What about ring-0 and BIOS Trojans?

What about super low-level trojans like ring-0, or ones that flash themselves into your BIOS (cmos)? They are below the kernel level.

Do they exist?

 

There's user-mode and kernel-mode, but nothing 'above' or 'below'. The x86 architecture has four privilege levels (ring 0, 1, 2 and 3), but only rings 0 (kernel mode) and 3 (user mode) are used by Windows.

Process Guard uses a kernel-mode driver, so it operates at the lowest possible level - ring 0, although the user interface naturally rings in ring 3, like all other applications. There are very, very few kernel-mode trojans (the only ones so far are rootkits), but yes, Process Guard does protect against kernel-mode trojans. However, one thing to be aware of with kernel-mode trojans is that as they're kernel-mode they can essentially modify any part of the system, so although Process Guard will still protect you against such trojans,
it's important to prevent such trojans from installing in the first place. Process Guard makes this easy by allowing you to block the installation of new drivers.

Regards,
Wayne

 

Thanks for the quick response.

What about BIOS Trojans? It sounds rediculous, but things can be run in the BIOS. For example some systems have an intergrated debugger in the BIOS, like these: http://www.embeddedx86.com/epc/index.php

If they can have a debugger in the BIOS, what's to stop a Trojan from flashing itself into the BIOS? The BIOS is lower than any rings.


Anyway I think it's great that you have a kernel-mode process guard, security shoudln't take place at the application-level, too rrisky. My only complaint is that all your products aren't kernel-mode.

 

Hi, Wayne - DiamondCS

The thing is how do I [us] know I a driver as the said Rootkits?

As Process Guard ask if you what to allow, but as above.[? ]

Do you know of a program that you could please recommend that finds Rootkits?

Thank you for your attention and any help.

With Regards,
Take Care,
TheeQuest

 

I heard that some Trojans can survive a HDD format by creating a secret partition for themselves. They hibernate there until an OS is reinstalled, and then hijacking the new system drivers.

Please tell me this isn't true. It's getting me paranoid.

 

Hi, Tortle

Possibly true, formatting a HDD only changes the MBR .

Does not delete the Data.

But there is no way they [it or anything] would survive a low level format. [overwritten with zero's]

Take Care,
TheQuest

 

Just make sure that every bit is accounted for on the format. The trojan would only need a 100KB secret partition.

Formatting only does one partition.

 

TheQuest,

When you install a program that uses kernel-mode components (ie. firewall), the actual kernel-mode driver(s) will be installed during the installation. Some programs such as Process Explorer from SysInternals 'dynamically' drop/install/use drivers when you run them. So the general rule of thumb is if you run or install a system-related program then it may install a driver. No other programs should install drivers, so for example if you get emailed a small game from a friend and run it and Process Guard alerts you that it blocked the installation of a driver then you'd have reason to be very suspicious of that game, as it's not system-related. (Some large/complex games sometimes install video or sound drivers, but not small/simple games).

Tortle,

If your motherboard isnt too old then you should have a BIOS setting that will prevent BIOS from being updated/modified. Keep this option enabled - you only really need to disable it when/if updating your BIOS.

 

Hi, Wayne - DiamondCS

Once again thank you for your reply.

One of reasons I asked was because I have just been updating my backup programs, from one DVD to HDD.

Getting rid of all the old programs and burning back to DVD.

The thing I was thinking [worried about] was if a Rootkit was hiding and then got itself copied to the programs in some way.

Or is that not possible. [Excuse my Ignorants! ]

Thanks once again for your time,
Take Care,
TheQuest

 

Just note that detecting a rootkit will probably never be impossible, but detection by standard methods first requires a sample. Since its invisible, who will submit it ? Rootkits are the most dangerous trojans, hence the release of ProcessGuard with a "block drivers" option to STOP them ever getting there.

If you ever see ProcessGuard block a driver and the software is of unknown origin - by that I mean if you dont know whether to trust it or not, send the file to submit@diamondcs.com.au, its that simple If you buy an antivirus in a box then you can trust it. If someone you talk to on MSN or email sends you something how can you trust it ? Never blindly trust this sort of program..

 

Hi, Gavin - DiamondCS

Thank you for you response.

I never ever use anything from an email other than key files.

In fact the only time I use my email is rare.

The only people who know it are IP provider, vender's of my software and forums I belong to,
and very close friends which I insist do not have it in their address books.

So all other mail is deleted, without a second thought.

Thanks again for your help,
Take Care,
TheQuest

 

Hi, Tortle

Sorry just seen your reply post 7 to post 6 in answer your post 5.

A low level format destroys all partitions and data.

You can get a program that write start to finish of a disk and then writes the other way.

And if that not safe enough for you get a program that as Peter Gutmann's algorithm.

