New rootkit uses old trick to hide itself

Discussion in 'other security issues & news' started by tgell, Jan 9, 2008.

Thread Status:
Not open for further replies.
  1. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,073
    Article
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Boot sector rootkit.

    lmao.
     
  3. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    If concerned you could go into your BIOS and turn on BIOS Antivirus Protection (or whatever it's called in your BIOS). This should stop the Boot Sector being written to.

    Phasechange
     
  4. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    are you joking? Lool... do you really believe that?

    Beside: You should include in your thoughts that real evil malware will mod your bios too.
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    Before Matrix fans scare the living daylights out of you:

    - There is no malware that writes to your BIOS, with or without protection, except PoC that made some people famous and gave them good salaries

    - The mentioned MBR has nothing to do with mobo BIOS. Some hard disks have their own BIOS btw, which could be used for this purpose. But this is completely unnecessary. Just reinstall the bootloader or use non-MS bootloader like GRUB and problem solved.

    - The boot sector is nothing magical.

    Mrk
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Think so. But explain this:

    http://i17.tinypic.com/67mxd1d.jpg
    The password in bios can´t accessed in first chars, you can enter with your password, but something is set before. Probably many don´t understand this image, it shows a empty space that can´t be resetted if you use the <---- BackKey. I did not make spaces and then started with password it is by default locked. You can only start typing where the "*" begins.

    That is roughly translated via translator from a german security side: Subverting Vista Kernel for Fun and Profit
     
    Last edited: Jan 10, 2008
  7. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Vbootkit is regarded as a successor of Blue pill.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    Explanation: bad hardware, non-english charset ...
    And EVEN if this is something really malicious whatever - reflash your bios, case closed.
    Mrk
     
  9. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Not possible. Cmos bootblock lock. Floppy recognition disabled. Case very open. Beside I await your comments about vbootkit.. do you still believe Bios is untouchable? You have nearly 4000 Posts and are that stubborn to close your eyes for reality. Not understandable.
     
    Last edited: Jan 10, 2008
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    CMOS locked? Replace the battery. Remove BIOS from its seat. Are you telling me the magical rootkit also fuses the pins onto the mobo?

    The post count means nothing in the context of this.

    As much as you admire science fiction, I don't. I stick to reality - which is different from yours, obviously.

    I never said BIOS is untouchable. It is touchable indeed. It's called BIOS flash. But it's written by people who have spend 8-10 hours a day trying to make sure their little thingie works well with hardware. And still, the reflashing is a dangerous procedure.

    How many hardware combinations exist? 100,000 at the very least.

    And you're telling me someone writes generic rootkit that flawlessly patches any BIOS on any hardware, with code small enough to not only fit into the tiny storage but also subvert operating system (which OS, btw? - BSD, OS/2) and control it.

    This is called science fiction.

    Mrk
     
  11. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Doesn´t help because the lock procedure seems to be flashed on chip.

    I also find it hard to believe but there is a whole mafia making money with this, if someone blows thousands of $$$ into someones asses anything could be possible. But flawlessly surely not, this is not possible, but even with flaws it could be effective.
     
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Here is something fresh and unknown:
    http://i18.tinypic.com/6sip7bs.png

    The only file on the system with this size is the registry, registry cheating beast.

    Looks like unknown Rustock variant.
     
    Last edited: Jan 13, 2008
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Microsoft: Vista Can Handle MS-DOS Era, 10-Year-Old Master Boot Record Threats - Well, there's a relief!

     
  14. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Does that include bluepill+Stealth MBR?
    Because news announced this as future trend.
     
  15. Cretemonster

    Cretemonster Registered Member

    Joined:
    Mar 31, 2005
    Posts:
    79
  16. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Last edited: Jan 13, 2008
  17. controler

    controler Guest

    Hello

    Both MBR & BIOS virus has been around since the early 80's. The first American DOS antivirus that I remember detecting them was Norton.
    I think CIH was a BIOS viri but didn't work with NT systems.
    It also fried the BIOS.

    I don't see the point in that type visus now days when it's mosly all about the money and what money do you get by frying a BIOS?
    The only thing frying the BIOS would be good for is military warfare.

    I still say if there is a POC. Usualy ITW follows.

    I am sure most of you have used our friend Google to input ACPI BIOS rootkit.

    It always brings up a PDF that we are all so found of called.
    Implementing and Detecting an ACPI BIOS Rootkit by John Heasman
    If I remember correct with my last brain cell, his POC is OS independent and BIOS independent.

    As we see today it isn't only white hats creating POC and moving on up, the last two were regular members of root kit dot com but I guess that is not saying they were black hats. Just my speculation.

    Do they still make MOBO's that have BIOS virus protection?
    I have not seen any in a while. Am just curious.

    There was at one time with 486's one jumper that was for reflashing BIOS and another one for resetting the BIOS password.

    One thing I hated was the way Compaq used the first part of the hard drive for your BIOS access. How crazy was that?

    BUT yes it is funny to see old hat stuff revisited and modified with rootkits.

    con
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I used to believe they were deliberately designed as some others to force a user to have to wind up buying a new PC. Some still will instead of turning to repair shops. Depends on how profitable that market is too
     
  19. controler

    controler Guest

    Anytime an economy slides towards a recession, service becomes more popular because people are not going out a buying new stuff, they try to get it repaired unless it is more cost effective to buy new over repairing the old.

    Just two days ago the cupacoffee virus took out my new laptop keyboard.
    I still can't believe after all these years, I haven't done that one before LOL
     
  20. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Exactly. Very good summary, this military warfare idea is a little bit scary.
    The last annotation is especially for mrkvonic important to know, because he is the main denyer of this truth.
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    Proof of concept is one thing. Practical OS zombie god embedded in your bios is something else. Let's not forget its removability - replace bios / flash bios, game over.

    Read the paper - assumes i386 architecture... not OS independent.

    Some prevention methods mentioned - modern bios locking / preventing reflashing, booting off alternative media, disable acpi, using diagnostic tools to inspect hardware - like dmesg, /proc/acpi ...

    And still very proof of concept by good people trying to make a statement ...

    Implementation is possible. Likely? No. Existing as described by SystemJunkie? No. That's science fiction. Sentient code does not exist. We don't have Mr. Data around. Yet.

    Cheers,
    Mrk
     
  22. controler

    controler Guest

    yes it is i386 but the paper I read deals with linux also. So yes you are correct in doesn't support Mac but does support linux & Windows.

    And you know I agree on reflashing BIOS ect. I do before I reformat my systems. I am probably one of the first if not the first here at Wilders that suggested reflashing your BIOS before reformat. I know there can be problems with flashing the BIOS but in all my years i have never seen it.

    Not saying it is ITW but am not saying it isn't by this time either.

    The technology for writing to the BIOS is old and all they have to do is implement a rootkit or download the rootkit once owned.
     
  23. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    That is the problem, something that is so old can still be such a threat. I still think a DIP switch to lock up everything on board would be the best or a master switch for Bios, Gracard and all flashable devices.
     
Loading...
Thread Status:
Not open for further replies.