Super-Trojan Rootkit

Discussion in 'malware problems & news' started by Starrob, Oct 16, 2004.

Thread Status:
Not open for further replies.
  1. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Last edited: Oct 16, 2004
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Read the answers, specifically the first one. The user doesn't understand the issues with a rootkit and what IS and ISN'T possible. Rootkit security is about fighting something which can hide - it can hide files/processes/ports but can't hide in the BIOS etc. and physically change drives or anything stupid like that. Just take the hard drive and slave it into a different machine and there is no possible way for a rootkit to hide files on that disk. Don't believe the mumbo jumbo about dynamically changing IDE to SCSI and things like that. Sure, a very powerful driver could be written to change the way Windows sees things once it's booted up, but this is POINTLESS for an attacker since the drive can be examined. Hiding files IS done, of course. That's just about all they care about, hiding from process and port viewers, and not being removed.

    Rootkits are dangerous but not hard to stop. Choose between ProcessGuard or a healthy dose of common sense (and system security policies, user accounts etc). Which is easiest to you..? :)
     
  3. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    Isn't there a trojan that can infect the BIOS, aka backwash?

    I heard rumours of a nasty that can survive a reformat

    but not a 0s-and-1s eraser

    Always wanted to know: fact or fiction
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    I would like to know that too.
    If it is able to lurk in the BIOS, it could reinfect the HD after a reformat or even a repartitioning.
     
  5. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    It's a passed-around cyber myth. It was either a trojan or worm,

    something like not even a reformat could get rid of it; you had to wipe the HD with 0s and 1s with Eraser.
     
  6. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    If it has the Trojan Dropper within BIOS, then even wiping the drive with eraser wouldn't help, because it would just reinfect after you reformat, repartition, or wipe.
    If the BIOS merely tries to execute the actual trojan which is located on a hidden partition on the HD, then you could just delete all the partitions on the HD then create new partitions. If the trojan dropper is in BIOS then it might be able to interfere with the partitioning process somehow.
    This is complete speculation.
    Is there really a trojan that can run from BIOS?
    I've heard of viruses that can corrupt a BIOS, but run a program from it?
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    BIOSes are system-specific. While trashing a BIOS is relatively straightforward, writing a piece of malware that can alter a BIOS to replicate itself while not affecting other BIOS functions would be a true masterpiece. It would either have to be very system-specific (e.g. targeting Dell Inspiron laptops only - greatly limiting its spread) or include the ability to perform a comprehensive analysis of BIOS code to identify a good insertion point.

    The example given is ridiculous - not only does this "super trojan" alter drive interfaces, but it also includes a copy of Linux, can overwrite read-only CD-ROMs and presumably fouls up the local coffee machine too. The only remotely plausible explanation is that this PC is being continually re-infected by another system on their LAN.

    Malware can survive a reformat by creating a hidden disk partition and installing itself there - but FDISK should detect it, and allow you to remove it.
     
  8. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Paranoid2000,

    Thanks for clarifying several issues.
    You know if they are going to make that super trojan, the least they could do is make it clean the dust from my monitor.

    I always had a feeling that it was safer to delete all the partitions first, then reformat. Now you have confirmed it. Thank you. :)
     
  9. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    In the last few years there were some problems with viruses writing data to the BIOS/CMOS/NVRAM.
    One of them was:
    http://www.symantec.com/avcenter/venc/data/cih.html

    But this is destroying data there, not storing a trojan/rootkit or other program there.

    Another thing is that in newer CMOS/BIOS/NVRAM it is possible to 'swap'
    drives in there.
    If you have (just as an example) an ASUS P4P800 motherboard and 2 IDE disks, let's say one of 80GB and one of 120GB, you can choose which one is to be your first 'physical' disk.
    And you can (ALSO) choose which of your disks will be the boot disk at the next startup.
    It is nothing new; back in the old days, we already wrote assembler programs with 'debug' to change your CMOS/BIOS/NVRAM settings.
    I assume this is still possible, but again it is about changing data in there,
    not storing a program there.

    On SUN Microsystems (Solaris/Unix) hardware, I still (often) write programs that change (and store) DATA in NVRAM.

    Confused? I hope you're not ...
     
  10. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    Sorry, we were typing at the same moment, but I agree with what you wrote Paranoid ..

    But:
    Detect it perhaps, if there are no errors, and it depends on which VERSION of FDISK you use; it is one of the most changed programs that MS has ever released.

    I've seen quite often a Partition Table that was 'corrupted' according to FDISK,
    could not be fixed or was a 'broken disk', that only could be repaired with a
    physical disk editor and manually rebuilding the Partition Table.

    After that you have proof that the 'broken hard disk' only had a SW problem.
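    Both Paranoid2000's point that a hidden partition should still show up in a partition listing and tuatara's point about tables that FDISK reports as corrupted come down to reading the 64-byte partition table at the end of the MBR. The Python script below is an added example, not code from anyone in this thread: it builds two constructed MBR sectors (the partition sizes, LBA values and the 80 GB-class disk size are made-up sample data), parses the four entries, and reports hidden partition types, overlapping entries, duplicate boot flags and large regions that belong to no partition, the checks a responder would run on a disk image or a slaved drive before deciding whether to wipe it. The type-ID-to-name map is a subset of the common MBR type IDs and is only used to label the report.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"
TABLE_OFFSET = 446                 # the 64-byte partition table sits at bytes 446..509
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count
ENTRY_LEN = struct.calcsize(ENTRY_FMT)

# Subset of common MBR partition type IDs; used only to label the report (not exhaustive)
TYPE_NAMES = {
    0x00: "empty", 0x05: "extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x0F: "extended LBA", 0x82: "Linux swap", 0x83: "Linux",
    0x11: "hidden FAT12", 0x14: "hidden FAT16 <32M", 0x16: "hidden FAT16",
    0x17: "hidden NTFS/HPFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 LBA", 0x1E: "hidden FAT16 LBA",
}
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}

# Constructed disk size: an 80 GB-class drive of 156,301,488 sectors
DISK_SECTORS = 156_301_488


def make_entry(status, ptype, lba_start, sectors):
    # CHS fields are zeroed; tools rely on the LBA fields for anything beyond the CHS limit
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(entries):
    """Assemble a 512-byte MBR from up to four packed entries (boot code area filled with NOPs)."""
    table = b"".join(entries) + make_entry(0, 0, 0, 0) * (4 - len(entries))
    return b"\x90" * TABLE_OFFSET + table + MBR_SIGNATURE


def sample_hidden_mbr():
    """Constructed sample: one bootable NTFS volume, then a partition of a 'hidden' type behind it."""
    return build_mbr([
        make_entry(0x80, 0x07, 63, 150_000_000),
        make_entry(0x00, 0x1B, 150_000_063, 6_000_000),
    ])


def sample_corrupted_mbr():
    """Constructed sample: two entries whose LBA ranges overlap, the kind of table FDISK calls broken."""
    return build_mbr([
        make_entry(0x80, 0x07, 63, 1_000_000),
        make_entry(0x80, 0x83, 500_000, 1_000),
    ])


def parse_mbr(sector):
    """Return the in-use partition entries of an MBR sector as dicts."""
    if len(sector) != SECTOR or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_LEN
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + ENTRY_LEN])
        if ptype == 0 and count == 0:
            continue                                   # unused slot
        parts.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "name": TYPE_NAMES.get(ptype, "unknown"),
            "start": start, "end": start + count - 1, "sectors": count,
            "hidden": ptype in HIDDEN_TYPES,
        })
    return parts


def audit(parts, disk_sectors, min_gap=2048):
    """Findings worth a second look: hidden types, overlaps, bad boot flags, space no entry accounts for."""
    findings = []
    for p in parts:
        if p["hidden"]:
            findings.append(f"entry {p['index']}: hidden partition type 0x{p['type']:02X} "
                            f"({p['name']}) at LBA {p['start']}-{p['end']}")
        if p["end"] >= disk_sectors:
            findings.append(f"entry {p['index']}: extends past the end of the disk")
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one entry carries the boot flag (malformed table)")
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start"] <= a["end"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap (corrupted table)")
    # Gaps before the first entry, between entries, and between the last entry and the disk end
    cursor = 1                                          # sector 0 is the MBR itself
    for p in ordered + [{"index": None, "start": disk_sectors, "end": disk_sectors}]:
        gap = p["start"] - cursor
        if gap >= min_gap:
            where = "the end of the disk" if p["index"] is None else f"entry {p['index']}"
            findings.append(f"{gap} sectors ({gap * SECTOR // 2**20} MiB) before {where} belong to no partition")
        cursor = max(cursor, p["end"] + 1)
    return findings


if __name__ == "__main__":
    for label, mbr in (("hidden", sample_hidden_mbr()), ("corrupted", sample_corrupted_mbr())):
        parts = parse_mbr(mbr)
        print(f"== {label} sample: {len(parts)} entries")
        for p in parts:
            flag = "*" if p["bootable"] else " "
            print(f"  #{p['index']} {flag} type 0x{p['type']:02X} {p['name']:18} LBA {p['start']}-{p['end']}")
        for f in audit(parts, DISK_SECTORS):
            print("  !", f)
```

    To run it against a real disk, replace the sample builders with the first 512 bytes read from a raw device or a disk image; on a GPT disk the MBR holds only a protective entry of type 0xEE and the real table lives elsewhere, so this parser is meant for the MBR layouts the thread is talking about.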
     
  11. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    But now I re-read his story I think the only problem he really has on his PC
    is with GRUB; as you know this multi-boot loader can give very complicated
    problems, especially if you use SW disk mirroring as well.
    If he has installed this, it can be very hard to install XP after that.

    And YES MS FDISK DOES NOT DETECT GRUB in some cases and CANNOT remove
    the partitions; trying that may corrupt it, and then you really have a problem.

    Normally you can solve this with Linux partition tools.

    I had a client with Redhat 9 and GRUB and SW mirroring and a corrupted partition table.
    It took me almost 2 days to get all his data back.
    (Same thing with Solstice Disksuite or Veritas Volume Manager and Solaris X86.)
     
  12. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi tuatara,

    What if you use something like Partition Magic 8 to delete the partitions?
    It can be booted and run from the CD.
    Would that take care of GRUB?
     
  13. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Ooh - sounds like Uncle Bill is slipping up here - "the job ain't done till Linux won't run". Doubtless MS will update FDISK to nuke GRUB just like it does LILO. :D IIRC GRUB sits in a separate partition and just modifies the MBR to point to this - I presume that you are talking about RAID setups giving MS FDISK a problem here?

    I would agree that Linux's tools seem, well, more grown-up than Microsoft's here - being able to handle more complex setups and coexisting better.
     
  14. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    So the myth is true and the only sure thing is an Eraser government-delete wipe of the HD with 0s and ones, then FDISK and reformat? Eh
     
  15. controler

    controler Guest

    Greetings all

    I think if you look back on my old postings you will see me almost always mentioning for you to reflash your BIOS, FDISK, then reformat.
    Some people can't just wipe their hard drives for critical info but they can still reflash their BIOS.
    I have seen a few hard drives that would not work unless they were low-level
    formatted first, then formatted normally.
    The newest thing lingering on the net, Blaze, is the ability of nasties to hide in the video card memory I believe.

    On a side note, after reading the post at the link Starrob posted, I wonder why the dude didn't just pull the little itty bitty MOBO battery out for a while.
    Then the only data left in his BIOS should have been factory non-reflashable data not including any rootkit. Yes, he would have to reset all his BIOS settings again but that is far cheaper than buying a new PC.

    Bruce
     
    Last edited by a moderator: Oct 18, 2004
  16. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    Sometimes YES this can solve the problem, but if the table is really corrupted,
    then PM8 doesn't know what kind of partition it is; it knows that it is not FAT, FAT32, FAT64, NTFS, JFS, VFS, EXT FS, EXT2 FS, EXT3 FS, and if it is BeOS, Mac OS, QNX, Reiser etc. etc.
    it cannot.


    Of course.. but for a novice this can be dangerous; if the 'reflash' is stopped
    halfway it can be the end of a motherboard's life.


    That is true, if the partition table is corrupted this can solve the problem,
    but with low-level format there is another problem, and that is that a low-level format has to be done with a tool that belongs to the disk
    (BRAND and disk model must be correct).

    If you are performing a low-level format with a wrong tool,
    f.i. the tool from old BIOSes' NVRAMs or freeware tools, this can mean
    that your hard disk will be broken after this.
    (In the worst case ...)

    If you know what you are doing this isn't a problem;
    we even open broken disks here in our lab ...
    That is also something I would NOT recommend for a novice
    unless you want to throw it in the bin anyway.

    :D
     
  17. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks Tuatara.
     
  18. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hi Tuatara

    Are you saying that using a hard drive and partition eraser utility like Killdisk can (in the worst case) break my HD? :)
     
  19. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    No, because I have never seen that product, so I don't know ..
    What I was referring to is that if you have a low-level format program for
    a wrong disk it can (worst case) break your disk.

    This is why:
    In the early days, your computer 'knew' how many heads, cylinders, tracks, sectors etc. your hard disk had.
    Because otherwise it couldn't find its data.

    In those days, a system admin could write data on the platter and location he
    would like to use.
    BTW # platters = ( # heads / 2 ).
    This (writing to a precise location on the disk) was done for performance issues.

    But later on, the growing disk sizes became a problem
    for lots of BIOS/CMOS/NVRAMs (on the mainboards).
    They did not support those.
    There was a maximum number of Cylinders of 520 for example.

    So, disk makers started making disks which 'fooled' the NVRAM/CMOS/BIOS and OS.
    It informed the OS etc. that it had more heads than the disk really had.
    Well known example, on a disk label was written:
    "520 Cylinders 64 Heads 63 Sectors" but it really (physically) had 16 heads! and many more Cylinders than supported.
    This way you could have a disk with more MBs in your system.

    The only problem was/is that the disk ITSELF must translate this.
    Under the hood it works with another number of heads etc. than your PC thinks.

    So, the physical number of heads, the organization of sectors on the medium, is not of concern to the high level of the operating system. The OS doesn't have to know.

    Now if you low-level a disk, it wants to physically write to your disk,
    just as the sysadmin did. To make this possible the disk maker has to create a program that works around this translation; if not, the heads can be moved to a position that in some cases (I have seen this lots of times with older disks)
    physically crashed the disk.

    I suspect that most modern disks don't physically crash anymore,
    but it still is not a good idea to low-level format a Seagate disk with
    a low-level format tool of Fujitsu or so.

    BTW a normal format (and partition remove) on most OSes WIN95/98/ME (rm -fr / filesystem remove etc.) doesn't remove any USER data (it is just like removing the index of a book).
    If you look directly at the data it is still there.
    (For the insiders, yes ... there are still people that don't know this.)
    Even if you write a 1 on each bit, and a zero after that, most data
    can still be restored in a lab.

    said the oldtimer ....
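    To make the geometry translation in the post above concrete, here is an added Python example (my own, not tuatara's code). It takes the label geometry from the post, "520 Cylinders 64 Heads 63 Sectors", assumes the physical geometry behind it is 16 heads with the same 63 sectors per track (so 2080 physical cylinders; a constructed figure chosen so the total sector count stays equal), and converts a logical CHS address to an LBA and then to the physical CHS the drive actually seeks to. It also applies the post's "platters = heads / 2" rule to both geometries, which shows why the rule is only meaningful with the physical head count, and why a tool that ignores the translation and addresses the label geometry directly ends up on the wrong cylinder.

```python
from collections import namedtuple

SECTOR_BYTES = 512

# cylinders, heads, sectors per track; sectors are numbered from 1 in CHS addressing
Geometry = namedtuple("Geometry", "cylinders heads sectors")

# Geometry printed on the label in the post
LABEL = Geometry(520, 64, 63)
# Assumed physical geometry behind it: 16 real heads, same sectors per track,
# hence 520 * 64 / 16 = 2080 cylinders. Constructed so the sector totals match.
PHYSICAL = Geometry(2080, 16, 63)


def total_sectors(g):
    return g.cylinders * g.heads * g.sectors


def capacity_bytes(g):
    """Capacity implied by a CHS geometry, assuming 512-byte sectors."""
    return total_sectors(g) * SECTOR_BYTES


def platters(g):
    """The post's rule of thumb: one platter carries two heads (one per side).
    Only meaningful for the physical head count; the label's 64 heads are fictitious."""
    return g.heads // 2


def chs_to_lba(chs, g):
    """Linear sector number of a CHS address under geometry g (sector is 1-based)."""
    c, h, s = chs
    if not (0 <= c < g.cylinders and 0 <= h < g.heads and 1 <= s <= g.sectors):
        raise ValueError(f"CHS {chs} is outside geometry {g}")
    return (c * g.heads + h) * g.sectors + (s - 1)


def lba_to_chs(lba, g):
    """Inverse of chs_to_lba under geometry g."""
    if not 0 <= lba < total_sectors(g):
        raise ValueError(f"LBA {lba} is outside geometry {g}")
    c, rem = divmod(lba, g.heads * g.sectors)
    h, s0 = divmod(rem, g.sectors)
    return (c, h, s0 + 1)


def translate(chs, logical, physical):
    """Where the drive really puts a sector the host addressed with the logical geometry.
    This is the translation the disk firmware does; a low-level format tool that
    ignores it and uses the label geometry directly seeks to the wrong cylinder."""
    if total_sectors(logical) != total_sectors(physical):
        raise ValueError("logical and physical geometries must cover the same number of sectors")
    return lba_to_chs(chs_to_lba(chs, logical), physical)


if __name__ == "__main__":
    print(f"label geometry {LABEL}: {capacity_bytes(LABEL):,} bytes, "
          f"'platters' by the rule = {platters(LABEL)}")
    print(f"physical geometry {PHYSICAL}: platters by the rule = {platters(PHYSICAL)}")
    logical_addr = (100, 5, 1)
    lba = chs_to_lba(logical_addr, LABEL)
    print(f"logical CHS {logical_addr} -> LBA {lba} -> "
          f"physical CHS {translate(logical_addr, LABEL, PHYSICAL)}")
```

    With these numbers the label geometry works out to 1,073,479,680 bytes, and logical cylinder 100, head 5, sector 1 lands on physical cylinder 400 of the 16-head drive, which is what makes writing "by the label" with the wrong tool risky on an old disk that has no guard against out-of-range seeks.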
     
  20. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    I've heard of Viruses that change the voltage settings on various hardware, causing malfunction.

    One example was on a Graphics card and another on a Sony LCD.

    I know a guy that had his MOBO killed, but I think that his system was hacked; he had very low security, running WIN 98 1st ed. & no firewall.
     
  21. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    The very first time I read about the "Super Trojan" several months ago, with my limited knowledge about such things, I thought such a thing was possible, but after reading on a lot of security websites including blackhat websites, I have come to the conclusion that the story is more of a myth than anything else.

    If this thing was possible, I am quite sure that it would be talked about a lot more on the blackhat sites but it appears the script kiddies have more mundane concerns like how to keep their trojans hidden from existing scanners and how to keep from being detected by firewalls.

    I am quite certain that there are extremely bright people out there that might have built a super-trojan (possibly different governments?) but I am relatively sure that those trojans' capabilities are far less than the "super-trojan" in the article.

    Anyway...I doubt the super-trojan could defeat PG v3 as it stands right now. I think PG is a BIG problem for those trying to install trojans on a computer. Nothing is 100% but I believe PG would be extremely difficult for a large percentage of the computer gurus to beat.


    Starrob
     
  22. _Jimbo_

    _Jimbo_ Guest

    Doubt even DiamondCS can keep every hole in Windows covered, although I must admit they are having a good stab at it :)
     
  23. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    Hey Folks-

    I may not be as learned about all of this as you folks, but I'll tell ya, I believe these super badass trojans DO exist because I am dealing with one right now. Thinking that I may have to give up and bag the damn PC altogether at this point. My tale is over in Other Sec. Issues, because I am new and didn't know where to post it really. "Hacker still getting..."
    Gal in a Pall :(
     
  24. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    If there really is a "SUPER-TROJAN" then I suggest contacting DCS, Ewido, Trojanhunter, KAV, NOD, A2 and other security vendors. I am sure they would all be very interested in discovering what it is.

    If you really do have something that complex then I doubt you will find answers in these forums as intelligent as many of the posters are. You are more likely to find answers from those making a living building security products to counter the threat.

    After the different vendors find a solution to your problem then post back because I am sure others are interested in the solution to your problem.

    I still doubt the existence of a "Super-Trojan" until I start seeing people in the security industry saying this thing exists. The few times that I have seen vendors respond to this they infer that more likely than not there is no "Super-Trojan".

    In most "super-Trojan" threads the vendors don't even respond at all, which leads me to believe that they really don't believe in such things.


    Starrob


     
  25. scott lang

    scott lang Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    211
    Location:
    claremore,ok
    Quick question. If there was a BIOS trojan, like what's been talked about here, and it would come back upon reformat and install of OS, then could you not remove the battery from CMOS and let it clear, then replace it and then format and install? Just wondered if this would solve it.
     