Starwars malware from pcworld

I can,t believe such a non-sense on a pc related magazine. Believe me once I thought it,s some funny article.

http://www.pcworld.com/article/2288...ers_immune_to_fakeav_infection.html#tk.hp_new

 

Pretty crazy. Malware has to keep adapting... malicious programmers need to become more and more vicious and clever to keep up with new security methods.

This is just proof that even a fully patched windows with an antivirus is not sufficient security as most people believe.

edit: Lol@ comments. Apparently this virus is easily removed...

 

Seems like an under-qualified security manager to me.

 

So... a security manager got hit by malware... that arrived via drive-by download?

This world is full of experts... they just lack the expertise...

 

Thanks aigle, I lol'd.


He was doing okay until fantasy took over.

 

Wow...just wow.

 

Upon reading it again I have to conclude that this "security manager" is actually something akin to a "mac genius."

He clearly doesn't understand a lot of things and I'd bet that 99% of the users on this site have a better security setup than he does.

 

A; The PCworld site has been hacked by someone who posted a BS article.
B; The PCworld site will publish anything in order to have folks sign up so they can comment on a BS article.
C; The PCworld site has mixed up 28th of May with April's foolsday.
D; The PCworld site staff has gone bonkers and indeed believes in Starwars"Pigs in space" malware...

Not sure what's the most likely answer.

 

I think it is important to note that (even though this article is a bit silly) there are viruses that can infect your BIOS.

Restarting your computer to get into safe mode is a stupid first step for virus removal and it gets offered up by newbies far too often.

 

It might mess with the CMOS, like date and time, but talking with the peeps here convinced me that other hardware items would make better first targets than the BIOS. That includes Graphics, ACPI, and Network card. Thanks, Pinczakko.

If he had been using Linux, the website wouldn't have infected him at all. Thanks, Linux community.

He didn't even try MBAM?
How about a Linux Live CD?

dd for flash and Secure Erase for HDD's cures all malware problems, unless his backups were infected also.

Cheeky malware. Tsk, tsk. Wormed it's way around for months before becoming active.

 

If he'd had UAC it wouldn't have been able to do nearly as much damage. Unless it made use of a 0-day exploit, which exist in Linux as well and would have been able to do the same thing.

There's no reason for it to attack the CMOS as you can not execute from the CMOS and you're only able to store information there. Infecting the BIOS is possible... but I don't think that was the case here. It sounds a lot more like it was able to infect the boot sector...

I honestly do not believe that the person who wrote that could be a security administrator.

 

Care to share the names?

 

http://www.f-secure.com/v-descs/magistr.shtml

Among quite a few others.

 

Ok, thanks. It,s interesting, I just forgot the notorious chernobyl virus.

 

From that F-Secure webpage;

"The virus has an extremely dangerous payload, and depending on different conditions it erases hard drive data, CMOS memory and Flash Bios contents in the same way the Win95.CIH (aka Chernobyl) virus does."

From Symantec (just as an example);
"Win95.CIH; Systems Affected: Windows 95, Windows 98, Windows Me". link.

If the BIOS wrecking payload from 'magistr' works like CIH, I wonder if it's also aimed at (fairly old; 1997) 430TX chipsets, that's pre-'Pentium Pro' age and pre XP.

 

Does it matter? It's proof of concept. Toms Hardware did an article about it last year. I just don't think that

a) They're practical
b) The first post link has anything to do with the BIOS. I think he had an infected boot sector.

 

Lately i ve seen some motherboards dieing from something that looks like BIOS corruption ,after the computers were heavy infected.Maybe there is no relation to the actual infections though.
There may be some BIOS virus out there ,but i doubt you can still use your PC after such infection.You need to recover the BIOS the hard way.
Everything is possible !

 

Could you post a link to the article?
My Google-fu is weak apparantly, I can only find the extensive 2009 interview with Joanna Rutkowska.

 

If he knew how to security his operating system and web browser, he wouldn't had been infected either. So, what's really the point?

If he was using Linux, he still would have no damn clue about an operating system security, at all.

The problem in 99% of situations is placed between the chair and keyboard.

 

So this "security manager" trusted his IE 8 and "fully updated antivirus solution" and happily clicked unfamiliar links. Great going there. I am also not convinced of it infecting BIOS - maybe it is said already, but you don't need that kind of viruses for invading safe mode. Did this guy even try things like AV boot CDs?

 

http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html

Interesting that the BiOS being locked can prevent this. I have mine password protected with boot devices disabled.

 

Ah, right. Thanks for posting!
BIOS password lock/protection is easy enough mitigation indeed.
This is what mrs. Rutkowska had to say about the presentation of the two 'Core Security Technologies' researchers though;

"...
Also, there was a bit unfortunate presentation at CanSecWest earlier this year by two researchers from Core, who presented on "Persistent BIOS Infection." I saw their slides and they made it look like if they found a generic way of re-flashing any BIOS and that there is hardly any way to protect against their attacks. Nothing could have been further from the truth, in fact.

First, they chose to attack two low-end, dated BIOSes: an Award BIOS and also VMWare's BIOS (that itself doesn't even count, as it's not a real BIOS). Those two BIOSes didn't require firmware updates to be digitally signed by the vendors. So, no big deal that it was possible to inject some malicious code there. On the other hand, most of the currently used BIOSes (Intel or Phoenix BIOSes) allow only signed firmware updates to be re-flashed. This mechanism has been used for years, and it has nothing to do with TPM or any of the Trusted Computing technologies.
..." link

 

Thanks for that info