Re: New virus attacks AMD processors in Security

Re: New virus attacks AMD processors in Security http://www.dslreports.com/forum/r16786792 en Sat, 28 Nov 2009 01:22:01 EDT Sat, 28 Nov 2009 01:22:01 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16806042 m0d : @Dave
"If you told me where I insulted you, I'll take a look and see whether in retrospect I was overly harsh or even wrong."

Don't worry Dave ..While I appreciate the offer.. I dont feel you were "overly harsh".. I actually found the jpeg quite amusing at the time and no I am not easily hurt by txt on a forum.

I guess what I thought was REALLY funny was; you and I posting same thread again and it happens to be on the "topic" of AMD chips :) Otherwise I wouldn't even mention it.

In General .. (for general public .. not specifically @ dave)
I tend to like supporting evidence too .. and I keep an open mind until I see some info from a reputable source (that or do it myself)... a scientific approach ALL the way.

In this particular case?

1) Show me ONE chip "resident" virus in the "wild"? While "theoretically possible" it simply isn't exploited to persist in the wild.

2) Where does it say Intel is NOT affected .. just they found AMD easier to exploit "generically".

3) Its a PoC and not in the "wild" .. a PoC created by an AV Vendor = FUD (especially when it implies from the description that its AMD "specific" when that is clearly not true)

4) Any existing virus that attacks on "chip level" simply corrupts the HDD microcontroler/BIOS and you need to replace drive/reflash BIOS to fix.

5) This particular virus is file based rather than "CPU resident"

This has slowly been recognised as FUD in the press too..]]> http://www.dslreports.com/forum/remark,16806042 Wed, 30 Aug 2006 00:55:40 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16799533 XBL2009 : More lies and FUD.

Read: »www.theinquirer.net/default.aspx···le=33999]]> http://www.dslreports.com/forum/remark,16799533 Tue, 29 Aug 2006 06:41:36 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16799102 X_Digit : Ah, I predicted in 1998 that we'd someday start seeing virii that actually attacks and destorys "flashable" chips and their components. They can send trash data over the programming instruction, rendering the device useless. They can send revised programming data to BIOS or the Video card that could overclock any setting to a degree where physical damage occurs... or even send an ultra-high refresh rate to your monitor and physically damage it (less of a threat now, seeing as most have a kill switch on freqs. out of bounds to their normal capacity).

ANYTHING is possible... and I'm sure it's on it's way!]]> http://www.dslreports.com/forum/remark,16799102 Tue, 29 Aug 2006 01:58:33 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16797976 darrinjh : I don't see much to be alarmed at here, the good thing about proof of concept is that vulnerabilities are revealed before they are exploited. The BIOS microcode can probably be updated to eliminate this threat and I'm sure AMD is working on this possibility and a number of other solutions. The design of future processors should take this threat into account and eventually processors already on the market should be adequately protected by an updated BIOS or anti-virus signatures. No need to remind me that millions will remain vulnerable even after a fix is available because they have no idea how to flash the BIOS or even what it is and are totally unaware that their virus protection is disabled or the subscriptions are out of date. Believe me, I've seen it all. People think they are protected when in reality the gates are wide open & numerous incidents of mal-ware are already present on their systems. These unprotected systems represent the greatest threat to the rest of us because they become the unwitting agents used to rapidly spread new viruses throughout the internet. Yes, I've some concern for the potential of AMD processors to be directly attacked by a virus, but I'm much more concerned that an unrelated virus currently lurks out there undiscovered waiting to be unleashed that will make past attacks look like child's play. Sad thing is, it will probably attack a known vulnerability that most had ample time to patch, but didn't bother or didn't know it existed despite the vast array of information concerning this available to us today.]]> http://www.dslreports.com/forum/remark,16797976 Mon, 28 Aug 2006 22:00:38 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16794535 Fluker : Right now there seems to be more specuation than fact about these new viruses. I looked into it a few days ago and thought I'd share what I took home from reading about this.

From my understanding of the situation, the virus runs in the environment where the virtualization of memory is taking place.

I suppose a good example would be to imagine a a copy of vmware running a clean copy of an OS. Running a virus scan inside the clean OS would obviously show that there are no infections of any kind. Now suppose there is a virus on the OS in which vmware is running, that clean copy of windows can be modified/eavesdropped or whatever and the source of the compromise would be very difficult to detect from inside the user environment.

