From: Dustin Cook on
ASCII <me2(a)privacy.net> wrote in news:4c1b26dc.5386765(a)EDCBIC:

> Dustin Cook wrote:
>>stop.nospam.gbbsg(a)shaw.ca (gufus) wrote in
>>news:1276617270(a)f77.n342.z1.fidonet.org:
>>
>>> Hi David,
>>>
>>> 15 Jun 10, David H. Lipman writes to All:
>>>
>>> > In practice -- it isn't and that's why we do NOT see this!
>>>
>>> I would think the flashable vector code would have to be installed
>>> first, before the PC is powered up. Yes/no?
>>
>>No.. You can reflash live in windows; so the machine can already be
>>powered up. It has to be, in fact.
>>
>>However, with that said, once you reboot, if the flash was bad; your
>>goose is cooked.
>>
>
> Isn't there some way you can short or jump a couple of pins
> to physically reset your BIOS, after yanking the CMOS battery first?

No man. That's cmos/poweron password reset you're thinking of. While they
are commonly on the same piece of silicon these days, they are still
separate little beasties. The BIOS contains necessary information that
tells your computer what it is, how much/what kind of ram, cpu, etc etc
etc it has and whatever customized tweaks you've configured for it.





--
A fanatic is one who can't change his mind and won't change the subject
-Winston Churchill

From: FromTheRafters on
"ASCII" <me2(a)privacy.net> wrote in message
news:4c1b26dc.5386765(a)EDCBIC...
> Dustin Cook wrote:
>>stop.nospam.gbbsg(a)shaw.ca (gufus) wrote in
>>news:1276617270(a)f77.n342.z1.fidonet.org:
>>
>>> Hi David,
>>>
>>> 15 Jun 10, David H. Lipman writes to All:
>>>
>>> > In practice -- it isn't and that's why we do NOT see this!
>>>
>>> I would think the flashable vector code would have to be installed
>>> first, before the PC is powered up. Yes/no?
>>
>>No.. You can reflash live in windows; so the machine can already be
>>powered up. It has to be, in fact.
>>
>>However, with that said, once you reboot, if the flash was bad; your
>>goose is cooked.
>>
>
> Isn't there some way you can short or jump a couple of pins
> to physically reset your BIOS, after yanking the CMOS battery first?

That's for resetting the CMOS setup data, not the BIOS code itself
(although the same chip may be involved).

Some boards have a BIOS recovery scheme that allows you to flash the
BIOS with a rudimentary BIOS code that it keeps in a non-flashable area.
Others have one that allows you to flash an image from a floppy to the
firmware (load floppy, set jumper, energize unit - beep beep beep and
Bob's yer uncle as they say).


From: Dustin Cook on
"FromTheRafters" <erratic(a)nomail.afraid.org> wrote in
news:hv99lv$65v$1(a)news.eternal-september.org:

> "ASCII" <me2(a)privacy.net> wrote in message
> news:4c1b26dc.5386765(a)EDCBIC...
>> Dustin Cook wrote:
>>>stop.nospam.gbbsg(a)shaw.ca (gufus) wrote in
>>>news:1276617270(a)f77.n342.z1.fidonet.org:
>>>
>>>> Hi David,
>>>>
>>>> 15 Jun 10, David H. Lipman writes to All:
>>>>
>>>> > In practice -- it isn't and that's why we do NOT see this!
>>>>
>>>> I would think the flashable vector code would have to be installed
>>>> first, before the PC is powered up. Yes/no?
>>>
>>>No.. You can reflash live in windows; so the machine can already be
>>>powered up. It has to be, in fact.
>>>
>>>However, with that said, once you reboot, if the flash was bad; your
>>>goose is cooked.
>>>
>>
>> Isn't there some way you can short or jump a couple of pins
>> to physically reset your BIOS, after yanking the CMOS battery first?
>
> That's for resetting the CMOS setup data, not the BIOS code itself
> (although the same chip may be involved).
>
> Some boards have a BIOS recovery scheme that allows you to flash the
> BIOS with a rudimentary BIOS code that it keeps in a non-flashable
> area. Others have one that allows you to flash an image from a floppy
> to the firmware (load floppy, set jumper, energize unit - beep beep
> beep and Bob's yer uncle as they say).
>
>
>

