Flashing the BIOS - and maybe the EEPROM

Posted by Chana C on September 19, 2005, 7:55 pm
To those who feel that flashing the BIOS is ludicrous since it "can't be
infected" ...

Please see quote below from Microsoft Research Strider Rootkit Project
publication called:

"Detecting Stealth Software with Strider GhostBuster "

http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=875

As we pointed out in the Introduction, the problem
space of stealth software is broader than that of ghostware,
which has been our focus so far. Stealth software may hide
their persistent state in a form for which current OS does
not provide query/enumeration APIs or does not provide
common utilities that make use of such APIs. Examples
include hiding executable code inside the BIOS [YB],
video card EEPROM, boot sectors [D], bad disk sectors,
Alternate Data Streams (ADS), etc.

Stealth software can
also hide their active running code in a form that cannot be
revealed by the process/module query APIs; they can
inject code into an existing process and hijack a thread to
execute that code. Detection of these advanced hiding
resources is to intercept system calls to the kernel via a
Loadable Kernel Module (LKM) [ZK,YJ,J01]. For
example, some rootkits are known to hook read, write,
close, and the getdents (get directory entries) system calls.
More advanced rootkits can directly patch the kernel in
memory [YC98,YL01].

You will notice that video card EEPROM is also a potential target...so, I
guess you wouldn't try
flashing those either???

Cheers,

Chana


Posted by Phil Weldon on September 19, 2005, 8:12 pm
'Chana C' reposted the content of his earlier reply:
| To those who feel that flashing the BIOS is ludicrous since it "can't be
| infected"...
_____

There you go again, flailing.
Not only is it suggested procedure to read at least some of the posts to a
newsgroup before posting yourself, it can avoid embarrassment.

Phil Weldon

> To those who feel that flashing the BIOS is ludicrous since it "can't be
> infected" ...
>
> Please see quote below from Microsoft Research Strider Rootkit Project
> publication called:
>
> "Detecting Stealth Software with Strider GhostBuster "
>
> http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=875
>
> As we pointed out in the Introduction, the problem
> space of stealth software is broader than that of ghostware,
> which has been our focus so far. Stealth software may hide
> their persistent state in a form for which current OS does
> not provide query/enumeration APIs or does not provide
> common utilities that make use of such APIs. Examples
> include hiding executable code inside the BIOS [YB],
> video card EEPROM, boot sectors [D], bad disk sectors,
> Alternate Data Streams (ADS), etc.
>
> Stealth software can
> also hide their active running code in a form that cannot be
> revealed by the process/module query APIs; they can
> inject code into an existing process and hijack a thread to
> execute that code. Detection of these advanced hiding
> resources is to intercept system calls to the kernel via a
> Loadable Kernel Module (LKM) [ZK,YJ,J01]. For
> example, some rootkits are known to hook read, write,
> close, and the getdents (get directory entries) system calls.
> More advanced rootkits can directly patch the kernel in
> memory [YC98,YL01].
>
> You will notice that video card EEPROM is also a potential target...so, I
> guess you wouldn't try
> flashing those either???
>
> Cheers,
>
> Chana
>
>



Posted by David H. Lipman on September 19, 2005, 8:19 pm

| To those who feel that flashing the BIOS is ludicrous since it "can't be
| infected" ...

< snip >

Pure FUD !

Now, go show me an article from the IEEE stating about an infector that can do
this. If an IEEE paper purported the possibility of Cryptovirology back in 1996
then they surely would also have information on viruses hiding in FirmWare.

Do you have any authoritative source other than Microsoft ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Chana C on September 19, 2005, 9:00 pm

This is really amusing....guys, nothing is impossible in this world.
Especially in the world of technology. I'm truly sorry if I'm rattling your
whole world-view...but, really - this stuff isn't even NEW!

Anyway, you wanted an IEEE reference...

Here you go....

James Butler, Jeffrey L. Undercoffer and John Pinkston, HIDDEN PROCESSES:
The Implication for Intrusion Detection, Proceedings of the 2003 IEEE
Workshop on Information Assurance, United States Military
Academy, West Point, NY, June, 2003.

James R. Butler II, Detecting Compromises of Core Subsystems and Kernel
Functions in Windows NT/2000/XP, M.S. thesis, University of Maryland,
Baltimore County, 2002.

From Addison Wesley:

The Basics of Rootkits: Leave No Trace
By Greg Hoglund, Jamie Butler.
Date: Aug 26, 2005.

Their bio in case you doubt their credentials...

Greg Hoglund has been a pioneer in the area of software security. He is CEO
of HBGary, Inc., a leading provider of software security verification
services. After writing one of the first network vulnerability scanners
(installed in over half of all Fortune 500 companies), he created and
documented the first Windows NT-based rootkit, founding rootkit.com in the
process. Greg is a frequent speaker at Black Hat, RSA, and other security
conferences.

James Butler, Director of Engineering at HBGary, has a world-class talent
for kernel programming and rootkit development and extensive experience in
host-based intrusion-detection systems. He is the developer of VICE, a
rootkit detection and forensics system. Jamie's previous positions include
Senior Security Software Engineer at Enterasys and Computer Scientist at the
National Security Agency. He is a frequent trainer and speaker at Black Hat
security conferences. He holds a master's in computer science from the
University of Maryland, Baltimore County. He has published articles in the
IEEE Information Assurance Workshop, Phrack, USENIX ;login:, and Information
Management and Computer Security.

The book discussed the ability of advanced rootkits to hack firmware...

Want more - please just let me know...

Cheers,

Chana



"David H. Lipman" wrote:

>
> | To those who feel that flashing the BIOS is ludicrous since it "can't be
> | infected" ...
>
> < snip >
>
> Pure FUD !
>
> Now, go show me an article from the IEEE stating about an infector that can do
> this. If an IEEE paper purported the possibility of Cryptovirology back in 1996
> then they surely would also have information on viruses hiding in FirmWare.
>
> Do you have any authoritative source other than Microsoft ?
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

Posted by David H. Lipman on September 19, 2005, 9:35 pm

|
| This is really amusing....guys, nothing is impossible in this world.
| Especially in the world of technology. I'm truly sorry if I'm rattling your
| whole world-view...but, really - this stuff isn't even NEW!
|
| Anyway, you wanted an IEEE reference...
|
| Here you go....
|

< snip >

You reference a book that is less than 1 month old. However, there are no
citations on viruses infecting PROM, OK.

Where's the URL from IEEE or other authoritative source for our inspection ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