In this way, a virus could be undetectable because when the os passes a request to a memory controller to look for something that ought not to be there, the controller maps the request to that of a virtual machine and not an actual physical location.

One thing though, just as there have been rootkits and rootkit detectors. There will be viruses that lodge themselves above the OS and then scanners that are able to peer past the limitations that the OS is bound to.

Sounds like a new generation of mousetraps may be in order..]]> http://www.dslreports.com/forum/remark,16794535 Mon, 28 Aug 2006 12:51:50 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16793377 dave :

said by m0d

:

It dont look like the POCs change microcode at all.
I understand what you are saying though.

I wasn't claiming that this particular exploit changed microcode. I was simply refuting the assertion that "you can't infect CPUs". I claim that, with loadable CPU microcode, you can infect CPUs.

The title of this thread is "virus attacks AMD processors", but it's difficult to find any details that back that up. The attack is aimed at PE files, and as far as I can tell that's all. I could be wrong here, but no-one's come up with sufficient info to judge.

I seem to remember my last post in the same thread as you was labeled "h0r5esh1t" by you .. complete with a jpeg.. and without qualifcation.. kinda funny

Yeah, I tend to like supporting evidence. So when someone tells me of some novel attack, for example, without positing how that works, nor without mentioning the mechanism that is being attacked, I tend to view that as alarmist in nature. Which is to say, "horseshit".

Maybe you would like to apoligise for that and realise that I do have some idea what I am talking about ?

If you told me where I insulted you, I'll take a look and see whether in retrospect I was overly harsh or even wrong. But I can't find what you're talking about on a quick search.

(Call it a payback.. if you want to be harsh .. so can I .. like it? I think not .. )

Oh, come now. This is just idle chat in an online forum. I'm not hurt by it. ]]> http://www.dslreports.com/forum/remark,16793377 Mon, 28 Aug 2006 08:41:55 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16793334 dave :

said by garys_2k

:

Sure, the CPU could be killed, killing the computer, but I can't see how changing the CPU's microcode could, for instance, let in a rootkit or a keylogger.

You could, I suppose, relax the checks on privileged instructions, so that they could be executed from ring 3.

You could, I suppose, relax the memory-access checks, so that the kernel was writeable from ring 3.]]> http://www.dslreports.com/forum/remark,16793334 Mon, 28 Aug 2006 08:26:28 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16792383 m0d : Since w32.bounds and w64.bounds are the threats refenced I try to confine myself to those initially.

There are others such as:
1) W64.Shruggle.1318 (AMD64 Windows PE) and ..
2) W64.Rugrat.3344 (IA64A Assembly) which affect 64 bit systems only.

W32.Bounds is a proof of concept (POC) polymorphic entrypoint-obscuring infector of Windows executable files.
- from Symantec..

In other words:
Infection Vector: Win32/64 PE exe (e.g. files, not CPU resident)

The w32.bounds and w64.bounds viruses infect systems by infecting Windows executable files (exe/dll), which disqualifies them as so-called chip level threats. They do however employ elements of such attacks by showing an ability to execute chip level (and in this case .. chip specific) assembly code.

Historically, most people are unsure if CIH/Chernobyl overwrote BOIS with JUNK "accidentially" or "by design" .. fact is it did do this resulting in serious problems. Having personally dealt whith this, I recall it also overwrote the Primary DOS Partition thereby destroying drives (how do ppl forget losing drives?). That hardly looks like an "accident" to me. Maybe I was unlucky and CIH bugs happened to wipe a drive. I could google more but I am pretty sure at the time I read that was intentional.

What Symantec say:
CIH is a destructive virus with a payload that destroys data. On April 26, 1999, the payload triggered for the first time, causing many computer users to lose their data. In Korea, it was estimated that as many as one million computers were affected, resulting in more than $250 million in damages.

Luckily DOS kept a second copy that could be used to overwrite the Primary resulting in minimal data loss even on an apparently dead drive.

Finally these are not "chip threats" because so far no POC claims to persist a reboot/reformat inside the CPU itself. Rather the virus resides in files and exploits some specific chip capabilities.

PS:
On W64.Shruggle.1318: The virus is written in AMD64 assembly code.

W64.Rugrat.3344: already targets Intel systems.Of course AMD supporting IA64 makes AMD systems a target too.

