Totally undetectable trojan?????

Discussion in 'malware problems & news' started by Starrob, Jul 10, 2005.

Thread Status:
Not open for further replies.
  1. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I was just reading this thread at DSLreports.com http://www.dslreports.com/forum/remark,13853178~mode=flat~days=9999~start=20

    and I was wondering if this type of thing is really possible? If trojans like the one described are starting to be built, then is there any defense against them (with the exception of common sense of course, because I am thinking of the times when common sense might fail, i.e. letting a family member use your computer)?

    Could such a trojan even bypass things such as Deepfreeze and Shadowuser? Interesting questions......o_O??




    Starrob
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    1) follow that thread closely, and it's becoming evident that something doesn't smell right about the entire scenario.

    2) Tools for that exploit have been available for awhile. Kareldjag is one who has attempted to alert people in this forum. Another thread from last year -starting with post #30- talks about this:

    https://www.wilderssecurity.com/showthread.php?t=37250&page=2



    Eventually companies will find a way to prevent writing to flash memory on hardware, eeprom, for example. A few suggestions appear in the DSLR thread.

    Technically, anything stored "off disk" would be re-written to disk for each session. But that question needs further thought by the tech people at those two companies.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  3. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Starrob,

    I'm surely not a hardware guru, and it's been a very long time since I've fiddled with firmware programming myself, but in assessing this item, I believe you have to consider a number of things:
    • First, there is context. How likely is it that a jump in the state of the art of trojan penetration code will be casually posted to a gaming forum describing it as such? I'd rate this likelihood as extremely low.
    • Think of the hoops you have to jump through to reflash the BIOS or other firmware components on your PC using software provided by the designer and/or hardware vendor. And now there is someone out there who can do it on the fly, without mucking up the works, in a completely generic way? I find this unlikely.
    • In principle, virtually anything is possible. Flash memory is designed to be written to, so of course one can write to it. But for this to work, the current function of the device does need to be retained. That alone means for it to work it has to be targeted for specific hardware implementations.
    • As mentioned already in the link, I suppose one could simply place a package of code at the end of the existing contents of the flash memory, occupying unused memory, and somehow grab that code segment when desired. Of course, the grab would necessitate a rewrite or extension of other code elsewhere. I hope you see that it is getting complicated in a hurry for the generic case. Even the specific case is complicated since existing functionality does need to be retained.
    Since a user generally can update firmware, in principle the basic scheme can be done. However, the detail work that must be accomplished between concept and execution is rather formidable. I really can't see this as being a viable shotgun approach to compromising a system. For selected access where the physical devices are all well known, it may be workable, but that's a completely different problem. For a home user I view this as completely unnecessary worry - particularly when there's plenty of other stuff out there that should be worried about.

    As for your last question regarding Deepfreeze and Shadowuser, since we are not discussing a physical mass storage device, the technique is, in principle, beyond the current scope of these programs and they would be bypassed.

    Finally, lots and lots of things are possible "in principle". But the road from "in principle" to working reality is often a long difficult one. I'd expect the same to be true here. Personally, I'm not concerned at this time.

    Blue
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Starrob,

    The way I see it, there is a substantial difference between writing a malicious program that can exploit known Windows XP vulnerabilities (XP being ubiquitous and relatively similar on millions of machines around the world), and writing a program that can update BIOS and firmware, of which there are probably millions of different permutations. I strongly doubt there is a generic way to do it, and if someone were to try to write for a particular set of firmware, they would probably want to target servers (e.g. SUN, HP, IBM) where they might have at least a chance of getting the target they are shooting for. Even then, I think the chances are quite remote.


    In my estimation, it would be difficult enough to write such a program if someone knew for sure what their target was. In the world of PCs, where there are just way too many variables, I think it is going to remain a theoretical discussion - sort of like jumping through space/time via wormholes. I think that for the time being XP and IE are probably going to remain the most likely targets.

    Rich
     
  5. controler

    controler Guest

    I wonder why people come to these forums and start threads such as:
    What kind of video card are you using?
    What kind of router are you using?
    ETC.

    With this demographic info, someone would know what the biggest percentage of ATI video card users there are. They might even find out the highest percentage of ROUTERS being used. They may see gurus recommending a certain router such as Linksys since other members have written a program for that certain router to view traffic.
    Then someone might say, ok, loaded with this info, I think I will target Linksys today LOL.
    Most would say, Well gollie, I still have my software firewall :D
    and sure hope that code didn't disable it also.
    We could have all kinds of fun with this speculation.


    controler
     
  6. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    It might be because I am slightly paranoid but that is among the reasons I don't give my exact set-up and/or may throw a few things in that are the opposite of my set-up.

    I am not certain that this type of trojan is a threat at this time to home users BUT the way to do a true zero day attack is to do something that people don't expect. That being said...if someone built a trojan like this that could work it would most likely target big targets such as governments or corporations.

    Maybe this is just something to keep a sleepy eye on......


    Starrob
     
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I think there are much easier ways to determine popular products (e.g. look at sales statistics of companies, which are readily available). The problem is that even within a product line, there are endless (unannounced) variations since the product manufacturers are forever tweaking the firmware. To hook into firmware with that many possible variations is quite a feat. XP, IE, SQL Server (which came up in the Buffer Overflow vulnerability thread), and their known vulnerabilities, are much fatter targets.

    Of course, there is the off-chance that someone will spend quite a bit of time in their life in the off-chance that some piece of malware that they publish may actually infect a single poor soul in Oshkosh. There are all kinds of people in this world.

    Rich
     
  8. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    I have been following that thread for the past day or so. Right now, this threat appears to be no more than just a "smoke & mirrors" threat to me.

    Even if it is possible, I don't see how in the near future it could be used on a massive scale to affect a home user. Someone that develops something like this would be targeting something like a military computer or corporation, it seems to me.

    It would also appear to my untrained eyes that the intended targets of something like this (especially government agencies due to increased vigilance in looking for terrorist threats) would be investigating all possibilities and would be developing some type of counter-measure to the possibility.

    If something like this did exist, I guess it would surprise all the "Experts"...LOL but be aware that my definition of an "Expert" is a "FOOL" because an "Expert" usually thinks that there is nothing more to learn in a given topic.....that all the knowledge that ever was or will ever be is contained in their head....in other words usually labelling one's self as an "expert" turns off the ability of the brain to learn new things about a given topic or topics.

    Myself...I try to stay away from experts and try to gain knowledge from those that claim not to be an expert....those that claim that they are in continual learning mode. Those that are in continual learning modes are the Einsteins or the Thomas Alva Edisons that have brilliant ideas in their head light up like a light bulb....or how about the guy that I think might have been one of the greatest learners in his day or maybe even these days...someone that had ideas that were even more brilliant than Edison's but didn't get as much recognition.....Nikola Tesla http://www.neuronet.pitt.edu/~bogdan/tesla/

    So this subject of the undetectable trojan is not closed for me even though it might seem unlikely. I just give it a low likelihood of possibility but not the label of impossible because I could always be wrong. For to be totally right....totally 100% right implies infallibility and I thought only the entity that some choose to call "god" was/is infallible?


    Starrob
     