Firmware infecting malware?How about it?

Discussion in 'malware problems & news' started by normishmael, Nov 18, 2008.

Thread Status:
Not open for further replies.
  1. normishmael

    normishmael Guest

    Are there real threats that are able to infect a machines hardware,
    so that eraseing partitians and re-instaling the operating system will
    not remove them?

    If not now,does anyone see them in the future?
     
  2. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,121
    Location:
    Pennsylvania.
    Thats a scary idea. :blink:
     
  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yes, one example Rootkit Icelord for award bios generally.
    In some russian ug forums you find discussions about dvd firmware infectors.

    BTW one important question you should always ask yourself: Do I trust the vendors of my hardware?
     
    Last edited: Nov 19, 2008
  4. normishmael

    normishmael Guest

    SystemJunkie:

    Would something like IceLord be detected by normal root-kit scanners?
     
  5. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    971
    Location:
    Paris
    Even if it did and could clean everything up Firmware worms are gifts that keep on giving.
     
  6. normishmael

    normishmael Guest

    I second cheater87...Thats some sinister scary crap.
    Even with normal ,"simple" software rootkits a re-instal is nessasary,
    correct?

    You know,on other forums you here remarks about "Paranoid Wilders Folk".
    It is hard for some to understand that some of us real LIKE this security stuff.
    It is no different than gamers,or P2P fans,or anything else.
    I tried Ubuntu for awhile,and I found I really
    missed Anti-virus,anti-spyware,firewalls,ect.
    The idea that Clam was enough just did not compute.
    Our passion ends up making the net a safer place for those who could care less about
    security,as long as "Warcraft" runs well.
     
    Last edited by a moderator: Nov 19, 2008
  7. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Flash memory malware sllab skcus!

    Here is a bit of "sci-fi" potential that is extremely scary!

    Want to be scared? Click this!

    Laptops that have usb 2.0 host controllers can have 1mb serial nand flash or as much as 8mb nand flash for newer laptops. I wonder if the nand flash sizes will increase with the new usb 3.0 standard?
    I'm trying to locate the article I found this info on. If true then the usb host controllers may be an attack vector also.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    How about you all drop the paranoia by three notches and relax a little.
    Words like bios and firmware sound scary, but:

    1. Flashing them is not easy even with legit code.
    2. Even if flashing them with malware might succeed ...
    3. Re-flashing wthem with legit code would work equally well.

    No more malware ...

    The greatest problem with the concept is creating a file that would not actually render the device useless, but work and provide the "hacker" with the backdoor he needs. And all that inside a tiny device that contains the drivers for the hardware.

    Unlikely ...

    Besides, all these peripherals would require the operating system to work, so you could still block them nicely with firewall and such. And cleaning would be a piece of cake - just reflash the peripheral and Bob's your uncle.

    Relax.

    Oh, apropos flash in routers ... That flash is actually used by the device, don't you think? It's not there just lying around waiting for **** to happen.

    And removing it would be as easy as planting it.

    Of course, let's not forget that someone would have to download a file that miraculously fits his/her exact hardware and then execute this file. And the device should then continue working ... Ye right.

    Too many movies.

    Lastly, from this quote:

    "A Wi-Fi worm could exploit the standard firmware update process and add its own malicious code that turns the router into a little spy."

    Ye right, worms wait just around the corner for the firmware update, which most people never do ... and simple firewalls block worms easily. And this "worm" magically works with all "routers" ...

    Please ... you're more likely to die of ebola. Now, there's some serious malware.

    Mrk
     
  9. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I agree this thread shows a high level of unjustified paranoia, but from a couple years now, we have been hearing about BIOS infecting rootkits.
    Since this has been around for some time, what do the experts think about it? how likely is it to happen? Are there samples in the wild?

    Quoted from http://www.securityfocus.com/news/11372
    (01-26-2006)
     
  10. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I think that this type of infection is a herders "holy grail" as well as any other types that would like to remain persistent.

    The ability to attack routers and remain persistent has already been News. The articles I've read (2), don't state how to recover from such an attack. There would be no better target than people who don't upgrade the firmware of their routers, if that's how you can recover from these types of attacks.

    As for John Heasmans statements, some of the later ones contradict earlier ones.
    Have you seen his Power Point of Hacking the Extensible Firmware Interface?
    How many of us cold boot regularly?

    Quoted below


    PC hardware can pose rootkit threat

    Science of all types change viewpoints as new methods and ideas make for a closer fit to reality. Look to Einstein and his Theory of Special Relativity vs. his Theory of General Relativity. Einstein did not include all possible influences when he developed Special Relativity, which was in wide circulation while he developed the Theory of General Relativity, which may not be complete either.


    What if there were a bios sandbox that allows reflashing but changes aren't permanent?
    or
    A bare metal embedded VM, designed to be small and doesn't require the OS, How would you detect a malicious install?
    Malware that alters the physical size of the hard drive to give itself 100kb of space. Who would notice in todays .5 terabyte drives?

    These types of discussions are the coolest ever. I am looking forward to reading more opinions.
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Hello,

    Stop using big words to mask the simple fact that most of the stuff mentioned is simply meaningless matrix-hype.

    Bios sandbox? Gimme a break. Where do you intend to put the code? Inside the keyboard? Does not require os? And how would it run? On magic?

    Do you want big words, here are a few: strace, ltrace, gdb, cscope, objdump, kdump, lsof, elf.

    Mrk
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Call it matrix`or watever, I believe it will evolve one day.... not sure though if in our lives. But i also believe that at the same time some other security measures will evolve too. Net result will be the same as of today.
     
  13. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yes very likely, it is damn interesting attack vector for malicious hackers.

    Probably 95-98% won´t detect it.

