Starwars malware from pcworld

Discussion in 'malware problems & news' started by aigle, May 28, 2011.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Pretty crazy. Malware has to keep adapting... malicious programmers need to become more and more vicious and clever to keep up with new security methods.

    This is just proof that even a fully patched windows with an antivirus is not sufficient security as most people believe.

    edit: Lol@ comments. Apparently this virus is easily removed...
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Seems like an under-qualified security manager to me.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    So... a security manager o_O got hit by malware... that arrived via drive-by download? :blink:

    This world is full of experts... they just lack the expertise... :ouch:
     
  5. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Thanks aigle, I lol'd.


    He was doing okay until fantasy took over.
     
  6. cm1971

    cm1971 Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    727
    Wow...just wow. :blink:
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Upon reading it again I have to conclude that this "security manager" is actually something akin to a "mac genius."

    He clearly doesn't understand a lot of things and I'd bet that 99% of the users on this site have a better security setup than he does.
     
  8. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    A; The PCworld site has been hacked by someone who posted a BS article.
    B; The PCworld site will publish anything in order to have folks sign up so they can comment on a BS article.
    C; The PCworld site has mixed up 28th of May with April Fools' Day.
    D; The PCworld site staff has gone bonkers and indeed believes in Starwars "Pigs in space" malware... :p

    Not sure what's the most likely answer.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think it is important to note that (even though this article is a bit silly) there are viruses that can infect your BIOS.

    Restarting your computer to get into safe mode is a stupid first step for virus removal and it gets offered up by newbies far too often.
     
  10. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    It might mess with the CMOS, like date and time, but talking with the peeps here convinced me that other hardware items would make better first targets than the BIOS. That includes Graphics, ACPI, and Network card. Thanks, Pinczakko. :thumb:

    If he had been using Linux, the website wouldn't have infected him at all. Thanks, Linux community. :thumb:

    He didn't even try MBAM? :eek:
    How about a Linux Live CD? :doubt:

    dd for flash and Secure Erase for HDDs cures all malware problems, unless his backups were infected also. :D

    Cheeky malware. Tsk, tsk. Wormed its way around for months before becoming active.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If he'd had UAC it wouldn't have been able to do nearly as much damage. Unless it made use of a 0-day exploit, which exist in Linux as well and would have been able to do the same thing.

    There's no reason for it to attack the CMOS as you can not execute from the CMOS and you're only able to store information there. Infecting the BIOS is possible... but I don't think that was the case here. It sounds a lot more like it was able to infect the boot sector...

    I honestly do not believe that the person who wrote that could be a security administrator.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Care to share the names?
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, thanks. It's interesting, I just forgot the notorious Chernobyl virus.
     
  15. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    From that F-Secure webpage;

    "The virus has an extremely dangerous payload, and depending on different conditions it erases hard drive data, CMOS memory and Flash Bios contents in the same way the Win95.CIH (aka Chernobyl) virus does."

    From Symantec (just as an example);
    "Win95.CIH; Systems Affected: Windows 95, Windows 98, Windows Me". link.

    If the BIOS wrecking payload from 'magistr' works like CIH, I wonder if it's also aimed at (fairly old; 1997) 430TX chipsets, that's pre-'Pentium Pro' age and pre XP.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Does it matter? It's proof of concept. Toms Hardware did an article about it last year. I just don't think that

    a) They're practical
    b) The first post link has anything to do with the BIOS. I think he had an infected boot sector.
     
  17. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Lately I've seen some motherboards dying from something that looks like BIOS corruption, after the computers were heavily infected. Maybe there is no relation to the actual infections though.
    There may be some BIOS virus out there, but I doubt you can still use your PC after such an infection. You need to recover the BIOS the hard way.
    Everything is possible! :)
     
  18. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Could you post a link to the article?
    My Google-fu is weak apparently, I can only find the extensive 2009 interview with Joanna Rutkowska.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If he knew how to secure his operating system and web browser, he wouldn't have been infected either. So, what's really the point?

    If he was using Linux, he still would have no damn clue about operating system security, at all.

    The problem in 99% of situations is placed between the chair and keyboard.
     
  20. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    189
    So this "security manager" trusted his IE 8 and "fully updated antivirus solution" and happily clicked unfamiliar links. Great going there. I am also not convinced of it infecting BIOS - maybe it is said already, but you don't need that kind of viruses for invading safe mode. Did this guy even try things like AV boot CDs?
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  22. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Ah, right. Thanks for posting!
    BIOS password lock/protection is easy enough mitigation indeed.
    This is what mrs. Rutkowska had to say about the presentation of the two 'Core Security Technologies' researchers though;

    "...
    Also, there was a bit unfortunate presentation at CanSecWest earlier this year by two researchers from Core, who presented on "Persistent BIOS Infection." I saw their slides and they made it look like if they found a generic way of re-flashing any BIOS and that there is hardly any way to protect against their attacks. Nothing could have been further from the truth, in fact.

    First, they chose to attack two low-end, dated BIOSes: an Award BIOS and also VMWare's BIOS (that itself doesn't even count, as it's not a real BIOS). Those two BIOSes didn't require firmware updates to be digitally signed by the vendors. So, no big deal that it was possible to inject some malicious code there. On the other hand, most of the currently used BIOSes (Intel or Phoenix BIOSes) allow only signed firmware updates to be re-flashed. This mechanism has been used for years, and it has nothing to do with TPM or any of the Trusted Computing technologies.
    ...
    " link
     
  23. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288