
Thread: Firmware Rootkits - detection 'tool' available?

  1. #1
    ~BD~
    Guest

    Firmware Rootkits - detection 'tool' available?

    I asked this question in the two 'security' newsgroups to which I now
    crosspost.

    "Is there *any* tool which can identify a rootkit on a ROM chip?"

    I received an answer which said ...........

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:h8volf0hm8@news3.newsguy.com...
    > From: "~BD~" <BoaterDave@hotmail.co.uk>


    > They should be dismissed until they are ACTUALLY found in the wild and not
    > postulated in some white paper(s).



    I believe Firmware rootkits are rare - but *I* think that they should *not*
    be dismissed.

    Read : http://www.ngssoftware.com/research/...07-Heasman.pdf

    So, should I simply accept Mr Lipman's word that the subject is irrelevant?
    I'd really like to know if there is *any* way that someone could identify
    that the firmware on their machine had been infected (in other words, remain
    infected even if a new hard disk was installed).

    *Is* there a detection tool? That remains my question.

    Pure FUD? I think not!

    --
    Dave (for FUD see http://www.cavcomp.demon.co.uk/halloween/fuddef.html )





  2. #2
    nobody >
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    ~BD~ wrote:
    > I asked this question in the two 'security' newsgroups to which I now
    > crosspost.
    >
    > "Is there *any* tool which can identify a rootkit on a ROM chip?"


    If you are truly speaking of Read Only Memory that was installed at
    assembly, there's no way that a rootkit could be there unless it was put
    on when the ROM was "Burned"

  3. #3
    攸hw不f
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    In message <BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com>, "nobody " wrote:
    > ~BD~ wrote:
    > > I asked this question in the two 'security' newsgroups to which I now
    > > crosspost.
    > >
    > > "Is there *any* tool which can identify a rootkit on a ROM chip?"

    >
    > If you are truly speaking of Read Only Memory that was installed at
    > assembly, there's no way that a rootkit could be there unless it was put
    > on when the ROM was "Burned"


    Really? Have you ever flashed a BIOS?

    ^_^

    --
    http://www.care2.com/click-to-donate/wolves/
    Proof of Americas 3rd world status:
    http://www.ramusa.org/
    Cash for *who*?
    http://www.bartcop.com/list-the-facts.htm
    http://www.pavlovianobeisance.com/


  4. #4
    ~BD~
    Guest

    Re: Firmware Rootkits - detection 'tool' available?


    "nobody >" <usenetharvested@aol.com> wrote in message
    news:BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com...
    > ~BD~ wrote:
    >> I asked this question in the two 'security' newsgroups to which I now
    >> crosspost.
    >>
    >> "Is there *any* tool which can identify a rootkit on a ROM chip?"

    >
    > If you are truly speaking of Read Only Memory that was installed at
    > assembly, there's no way that a rootkit could be there unless it was put
    > on when the ROM was "Burned"


    "攸hw不f" poses the question of 'flashing' the BIOS.

    I'm suggesting that if/when this action is carried out, it might well be
    possible to introduce malware to a system - which will remain for posterity.

    If I am right, I'm asking if there is any way that ordinary folk could ever
    find out the truth. *Is* there a way?

    --
    Dave



  5. #5
    nobody >
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    ~BD~ wrote:
    > "nobody >" <usenetharvested@aol.com> wrote in message
    > news:BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com...
    >> ~BD~ wrote:
    >>> I asked this question in the two 'security' newsgroups to which I now
    >>> crosspost.
    >>>
    >>> "Is there *any* tool which can identify a rootkit on a ROM chip?"

    >> If you are truly speaking of Read Only Memory that was installed at
    >> assembly, there's no way that a rootkit could be there unless it was put
    >> on when the ROM was "Burned"

    >
    > "攸hw不f" poses the question of 'flashing' the BIOS.
    >
    > I'm suggesting that if/when this action is carried out, it might well be
    > possible to introduce malware to a system - which will remain for posterity.
    >
    > If I am right, I'm asking if there is any way that ordinary folk could ever
    > find out the truth. *Is* there a way?
    >
    > --
    > Dave
    >
    >


    "Flashing the BIOS" means that the chip(s) in question are
    erasable/reprogrammable. By long convention, ROM is static and can
    only be written to ONCE. The term "burning" came from the original
    design where you actually burnt elements of the chip away to store the
    contents.

  6. #6
    Todd H.
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    "~BD~" <BoaterDave@hotmail.co.uk> writes:

    > "nobody >" <usenetharvested@aol.com> wrote in message
    > news:BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com...
    >> ~BD~ wrote:
    >>> I asked this question in the two 'security' newsgroups to which I now
    >>> crosspost.
    >>>
    >>> "Is there *any* tool which can identify a rootkit on a ROM chip?"

    >>
    >> If you are truly speaking of Read Only Memory that was installed at
    >> assembly, there's no way that a rootkit could be there unless it was put
    >> on when the ROM was "Burned"

    >
    > "攸hw不f" poses the question of 'flashing' the BIOS.
    >
    > I'm suggesting that if/when this action is carried out, it might well be
    > possible to introduce malware to a system - which will remain for posterity.
    >
    > If I am right, I'm asking if there is any way that ordinary folk could ever
    > find out the truth. *Is* there a way?


    Dave,

    I think the short answer is no, I believe (though it's always hard to
    prove a negative). The technique is too new to have tamper detection
    commercially available.

    If you're worried, simply reflash your BIOS with an image from the
    manufacturer. And hope they haven't trojaned it themselves.

    #include <a_variety_of_global_sourcing_fears.h>


    --
    Todd H.
    http://www.toddh.net/

  7. #7
    David H. Lipman
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    From: "攸hw不f" <snuhwolf@netscape.net>

    | In message <BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com>, "nobody " wrote:
    >> ~BD~ wrote:
    >> > I asked this question in the two 'security' newsgroups to which I now
    >> > crosspost.
    >> >
    >> > "Is there *any* tool which can identify a rootkit on a ROM chip?"


    >> If you are truly speaking of Read Only Memory that was installed at
    >> assembly, there's no way that a rootkit could be there unless it was put
    >> on when the ROM was "Burned"


    | Really? Have you ever flashed a BIOS?

    That's not ROM that's a form of EEPROM.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  8. #8
    thanatoid
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    "~BD~" <BoaterDave@hotmail.co.uk> wrote in
    news:h913fv$ou5$1@news.eternal-september.org:

    >
    > "nobody >" <usenetharvested@aol.com> wrote in message
    > news:BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com...
    >> ~BD~ wrote:
    >>> I asked this question in the two 'security' newsgroups to
    >>> which I now crosspost.
    >>>
    >>> "Is there *any* tool which can identify a rootkit on a
    >>> ROM chip?"

    >>
    >> If you are truly speaking of Read Only Memory that was
    >> installed at assembly, there's no way that a rootkit could
    >> be there unless it was put on when the ROM was "Burned"

    >
    > "攸hw不f" poses the question of 'flashing' the BIOS.
    >
    > I'm suggesting that if/when this action is carried out, it
    > might well be possible to introduce malware to a system -
    > which will remain for posterity.
    >
    > If I am right, I'm asking if there is any way that ordinary
    > folk could ever find out the truth. *Is* there a way?


    I just happen to have a rom.bin BIOS file handy and I just
    checked it with ESET NOD32. No problems. It came from the
    computer manuf. Now if someone wants to "stick" a virus into one
    and THEN run it through an A-V program again, we'll know if A-V
    programs can "do" BIOS ROM files.


    --
    Lots of theoretical butchers are alleged and other bloody eyes
    are suitable, but will Pam secure that?

  9. #9
    nemo_outis
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news:h91e3s01tdq@news3.newsguy.com:

    > From: "攸hw不f" <snuhwolf@netscape.net>
    >
    >| In message <BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com>, "nobody
    >| " wrote:
    >>> ~BD~ wrote:
    >>> > I asked this question in the two 'security' newsgroups to which I
    >>> > now crosspost.
    >>> >
    >>> > "Is there *any* tool which can identify a rootkit on a ROM chip?"

    >
    >>> If you are truly speaking of Read Only Memory that was installed at
    >>> assembly, there's no way that a rootkit could be there unless it was
    >>> put on when the ROM was "Burned"

    >
    >| Really? Have you ever flashed a BIOS?
    >
    > That's not ROM that's a form of EEPROM.
    >


    While you're worrying, you might want to worry about *other* BIOSes
    besides the motherboard one. For instance, video cards have a BIOS and
    many ethernet cards do as well (as do SCSI cards and other less common
    possibilities). In principle any of these could harbour malware.

    Regards,


  10. #10
    Todd H.
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    thanatoid <waiting@the.exit.invalid> writes:

    > I just happen to have a rom.bin BIOS file handy and I just
    > checked it with ESET NOD32. No problems. It came from the
    > computer manuf. Now if someone wants to "stick" a virus into one
    > and THEN run it through an A-V program again, we'll know if A-V
    > programs can "do" BIOS ROM files.


    Writing signatures for a known issue in a BIOS ROM would be relatively
    straightforward with current signature based file AV technology.

    That's not the same, however, as testing for malware in the system's
    current BIOS.

    --
    Todd H.
    http://www.toddh.net/

  11. #11
    thanatoid
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    comphelp@toddh.net (Todd H.) wrote in
    news:841vm360jc84zl8r4lyw__84y6ob4lyw@yahoo.com:

    > thanatoid <waiting@the.exit.invalid> writes:
    >
    >> I just happen to have a rom.bin BIOS file handy and I just
    >> checked it with ESET NOD32. No problems. It came from the
    >> computer manuf. Now if someone wants to "stick" a virus
    >> into one and THEN run it through an A-V program again,
    >> we'll know if A-V programs can "do" BIOS ROM files.

    >
    > Writing signatures for a known issue in a BIOS ROM would be
    > relatively straightforward with current signature based file
    > AV technology.
    >
    > That's not the same, however, as testing for malware in the
    > system's current BIOS.


    Well, you can SAVE your /current/ BIOS and then scan THAT,
    right?
    Unless an "entirely different and not detectable by normal AV
    programs type of malware" applies to BIOS chips.



    --
    Lots of theoretical butchers are alleged and other bloody eyes
    are suitable, but will Pam secure that?

  12. #12
    David H. Lipman
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    From: "nemo_outis" <abc@xyz.com>

    | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    | news:h91e3s01tdq@news3.newsguy.com:

    >> From: "攸hw不f" <snuhwolf@netscape.net>


    >>| In message <BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com>, "nobody
    >>| " wrote:
    >>>> ~BD~ wrote:
    >>>> > I asked this question in the two 'security' newsgroups to which I
    >>>> > now crosspost.
    >>>> >
    >>>> > "Is there *any* tool which can identify a rootkit on a ROM chip?"


    >>>> If you are truly speaking of Read Only Memory that was installed at
    >>>> assembly, there's no way that a rootkit could be there unless it was
    >>>> put on when the ROM was "Burned"


    >>| Really? Have you ever flashed a BIOS?


    >> That's not ROM that's a form of EEPROM.



    | While you're worrying, you might want to worry about *other* BIOSes
    | besides the motherboard one. For instance, video cards have a BIOS and
    | many ethernet cards do as well (as do SCSI cards and other less common
    | possibilities). In principle any of these could harbour malware.

    | Regards,


    In principle but not yet in actuality.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  13. #13
    攸hw不f
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    David H. Lipman <DLipman~nospam~@Verizon.Net> pinched out a steaming
    pile of<h92dgn02n5b@news3.newsguy.com>:

    >From: "nemo_outis" <abc@xyz.com>
    >
    >| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    >| news:h91e3s01tdq@news3.newsguy.com:
    >
    >>> From: "攸hw不f" <snuhwolf@netscape.net>
    >
    >>>| In message <BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com>, "nobody
    >>>| " wrote:
    >>>>> ~BD~ wrote:
    >>>>> > I asked this question in the two 'security' newsgroups to which I
    >>>>> > now crosspost.
    >>>>> >
    >>>>> > "Is there *any* tool which can identify a rootkit on a ROM chip?"
    >
    >>>>> If you are truly speaking of Read Only Memory that was installed at
    >>>>> assembly, there's no way that a rootkit could be there unless it was
    >>>>> put on when the ROM was "Burned"
    >
    >>>| Really? Have you ever flashed a BIOS?
    >
    >>> That's not ROM that's a form of EEPROM.
    >
    >
    >| While you're worrying, you might want to worry about *other* BIOSes
    >| besides the motherboard one. For instance, video cards have a BIOS and
    >| many ethernet cards do as well (as do SCSI cards and other less common
    >| possibilities). In principle any of these could harbour malware.
    >
    >| Regards,
    >
    >
    >In principle but not yet in actuality.
    >
    >

    Don't worry, we're working on it ;)


    --
    http://www.youtube.com/watch?v=COaoYqkpkUA
    cageprisoners.com|www.snuhwolf.9f.com|www.eyeonpalin.org
    _____ ____ ____ __ /\_/\ __ _ ______ _____
    / __/ |/ / / / / // // . . \\ \ |\ | / __ \ \ \ __\
    _\ \/ / /_/ / _ / \ / \ \| \| \ \_\ \ \__\ _\
    /___/_/|_/\____/_//_/ \_@_/ \__|\__|\____/\____\_\


  14. #14
    攸hw不f
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    nobody > <usenetharvested@aol.com> pinched out a steaming pile
    of<foSdnalSqNT8vCnXnZ2dnUVZ_gednZ2d@supernews.com>:

    >~BD~ wrote:
    >> "nobody >" <usenetharvested@aol.com> wrote in message
    >> news:BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com...
    >>> ~BD~ wrote:
    >>>> I asked this question in the two 'security' newsgroups to which I now
    >>>> crosspost.
    >>>>
    >>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
    >>> If you are truly speaking of Read Only Memory that was installed at
    >>> assembly, there's no way that a rootkit could be there unless it was put
    >>> on when the ROM was "Burned"
    >>
    >> "攸hw不f" poses the question of 'flashing' the BIOS.
    >>
    >> I'm suggesting that if/when this action is carried out, it might well be
    >> possible to introduce malware to a system - which will remain for posterity.
    >>
    >> If I am right, I'm asking if there is any way that ordinary folk could ever
    >> find out the truth. *Is* there a way?
    >>
    >> --
    >> Dave
    >>
    >>
    >
    >"Flashing the BIOS" means that the chip(s) in question are
    >erasable/reprogrammable. By long convention, ROM is static and can
    >only be written to ONCE. The term "burning" came from the original
    >design where you actually burnt elements of the chip away to store the
    >contents.
    >


    Firmware Upgrade.

    Was the modem *designed* with an EEPROM? I'm thinking it wasn't.
    So when I downloaded a "flash modem tool" from USR and upgraded a modem
    with linux (it was pretty exciting btw and made me feel like I was a
    smarty) I bet it wasn't an EEPROM chip but a ROM chip.
    Or was I mistaken?
    Hmmmm...

    --
    http://www.youtube.com/watch?v=COaoYqkpkUA
    cageprisoners.com|www.snuhwolf.9f.com|www.eyeonpalin.org
    _____ ____ ____ __ /\_/\ __ _ ______ _____
    / __/ |/ / / / / // // . . \\ \ |\ | / __ \ \ \ __\
    _\ \/ / /_/ / _ / \ / \ \| \| \ \_\ \ \__\ _\
    /___/_/|_/\____/_//_/ \_@_/ \__|\__|\____/\____\_\


  15. #15
    David H. Lipman
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    From: "攸hw不f" <snuhwolf5150@hotmail.com>




    >>In principle but not yet in actuality.


    | Don't worry, we're working on it ;)

    I doubt you are :-)

    But... I am sure some malicious actor is but to date, nothing.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  16. #16
    David H. Lipman
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    From: "攸hw不f" <snuhwolf5150@hotmail.com>

    | nobody > <usenetharvested@aol.com> pinched out a steaming pile
    | of<foSdnalSqNT8vCnXnZ2dnUVZ_gednZ2d@supernews.com>:

    >>~BD~ wrote:
    >>> "nobody >" <usenetharvested@aol.com> wrote in message
    >>> news:BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com...
    >>>> ~BD~ wrote:
    >>>>> I asked this question in the two 'security' newsgroups to which I now
    >>>>> crosspost.

    >>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
    >>>> If you are truly speaking of Read Only Memory that was installed at
    >>>> assembly, there's no way that a rootkit could be there unless it was put
    >>>> on when the ROM was "Burned"

    >>> "攸hw不f" poses the question of 'flashing' the BIOS.

    >>> I'm suggesting that if/when this action is carried out, it might well be
    >>> possible to introduce malware to a system - which will remain for posterity.

    >>> If I am right, I'm asking if there is any way that ordinary folk could ever
    >>> find out the truth. *Is* there a way?

    >>> --
    >>> Dave

    >>"Flashing the BIOS" means that the chip(s) in question are
    >>erasable/reprogrammable. By long convention, ROM is static and can
    >>only be written to ONCE. The term "burning" came from the original
    >>design where you actually burnt elements of the chip away to store the
    >>contents.

    | Firmware Upgrade.

    | Was the modem *designed* with an EEPROM? I'm thinking it wasn't.
    | So when I downloaded a "flash modem tool" from USR and upgraded a modem
    | with linux (it was pretty exciting btw and made me feel like I was a
    | smarty) I bet it wasn't an EEPROM chip but a ROM chip.
    | Or was I mistaken?
    | Hmmmm...

    Go back to the first chips. As noted you would "burn" code on a "Read Only Memory" chip
    by actually causing leads within the microchip to be burnt away like a burned out
    lightbulb. Then there were the EPROMS where ultraviolet light was used to "erase" what
    was stored in ROM. These are noted by their glass windows which would then be covered by
    a label indicating its function and application. Then there is the Electrically Erasable
    Programmable ROM which is more like the Flashable ROM we know Today.

    BoaterDave is an idiot and he introduced FUD when he replied to someone in
    alt.computer.security with "However, have you considered that your BIOS may have
    been/could be infected? A whole new ball-game!"

    That's what started this because I replied...
    "Pure FUD.

    The BIOS is NOT infected and should not be considered to be infected or become possibly
    infected!"

    To date NO ONE has "infected" a BIOS. There have been malware attempts and when it comes
    to Motherboard BIOS at best the BIOS is corrupted or deleted rendering the system
    incapable of booting. This subject matter has been discussed to death in alt.comp.virus
    and alt.comp.anti-virus long before BoaterDave posted to Usenet.

    To infect a BIOS there are just too many variables from which chip-set used, entry points
    for code insertion, CRC checks, etc. Even if one particular module can be infected it
    would be an extremely small niche as there is no way a programmer is going to program a
    dictionary of chip-sets and systems into the code.

    Just consider the idea of flashing a BIOS. Whose BIOS ? Phoenix, Award ??? For what
    system ?

    Take an Award BIOS for motherboard X. If you try to flash Motherboard X with Award BIOS
    for motherboard Y, you'll have a dead system.

    Now extrapolate that to BIOS chips on periphery. It becomes exponentially more difficult.

    Thus the idea of infecting BIOS (at this time) is pure FUD and BoaterDave is showing his
    trolling nature.



    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  17. #17
    Tim Jackson
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    禮簽羹hw瞻瞿f wrote:
    > nobody > <usenetharvested@aol.com> pinched out a steaming pile
    > of<foSdnalSqNT8vCnXnZ2dnUVZ_gednZ2d@supernews.com>:
    >
    >> ~BD~ wrote:
    >>> "nobody >" <usenetharvested@aol.com> wrote in message
    >>> news:BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com...
    >>>> ~BD~ wrote:
    >>>>> I asked this question in the two 'security' newsgroups to which I now
    >>>>> crosspost.
    >>>>>
    >>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
    >>>> If you are truly speaking of Read Only Memory that was installed at
    >>>> assembly, there's no way that a rootkit could be there unless it was put
    >>>> on when the ROM was "Burned"
    >>> "禮hw瞻f" poses the question of 'flashing' the BIOS.
    >>>
    >>> I'm suggesting that if/when this action is carried out, it might well be
    >>> possible to introduce malware to a system - which will remain for posterity.
    >>> If I am right, I'm asking if there is any way that ordinary folk could ever
    >>> find out the truth. *Is* there a way?
    >>>
    >>> --
    >>> Dave
    >>>
    >>>
    >> "Flashing the BIOS" means that the chip(s) in question are
    >> erasable/reprogrammable. By long convention, ROM is static and can
    >> only be written to ONCE. The term "burning" came from the original
    >> design where you actually burnt elements of the chip away to store the
    >> contents.
    >>
    >
    > Firmware Upgrade.
    >
    > Was the modem *designed* with an EEPROM? I'm thinking it wasn't.
    > So when I downloaded a "flash modem tool" from USR and upgraded a modem
    > with linux (it was pretty exciting btw and made me feel like I was a
    > smarty) I bet it wasn't an EEPROM chip but a ROM chip.
    > Or was I mistaken?
    > Hmmmm...
    >


    ROM is Read-Only Memory which is taken to refer to the fact that the CPU
    can't routinely write to it by a simple memory operation as it can to
    RAM. If the ROM can be written by an electrical programming procedure,
    then it is PROM - programmable ROM. EPROM, EEPROM and Flash are all
    types of PROM. Writing PROMs requires some sort of arcane programming
    procedure carried out by dedicated software, it is not like writing to
    RAM, so cannot happen accidentally.

    The type of ROM which can only be written once is called OTP, (One Time
    Programmable), which also includes the 'burnable' fuse ROMs mentioned
    above. There is also "true ROM" or "mask ROM" which is programmed at
    manufacture by the data actually being incorporated into the etching
    mask of the chip.

    EEPROM (Electrically Erasable Programmable ROM) refers to devices which
    can be written both to binary ones or zeroes byte by byte. These are
    expensive (per byte), usually small, and are typically used for
    non-volatile storage of parameters.

    Most ROM used for BIOSes, and firmware in routers and modems is Flash,
    which can be written only to binary zeroes byte by byte, but can be
    electrically 'erased' (written to binary ones) in large blocks (or the
    whole chip). This has largely replaced EPROM, which was written in a
    similar way and the entire chip erased by ultraviolet light.


    The obvious way to confirm the integrity of programmable firmware in
    anything is to make a copy of it (before going online) and from time to
    time to compare the contents with the copy, or to re-flash it from a
    master copy.

    Exploits in flash BIOS, while possible are unlikely to be popular in the
    wild because there is a large variety of BIOSes and programming methods
    out there and it would be lengthy work to write something that would
    work on the majority of PCs. Some devices would require physical access
    to install an exploit because they have a physical write-protection
    switch (jumper). Malware writers will always be drawn to a monoculture
    like Windows because the target population for any given exploit is so
    much bigger. Terrorists don't set off bombs in the countryside.


    Tim Jackson
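
The compare-against-a-saved-copy check described in the post above, as an added example that is not part of the original thread. The block size, the function names, the constructed 64 KiB sample image and the "settings area" range that is allowed to change are all assumptions made for illustration.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed comparison granularity, not taken from the thread


def make_baseline(image: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Record size, whole-image digest and per-block digests of a trusted dump."""
    return {
        "size": len(image),
        "block_size": block_size,
        "sha256": hashlib.sha256(image).hexdigest(),
        "blocks": [
            hashlib.sha256(image[off:off + block_size]).hexdigest()
            for off in range(0, len(image), block_size)
        ],
    }


def _fully_inside(start: int, end: int, ranges) -> bool:
    # A block is only excused when it lies entirely inside an allowed range,
    # so a change that straddles the boundary is still reported.
    return any(lo <= start and end <= hi for lo, hi in ranges)


def _add_region(regions: list, start: int, end: int) -> None:
    # Merge adjacent differing blocks into one (start, end) region.
    if regions and regions[-1][1] == start:
        regions[-1] = (regions[-1][0], end)
    else:
        regions.append((start, end))


def compare_to_baseline(baseline: dict, image: bytes, expected_to_change=()) -> dict:
    """Compare a later dump with the baseline and report differing regions.

    expected_to_change: (start, end) byte ranges the caller knows are rewritten
    in normal use (hypothetical here; it depends on the board's flash layout).
    """
    bs = baseline["block_size"]
    current = make_baseline(image, bs)
    report = {
        "size_mismatch": current["size"] != baseline["size"],
        "changed": [],    # differences that need explaining
        "expected": [],   # differences confined to allowed ranges
    }
    old_blocks, new_blocks = baseline["blocks"], current["blocks"]
    for i in range(max(len(old_blocks), len(new_blocks))):
        old = old_blocks[i] if i < len(old_blocks) else None
        new = new_blocks[i] if i < len(new_blocks) else None
        if old == new:
            continue
        start, end = i * bs, (i + 1) * bs
        key = "expected" if _fully_inside(start, end, expected_to_change) else "changed"
        _add_region(report[key], start, end)
    report["clean"] = not report["size_mismatch"] and not report["changed"]
    return report


# Constructed sample data: a 64 KiB stand-in for a firmware dump.
SAMPLE_BASELINE_IMAGE = bytes((i * 7 + 3) % 256 for i in range(64 * 1024))
SAMPLE_SETTINGS_AREA = [(0xF000, 0x10000)]  # hypothetical area allowed to change


def sample_modified_image() -> bytes:
    """Later dump with three flipped bytes: two in code blocks, one in settings."""
    image = bytearray(SAMPLE_BASELINE_IMAGE)
    for off in (0x2004, 0x3FF0, 0xF123):
        image[off] ^= 0xFF
    return bytes(image)


if __name__ == "__main__":
    baseline = make_baseline(SAMPLE_BASELINE_IMAGE)
    result = compare_to_baseline(baseline, sample_modified_image(), SAMPLE_SETTINGS_AREA)
    for start, end in result["changed"]:
        print(f"UNEXPECTED change in 0x{start:05X}-0x{end:05X}")
    for start, end in result["expected"]:
        print(f"expected change in   0x{start:05X}-0x{end:05X}")
    print("clean" if result["clean"] else "firmware differs from baseline")
```

A dump read by software on the running machine is only as trustworthy as that machine, so the baseline and the later dumps are best taken and compared from a known-good environment.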

  18. #18
    Aratzio
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    On Sat, 19 Sep 2009 14:47:28 +0000 (UTC), in the land of
    24hoursupport.helpdesk, 攸hw不f <snuhwolf5150@hotmail.com> got double
    secret probation for writing:

    >nobody > <usenetharvested@aol.com> pinched out a steaming pile
    >of<foSdnalSqNT8vCnXnZ2dnUVZ_gednZ2d@supernews.com>:
    >
    >>~BD~ wrote:
    >>> "nobody >" <usenetharvested@aol.com> wrote in message
    >>> news:BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com...
    >>>> ~BD~ wrote:
    >>>>> I asked this question in the two 'security' newsgroups to which I now
    >>>>> crosspost.
    >>>>>
    >>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
    >>>> If you are truly speaking of Read Only Memory that was installed at
    >>>> assembly, there's no way that a rootkit could be there unless it was put
    >>>> on when the ROM was "Burned"
    >>>
    >>> "攸hw不f" poses the question of 'flashing' the BIOS.
    >>>
    >>> I'm suggesting that if/when this action is carried out, it might well be
    >>> possible to introduce malware to a system - which will remain for posterity.
    >>>
    >>> If I am right, I'm asking if there is any way that ordinary folk could ever
    >>> find out the truth. *Is* there a way?
    >>>
    >>> --
    >>> Dave
    >>>
    >>>
    >>
    >>"Flashing the BIOS" means that the chip(s) in question are
    >>erasable/reprogrammable. By long convention, ROM is static and can
    >>only be written to ONCE. The term "burning" came from the original
    >>design where you actually burnt elements of the chip away to store the
    >>contents.
    >>
    >
    >Firmware Upgrade.
    >
    >Was the modem *designed* with an EEPROM? I'm thinking it wasn't.
    >So when I downloaded a "flash modem tool" from USR and upgraded a modem
    >with linux (it was pretty exciting btw and made me feel like I was a
    >smarty) I bet it wasn't an EEPROM chip but a ROM chip.
    >Or was I mistaken?
    >Hmmmm...


    VERY BASIC:
    ROM - Data fixed in silicon - expensive in small quantity.
    PROM - Write Once - Read Many - Much less expensive but not erasable.
    EPROM - UV Erasable data - Erase was slow and required UV lamps
    EEPROM - Electrically Erasable - Essentially a RAM with retention.
    (Multiple types of flash & rom fit here)
    FLASH - An EEPROM with higher density, faster write speeds and more
    write cycles. Different technology than the original EEPROM. Multiple
    types now NAND/NOR.


    A flash modem tool would have been used on any of the "electrically
    erasable" devices that could be reprogrammed under software control.
    Anything before that technology would require removal of the memory.

  19. #19
    Aratzio
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    On Sat, 19 Sep 2009 11:24:11 -0400, in the land of
    24hoursupport.helpdesk, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> got double secret probation for writing:

    >From: "攸hw不f" <snuhwolf5150@hotmail.com>
    >
    >| nobody > <usenetharvested@aol.com> pinched out a steaming pile
    >| of<foSdnalSqNT8vCnXnZ2dnUVZ_gednZ2d@supernews.com>:
    >
    >>>~BD~ wrote:
    >>>> "nobody >" <usenetharvested@aol.com> wrote in message
    >>>> news:BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com...
    >>>>> ~BD~ wrote:
    >>>>>> I asked this question in the two 'security' newsgroups to which I now
    >>>>>> crosspost.
    >
    >>>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
    >>>>> If you are truly speaking of Read Only Memory that was installed at
    >>>>> assembly, there's no way that a rootkit could be there unless it was put
    >>>>> on when the ROM was "Burned"
    >
    >>>> "攸hw不f" poses the question of 'flashing' the BIOS.
    >
    >>>> I'm suggesting that if/when this action is carried out, it might well be
    >>>> possible to introduce malware to a system - which will remain for posterity.
    >
    >>>> If I am right, I'm asking if there is any way that ordinary folk could ever
    >>>> find out the truth. *Is* there a way?
    >
    >>>> --
    >>>> Dave
    >
    >
    >
    >>>"Flashing the BIOS" means that the chip(s) in question are
    >>>erasable/reprogrammable. By long convention, ROM is static and can
    >>>only be written to ONCE. The term "burning" came from the original
    >>>design where you actually burnt elements of the chip away to store the
    >>>contents.
    >
    >
    >| Firmware Upgrade.
    >
    >| Was the modem *designed* with an EEPROM? I'm thinking it wasn't.
    >| So when I downloaded a "flash modem tool" from USR and upgraded a modem
    >| with linux (it was pretty exciting btw and made me feel like I was a
    >| smarty) I bet it wasn't an EEPROM chip but a ROM chip.
    >| Or was I mistaken?
    >| Hmmmm...
    >
    >Go back to the first chips. As noted you would "burn" code on a "Read Only Memory" chip
    >by actually causing leads within the microchip to be burnt away like a burned out
    >lightbulb.


    Err, no, ROM were masked devices where data was etched in the raw
    material. No "leads" burnt. Early ROM were not even "chips" but blocks
    of laminate with hardwired address.

    PROM were the first that used a high voltage to disable one of two
    paths within the silicon. Later as technology changed they reoriented
    the junctions rather than use destructive means which changed the
    location from a 1 to a 0.

    EPROM used a high frequency light to reset the junction to its original
    1 state and allow reprogramming.

  20. #20
    Aratzio
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    On Sat, 19 Sep 2009 16:58:25 +0100, in the land of
    24hoursupport.helpdesk, Tim Jackson <tim@tim-jackson.co.uk> got double
    secret probation for writing:

    >攸hw不f wrote:
    >> nobody > <usenetharvested@aol.com> pinched out a steaming pile
    >> of<foSdnalSqNT8vCnXnZ2dnUVZ_gednZ2d@supernews.com>:
    >>
    >>> ~BD~ wrote:
    >>>> "nobody >" <usenetharvested@aol.com> wrote in message
    >>>> news:BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com...
    >>>>> ~BD~ wrote:
    >>>>>> I asked this question in the two 'security' newsgroups to which I now
    >>>>>> crosspost.
    >>>>>>
    >>>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
    >>>>> If you are truly speaking of Read Only Memory that was installed at
    >>>>> assembly, there's no way that a rootkit could be there unless it was put
    >>>>> on when the ROM was "Burned"
    >>>> "??hw?f" poses the question of 'flashing' the BIOS.
    >>>>
    >>>> I'm suggesting that if/when this action is carried out, it might well be
    >>>> possible to introduce malware to a system - which will remain for posterity.
    >>>> If I am right, I'm asking if there is any way that ordinary folk could ever
    >>>> find out the truth. *Is* there a way?
    >>>>
    >>>> --
    >>>> Dave
    >>>>
    >>>>
    >>> "Flashing the BIOS" means that the chip(s) in question are
    >>> erasable/reprogrammable. By long convention, ROM is static and can
    >>> only be written to ONCE. The term "burning" came from the original
    >>> design where you actually burnt elements of the chip away to store the
    >>> contents.
    >>>
    >>
    >> Firmware Upgrade.
    >>
    >> Was the modem *designed* with an EEPROM? I'm thinking it wasn't.
    >> So when I downloaded a "flash modem tool" from USR and upgraded a modem
    >> with linux (it was pretty exciting btw and made me feel like I was a
    >> smarty) I bet it wasn't an EEPROM chip but a ROM chip.
    >> Or was I mistaken?
    >> Hmmmm...
    >>

    >
    >ROM is Read-Only Memory which is taken to refer to the fact that the CPU
    >can't routinely write to it by a simple memory operation as it can to
    >RAM. If the ROM can be written by an electrical programming procedure,
    >then it is PROM - programmable ROM. EPROM, EEPROM and Flash are all
    >types of PROM. Writing PROMs requires some sort of arcane programming
    >procedure carried out by dedicated software, it is not like writing to
    >RAM, so cannot happen accidentally.


    Umm, no. Early EEPROM worked exactly like RAM.

    Enable (nCS/nCE low usually)
    Outputs off (nOE low usually)
    Address (A0-Ax to address location to be programmed)
    Data (D0-Dx with data to be programmed)
    Write (nWE low usually)
    End (either nCS or nWE returns to 1)

    IIRC the original 28C devices all worked like that.

    The later devices included a very simple 3 cycle write algorithm

    Something on the order of:
    #AAAA #55
    #5555 #AA
    #AAAA #90

    The erase algorithm was a bit more complex and took 5 cycles and you
    could cycle through the whole device and erase each individual
    location (reset 0 to 1). Later they actually added full chip and
    sector erase functions that removed the need to address each location
    and verify each location. Early flash could be damaged if you tried
    to write a 0 to a 0.