    These things are ITW that is proven don´t listen to critics it is much easier
    then MrKvonic thinks. Warm-Reboot-Attack e.g.

    But the most vicious thing is likely by default on all motherboards, chinese PLA backdoor according to
    ex-worker for US secret service.
     
    Last edited: Nov 25, 2008
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Malicious code that infects firmware may be possible to some extent. This would be easier with external devices like routers than it would with firmware on the PCs motherboard. There's a lot of obstacles that would have to be overcome, starting with the wide range of vendors and versions for each type of firmware. The more standardized these become, the more possible it becomes to infect them.

    With most external devices like routers, auto-updating or remote updating can be disabled. Even with ISP supplied equipment, shutting down remote administration and updating is the first thing I do after changing the password.

    With firmware on the PC itself, updating, flashing, or infecting it still requires some form of an installer. Most of the time, this is not done from Windows. When Windows is running, most firmware is in use. Usually this is done from bootable media. Even if the malware writer finds a way to infect firmware with Windows running, it still requires a running process. Any security package or policy that doesn't allow unknown processes to run can prevent such code from being run from within Windows.
     
  15. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Probably you never heard something about buffer overflow attacks in restricted user mode.
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Even if that was possible, the attacker would have to know the brand and version of the firmware, the motherboard being used, and the OS being run on it ahead of time, then write the code specific for that system. That would be very hard to do without having physical access to the PC.
     
  17. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    I heard some hackers said:"Infecting firmware is out-of-date technique."
     
  18. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    You are definitely not up-to-date. Read John Heasman, it is very simple, browser exploit, browser crashed, bo, bios reflashed.
    Specific knowledge about hardware can be gained easily through boards e.g. But this is only one of many issues related to hardware. Read this (thanks to K. for the informations)
     
    Last edited: Nov 23, 2008
  19. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Pre-infected chips from China? That would be about the only way it would be possible. If that's true, there still has to be some form of incoming traffic to trigger it.
    I doubt that I'd have that problem as my hardware is definitely not up to date. Probably predates such activities.
    Do you have a link to more on that browser exploit?
     
  20. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    The traffic is tunneled through your browser so you will notice it only if you start in depth analysis of your http traffic but you need a good sniffer. It is a passive static tunnel, you surf it transmits you do nothing it does nothing.
    But the encapsulated virus can become active by remote supervisor at least I noticed it in some situations.

    PCI Rootkits, Bios Rootkits.These 2 examples are already 2 years old that is by far not all but good to get an impression.
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Uh-oh,
    What is passive static tunnel exactly? What network protocol would that be?
    Encapsulated virus? Show me proof. In fact, show me proof for everything.
    Mrk
     
  22. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Are you part of MR team?

    What protocol do you use to surf the net? I assume a very old one dated back to approx. 1970.
    Yes sophisticated things use to have a hull, a cover.
     
    Last edited: Nov 23, 2008
  23. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    1. Where do I get a USB host controler flashing program?
    2. Where do I get the legit code for question 1
    3. Where do I get the flashing programs for any of the following devices;
    DVD; Network card; Video card; Power management; Sound card; Router?
    4. Where do I get the legit code for each device in question 3
    5. Bios; Does the flashing procedure write only over the 1024kb of data or the entire 4mb of space available in the bios?
    6. How does Laptop Lojack work?
    If I am not mistaken it adds code to the bios of laptops, which is not erased even when re-flashed.
    7. How can Laptop Lojack accomplish this and malware authors can't?

    The bios sandbox is a DOSAPP. It exists on the UBCD in one of the tools.
    VM's are not classified as OS's, am I wrong?

    Is bare metal VM softeware installed to the hard drive?

    Are there VMs designed to be small and run from portable devices like cell phones, pda's and the like?
     
    Last edited: Nov 23, 2008
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    When this article appeared several years ago, it identified the exploit as a rootkit attack.

    From a link in the article:

    Heasman mentions attack methods used to sneak in the rootkit:

    Firmware: hacking the chip
    http://www.scmagazineus.com/Firmware-hacking-the-chip/article/105000/
    PC hardware can pose rootkit threat
    http://news.cnet.com/PC-hardware-can-pose-rootkit-threat/2100-7349_3-6162924.html
    Implementing and Detecting a PCI Rootkit (Heasman paper, cited by SystemJunkie)
    http://www.ngssoftware.com/research/papers/Implementing_And_Detecting_A_PCI_Rootkit.pdf

    Pretty standard stuff.

    So, is this BIOS exploit any more difficult to prevent from running than the MBR exploit (Mebroot/Sinowal)? I think not.

    One final quote from the above paper:

    As with firewall leaktests, a user would have to permit the rootkit PoC to run in order to test what the exploit does when installed.

    A better test would be to put the test rootkit into some type of browser or plug-in exploit, place it on a web site site, and let users test their preventative measures against the attack vector.

    ----
    rich
     
    Last edited: Nov 24, 2008
  25. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    That should read everyone who still believes that reinstalling os could solve the problem.

    BTW, big new Vista hole: I/O subsystem iphlpapi exploit also works in non-administrative accounts For all who still believe that restrictive accounts could help.:D :D Time for disillusionment.

    @Rmus: Very good infos, worth to quote:
    Maybe that was the reason why I had to throw away one keyboard some months ago, several specific keys
    were no more able to transmit data to the computer despite the keyboard still worked except some keys.
    If a keyboard has a firmware then it explains several things, didn´t know about a keyboard firmware, sounds incredible. That would likely intercept keyscrambling protections too.

    If we sum up the possibilities of attack vectors on computers nowadays we have to conclude that the old structures of the internet together with a reckless computer industry seem to have opened wide pandoras box.
     
    Last edited: Nov 23, 2008
Loading...
Thread Status:
Not open for further replies.