W32/64.Bounds: Checking Symmantec's website, it doesn't clearly say that W32.Bounds is limited to AMD processors, but W64.Bounds (at least) looks to be limited to Windows 64-bit on AMD64.

Do NOT assume Intel is unaffected. I am sure someone can POC that on Intel64 too..

If it can be done on PE it can probably also be done on Coff etc too

While publishing POC is considered a "low level" threat, we have to question what is going on here. What opportunity were the vendors given to address threats before "full disclosure" was employed?

Are the AV vendors worried about the Kernel Lockout in Vista and trying desperately to get our attention? I have to wonder.

Clearly AMD are not the only target here. While some of the POC code found AMD "easier to exploit" because of similarities between 32/64 bit in AMD Architecture, I would not say Intel is safe here either. Proposing them as chip-level threats though is nonsence at this point .. they do not persist boot or stay chip resident. At least for now no POC claims that.

@Dave:
It dont look like the POCs change microcode at all.
I understand what you are saying though.
I seem to remember my last post in the same thread as you was labeled "h0r5esh1t" by you .. complete with a jpeg.. and without qualifcation.. kinda funny :) Maybe you would like to apoligise for that and realise that I do have some idea what I am talking about ? :) .. That or lets just avoid each other. The blind will never see and to educate those who dont want to open their minds is not my personal responsibility. (Call it a payback.. if you want to be harsh .. so can I .. like it? I think not .. )

@RedXII1234:
I have to wonder about the "limited user" point you made too. After all its a file infector using some CPU capabilities.

Why did the AV vendors make these POCs and not allow "full disclosure" to CPU vendors for a reasonable time is beyond me.

If they did, I certainly didnt hear about it.
Looks like a lame attempt to drum up some FUD.]]> http://www.dslreports.com/forum/remark,16792383 Mon, 28 Aug 2006 00:20:07 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16792198 devicenull : As far as I can tell, it's simply refering to the first native 64 bit virus.. Intel copied AMD64, and named it EMT64.. so I can't see how this virus is processor specific?

It seems to me like someone saw this, and didn't know what AMD64 actually is.]]> http://www.dslreports.com/forum/remark,16792198 Sun, 27 Aug 2006 23:34:38 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16792189 commodog : after disassembling the code, researchers found an interesting line of code: "copyright Intel 2006"]]> http://www.dslreports.com/forum/remark,16792189 Sun, 27 Aug 2006 23:33:23 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16792014 garys_2k :

said by dave

said by Oleg

:

You can't infect CPU chip.

Sure you can. If you can change the CPU microcode then it should be obvious that you can insert malware into the CPU itself.

But all you could do is add or change op-codes. Would that really be malware?

Sure, the CPU could be killed, killing the computer, but I can't see how changing the CPU's microcode could, for instance, let in a rootkit or a keylogger.]]> http://www.dslreports.com/forum/remark,16792014 Sun, 27 Aug 2006 22:56:32 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16791204 seqrets :

said by dave

:

Is there any more technical detail anywhere?

Related article: Polymorphism comes to the AMD64]]> http://www.dslreports.com/forum/remark,16791204 Sun, 27 Aug 2006 19:55:03 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16790728 dave :

said by Oleg

:

You can't infect CPU chip.

Sure you can. If you can change the CPU microcode then it should be obvious that you can insert malware into the CPU itself.]]> http://www.dslreports.com/forum/remark,16790728 Sun, 27 Aug 2006 18:23:46 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16790615 Oleg : You can't infect CPU chip.]]> http://www.dslreports.com/forum/remark,16790615 Sun, 27 Aug 2006 18:00:20 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16789315 Ctrl Alt Del : I was under the impression that this virus makes use of the new virtualization features in AMD's new processors. The hypervisor ends up "running" both Windows and the virus in virtualized environments.

But I could be way off. Details are skimpy.
--
less talk, more music]]> http://www.dslreports.com/forum/remark,16789315 Sun, 27 Aug 2006 13:48:34 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16789254 garys_2k :

said by devicenull

:

Basically, until I hear someone respectable telling me this works, and is only effective on AMD processors, I call BS.

Me, too. Assembly language is just programming language. Maybe the AMD chips have a few unique-to-them commands for register transfers and stuff, but if they did, it's no big deal. I smell FUD.]]> http://www.dslreports.com/forum/remark,16789254 Sun, 27 Aug 2006 13:34:21 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16789224 devicenull : Er, "chip level assembly code"? What, exactly is that? I wonder if they realize that MS Word also executes "chip level assembly code"..

