... and moving to BIOS rootkits? A BIOS rootkit would work for any OS, it would survive reboot, it would survive reinstallation, and it would even survive changing hard drives! And, it would still have as much control as a normal rootkit has, possibly even more. It's perfectly possible to do, and virus-scanners and rootkit-checkers don't check for it yet!
Quote
In the cat-and-mouse game of computer security, rootkits are a powerful way to hide malicious code on a compromised computer where it is difficult to detect and remove.
As detection tools become more sophisticated, one researcher thinks that the BIOS may be the new frontier for rootkits.
"There are no tools now to audit your BIOS for a rootkit," said John Heasman, principal security consultant for NGS Software Ltd. of the U.K. Heasman, speaking at the Black Hat Federal Briefings in Arlington, Va., described a proof of concept technique for placing a rootkit at such a low level on the computer's system that it would survive reboots, reinstallation of operating systems and even replacement of the hard drive.
http://www.gcn.com/vol1_no1/daily-updates/38102-1.html
Would be hard to pull off I'd imagine.
Besides, if you could access the BIOS, why install a rootkit? Why not turn off fans and overclock the processor by a few hundred times (even if you can't) so that the CPU bursts into flames, costing the owner a few hundred (if not a thousand) bucks for a new processor.
Quote from: Newby on January 27, 2006, 06:39:03 PM
Would be hard to pull off I'd imagine.
Besides, if you could access the BIOS, why install a rootkit? Why not turn off fans and overclock the processor by a few hundred times (even if you can't) so that the CPU bursts into flames, costing the owner a few hundred (if not a thousand) bucks for a new processor.
More often than not, the primary purpose of hacking (especially if the target is not premeditated) is to obtain something from the target, not cause the target agony. That's hard to do when your computer is a smoking pile of goo.
So when people spread rootkits over AIM and such, the purpose is for specific stuff? I guess so, botnets are lovely. Just imagine your computer being a drone no matter what OS you are running. No matter how many times you reformat. :P
Duh. Use EFI!
but then couldn't you just destroy it by resetting the CMOS jumpers or pulling the battery out?
Quote from: Newby on January 27, 2006, 07:32:06 PM
So when people spread rootkits over AIM and such, the purpose is for specific stuff? I guess so, botnets are lovely. Just imagine your computer being a drone no matter what OS you are running. No matter how many times you reformat. :P
The main use for rootkits is to be able to re-gain access to the computer at a later date for some specific purpose, like Sidoh said. Worms and trojans that spread over AIM and such usually aren't rootkits.
Quote from: Nate on January 27, 2006, 08:43:33 PM
but then couldn't you just destroy it by resetting the CMOS jumpers or pulling the battery out?
Yes, if you could figure out that that was the problem. You could also just update the bios, I think that would do it too.
Quote from: iago on January 27, 2006, 08:46:29 PM
Quote from: Newby on January 27, 2006, 07:32:06 PM
So when people spread rootkits over AIM and such, the purpose is for specific stuff? I guess so, botnets are lovely. Just imagine your computer being a drone no matter what OS you are running. No matter how many times you reformat. :P
The main use for rootkits is to be able to re-gain access to the computer at a later date for some specific purpose, like Sidoh said. Worms and trojans that spread over AIM and such usually aren't rootkits.
Quote from: Nate on January 27, 2006, 08:43:33 PM
but then couldn't you just destroy it by resetting the CMOS jumpers or pulling the battery out?
Yes, if you could figure out that that was the problem. You could also just update the bios, I think that would do it too.
Since the BIOS is stored on EPROM isn't it erased and reprogrammed every time a setting is changed as well?
iirc yes.
Quote from: Lord[nK] on January 27, 2006, 09:18:58 PM
Quote from: iago on January 27, 2006, 08:46:29 PM
Yes, if you could figure out that that was the problem. You could also just update the bios, I think that would do it too.
Since the BIOS is stored on EPROM isn't it erased and reprogrammed every time a setting is changed as well?
That is what I think iago meant. :P
Quote from: Lord[nK] on January 27, 2006, 09:28:40 PM
Quote from: Newby on January 27, 2006, 09:26:50 PM
Quote from: Lord[nK] on January 27, 2006, 09:18:58 PM
Quote from: iago on January 27, 2006, 08:46:29 PM
Yes, if you could figure out that that was the problem. You could also just update the bios, I think that would do it too.
Since the BIOS is stored on EPROM isn't it erased and reprogrammed every time a setting is changed as well?
That is what I think iago meant. :P
Well, I figured he meant updated as in the BIOS software being updated, or flashed. If that's not what he meant then this would only be of great use on systems which rarely undergo hardware updates and have long-lasting CMOS batteries. Either way, the 5 year old BIOS on the IBM machine that I'm currently using as a gateway monitors changes to the BIOS & MBR, alerting me during POST if a change has been made, so it's hard for me to believe that BIOS checking would be difficult for anti-virus software companies to implement.
Hmm, if BIOS is stored on E2 then yeah, it would have to erase every time you changed a setting. But you only have to erase E2 in sectors, not the whole thing. Without knowing more about how it works, I have no idea if changing a setting would make a difference.
But yeah, flashing it would definitely work.
Quote from: iago on January 28, 2006, 03:34:43 AM
Hmm, if BIOS is stored on E2 then yeah, it would have to erase every time you changed a setting. But you only have to erase E2 in sectors, not the whole thing. Without knowing more about how it works, I have no idea if changing a setting would make a difference.
But yeah, flashing it would definitely work.
By the same token you'd have to flash the BIOS to get the "rootkit" in there anyhow? Otherwise every virus would take advantage of this. I'm led to believe that site sucks and those people have absolutely no clue what they are talking about.
Quote from: zorm on January 29, 2006, 07:56:15 PM
Quote from: iago on January 28, 2006, 03:34:43 AM
Hmm, if BIOS is stored on E2 then yeah, it would have to erase every time you changed a setting. But you only have to erase E2 in sectors, not the whole thing. Without knowing more about how it works, I have no idea if changing a setting would make a difference.
But yeah, flashing it would definitely work.
By the same token you'd have to flash the BIOS to get the "rootkit" in there anyhow? Otherwise every virus would take advantage of this. I'm led to believe that site sucks and those people have absolutely no clue what they are talking about.
Exactly what I was thinking.
And if you're stupid enough to download BIOS to flash from a website that's NOT your motherboard manufacturer's company, you suck at life and deserve the rootkit.
Quote from: zorm on January 29, 2006, 07:56:15 PM
Quote from: iago on January 28, 2006, 03:34:43 AM
Hmm, if BIOS is stored on E2 then yeah, it would have to erase every time you changed a setting. But you only have to erase E2 in sectors, not the whole thing. Without knowing more about how it works, I have no idea if changing a setting would make a difference.
But yeah, flashing it would definitely work.
By the same token you'd have to flash the BIOS to get the "rootkit" in there anyhow? Otherwise every virus would take advantage of this. I'm led to believe that site sucks and those people have absolutely no clue what they are talking about.
It would be difficult, no question there. They aren't calling it a "frontier" because it's a simple problem, because it's not.
And actually, with (normal) e2, you can write 0's, you just can't write 1's. So maybe, just maybe, it would be possible to encode a virus in the pre-existing data. Who knows? But IF it was possible, it would be difficult but very rewarding.
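A defender-side sketch of two points raised in this thread: the POST-time BIOS change check Lord[nK] describes on his IBM machine, and iago's observation that E² can be written 1 -> 0 but cannot go 0 -> 1 without an erase cycle. This is an added example, not code from the thread or from NGS Software. It runs on constructed byte strings standing in for a dumped ROM image; the sector size is an assumed value (real parts use 4 KiB to 64 KiB erase blocks), and a real check would dump the flash with the board vendor's own tool and keep the baseline hashes somewhere the machine cannot rewrite them.

```python
"""Baseline comparison of a firmware dump, sector by sector.

Added example for the discussion above; the images are constructed test data,
not real BIOS contents.
"""
import hashlib

SECTOR_SIZE = 64  # assumed value for the example; real erase blocks are 4 KiB to 64 KiB


def sector_hashes(image: bytes, sector_size: int = SECTOR_SIZE) -> list[str]:
    """Hash each erase-sector-sized slice so the baseline stays small and a
    change can be located to a sector rather than just 'the image differs'."""
    return [hashlib.sha256(image[off:off + sector_size]).hexdigest()
            for off in range(0, len(image), sector_size)]


def program_only_change(old: bytes, new: bytes) -> bool:
    """True when every changed bit went 1 -> 0.

    Such a change can be made by programming alone, with no erase cycle.
    Any 0 -> 1 transition means the whole sector had to be erased (all bits
    set to 1) and rewritten, which is a stronger indicator that a flashing
    tool, not an in-place tweak, touched the part.
    """
    if len(old) != len(new):
        return False
    # new & ~old isolates bits that are set in new but were clear in old
    return all((n & ~o & 0xFF) == 0 for o, n in zip(old, new))


def audit(baseline: bytes, current: bytes,
          sector_size: int = SECTOR_SIZE) -> dict[int, bool]:
    """Return {sector_index: program_only?} for every sector whose hash moved."""
    if len(baseline) != len(current):
        raise ValueError("dump size differs from baseline; flash part or dump tool changed")
    findings: dict[int, bool] = {}
    pairs = zip(sector_hashes(baseline, sector_size), sector_hashes(current, sector_size))
    for idx, (b_hash, c_hash) in enumerate(pairs):
        if b_hash != c_hash:
            start = idx * sector_size
            findings[idx] = program_only_change(baseline[start:start + sector_size],
                                                current[start:start + sector_size])
    return findings


def make_samples() -> tuple[bytes, bytes]:
    """Constructed baseline and tampered dump: 256 bytes, four 64-byte sectors."""
    baseline = bytes(range(256))
    tampered = bytearray(baseline)
    tampered[64] = 0x00   # sector 1: 0x40 -> 0x00, only bit 6 cleared (program-only)
    tampered[192] = 0xC1  # sector 3: 0xC0 -> 0xC1, bit 0 set (needs an erase)
    return baseline, bytes(tampered)


if __name__ == "__main__":
    base, cur = make_samples()
    for sector, prog_only in audit(base, cur).items():
        kind = "program-only change (no erase needed)" if prog_only else "change required an erase"
        print(f"sector {sector} modified: {kind}")
```

The sector-level hash is what a POST-time check like the one on the IBM box would store; the program-only classification is the forensic follow-up, telling you whether the observed change is even consistent with a write that skipped the erase step.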
Quote from: iago on January 29, 2006, 10:48:45 PM
It would be difficult, no question there. They aren't calling it a "frontier" because it's a simple problem, because it's not.
And actually, with (normal) e2, you can write 0's, you just can't write 1's. So maybe, just maybe, it would be possible to encode a virus in the pre-existing data. Who knows? But IF it was possible, it would be difficult but very rewarding.
The BIOS has been around forever, I suspect that if it was actually possible to do something evil with it, it would have been done by now. Consider bootsector viruses for example.
Also, how rewarding would something like this actually be? I'd imagine detecting OS, finding network drivers/apis to take advantage of them would be extremely difficult and not worth the effort.
Quote from: zorm on January 29, 2006, 11:11:18 PM
Quote from: iago on January 29, 2006, 10:48:45 PM
It would be difficult, no question there. They aren't calling it a "frontier" because it's a simple problem, because it's not.
And actually, with (normal) e2, you can write 0's, you just can't write 1's. So maybe, just maybe, it would be possible to encode a virus in the pre-existing data. Who knows? But IF it was possible, it would be difficult but very rewarding.
The BIOS has been around forever, I suspect that if it was actually possible to do something evil with it, it would have been done by now. Consider bootsector viruses for example.
Also, how rewarding would something like this actually be? I'd imagine detecting OS, finding network drivers/apis to take advantage of them would be extremely difficult and not worth the effort.
True; I suppose it depends on what you actually want to do.