If you are that worried flash your BIOS with the latest release.
     
  13. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    The chance of any firmware rootkit residing unnoticed on your system is almost infinitesimal. Even if such a thing were to infect your machine, the most likely outcome would be total meltdown.
     
  14. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Why write code which was useless o_O
     
  15. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    Or when it comes to HDD speed he may look at the WD Black series with 32MB cache.
     
  16. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Or the holy mother of all HD's the Velocity Raptor :eek:
     
  17. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Not useless, but there's a reason these things aren't widespread. This is just the type of stuff Joanna Rutkowska likes to blog about, though the technical difficulties in implementing it flawlessly are great. The fact is specifically targeted malware attacks make little financial sense, not when there's $$$ to be earned targeting Adobe and the likes.
     
    Last edited: Feb 25, 2009
  18. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Indeed, I reverse code as a vocation - see my first post.
    Why this is a topic is that rootkits in the BIOS would be a logical next step...

    No longer on hard disk, reboot is not a problem and would survive reinstall of the OS, although practicalities are that different BIOS manufacturers, getting on in the first place and detection would make it arduous.
     
    Last edited: Feb 25, 2009
  19. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    Velociraptor is good, but in some test areas the WD Black with 32MB cache is obtaining good performance (very close to Velociraptor) with higher GB capacity and at a lower price (affordable).

    So let's suppose malware is inside a firmware, let's say a HDD one. What happens? Will this generate a new series of Seagate 7200.11 drives? :eek:
     
  20. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
     
  21. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I don't deny that it may well be beneficial to the malware community to utilize this vector, but there are so many variables which make it a lot more difficult than exploiting flaws in the likes of Adobe or using social engineering. The latter of these require nothing more than a willing user, and there are plenty of those. The current explosion of these shows they're profitable.

    It's only my personal opinion, but I don't see BIOS rootkits becoming widespread; more likely they'd be used for specific industrial espionage and similar purposes. There's also quite a debate over how invisible they'd actually be; there are those of the opinion that they'd be rather easy to detect.

    http://blogs.zdnet.com/security/?p=342
     
  22. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    GES/POR, here is one of the tests where it's compared against the F1, Velociraptor and more: http://techreport.com/articles.x/15363/1
    There are Black models from 500GB and up.
    Sorry for the off-topic.
     
  23. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Indeed.

    Yes, I posted this when Ryan laid down his challenge, much 'noise' to detect.
     
  24. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    A challenge that was rather ludicrously avoided it has to be said.;)
     
  25. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    If you want to read more about firmware and BIOS malware methods with links to how-tos, Award BIOS Code Injection, pay attention to Pincakko's posts. (How-tos at his website.) He has spent a lot of time doing just these things.

    Basically he says it's not possible to get an entire rootkit into a BIOS, but you could fit a jump or starter code in the BIOS, which means persistence somewhere else along with the BIOS. That means a Hidden Partition Area on the HDD or modification of the NIC firmware, which would be a PXE boot situation.

    If there is this type of infection it would most likely be BIOS/HPA-HDD.
    1. Average wiping doesn't remove the HPA from the HDD.
    2. If you fix only one, the infection can return.

    To fix you must wipe the HDD with a program capable of wiping all partitions including HPA/DCO. Then, while the HDD is dormant and free of any code, flash the BIOS.
     
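The post above says an average wipe does not remove a Host Protected Area, so the first thing a defender wants is a quick check of whether the drive even has one. The Python below is an added example, not code from this thread or from any poster; it parses the output of `hdparm -N` (which prints the drive's current and native maximum sector counts) and flags any drive whose current maximum is below its native maximum, because that gap is exactly the space an HPA hides. The line format `max sectors = <current>/<native>, HPA is <state>` is assumed from hdparm's usual output, and the two drives in `SAMPLE_HDPARM_OUTPUT` are constructed, not real devices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `sudo hdparm -N /dev/sda /dev/sdb` output (not real devices).
# The "max sectors = <current>/<native>, HPA is <state>" format is assumed from
# hdparm's usual output; check it against the hdparm version you actually run.
SAMPLE_HDPARM_OUTPUT = """\
/dev/sda:
 max sectors   = 1953525168/1953525168, HPA is disabled

/dev/sdb:
 max sectors   = 1953523120/1953525168, HPA is enabled
"""

# A device header line looks like "/dev/sdb:".
DEVICE_RE = re.compile(r"^(/dev/\S+):$")
# The sector line; the ", HPA is ..." suffix is optional in case an hdparm build omits it.
MAXSECT_RE = re.compile(
    r"max sectors\s*=\s*(\d+)/(\d+)(?:,\s*HPA is (enabled|disabled))?"
)


@dataclass
class HpaStatus:
    device: str
    current_max: int   # sectors the OS can address right now
    native_max: int    # sectors the drive reports it physically has
    hpa_enabled: bool

    @property
    def hidden_sectors(self) -> int:
        # Sectors beyond the current limit are invisible to the OS and to a normal wipe.
        return self.native_max - self.current_max

    @property
    def hidden_bytes(self) -> int:
        # hdparm reports logical 512-byte sectors.
        return self.hidden_sectors * 512


def parse_hdparm_n(text: str) -> List[HpaStatus]:
    """Turn `hdparm -N` output for one or more drives into HpaStatus records."""
    results: List[HpaStatus] = []
    device: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = DEVICE_RE.match(line)
        if header:
            device = header.group(1)
            continue
        m = MAXSECT_RE.search(line)
        if m and device:
            current, native = int(m.group(1)), int(m.group(2))
            # Trust the explicit flag when present; otherwise infer it from the gap.
            enabled = (m.group(3) == "enabled") if m.group(3) else current < native
            results.append(HpaStatus(device, current, native, enabled))
            device = None
    return results


def suspicious_drives(statuses: List[HpaStatus]) -> List[HpaStatus]:
    """Drives worth a closer look: an HPA is set or sectors are hidden."""
    return [s for s in statuses if s.hpa_enabled or s.hidden_sectors > 0]


if __name__ == "__main__":
    for s in parse_hdparm_n(SAMPLE_HDPARM_OUTPUT):
        verdict = "HIDDEN AREA" if s in suspicious_drives([s]) else "ok"
        print(f"{s.device}: {s.current_max}/{s.native_max} sectors, "
              f"{s.hidden_bytes} bytes hidden -> {verdict}")
```

Feed it the real output of `sudo hdparm -N /dev/sdX` and any drive listed by `suspicious_drives` has sectors a normal partition-level wipe will not touch. Two caveats: a Device Configuration Overlay can lower the native maximum that hdparm reports, so `hdparm --dco-identify` is the companion check for the DCO half of the post's advice, and a drive whose firmware is itself compromised can misreport all of these numbers, which is why the post's sequence (wipe including HPA/DCO, then reflash the BIOS while the disk holds nothing) is the remediation rather than this check alone.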