
Thread: Firmware Rootkits - detection 'tool' available?

  1. #21
    nemo_outis
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news:h92dgn02n5b@news3.newsguy.com:

    ....
    >| While you're worrying, you might want to worry about *other* BIOSes
    >| besides the motherboard one. For instance, video cards have a BIOS
    >| and many ethernet cards do as well (as do SCSI cards and other less
    >| common possibilities). In principle any of these could harbour
    >| malware.
    >


    > In principle but not yet in actuality.


    We agree on my qualification: in principle. To my knowledge there's
    nothing "in the wild." Yet!

    However, if I were targeting a BIOS for malware insertion a graphics
    card would have considerable appeal.

    For instance, nVidia has for a long time supported direct programming of
    the GPU (that's "G" not "C") through CUDA (and ATI more recently with
    Stream) using high-level languages such as C. The GPU is a very
    powerful processor and, to my knowledge, no anti-virus (or other
    anti-malware) program even looks at it as a threat source. Very likely
    a compromise of the graphics BIOS could be leveraged to use this
    separate processor.

    Vaguely redolent of how a FireWire DMA attack completely bypasses the
    CPU and therefore any anti-virus programs.

    Regards,



  2. #22
    nemo_outis
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news:h92t2v0dm@news3.newsguy.com:
    ....
    > BoaterDave is an idiot and he introduced FUD when he replied to
    > someone in alt.computer.security with "However, have you considered
    > that your BIOS may have been/could be infected? A whole new
    > ball-game!"
    >
    > That's what started this because I replied...
    > "Pure FUD.
    >
    > The BIOS is NOT infected and should not be considered to be infected or
    > become possibly infected!"
    >
    > To date NO ONE has "infected" a BIOS. ....



    You're not quite right: the Chernobyl virus of a few years back could -
    and did! - trash the motherboard BIOS of many machines.

    But as you go on to describe this was simple trashing, NOT the insertion
    of workable code.

    Moreover, your core point, that BIOS malware is, at present, only a
    theoretical possibility and not a live threat, is well-taken.
    Accordingly, BoaterDave raising the issue to be considered by the OP when
    protecting his system was pure ********.

    Regards,

  3. #23
    nemo_outis
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    Tim Jackson <tim@tim-jackson.co.uk> wrote in
    news:PuSdnShVg_88YinXnZ2dnUVZ8nWdnZ2d@brightview.co.uk:

    > The obvious way to confirm the integrity of programmable firmware in
    > anything is to make a copy of it (before going online) and from time to
    > time to compare the contents with the copy, or to re-flash it from a
    > master copy.


    As a practical matter, yes. But, in principle (although there are very
    considerable barriers to achieving it) a compromised BIOS could "lie" and
    give you the "original contents" when queried.

    This risk (that a compromised system can lie and prevent you detecting
    the compromise) is a "very real" possibility in some contexts (contexts
    which again, in principle, could extend to the compromised BIOS case).
    Joanna Rutkowska (my heroine!) has demonstrated that a rootkit in memory
    can dick with the memory map to hide even from an active outside hardware
    probe! See: Beyond The CPU: Defeating Hardware Based RAM Acquisition
    Tools (Part I: AMD case) - February 2007

    In fact, if you wish to scare the willies out of yourself regarding
    rootkits have a read of some of the rest of Rutkowska's papers at:
    http://www.invisiblethings.org/papers.html

    If there are "black hats" out there with even half Rutkowska's skills
    (and, believe me, there are!) we're in very deep doo-doo.

    Regards,




  4. #24
    nobody >
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    攸hw不f wrote:

    >> "Flashing the BIOS" means that the chip(s) in question are
    >> erasable/reprogrammable. By long convention, ROM is static and can
    >> only be written to ONCE. The term "burning" came from the original
    >> design where you actually burnt elements of the chip away to store the
    >> contents.
    >>

    >
    > Firmware Upgrade.
    >
    > Was the modem *designed* with an EEPROM? I'm thinking it wasn't.
    > So when I downloaded a "flash modem tool" from USR and upgraded a modem
    > with linux (it was pretty exciting btw and made me feel like I was a
    > smarty) I bet it wasn't an EEPROM chip but a ROM chip.
    > Or was I mistaken?
    > Hmmmm...
    >


    It's really just a semantics question.
    ROM, EPROM, and EEPROM chips all provide the same function; to store code.

    ROM (Read Only Memory) came first, and as I said is a "one time" write-to
    technology.
    (actually, you could write to it again if there was "unburnt space" but
    that would be in addition to what was originally burnt)
    Since it took special equipment to do the "burn", it was pretty
    impervious to tampering.

    EPROM (Erasable Read Only Memory) came next and was erasable by exposing
    a clear window to strong UV light, then programmed with new code. As
    again, the special equipment needed precludes tampering.

    EEPROM (Electronically Erasable Read Only Memory) came in two flavors.
    The early stuff needed a higher voltage applied to erase it, so it's
    fairly impervious as well, as the higher voltage was usually only
    available from an outside programming device.
    The later stuff (BIOS and "firmware") can be reprogrammed (flashed)
    in-circuit if the support circuitry supports it.

    Theoretically, the last could be attacked and rewritten with malicious
    code, but the malware involved would have to have the code needed to
    access and flash it.

    It's been done, but the stuff needed to do the deed tends to be very
    obvious and spotted quickly.


  5. #25
    Tim Jackson
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    Aratzio wrote:
    > On Sat, 19 Sep 2009 16:58:25 +0100, in the land of
    > 24hoursupport.helpdesk, Tim Jackson <tim@tim-jackson.co.uk> got double
    > secret probation for writing:
    >


    >> ROM is Read-Only Memory which is taken to refer to the fact that the CPU
    >> can't routinely write to it by a simple memory operation as it can to
    >> RAM. If the ROM can be written by an electrical programming procedure,
    >> then it is PROM - programmable ROM. EPROM, EEPROM and Flash are all
    >> types of PROM. Writing PROMs requires some sort of arcane programming
    >> procedure carried out by dedicated software, it is not like writing to
    >> RAM, so cannot happen accidentally.

    >
    > Umm, no. Early EEPROM worked exactly like RAM.
    >
    > Enable (nCS/nCE low usually)
    > Outputs off (nOE low usually)
    > Address (A0-Ax to address location to be programmed)
    > Data (D0-Dx with data to be programmed)
    > Write (nWE low usually)
    > End (either nCS or nWE returns to 1)
    >
    > IIRC the original 28C devices all worked like that.
    >
    > The later devices included a very simple 3 cycle write algorithm
    >
    > Something on the order of:
    > #AAAA #55
    > #5555 #AA
    > #AAAA #90
    >
    > The erase algorithm was a bit more complex and took 5 cycles and you
    > could cycle through the whole device and erase each individual
    > location (reset 0 to 1). Later they actually added full chip and
    > sector erase functions that removed the need to address each location
    > and verify each location. Early flash could be damaged if you tried
    > to write a 0 to a 0.
    >


    That's only half the story. Writing a byte to EEPROM, EPROM or Flash is
    a slow process taking hundreds or thousands of machine cycles and
    totally unlike RAM.

    Yes you could initiate a write to *one byte* like you say, but that is
    because the rest of the work is done by internal logic. Where you say
    "end" that is not the end for the device, nor should it be for the
    programmer if he wants to keep his job. In both 28C64 and Flash, the
    algorithm then has to go into a loop checking a 'busy' flag (for several
    milliseconds per byte in a 28C64) until the internal write process
    completes. An attempt to write successive addresses as if it were RAM
    would not succeed. A read access during an internal write cycle would
    read the flags, not memory contents. So an 'accidental' write to a BIOS
    in an unlocked 28C64 (see below) would not overwrite it, it would
    corrupt one byte and then crash on the next BIOS call.

    I accept early 28xx EEPROMs did not have any accidental (or
    malicious) write protection. On recent devices (eg Atmel AT28C64B) it
    is optional, you *can* leave them open to unanticipated write (like you
    describe) if you are careless enough; or you can 'lock' them to require
    a command sequence to enable writing. However it would be a poor
    designer who used an unprotected device for firmware, which is the
    context we are discussing.


    Tim
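
The write-then-poll behaviour argued over in the exchange above, as an added example that is not part of any poster's message: a simplified C model of a 28C64-style byte-write EEPROM with an optional write lock. The tick count, the unlock sequence values and all `ee_*` names are assumptions of the model, and page-mode loading is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EE_SIZE     8192u  /* 8 KiB of cells */
#define CYCLE_TICKS 5u     /* length of the internal write cycle (model value) */
#define POLL_LIMIT  100u   /* driver gives up after this many polls */

/* Unlock sequence for the model's write lock (assumed values). */
static const struct { uint16_t addr; uint8_t data; } UNLOCK[3] =
    { { 0x1555, 0xAA }, { 0x0AAA, 0x55 }, { 0x1555, 0xA0 } };

struct eeprom {
    uint8_t  cell[EE_SIZE];
    int      locked;     /* 1: a data write needs the unlock sequence first */
    unsigned step;       /* progress through UNLOCK */
    unsigned busy;       /* ticks left in the internal write cycle */
    uint16_t pend_addr; uint8_t pend_data;  /* byte being programmed */
};

static void ee_init(struct eeprom *e, int locked)
{
    memset(e, 0, sizeof *e);
    memset(e->cell, 0xFF, sizeof e->cell);  /* erased state */
    e->locked = locked;
}

/* Advance model time; the pending byte reaches its cell when the cycle ends. */
static void ee_tick(struct eeprom *e, unsigned n)
{
    for (; n > 0 && e->busy > 0; n--)
        if (--e->busy == 0) e->cell[e->pend_addr] = e->pend_data;
}

/* Bus read. While busy: status, not memory (D7 = complement of written bit 7). */
static uint8_t ee_read(const struct eeprom *e, uint16_t a)
{
    if (e->busy) return (uint8_t)(~e->pend_data & 0x80);
    return e->cell[a % EE_SIZE];
}

/* Bus write. Returns 1 only if the byte was latched for programming. */
static int ee_write(struct eeprom *e, uint16_t a, uint8_t d)
{
    a %= EE_SIZE;
    if (e->busy) return 0;           /* ignored during the internal cycle */
    if (e->locked) {
        if (e->step < 3) {           /* still waiting for the sequence */
            int hit = a == UNLOCK[e->step].addr && d == UNLOCK[e->step].data;
            e->step = hit ? e->step + 1u : 0u;
            return 0;                /* command or stray write: no cell changes */
        }
        e->step = 0;                 /* sequence done: one data write passes */
    }
    e->pend_addr = a; e->pend_data = d; e->busy = CYCLE_TICKS;
    return 1;
}

/* Driver: optional unlock, one byte write, then poll D7 until it matches.
 * Returns the number of polls, or -1 if rejected, timed out or misverified. */
static int ee_program(struct eeprom *e, uint16_t a, uint8_t d, int unlock)
{
    unsigned i, polls;
    for (i = 0; unlock && i < 3; i++)
        ee_write(e, UNLOCK[i].addr, UNLOCK[i].data);
    if (!ee_write(e, a, d)) return -1;
    for (polls = 0; polls < POLL_LIMIT; polls++) {
        uint8_t r = ee_read(e, a);
        if (((r ^ d) & 0x80) == 0) return r == d ? (int)polls : -1;
        ee_tick(e, 1);
    }
    return -1;
}

/* Write n successive bytes, count how many landed. poll == 0: RAM-style. */
static unsigned ee_burst(struct eeprom *e, uint16_t base, unsigned n, int poll)
{
    unsigned i, landed = 0;
    for (i = 0; i < n; i++) {
        uint8_t d = (uint8_t)(0x10 + i);
        if (poll) ee_program(e, (uint16_t)(base + i), d, e->locked);
        else      ee_write(e, (uint16_t)(base + i), d);
    }
    ee_tick(e, CYCLE_TICKS);         /* let a cycle still running finish */
    for (i = 0; i < n; i++)
        landed += ee_read(e, (uint16_t)(base + i)) == (uint8_t)(0x10 + i);
    return landed;
}

int main(void)
{
    struct eeprom a, b, c;
    ee_init(&a, 0); ee_init(&b, 0); ee_init(&c, 1);
    printf("RAM-style burst of 8: %u landed\n", ee_burst(&a, 0x100, 8, 0));
    printf("polled burst of 8:    %u landed\n", ee_burst(&b, 0x100, 8, 1));
    printf("locked, stray write:  %d\n", ee_program(&c, 0x200, 0x42, 0));
    printf("locked, unlock first: %d polls\n", ee_program(&c, 0x200, 0x42, 1));
    return 0;
}
```

With these model values the back-to-back burst lands one byte of eight, the polled burst lands all eight, and the locked part changes no cell unless the unlock sequence comes first.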

  6. #26
    David H. Lipman
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    From: "nemo_outis" <abc@xyz.com>

    | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    | news:h92dgn02n5b@news3.newsguy.com:

    | ...
    >>| While you're worrying, you might want to worry about *other* BIOSes
    >>| besides the motherboard one. For instance, video cards have a BIOS
    >>| and many ethernet cards do as well (as do SCSI cards and other less
    >>| common possibilities). In principle any of these could harbour
    >>| malware.



    >> In principle but not yet in actuality.


    | We agree on my qualification: in principle. To my knowledge there's
    | nothing "in the wild." Yet!

    | However, if I were targeting a BIOS for malware insertion a graphics
    | card would have considerable appeal.

    | For instance, nVidia has for a long time supported direct programming of
    | the GPU (that's "G" not "C") through CUDA (and ATI more recently with
    | Stream) using high-level languages such as C. The GPU is a very
    | powerful processor and, to my knowledge, no anti-virus (or other
    | anti-malware) program even looks at it as a threat source. Very likely
    | a compromise of the graphics BIOS could be leveraged to use this
    | separate processor.

    | Vaguely redolent of how a FireWire DMA attack completely bypasses the
    | CPU and therefore any anti-virus programs.

    | Regards,


    I remember reading about the FireWire exploitation,

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  7. #27
    David H. Lipman
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    From: "nemo_outis" <abc@xyz.com>

    | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    | news:h92t2v0dm@news3.newsguy.com:
    | ...
    >> BoaterDave is an idiot and he introduced FUD when he replied to
    >> someone in alt.computer.security with "However, have you considered
    >> that your BIOS may have been/could be infected? A whole new
    >> ball-game!"


    >> That's what started this because I replied...
    >> "Pure FUD.


    >> The BIOS is NOT infected and should not be considered to be infected or
    >> become possibly infected!"


    >> To date NO ONE has "infected" a BIOS. ....



    | You're not quite right: the Chernobyl virus of a few years back could -
    | and did! - trash the motherboard BIOS of many machines.

    | But as you go on to describe this was simple trashing, NOT the insertion
    | of workable code.

    | Moreover, your core point, that BIOS malware is, at present, only a
    | theoretical possibility and not a live threat, is well-taken.
    | Accordingly, BoaterDave raising the issue to be considered by the OP when
    | protecting his system was pure ********.

    | Regards,

    Right. It trashed it. It did not replace the code nor infect the BIOS. It rendered the
    motherboard useless.

    The Chernobyl was not the only one as there were copycats. None however could replace the
    code nor infect the BIOS.

    There was one case but that was unusual. It was the case of a disgruntled employee who
    modified the BIOS code at the factory.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  8. #28
    攸hw不f
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    In message <bu0ab5d7ntv6pkm67sae1sr9ve1o1iq1sb@4ax.com>, Aratzio wrote:
    > On Sat, 19 Sep 2009 14:47:28 +0000 (UTC), in the land of
    > 24hoursupport.helpdesk, 攸hw不f <snuhwolf5150@hotmail.com> got double
    > secret probation for writing:
    >
    > >nobody > <usenetharvested@aol.com> pinched out a steaming pile
    > >of<foSdnalSqNT8vCnXnZ2dnUVZ_gednZ2d@supernews.com>:
    > >
    > >>~BD~ wrote:
    > >>> "nobody >" <usenetharvested@aol.com> wrote in message
    > >>> news:BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com...
    > >>>> ~BD~ wrote:
    > >>>>> I asked this question in the two 'security' newsgroups to which I now
    > >>>>> crosspost.
    > >>>>>
    > >>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
    > >>>> If you are truly speaking of Read Only Memory that was installed at
    > >>>> assembly, there's no way that a rootkit could be there unless it was put
    > >>>> on when the ROM was "Burned"
    > >>>
    > >>> "攸hw不f" poses the question of 'flashing' the BIOS.
    > >>>
    > >>> I'm suggesting that if/when this action is carried out, it might well be
    > >>> possible to introduce malware to a system - which will remain for posterity.
    > >>>
    > >>> If I am right, I'm asking if there is any way that ordinary folk could ever
    > >>> find out the truth. *Is* there a way?
    > >>>
    > >>> --
    > >>> Dave
    > >>>
    > >>>
    > >>
    > >>"Flashing the BIOS" means that the chip(s) in question are
    > >>erasable/reprogrammable. By long convention, ROM is static and can
    > >>only be written to ONCE. The term "burning" came from the original
    > >>design where you actually burnt elements of the chip away to store the
    > >>contents.
    > >>

    > >
    > >Firmware Upgrade.
    > >
    > >Was the modem *designed* with an EEPROM? I'm thinking it wasn't.
    > >So when I downloaded a "flash modem tool" from USR and upgraded a modem
    > >with linux (it was pretty exciting btw and made me feel like I was a
    > >smarty) I bet it wasn't an EEPROM chip but a ROM chip.
    > >Or was I mistaken?
    > >Hmmmm...

    >
    > VERY BASIC:
    > ROM - Data fixed in silicon - expensive in small quantity.
    > PROM - Write Once - Read Many - Much less expensive but not eraseable.
    > EPROM - UV Eraseable data - Erase was slow and required UV lamps
    > EEPROM - Electrically Eraseable - Essentially a RAM with retention.
    > (Multiple types of flash & rom fit here)
    > FLASH - An EEPROM with higher density, faster write speeds and more
    > write cycles. Different technology than the original EEPROM. Multiple
    > types now NAND/NOR.
    >
    >
    > A flash modem tool would have been used on any of the "electrically
    > erasable" devices that could be reprogrammed under software control.
    > Anything before that technology would require removal of the memory.


    SUDDENLY I DON'T FEEL SO SPECIAL



    --
    http://www.care2.com/click-to-donate/wolves/
    Proof of Americas 3rd world status:
    http://www.ramusa.org/
    Cash for *who*?
    http://www.bartcop.com/list-the-facts.htm
    http://www.pavlovianobeisance.com/


  9. #29
    攸hw不f
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    In message <h92s4m0319g@news3.newsguy.com>, "David H. Lipman" wrote:
    > From: "攸hw不f" <snuhwolf5150@hotmail.com>
    >
    >
    >
    >
    > >>In principle but not yet in actuality.

    >
    > | Don't worry, we're working on it ;)
    >
    > I doubt you are :-)
    >

    Hire a Chinese kid to do it.

    > But... I am sure some malicious actor is but to date, nothing.
    >

    Patience is a virtue.

    --
    http://www.care2.com/click-to-donate/wolves/
    Proof of Americas 3rd world status:
    http://www.ramusa.org/
    Cash for *who*?
    http://www.bartcop.com/list-the-facts.htm
    http://www.pavlovianobeisance.com/


  10. #30
    ~BD~
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    nemo_outis wrote:

    > Accordingly, BoaterDave raising the issue to be considered by the OP when
    > protecting his system was pure ********.


    Maybe you didn't read the whole thread ......
    .. started by the OP - Albert - 17/9/09 23:27 in alt.computer.security

    Had you done so you would have/will appreciate that 'Albert' was in no
    way the naive poster he pretended to be (in my opinion anyway). My
    comment regarding BIOS rootkits was proffered somewhat tongue-in-cheek;
    the OP did not return to answer/question my comment. I wonder why!

    HTH

    --
    Dave

  11. #31
    ~BD~
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    David H. Lipman wrote:
    > From: "攸hw不f" <snuhwolf5150@hotmail.com>


    >
    >>> In principle but not yet in actuality.

    >
    > | Don't worry, we're working on it ;)
    >
    > I doubt you are :-)
    >
    > But... I am sure some malicious actor is but to date, nothing.
    >


    Please explain just *how* you know that to be a *fact*.

    Indeed, how would a user know that his/her machine had been compromised
    in this way - especially now that modern machines are so much faster
    than in days gone by?

    --
    Dave

  12. #32
    ~BD~
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    David H. Lipman wrote:

    > BoaterDave is an idiot


    That is not true. Please deal with *facts*.

    > To date NO ONE has "infected" a BIOS.


    You cannot possibly know that to be true.

    You may simply be unaware of the truth.

    > Thus the idea of infecting BIOS (at this time) is pure FUD and BoaterDave is showing his
    > trolling nature.


    That is simply your *opinion*, is it not?

    You may be wrong. It is not a *fact*!

    --
    Dave

  13. #33
    ~BD~
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    Todd H. wrote:
    > "~BD~" <BoaterDave@hotmail.co.uk> writes:
    >
    >> "nobody >" <usenetharvested@aol.com> wrote in message
    >> news:BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com...
    >>> ~BD~ wrote:
    >>>> I asked this question in the two 'security' newsgroups to which I now
    >>>> crosspost.
    >>>>
    >>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
    >>> If you are truly speaking of Read Only Memory that was installed at
    >>> assembly, there's no way that a rootkit could be there unless it was put
    >>> on when the ROM was "Burned"

    >> "攸hw不f" poses the question of 'flashing' the BIOS.
    >>
    >> I'm suggesting that if/when this action is carried out, it might well be
    >> possible to introduce malware to a system - which will remain for posterity.
    >>
    >> If I am right, I'm asking if there is any way that ordinary folk could ever
    >> find out the truth. *Is* there a way?

    >
    > Dave,
    >
    > I think the short answer is no, I believe (though it's always hard to
    > prove a negative). The technique is too new to have tamper detection
    > commercially available.
    >
    > If you're worried, simply reflash your BIOS with an image from the
    > manufacturer. And hope they haven't trojaned it themselves.
    >
    > #include <a_variety_of_global_sourcing_fears.h>
    >
    >


    I appreciate your answer, Todd. Thanks!

    You will be pleased to learn that I am not worried on my own account at
    this point. The machine I once had - which I'm confident *was*
    compromised - was relegated to the scrap heap some long time ago now.<smile>

    Cybercrime continues to rise exponentially - maybe this is one reason
    why it is happening, but I doubt we'll ever know the truth!

    The bad guys will always be two steps in front IMO. Sad. :-(

    --
    Dave

  14. #34
    David H. Lipman
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    From: "~BD~" <BoaterDave@hotmail.co.uk>

    | David H. Lipman wrote:
    >> From: "攸hw不f" <snuhwolf5150@hotmail.com>



    >>>> In principle but not yet in actuality.


    >> | Don't worry, we're working on it ;)


    >> I doubt you are :-)


    >> But... I am sure some malicious actor is but to date, nothing.



    | Please explain just *how* you know that to be a *fact*.

    | Indeed, how would a user know that his/her machine had been compromised
    | in this way - especially now that modern machines are so much faster
    | than in days gone by?

    Speed of the PC has NOTHING to do with it.

    I know this to be a fact because there is NO insider information on the occurrence.

    In this thread nemo mentioned about a FireWire exploit. He read about it. I read about
    it and it was confirmed.

    The fact there is no BIOS/FirmWare malware/RootKit is a fact based upon knowledge on the
    inside.

    Just because someone postulates the possibility does NOT mean there exists any.

    It is postulated that there is life in the universe outside of the sphere of our Earth.
    It has also been discussed that such life has visited Earth. You can discuss this as a
    possibility because it has NOT been proven to have happened.

    Again...
    When you posted "However, have you considered that your BIOS may have been/could be
    infected? A whole new ball-game!"

    You were injecting pure FUD as nobody should be considering this unless they are wearing
    tin foil hats and expecting an invasion from Mars.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  15. #35
    ~BD~
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    David H. Lipman wrote:
    > From: "~BD~" <BoaterDave@hotmail.co.uk>
    >
    > | David H. Lipman wrote:
    >>> From: "攸hw不f" <snuhwolf5150@hotmail.com>

    >
    >
    >>>>> In principle but not yet in actuality.

    >
    >>> | Don't worry, we're working on it ;)

    >
    >>> I doubt you are :-)

    >
    >>> But... I am sure some malicious actor is but to date, nothing.

    >
    >
    > | Please explain just *how* you know that to be a *fact*.
    >
    > | Indeed, how would a user know that his/her machine had been compromised
    > | in this way - especially now that modern machines are so much faster
    > | than in days gone by?
    >
    > Speed of the PC has NOTHING to do with it.
    >
    > I know this to be a fact because there is NO insider information on the occurrence.


    When you refer to "insider information" you seem to be referring to some
    secret band of 'experts' - but do not identify exactly who you mean.

    There will *never* be any "insider information" for you to access or
    read about until such time as one of the good guys uncovers what the bad
    guys are doing! Surely even you must understand that!


    > In this thread nemo mentioned about a FireWire exploit. He read about it. I read about
    > it and it was confirmed.
    >
    > The fact there is no BIOS/FirmWare malware/RootKit is a fact based upon knowledge on the
    > inside.



    What do you mean by "on the inside"?


    > Just because someone postulates the possibility does NOT mean there exists any.


    True. But it *might* be a possibility!


    > It is postulated that there is life in the universe outside of the sphere of our Earth.
    > It has also been discussed that such life has visited Earth. You can discuss this as a
    > possibility because it has NOT been proven to have happened.


    True. And it *is* possible, isn't it?

    > Again...
    > When you posted "However, have you considered that your BIOS may have been/could be
    > infected? A whole new ball-game!"
    >
    > You were injecting pure FUD as nobody should be considering this unless they are wearing
    > tin foil hats and expecting an invasion from Mars.


    As I've said already, it was a remark said 'tongue in cheek'**. If you
    re-read the thread in question you'll note that others, too, thought
    that 'Albert' is not the simpleton he pretended so to be.

    --
    Dave (** http://www.answers.com/topic/tongue-in-cheek)



  16. #36
    Leythos
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    In article <X-ednTEkkuaxxijXnZ2dnUVZ8rCdnZ2d@bt.com>,
    BoaterDave@hotmail.co.uk says...
    > David H. Lipman wrote:
    >
    > > BoaterDave is an idiot

    >
    > That is not true. Please deal with *facts*.


    Your own history seems to indicate the statement is true.

    > > To date NO ONE has "infected" a BIOS.

    >
    > You cannot possibly know that to be true.
    >
    > You may simply be unaware of the truth.


    I've been working with computers, designing hardware, burning EPROMS,
    EEPROMS, and making PALS, and programming ROM's for 30+ years, or at
    least most of 30 years.

    I have NEVER seen a malware in the wild that rewrites a BIOS, have not
    read about one, have not read about anyone that has actually seen one in
    real-life....

    You need to put the tin-foil hat back on BD.



    --
    You can't trust your best friends, your five senses, only the little
    voice inside you that most civilians don't even hear -- Listen to that.
    Trust yourself.
    spam999free@rrohio.com (remove 999 for proper email address)

  17. #37
    ~BD~
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    Leythos wrote:
    > In article <X-ednTEkkuaxxijXnZ2dnUVZ8rCdnZ2d@bt.com>,
    > BoaterDave@hotmail.co.uk says...
    >> David H. Lipman wrote:
    >>
    >>> BoaterDave is an idiot

    >> That is not true. Please deal with *facts*.

    >
    > Your own history seems to indicate the statement is true.
    >
    >>> To date NO ONE has "infected" a BIOS.

    >> You cannot possibly know that to be true.
    >>
    >> You may simply be unaware of the truth.

    >
    > I've been working with computers, designing hardware, burning EPROMS,
    > EEPROMS, and making PALS, and programming ROM's for 30+ years, or at
    > least most of 30 years.
    >
    > I have NEVER seen a malware in the wild that rewrites a BIOS, have not
    > read about one, have not read about anyone that has actually seen one in
    > real-life....
    >
    > You need to put the tin-foil hat back on BD.
    >


    I have immense respect for your experience, Leythos

    You are 'Old school' though ...... and will *always* be two steps behind
    the bad guys.

    If malware *did* rewrite the BIOS in some malicious way, please explain
    just *how* you would know that it had happened.

    --
    Dave

  18. #38
    The Real Truth MVP
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    BD, Leythos is nothing but a sock puppet for David Lipman. David Lipman
    thinks he is the Usenet god. Mr. know it all is wrong. But I'd bet that if
    anyone other than you would have asked that question (or me) the idiot would
    have probably done some research. See here
    http://www.tomshardware.com/news/bio...door,7400.html
    http://www.v3.co.uk/vnunet/news/2239...ders-antivirus
    http://www.tomshardware.com/news/lem...bios,2155.html



    --
    The Real Truth http://pcbutts1-therealtruth.blogspot.com/
    *WARNING* Do NOT follow any advice given by the people listed below.
    They do NOT have the expertise or knowledge to fix your issue. Do not waste
    your time.
    David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.




    "~BD~" <BoaterDave@hotmail.co.uk> wrote in message
    news:cuSdnflkL49DHyjXnZ2dnUVZ8vudnZ2d@bt.com...
    > Leythos wrote:
    >> In article <X-ednTEkkuaxxijXnZ2dnUVZ8rCdnZ2d@bt.com>,
    >> BoaterDave@hotmail.co.uk says...
    >>> David H. Lipman wrote:
    >>>
    >>>> BoaterDave is an idiot
    >>> That is not true. Please deal with *facts*.

    >>
    >> Your own history seems to indicate the statement is true.
    >>
    >>>> To date NO ONE has "infected" a BIOS.
    >>> You cannot possibly know that to be true.
    >>>
    >>> You may simply be unaware of the truth.

    >>
    >> I've been working with computers, designing hardware, burning EPROMS,
    >> EEPROMS, and making PALS, and programming ROM's for 30+ years, or at
    >> least most of 30 years.
    >>
    >> I have NEVER seen a malware in the wild that rewrites a BIOS, have not
    >> read about one, have not read about anyone that has actually seen one in
    >> real-life....
    >>
    >> You need to put the tin-foil hat back on BD.

    >
    > I have immense respect for your experience, Leythos
    >
    > You are 'Old school' though ...... and will *always* be two steps behind
    > the bad guys.
    >
    > If malware *did* rewrite the BIOS in some malicious way, please explain
    > just *how* you would know that it had happened.
    >
    > --
    > Dave



  19. #39
    Aratzio
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    On Sat, 19 Sep 2009 20:07:28 +0100, in the land of
    24hoursupport.helpdesk, Tim Jackson <tim@tim-jackson.co.uk> got double
    secret probation for writing:

    >Aratzio wrote:
    >> On Sat, 19 Sep 2009 16:58:25 +0100, in the land of
    >> 24hoursupport.helpdesk, Tim Jackson <tim@tim-jackson.co.uk> got double
    >> secret probation for writing:
    >>

    >
    >>> ROM is Read-Only Memory which is taken to refer to the fact that the CPU
    >>> can't routinely write to it by a simple memory operation as it can to
    >>> RAM. If the ROM can be written by an electrical programming procedure,
    >>> then it is PROM - programmable ROM. EPROM, EEPROM and Flash are all
    >>> types of PROM. Writing PROMs requires some sort of arcane programming
    >>> procedure carried out by dedicated software, it is not like writing to
    >>> RAM, so cannot happen accidentally.

    >>
    >> Umm, no. Early EEPROM worked exactly like RAM.
    >>
    >> Enable (nCS/nCE low usually)
    >> Outputs off (nOE low usually)
    >> Address (A0-Ax to address location to be programmed)
    >> Data (D0-Dx with data to be programmed)
    >> Write (nWE low usually)
    >> End (either nCS or nWE returns to 1)
    >>
    >> IIRC the original 28C devices all worked like that.
    >>
    >> The later devices included a very simple 3 cycle write algorithm
    >>
    >> Something on the order of:
    >> #AAAA #55
    >> #5555 #AA
    >> #AAAA #90
    >>
    >> The erase algorithm was a bit more complex and took 5 cycles and you
    >> could cycle through the whole device and erase each individual
    >> location (reset 0 to 1). Later they actually added full chip and
    >> sector erase functions that removed the need to address each location
    >> and verify each location. Early flash could be damaged if you tried
    >> to write a 0 to a 0.
    >>

    >
    >That's only half the story. Writing a byte to EEPROM, EPROM or Flash is
    >a slow process taking hundreds or thousands of machine cycles and
    >totally unlike RAM.


    Half the story? Really, the same command structure to execute a write,
    no difference. The only difference is after executing the write
    sequence is the polling to wait up to 10ms for the internal write
    cycle to complete. The INTERNAL write cycle. The OS does not need to
    wait for the completion.

    >
    >Yes you could initiate a write to *one byte* like you say, but that is
    >because the rest of the work is done by internal logic.


    Just like SRAM & DRAM. They all have internal logic. Some have more
    complex than others.

    > Where you say
    >"end" that is not the end for the device, nor should it be for the
    >programmer if he wants to keep his job. In both 28C64 and Flash, the
    >algorithm then has to go into a loop checking a 'busy' flag (for several
    >milliseconds per byte in a 28C64) until the internal write process
    >completes.


    Yes, that is called polling, something done innumerable times when
    dealing with hardware and software. See interrupts or communications
    protocols.

    >An attempt to write successive addresses as if it were RAM
    >would not succeed.


    Yes, it would, that is called page mode. It would be helpful if you
    understood how the hardware worked.

    > A read access during an internal write cycle would
    >read the flags, not memory contents. So an 'accidental' write to a BIOS
    >in an unlocked 28C64 (see below) would not overwrite it, it would
    >corrupt one byte and then crash on the next BIOS call.


    What you wrote is this:
    "Writing PROMs requires some sort of arcane programming procedure
    carried out by dedicated software"

    Polling requires a read of D7 masking the other 7 bits or D6 the
    toggle bit (the 28C64 has no busy pin like some flash). If a
    programmer could not write an exceedingly simple process like polling
    then they are idiots.

    There is nothing arcane about a write sequence with a poll. I doubt
    there are many hardware processes more simple.


    >
    >I accept early 28xx EEPROMs did not have any accidental (or
    >malicious) write protection.


    Yes they did, you could sector lock them.

    >On recent devices (eg Atmel AT28C64B) it
    >is optional, you *can* leave them open to unanticipated write (like you
    >describe) if you are careless enough; or you can 'lock' them to require
    >a command sequence to enable writing. However it would be a poor
    >designer who used an unprotected device for firmware, which is the
    >context we are discussing.


    No, you claimed writing to a non-volatile required an "arcane
    programming procedure" and "not like writing to ram", both of which
    are wrong.

    >
    >Tim
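
The byte write, status polling and optional write lock argued over in the post above, as a small C model of a 28C64-style EEPROM (an added example, not code from any poster). `BUSY_READS`, the function names and the single-byte timing are assumptions; the preamble values are the post's "something on the order of" listing masked to 13 address lines, not datasheet values, and page mode is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define EE_SIZE    0x2000u  /* 8 KiB, 28C64-style part */
#define BUSY_READS 4        /* constructed: status reads before the internal cycle ends */

typedef struct {
    uint8_t  cell[EE_SIZE];
    bool     locked;        /* software write protection on */
    int      step, busy;    /* preamble progress; status reads left */
    uint16_t paddr; uint8_t pdata, toggle; /* latched address, data; D6 toggle state */
} eeprom_t;
/* Preamble from the post's listing, masked to 13 address lines (not datasheet values). */
static const struct { uint16_t a; uint8_t d; } SEQ[3] =
    { {0x0AAA, 0x55}, {0x1555, 0xAA}, {0x0AAA, 0x90} };

void ee_init(eeprom_t *e, bool locked) {
    memset(e, 0, sizeof *e);
    memset(e->cell, 0xFF, sizeof e->cell);      /* erased cells read 0xFF */
    e->locked = locked;
}

/* One bus write cycle (nCE and nWE low). */
void ee_bus_write(eeprom_t *e, uint16_t a, uint8_t d) {
    if (e->busy) return;                        /* ignored during the internal cycle */
    if (e->locked && e->step < 3) {             /* preamble not complete yet */
        bool ok = (a & (EE_SIZE - 1)) == SEQ[e->step].a && d == SEQ[e->step].d;
        e->step = ok ? e->step + 1 : 0;         /* a stray write resets and is dropped */
        return;
    }
    e->step = 0; e->paddr = a & (EE_SIZE - 1); e->pdata = d; e->busy = BUSY_READS;
}

/* One bus read cycle: status while busy, array data otherwise. */
uint8_t ee_bus_read(eeprom_t *e, uint16_t a) {
    if (!e->busy) return e->cell[a & (EE_SIZE - 1)];
    if (--e->busy == 0) e->cell[e->paddr] = e->pdata;  /* internal write completes */
    e->toggle ^= 0x40;                                 /* D6 toggles on every status read */
    return (uint8_t)((~e->pdata & 0x80) | e->toggle);  /* D7 = complement of the data bit */
}

/* Optional preamble, one write, D7 polling, verify. Returns polls used or -1. */
int ee_program(eeprom_t *e, uint16_t a, uint8_t d, bool preamble, int max_polls) {
    for (int i = 0; preamble && i < 3; i++) ee_bus_write(e, SEQ[i].a, SEQ[i].d);
    ee_bus_write(e, a, d);
    for (int i = 1; i <= max_polls; i++)
        if (((ee_bus_read(e, a) ^ d) & 0x80) == 0)     /* D7 is true data again */
            return ee_bus_read(e, a) == d ? i : -1;
    return -1;
}
```

In this model an unlocked part accepts any single bus write, while a locked part drops every write that does not follow the preamble and relocks after each programmed byte.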



  20. #40
    Aratzio
    Guest

    Re: Firmware Rootkits - detection 'tool' available?

    On Sat, 19 Sep 2009 15:37:11 -0600, in the land of
    24hoursupport.helpdesk, 攸hw不f <snuhwolf@netscape.net> got double
    secret probation for writing:

    >In message <bu0ab5d7ntv6pkm67sae1sr9ve1o1iq1sb@4ax.com>, Aratzio wrote:
    >> On Sat, 19 Sep 2009 14:47:28 +0000 (UTC), in the land of
    >> 24hoursupport.helpdesk, 攸hw不f <snuhwolf5150@hotmail.com> got double
    >> secret probation for writing:
    >>
    >> >nobody > <usenetharvested@aol.com> pinched out a steaming pile
    >> >of<foSdnalSqNT8vCnXnZ2dnUVZ_gednZ2d@supernews.com>:
    >> >
    >> >>~BD~ wrote:
    >> >>> "nobody >" <usenetharvested@aol.com> wrote in message
    >> >>> news:BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com...
    >> >>>> ~BD~ wrote:
    >> >>>>> I asked this question in the two 'security' newsgroups to which I
    >> >now
    >> >>>>> crosspost.
    >> >>>>>
    >> >>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
    >> >>>> If you are truly speaking of Read Only Memory that was installed at
    >> >>>> assembly, there's no way that a rootkit could be there unless it
    >> >was put
    >> >>>> on when the ROM was "Burned"
    >> >>>
    >> >>> "攸hw不f" poses the question of 'flashing' the BIOS.
    >> >>>
    >> >>> I'm suggesting that if/when this action is carried out, it might
    >> >well be
    >> >>> possible to introduce malware to a system - which will remain for
    >> >posterity.
    >> >>>
    >> >>> If I am right, I'm asking if there is any way that ordinary folk
    >> >could ever
    >> >>> find out the truth. *Is* there a way?
    >> >>>
    >> >>> --
    >> >>> Dave
    >> >>>
    >> >>>
    >> >>
    >> >>"Flashing the BIOS" means that the chip(s) in question are
    >> >>erasable/reprogrammable. By long convention, ROM is static and can
    >> >>only be written to ONCE. The term "burning" came from the original
    >> >>design where you actually burnt elements of the chip away to store the
    >> >>contents.
    >> >>
    >> >
    >> >Firmware Upgrade.
    >> >
    >> >Was the modem *designed* with an EEPROM? I'm thinking it wasn't.
    >> >So when I downloaded a "flash modem tool" from USR and upgraded a modem
    >> >with linux (it was pretty exciting btw and made me feel like I was a
    >> >smarty) I bet it wasn't an EEPROM chip but a ROM chip.
    >> >Or was I mistaken?
    >> >Hmmmm...

    >>
    >> VERY BASIC:
    >> ROM - Data fixed in silicon - expensive in small quantity.
    >> PROM - Write Once - Read Many - Much less expensive but not erasable.
    >> EPROM - UV Erasable data - Erase was slow and required UV lamps
    >> EEPROM - Electrically Erasable - Essentially a RAM with retention.
    >> (Multiple types of flash & rom fit here)
    >> FLASH - An EEPROM with higher density, faster write speeds and more
    >> write cycles. Different technology than the original EEPROM. Multiple
    >> types now NAND/NOR.
    >>
    >>
    >> A flash modem tool would have been used on any of the "electrically
    >> erasable" devices that could be reprogrammed under software control.
    >> Anything before that technology would require removal of the memory.

    >
    >SUDDENLY I DON'T FEEL SO SPECIAL


    Oh you are very very special.