Basically, until I hear someone respectable telling me this works, and is only effective on AMD processors, I call BS.]]> http://www.dslreports.com/forum/remark,16789224 Sun, 27 Aug 2006 13:26:25 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16788893 anon : wasn't intel the butt of jokes with their processor serial number which could be read "at will" over the internet, and tracked, hacked, and parboiled for data mining years ago?]]> http://www.dslreports.com/forum/remark,16788893 Sun, 27 Aug 2006 12:13:02 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16788566 Vampirefo : What are they suppose to do? flash the Bios or what, I can't see them as any threat, just from what I have read.
--
Best Regards Vampirefo ]]> http://www.dslreports.com/forum/remark,16788566 Sun, 27 Aug 2006 10:58:46 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16788517 dave : The Symantec write-up shows no sign of anything exotic being involved.

»www.symantec.com/security_respon···-5115-99

All I got from this is that the w32.bounds attack mucks with the import table, which of course will allow execution of arbitrary code (program thinks it's calling function X but in reality it's calling function Y).

Is there any more technical detail anywhere?]]> http://www.dslreports.com/forum/remark,16788517 Sun, 27 Aug 2006 10:48:44 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16788402 controler : "The w32.bounds and w64.bounds viruses infect systems by tying themselves to Windows executable files, which disqualifies them as so-called chip level threats. They do however employ elements of such attacks by showing an ability to executive chip level assembly code.

The last large scale outbreak of a chip level threat dates back to 1998. The CIH/Chernobyl then embedded itself into the flash-BIOS of several million computers and on the 13th anniversary of the nuclear disaster in the city destroyed all data. Chernobyl originated in South Korea, where it was estimated to cause $250m in damages."

Is this guy using some of Johanna's Blue Pill code then?
It only runs on the new dual core CPUs. Sounds like it, even though this new code attaches itself to exes.

controler]]> http://www.dslreports.com/forum/remark,16788402 Sun, 27 Aug 2006 10:19:44 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16786873 bluezanetti :

said by CU ReDUX :

Didn't CU just get raked over the coals by the AV vendor community for "laboratory" viruses that are not functional and are not on the "in the wild" list? But then this is an AV "player" doing the reporting, so we will hear little criticism from those who beat up CU for similar disclosures.

If you cannot fathom the differences in circumstance - technical proof of concept vs. direct comparison test of commercial products - you've completely and utterly missed the boat.

Blue]]> http://www.dslreports.com/forum/remark,16786873 Sat, 26 Aug 2006 23:37:19 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16786809 rotty97 : Their is nothing wrong with looking at new attack vectors, if they don't someone will that's for sure.

cheers, rotty]]> http://www.dslreports.com/forum/remark,16786809 Sat, 26 Aug 2006 23:22:30 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16786792 anon : Didn't CU just get raked over the coals by the AV vendor community for "laboratory" viruses that are not functional and are not on the "in the wild" list? But then this is an AV "player" doing the reporting, so we will hear little criticism from those who beat up CU for similar disclosures. ]]> http://www.dslreports.com/forum/remark,16786792 Sat, 26 Aug 2006 23:18:07 EDT Re: New virus attacks AMD processors http://www.dslreports.com/forum/remark,16786296 redxii : Seeing how their programs hardly run properly under anything lower than an administrator account, I assume they always run and program as an administrator. Therefore I must question what privileges they decided to run it with. If it was an administrator account then they went through entirely too much trouble.]]> http://www.dslreports.com/forum/remark,16786296 Sat, 26 Aug 2006 21:46:43 EDT New virus attacks AMD processors http://www.dslreports.com/forum/remark,16785887 seqrets : Proof of concept code shows advanced attack vector

Tom Sanders in California, vnunet.com, 28 Aug 2006

Security researchers at Symantec have discovered a new proof of concept virus that targets processors AMD rather than operating systems.

The worm comes in two versions, targeting 32-bit and 64-bit processors from AMD. Symantec refers to the online pests as w32.bounds and w64.bounds. Because it involves proof of concept code, both viruses are rated as low level threats.

More at: »www.computing.co.uk/vnunet/news/···ocessors]]> http://www.dslreports.com/forum/remark,16785887 Sat, 26 Aug 2006 20:18:24 EDT