I like the Gigabyte boards for the redundant BIOS feature. They keep two
identical BIOS chips on the board. When the main BIOS fails for
corruption, the other one kicks in; alerts you, and in some revisions,
even offers to correct the primary chip by loading its own image back
onto it. The secondary BIOS is stored on a ROM chip, so she's not going
to be neutered. Very cool design, imho.


--
A fanatic is one who can't change his mind and won't change the subject
-Winston Churchill

From: ~BD~ on

"FromTheRafters" <erratic(a)nomail.afraid.org> wrote in message
news:hv9871$17r$1(a)news.eternal-september.org...
> "gufus" <stop.nospam.gbbsg(a)shaw.ca> wrote in message
>> Or could the BIOS code be flashed via malware?
>
> Yes, that is the implication. CIH demonstrated this fact by corrupting
> the BIOS firmware of vulnerable motherboards.
>
> The possibility exists that something useful from an attacker's point
> of view can be done with this additional storage area. Any attack of
> this sort would be very hardware specific, and not too likely to
> become a mobile code malware problem.

It seems to follow, then, that if malware *can* be stored in the BIOS
ROM chip, even if a hard disk is cleaned (or replaced by a new one) and
the operating system reloaded from scratch, the malware *could* be
resurrected - as if from the dead!

With the powerful machines available to just ordinary folk nowadays, a
user might never know that their machine was infected and/or controlled
by an outside agency.

Impossible? Cybercrime is still escalating exponentially, in spite of
all the anti-virus/anti-malware programmes available nowadays. How?

Food for more thought, IMO.

As far as I know, there is no way a user can check what is contained
within/on the BIOS chip - so no way to know whether or not a machine
*has* actually been compromised! Might this warrant a new thread for
discussion? <wink>

--
Dave


From: ~BD~ on
"FwomTheWaftewth" <ewwatik(a)nomaiw.afwaid.owg> wwote in methage
newth:hw9871$17w$1(a)newth.etewnaw-theptembew.owg...
> "gufus" <stop.nospam.gbbsg(a)shaw.ca> wrote in message
>> Or could the BIOS code be flashed via malware?
>
> Yes, that is the implication. CIH demonstrated this fact by corrupting
> the BIOS firmware of vulnerable motherboards.
>
> The possibility exists that something useful from an attackers point
> of view can be done with this additional storage area. Any attack of
> this sort would be very hardware specific, and not too likely to
> become a mobile code malware problem.

It theemth to fowwow, then, that if mawwawe *kan* be ftowed in the
BIOTh WOM tthip, ewen if a hawd dithk ith kweaned (ow wepwathed by a
new one) and the opewating thyftem wewoaded fwom thkwattth, the
mawwawe *kowwd* be wethuwwekted - ath if fwom the dead!

With the powewfuw makhineth awaiwabwe to yuft owdinawy fowk nowadayth,
a uthew might newew know that theiw makhine wath infekted and/ow
kontwowwed by an outthide agenthy.

Impothibwe? Thybewthwime ith ftiww ethkawating ekthponentiawwy, in
thpite of aww the anti-wiwuth/anti-mawwawe pwogwammeth awaiwabwe
nowadayth. How?

Food fow mowe thought, IMO.

Ath faw ath I know, thewe ith no way a uthew kan kekk what ith
kontained within/on the BIOTh tthip - tho no way to know whethew ow
not a makhine *hath* aktuawwy been kompwomithed! Might thith wawwant a
new thwead fow dithkuthion? <wink>