Take Care,
TheQuest

 

Hi, Wayne - DiamondCS and Gavin - DiamondCS and Jason - DiamondCS

Thanks very much to the three of you for your time,
Take Care,
TheQuest

 

Seems dubious - trojans, like any other software, do need to be executed to be effective and sitting on an unused partition will not allow this. However, it is possible for a trojan to install on the Master Boot Record (MBR - where boot managers allowing you to select partitions or OSes on a multiboot system live) and then pretend to do a normal Windows startup while copying itself to the Windows partition.

This would survive a format but should be removed by running FIXMBR from the Recovery Console (note that this will overwrite any third-party boot managers including, if you use Linux, LILO or GRUB). See MS KB 229716 - Description of the Windows 2000 Recovery Console or MS KB 314058 - Description of the Windows XP Recovery Console for more details.

Any half-decent anti-virus software should scream blue murder at an attempt to modify the MBR however.

 

Hi, Paranoid2000

Thanks for the reply to Tortle's question.

Your answer his seems to answer my question too is that right?

Thanks in advance for any help.
Take Care,
TheQuest

 

Not too sure - your question was about rootkits and backing up to DVD, correct?

If so, then this is a very different issue. Running the Recovery Console requires you to boot your system from a setup floppy or the Windows CD-ROM (unless you have installed the Console separately on your system). Starting your system in this fashion would mean not running any code on your hard disk so no rootkit or trojan there could be executed.

However, if you have started Windows normally and have a rootkit present then it would be executed and could hide itself, copy itself to any other volume (i.e. other disk partitions) and thereby affect any backups you make. DVD and CD volumes would be a slightly more difficult situation since these cannot be written to at will (a session needs to be opened first), but a rootkit could certainly attach itself to any files you choose to copy across.

In essence, to guarantee avoiding a rootkit you need to start your system using read-only media (a write-protected boot floppy created on a known clean system or a CD/DVD-ROM). If you suspect a rootkit on your system, you need to start it in this fashion before running any anti-virus/anti-trojan scanners.

 

Most rootkits are for setting up XDCC bots.

I wonder if the XDCC transfers takes place at the kernel-level also, ...this would make them invisible to port explorer.

I was told that there is something called a 'device-level' also.

 

Hi, Paranoid2000

Thank you for your reply, I sorry to be late getting back.

Yes.


It seem there is not much defense against Rootkits.

As one has to backup data some were, and they are invisible.

Never truly sure if you have one.

They can just jump out.

hundreds of pounds still never sure.

In the bin with all security software now. [joking ]

Wished I never read about them, be having nightmares soon.

Thanks once again to you for your help.
Take care,
TheQuest

 

Hi, Paranoid2000

Me again.

These programs I have burned to DVD have never been run from the HDD.

By that I mean they were downloaded [safe sites] to HDD then burned to disk.
The only exception being The sound and graphic which were decompressed. [not run]
So I could erase [CryptoSuite secure clean] the parts I do not use.

So is that safer pease excuse my ignorants on this.

Thanks once again.
Take Care,
TheQuest

 

TheQuest,

If a rootkit gets installed on your system then you cannot trust anything about it - it may modify parts of the OS so it does not report running processes, utilisation or even available files properly. Hence the proper advice is to format and reinstall - as mentioned in the Help: I Got Hacked. Now What Do I Do? article.

This does not make them guaranteed malware-free - if you had a virus on your system (or a rootkit with virus-like properties) then it could have attached itself to any files you accessed or created (executable files would be targetted by such viruses rather than sound/video/data files though). And such a rootkit could cause Windows to misreport file details (size, contents) in order to hide its presence in such files (this is not likely, but possible in a nightmare scenario). So ultimately, only a fresh installation where no downloaded files have ever been executed can be considered completely safe (though installing anti-virus/anti-trojan scanners as a first step along with the likes of Process Guard and a firewall can greatly improve your odds of staying safe - a firewall should be installed before connecting to the Internet in any case).

Please see the Outpost "Open Ports" blank - wierd connectivity thread for an example of someone who got hit by a rootkit.

Tortle,

If malware gets installed at kernel-level then it can modify Windows itself so that no other program can be trusted to give reliable results. An anti-virus scanner for instance has to rely on Windows to tell it what files are present - so yes, it could certainly hide network communications from user-level programs - and also possibly from other kernel-level programs if it got to run first at Windows startup.

 

Hi, Paranoid2000

Thanks once more for the doom and gloom of it.

From your answers I think I am as clear as one can think,
If that make any sense.

Take Care,
TheQuest

 

My pleasure *cackles evilly*

What you could do if you were feeling really paranoid is to start your system using a DOS boot floppy and run a DOS-based virus scanner (such as F-Prot for DOS) on any DVD/CD backups. This should sidestep any malware on your system.