What about ring-0 and BIOS Trojans?

Discussion in 'ProcessGuard' started by Tortle, Jun 3, 2004.

Thread Status:
Not open for further replies.
  1. Tortle

    Tortle Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    7
    What about super low-level trojans like ring-0, or ones that flash themselves into your BIOS (CMOS)? They are below the kernel level.

    Do they exist?
     
  2. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    There's user-mode and kernel-mode, but nothing 'above' or 'below'. The x86 architecture has four privilege levels (ring 0, 1, 2 and 3), but only rings 0 (kernel mode) and 3 (user mode) are used by Windows.

    Process Guard uses a kernel-mode driver, so it operates at the lowest possible level - ring 0, although the user interface naturally runs in ring 3, like all other applications. There are very, very few kernel-mode trojans (the only ones so far are rootkits), but yes, Process Guard does protect against kernel-mode trojans. However, one thing to be aware of with kernel-mode trojans is that as they're kernel-mode they can essentially modify any part of the system, so although Process Guard will still protect you against such trojans, it's important to prevent such trojans from installing in the first place. Process Guard makes this easy by allowing you to block the installation of new drivers.

    Regards,
    Wayne
     
  3. Tortle

    Tortle Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    7
    Thanks for the quick response.

    What about BIOS Trojans? It sounds ridiculous, but things can be run in the BIOS. For example some systems have an integrated debugger in the BIOS, like these: http://www.embeddedx86.com/epc/index.php

    If they can have a debugger in the BIOS, what's to stop a Trojan from flashing itself into the BIOS? The BIOS is lower than any rings.


    Anyway I think it's great that you have a kernel-mode process guard, security shouldn't take place at the application-level, too risky. My only complaint is that all your products aren't kernel-mode.
     
  4. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Wayne - DiamondCS

    The thing is, how do I [we] know if a driver is the said Rootkit? o_O

    As Process Guard asks if you want to allow, but as above. [? :doubt: ]

    Do you know of a program that you could please recommend that finds Rootkits?

    Thank you for your attention and any help.

    With Regards,
    Take Care,
    TheQuest :cool:
     
  5. Tortle

    Tortle Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    7
    I heard that some Trojans can survive a HDD format by creating a secret partition for themselves. They hibernate there until an OS is reinstalled, and then hijack the new system drivers.

    Please tell me this isn't true. It's getting me paranoid.
     
  6. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Tortle

    Possibly true, formatting a HDD only changes the MBR.

    Does not delete the Data.

    But there is no way they [it or anything] would survive a low level format. [overwritten with zeros]

    Take Care,
    TheQuest :cool:
     
  7. Tortle

    Tortle Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    7
    Just make sure that every bit is accounted for on the format. The trojan would only need a 100KB secret partition.

    Formatting only does one partition.
     
  8. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    TheQuest,
    When you install a program that uses kernel-mode components (i.e. a firewall), the actual kernel-mode driver(s) will be installed during the installation. Some programs such as Process Explorer from SysInternals 'dynamically' drop/install/use drivers when you run them. So the general rule of thumb is if you run or install a system-related program then it may install a driver. No other programs should install drivers, so for example if you get emailed a small game from a friend and run it and Process Guard alerts you that it blocked the installation of a driver then you'd have reason to be very suspicious of that game, as it's not system-related. (Some large/complex games sometimes install video or sound drivers, but not small/simple games).

    Tortle,
    If your motherboard isn't too old then you should have a BIOS setting that will prevent the BIOS from being updated/modified. Keep this option enabled - you only really need to disable it when/if updating your BIOS.
     
  9. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Wayne - DiamondCS

    Once again thank you for your reply.

    One of the reasons I asked was because I have just been updating my backup programs, from one DVD to HDD.

    Getting rid of all the old programs and burning back to DVD.

    The thing I was thinking [worried about] was if a Rootkit was hiding and then got itself copied to the programs in some way.

    Or is that not possible. [Excuse my ignorance! :doubt: ]

    Thanks once again for your time,
    Take Care,
    TheQuest :cool:
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Just note that detecting a rootkit will probably never be impossible, but detection by standard methods first requires a sample. Since it's invisible, who will submit it? Rootkits are the most dangerous trojans, hence the release of ProcessGuard with a "block drivers" option to STOP them ever getting there.

    If you ever see ProcessGuard block a driver and the software is of unknown origin - by that I mean if you don't know whether to trust it or not, send the file to submit@diamondcs.com.au, it's that simple :) If you buy an antivirus in a box then you can trust it. If someone you talk to on MSN or email sends you something how can you trust it? Never blindly trust this sort of program.
     
  11. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Gavin - DiamondCS

    Thank you for your response.

    I never ever use anything from an email other than key files.

    In fact the only time I use my email is rare.

    The only people who know it are my IP provider, vendors of my software and forums I belong to,
    and very close friends who I insist do not have it in their address books.

    So all other mail is deleted, without a second thought.

    Thanks again for your help,
    Take Care,
    TheQuest :cool:
     
  12. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Tortle

    Sorry, just seen your reply (post 7 to post 6) in answer to your post 5.

    A low level format destroys all partitions and data.

    You can get a program that writes from start to finish of a disk and then writes the other way.

    And if that's not safe enough for you, get a program that has Peter Gutmann's algorithm.

    Take Care,
    TheQuest :cool:
     
  13. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Wayne - DiamondCS and Gavin - DiamondCS and Jason - DiamondCS


    Thanks very much to the three of you for your time,
    Take Care,
    TheQuest :cool:
     
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Seems dubious - trojans, like any other software, do need to be executed to be effective and sitting on an unused partition will not allow this. However, it is possible for a trojan to install on the Master Boot Record (MBR - where boot managers allowing you to select partitions or OSes on a multiboot system live) and then pretend to do a normal Windows startup while copying itself to the Windows partition.

    This would survive a format but should be removed by running FIXMBR from the Recovery Console (note that this will overwrite any third-party boot managers including, if you use Linux, LILO or GRUB). See MS KB 229716 - Description of the Windows 2000 Recovery Console or MS KB 314058 - Description of the Windows XP Recovery Console for more details.

    Any half-decent anti-virus software should scream blue murder at an attempt to modify the MBR however.
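Paranoid2000's point about MBR infections surviving a format, together with Tortle's earlier remark about making sure every sector is accounted for, suggests a defender-side check. The following is an added example, not code from this thread or from DiamondCS: it parses a 512-byte MBR, verifies the 0x55AA boot signature, hashes the bootstrap code (the area FIXMBR rewrites) for comparison against a baseline taken from a known-clean system, and lists the LBA ranges that no partition table entry claims. The sample sector and disk size are constructed.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the bootstrap code that FIXMBR rewrites
PART_TABLE_OFF = 446     # four 16-byte partition entries follow, then the 0x55AA signature
ENTRY_FMT = "<B3xB3xII"  # status, type, start LBA, sector count (CHS fields skipped)

def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, start, count) tuples."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i, status, ptype, start, count)
    struct.pack_into("<H", sector, 510, 0xAA55)
    return bytes(sector)

def parse_mbr(sector: bytes):
    """Check the boot signature and return the non-empty partition entries."""
    if len(sector) != SECTOR or struct.unpack_from("<H", sector, 510)[0] != 0xAA55:
        raise ValueError("not a valid MBR sector")
    found = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype and count:
            found.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "start": start, "sectors": count})
    return found

def boot_code_hash(sector: bytes) -> str:
    """Hash the bootstrap area only; compare with a baseline recorded on a known-clean system."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def unaccounted_ranges(entries, disk_sectors: int):
    """Half-open LBA ranges after the MBR that no partition claims."""
    gaps, cursor = [], 1
    for e in sorted(entries, key=lambda e: e["start"]):
        if e["start"] > cursor:
            gaps.append((cursor, e["start"]))
        cursor = max(cursor, e["start"] + e["sectors"])
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors))
    return gaps

# Constructed sample: one NTFS-type (0x07) partition on a 1,000,263-sector disk, leaving 200
# unclaimed sectors (100 KB) at the end. The small gap before LBA 63 is normal alignment slack.
DISK_SECTORS = 1_000_263
SAMPLE_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0", [(0x80, 0x07, 63, 1_000_000)])
BASELINE = boot_code_hash(SAMPLE_MBR)  # in practice, record this on a clean install, not a suspect one
```

A changed bootstrap hash with an untouched partition table is the pattern Paranoid2000 describes, and a sizeable trailing gap is the "unaccounted" space Tortle worries about; a real disk would be read with its first 512 bytes and total sector count in place of the constructed values.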
     
  15. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Paranoid2000

    Thanks for the reply to Tortle's question.

    Your answer to him seems to answer my question too, is that right?

    Thanks in advance for any help.
    Take Care,
    TheQuest :cool:
     
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Not too sure - your question was about rootkits and backing up to DVD, correct?

    If so, then this is a very different issue. Running the Recovery Console requires you to boot your system from a setup floppy or the Windows CD-ROM (unless you have installed the Console separately on your system). Starting your system in this fashion would mean not running any code on your hard disk so no rootkit or trojan there could be executed.

    However, if you have started Windows normally and have a rootkit present then it would be executed and could hide itself, copy itself to any other volume (i.e. other disk partitions) and thereby affect any backups you make. DVD and CD volumes would be a slightly more difficult situation since these cannot be written to at will (a session needs to be opened first), but a rootkit could certainly attach itself to any files you choose to copy across.

    In essence, to guarantee avoiding a rootkit you need to start your system using read-only media (a write-protected boot floppy created on a known clean system or a CD/DVD-ROM). If you suspect a rootkit on your system, you need to start it in this fashion before running any anti-virus/anti-trojan scanners.
     
  17. Tortle

    Tortle Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    7
    Most rootkits are for setting up XDCC bots.

    I wonder if the XDCC transfers take place at the kernel-level also, ...this would make them invisible to Port Explorer.

    I was told that there is something called a 'device-level' also.
     
  18. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Paranoid2000

    Thank you for your reply, I'm sorry to be late getting back.

    Yes.


    It seems there is not much defense against Rootkits.

    As one has to backup data somewhere, and they are invisible.

    Never truly sure if you have one.

    They can just jump out. :rolleyes: :eek: :mad:

    Hundreds of pounds, still never sure.

    In the bin with all security software now. [joking ;) ]

    Wished I never read about them, be having nightmares soon. :D :D

    Thanks once again to you for your help.
    Take care,
    TheQuest :cool:
     
  19. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Paranoid2000

    Me again.

    These programs I have burned to DVD have never been run from the HDD.

    By that I mean they were downloaded [safe sites] to HDD then burned to disk.
    The only exception being the sound and graphics which were decompressed. [not run]
    So I could erase [CryptoSuite secure clean] the parts I do not use.

    So is that safer? Please excuse my ignorance on this.

    Thanks once again.
    Take Care,
    TheQuest :cool:
     
  20. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    TheQuest,

    If a rootkit gets installed on your system then you cannot trust anything about it - it may modify parts of the OS so it does not report running processes, utilisation or even available files properly. Hence the proper advice is to format and reinstall - as mentioned in the Help: I Got Hacked. Now What Do I Do? article.
    This does not make them guaranteed malware-free - if you had a virus on your system (or a rootkit with virus-like properties) then it could have attached itself to any files you accessed or created (executable files would be targeted by such viruses rather than sound/video/data files though). And such a rootkit could cause Windows to misreport file details (size, contents) in order to hide its presence in such files (this is not likely, but possible in a nightmare scenario). So ultimately, only a fresh installation where no downloaded files have ever been executed can be considered completely safe (though installing anti-virus/anti-trojan scanners as a first step along with the likes of Process Guard and a firewall can greatly improve your odds of staying safe - a firewall should be installed before connecting to the Internet in any case).

    Please see the Outpost "Open Ports" blank - wierd connectivity thread for an example of someone who got hit by a rootkit.

    Tortle,

    If malware gets installed at kernel-level then it can modify Windows itself so that no other program can be trusted to give reliable results. An anti-virus scanner for instance has to rely on Windows to tell it what files are present - so yes, it could certainly hide network communications from user-level programs - and also possibly from other kernel-level programs if it got to run first at Windows startup.
     
  21. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Paranoid2000

    Thanks once more for the doom and gloom of it. :D

    From your answers I think I am as clear as one can be,
    if that makes any sense.

    Take Care,
    TheQuest :cool:
     
  22. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    My pleasure *cackles evilly*

    What you could do if you were feeling really paranoid is to start your system using a DOS boot floppy and run a DOS-based virus scanner (such as F-Prot for DOS) on any DVD/CD backups. This should sidestep any malware on your system.
     