Rootkit On the motherboard - Rom Chip?

Pc Paranoid (Anon, @optonline.net):

Please read this

»www.google.com/translate ··· &ie=UTF8

Expansion ROM is a terminus technicus used in the PCI specification. Thus, no standard interface for programming is provided. However, this ROM is often implemented by flash memory, which can be reprogrammed; the interface is device specific.
PCI defines how to access the Expansion ROM. Sometimes you can program the memory chip using this access method.

So hardware rootkits are going to become common?
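Since the quoted text says what an expansion ROM is but not how one is laid out, here is a parser for the structure the PCI specification actually defines: the 0x55AA header, the 16-bit pointer at offset 0x18 to the "PCIR" data structure, and the chain of images that ends at the one whose indicator byte has bit 7 set. This is an added example, not code from the thread or from the linked page; the ROM images it parses are constructed inline with a made-up vendor/device ID, and the byte-sum checksum it verifies is defined only for legacy x86 images. Whoever reflashes a ROM in place will normally fix the checksum up again, so a passing checksum says nothing about integrity; the parser is for locating and identifying the images, which is the prerequisite for comparing them to known-good copies.

```python
import struct

# Layout from the PCI Local Bus spec: expansion ROM header and the "PCIR" data structure.
ROM_SIG = b"\x55\xAA"
PCIR_PTR_OFF = 0x18  # 16-bit LE offset of the PCIR structure, relative to the image start
# sig, vendor, device, VPD ptr, PCIR len, PCIR rev, class code, image len (512-byte units),
# code rev level, code type, indicator (bit 7 = last image), reserved
PCIR_FMT = "<4sHHHHB3sHHBBH"
CODE_TYPES = {0: "x86 PC-AT", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}


def build_image(vendor, device, code_type, last, size_units=1):
    """Build a minimal expansion ROM image (constructed test data, not a real ROM)."""
    size = size_units * 512
    img = bytearray(size)
    img[0:2] = ROM_SIG
    img[2] = size_units & 0xFF  # legacy x86 header field: image length in 512-byte units
    pcir_off = 0x1C
    struct.pack_into("<H", img, PCIR_PTR_OFF, pcir_off)
    struct.pack_into(PCIR_FMT, img, pcir_off, b"PCIR", vendor, device, 0,
                     struct.calcsize(PCIR_FMT), 0, b"\x00\x00\x03", size_units, 0,
                     code_type, 0x80 if last else 0, 0)
    if code_type == 0:
        # Legacy x86 images must sum to zero mod 256; the fix-up byte goes at the end.
        img[-1] = (-sum(img[:-1])) & 0xFF
    return bytes(img)


def parse_expansion_rom(rom):
    """Walk the image chain and return one record per image, with checksum status."""
    images, off = [], 0
    while off + 0x1A <= len(rom):
        if rom[off:off + 2] != ROM_SIG:
            raise ValueError(f"missing 55AA signature at 0x{off:x}")
        pcir_off = off + struct.unpack_from("<H", rom, off + PCIR_PTR_OFF)[0]
        if pcir_off + struct.calcsize(PCIR_FMT) > len(rom):
            raise ValueError(f"PCIR pointer at 0x{off:x} points outside the ROM")
        (sig, vendor, device, _vpd, _plen, _rev, _cls, img_units,
         _lvl, code_type, indicator, _rsvd) = struct.unpack_from(PCIR_FMT, rom, pcir_off)
        if sig != b"PCIR":
            raise ValueError(f"bad PCIR signature at 0x{pcir_off:x}")
        length = img_units * 512
        if length == 0 or off + length > len(rom):
            raise ValueError(f"image at 0x{off:x} has invalid length {length}")
        image = rom[off:off + length]
        images.append({
            "offset": off, "length": length,
            "vendor": vendor, "device": device,
            "code_type": CODE_TYPES.get(code_type, f"unknown({code_type})"),
            "last": bool(indicator & 0x80),
            # Only the legacy x86 format defines the whole-image byte checksum.
            "checksum_ok": (sum(image) & 0xFF) == 0 if code_type == 0 else None,
        })
        if indicator & 0x80:
            break
        off += length
    return images


# Constructed sample ROM: a legacy x86 image followed by a final EFI image.
SAMPLE_ROM = (build_image(0x8086, 0x1234, code_type=0, last=False)
              + build_image(0x8086, 0x1234, code_type=3, last=True, size_units=2))


def tampered_rom(rom, offset=0x100):
    """Flip one bit in the legacy image body, as a patched-in-place ROM would look."""
    buf = bytearray(rom)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    for rec in parse_expansion_rom(SAMPLE_ROM):
        print(rec)
    print("tampered checksum ok:", parse_expansion_rom(tampered_rom(SAMPLE_ROM))[0]["checksum_ok"])
```

Run it against a real dump (for instance the `rom` file that Linux exposes under a device's sysfs directory once enabled) and the vendor/device IDs and code types tell you which image belongs to which card and whether an EFI image is present that the legacy BIOS never executes.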

AB57 (Premium Member, joined 2006-04-04, equatorial):

Please read this:

»BioShock game bundled with vile DRMalware

Sounds related.

What (Anon, @optonline.net) to Pc Paranoid:

So hardware companies should then make their hardware safer and be sure nothing can write to it.

Well, that's all I can say since it's about code on the ROM chip of the motherboard.

Kiwi88 (Premium Member, joined 2003-05-26, Bryant, AR) to Pc Paranoid:

People have forgotten the old virus from many years past, that did just that!

AB57 (Premium Member, joined 2006-04-04, equatorial):

said by Kiwi88:

People have forgotten the old virus from many years past, that did just that!

"That which is forgotten, cannot be remembered." -A. Bargle

NetFixer (From My Cold Dead Hands; Premium Member, joined 2004-06-24, The Boro):

said by AB57:

"That which is forgotten, cannot be remembered." -A. Bargle

That's why we have Steve Gibson, he never forgets.

The CIH virus attempts to ERASE the writable FLASH BIOS of infected PCs, and also overwrites the first 2,048 sectors (1,048,576 bytes) of all of the system's available non-removable writable disk drives!

AB57 (Premium Member, joined 2006-04-04, equatorial):

said by NetFixer:

said by AB57:

"That which is forgotten, cannot be remembered." -A. Bargle

That's why we have Steve Gibson, he never forgets.

Then thank God for him!

My apologies-- I had a moment of profundity there (or maybe not) that just took hold of me.
It's over now, thankfully. Whew!

"That which is posted, can be edited, though in this case will not be." -Some dork

XKit1 (Anon, @optonline.net) to Pc Paranoid:

A reformat can solve most problems.

We are talking about rootkits or keyloggers in the hardware.

Would a reformat help kill a hardware rootkit?

Since it would need an .exe on the OS?

Or a reformat can render the hardware malware useless.
Kiwi88 (Premium Member, joined 2003-05-26, Bryant, AR) to AB57:

»en.wikipedia.org/wiki/CIH_virus

Lagz (Premium Member, joined 2000-09-03, The Rock) to Pc Paranoid:

Here is some interesting reading.

"A collection of functions for power management, known as the Advanced Configuration and Power Interface (ACPI), has its own high-level interpreted language that could be used to code a rootkit and store key attack functions in the Basic Input/Output System (BIOS) in flash memory, according to John Heasman, principal security consultant for U.K.-based Next-Generation Security Software."

»www.securityfocus.com/news/11372

edit: This topic isn't new. This is something that I have been worrying about for some time now.

salzan (Experienced Optimist; Premium Member, joined 2004-01-08, WA State) to XKit1:

said by XKit1:

A reformat can solve most problems.

We are talking about rootkits or keyloggers in the hardware.

Would a reformat help kill a hardware rootkit?

Since it would need an .exe on the OS?

Or a reformat can render the hardware malware useless.

A reformat/wipe and flashing both the motherboard and video BIOS would overwrite pretty much everything you can normally change. I suppose you could reflash the firmware in your optical drives if you were really concerned, but that's a real stretch.
Kiwi88 (Premium Member, joined 2003-05-26, Bryant, AR) to Pc Paranoid:

I would hope we don't revisit yesteryear. Actually I'm going to freak a lot of people out: a hex in the right place, on a supposedly good download, will garner bad things. Check your MD5 hash at all times. I'm actually wondering if the CIH virus is still in the antivirus databases... Hmmmm.

A nasty nobody wants to experience first hand. I got hit back in the late 80's, was smart enough to save and decipher the file... Rather gruesome, to say the least.

Edit: ok, kill me, late 90's.

XKit1 (Anon, @optonline.net) to Pc Paranoid:

Well, I am a little worried about this malware to the motherboard or other devices.

The MAIN problem is - reformatting won't get rid of it?

I mean you wipe your HDD and install a new OS - and all of a sudden it can reinstall itself from the hardware.

Sounds like a bunch of rubbish - or nonsense that is just going around to make people paranoid, or to have security experts take a big look at this whole hardware rootkit thing.

Besides, if this was really true and mainstream, wouldn't the security companies cover this garbage?
Kiwi88 (Premium Member, joined 2003-05-26, Bryant, AR):

It's the volatile ROM areas; any hardware item that will flash to an upgrade can be affected. Certainly writing to the boot sector of a hard drive has been an issue.

There are people that lock the BIOS on their motherboard in order to prevent issues; that can be really tough if the password is forgotten.

Paranoid, no. It's just part of the awareness factor.

Be absolutely sure I'm not directing the following to you, just a general statement.

Though there are some people that can use a keyboard, mouse, click around the internet and don't have any propensity to understand PC issues - they are better off not reading these things. It won't change how they work or think, but will serve up a scare factor.

The CIH link was deliberate so people might reflect on the history of that nasty; some don't know and others have forgotten.

This was me..>>

"In September 1998, Yamaha shipped a firmware update to their CD-R400 Drives that were infected with the virus."

Cartel (Intel inside Your sensitive data outside; Premium Member, joined 2006-09-13, Chilliwack, BC) to Pc Paranoid:

Pc Paranoid (Anon, @optonline.net) to Pc Paranoid:

Awesome^^ lol

Apparently the hardware rootkit is STORED in the ROM CHIP of the motherboard.

Hmmm, so I don't see if clearing the CMOS would do anything.

Wow, this is quite disturbing... Nothing is 100% undetectable, but hey, "A hardware rootkit?" Seems like hardware has to adapt to being more safe, or apparently render "HARDWARE rootkits useless".

MALWARE is going to HARDWARE.

Seems like now hardware also needs security..... But hey, if we lived in a perfect world.

Zkt (Anon, @optonline.net) to Pc Paranoid:

javaMan (The Dude abides; MVM, joined 2002-07-15, San Luis Obispo, CA) to NetFixer:

said by NetFixer:

said by AB57:

"That which is forgotten, cannot be remembered." -A. Bargle

That's why we have Steve Gibson, he never forgets.

The CIH virus attempts to ERASE the writable FLASH BIOS of infected PCs, and also overwrites the first 2,048 sectors (1,048,576 bytes) of all of the system's available non-removable writable disk drives!

Now those were real viruses! No messing around with zombies and other nonsense. The goal was to destroy the computer. I came very close to getting that one. It occurred to me that since the floppy came from an untrusted source that maybe I should scan it first.

Drunkula (Premium Member, joined 2000-06-12, Denton, TX) to Pc Paranoid:

Correct. CMOS is not the flash ROM where the BIOS lives. For those that may not know, CMOS is the memory that is powered by the battery, and the BIOS uses it to store settings about the system such as disk drives and their geometry, system time and date, etc. Code does not live there - only data. It is my understanding that even if code were in CMOS it could not execute, because it is not in the regular memory space. It has to be accessed via the CPU's IN and OUT instructions, not via the CS:EIP register pair.

Nanaki (banned; aka novaflare. pull punches? Na; Member, joined 2002-01-24, Akron, OH) to XKit1:

said by XKit1:

Well, I am a little worried about this malware to the motherboard or other devices.

The MAIN problem is - reformatting won't get rid of it?

I mean you wipe your HDD and install a new OS - and all of a sudden it can reinstall itself from the hardware.

Sounds like a bunch of rubbish - or nonsense that is just going around to make people paranoid, or to have security experts take a big look at this whole hardware rootkit thing.

Besides, if this was really true and mainstream, wouldn't the security companies cover this garbage?

You'd be surprised at what is out there. Viruses that are widespread don't tend to be super nasty. There are custom ones that people have made that make things like CIH look tame. I saw one on an old-style programmable keyboard that would rewrite itself to the system whenever any programmed key was pressed (F13 to F24). It was a file killer. Basically it would start destroying files once it was active. From key press to non-bootable crashed computer was about 5 to 10 minutes.

The bad thing is it does not take much to make such a destructive virus. Think of it this way: you do not need to worry about making the virus spread and do as much damage to as many computers as possible; instead you're after a single target. So you simply write the code, infect the keyboard, swap out the owner's original clean keyboard with your infected one, and walk away.

The person in question who had this keyboard bought it from a flea market. It took days to find the cause of his computer problems, as we did not expect such a nasty little bit of code. I mean really, who would, when it acted like a bad hard drive or bad RAM causing it all, heh.

Pc Paranoid (Anon, @optonline.net) to Pc Paranoid:

I am pretty sure if motherboard ROM rootkits spread into the wild, we would have scanners that will scan the ROM and see if it is modified.

Antivirus companies make MILLIONS $$$$$$$... So just a group of people coding ROM rootkits will not really succeed once it spreads into the wild.

There are no REPORTS or EVIDENCE of motherboard malware.

POSSIBLE! That this is all a scare and hyped up internet BULLSHIT.

And people have different hardware and ROMs and etc... Wow, it seems like people are spreading nonsense...

We will just wait and see.

Cartel (Intel inside Your sensitive data outside; Premium Member, joined 2006-09-13, Chilliwack, BC) to Pc Paranoid:

What if you:
A: Flash your BIOS to a new/old version?
B: Pull the BIOS ROM and replace/reset/re-flash it.
C: Get a new mobo.

Pc Paranoid (Anon, @optonline.net) to Pc Paranoid:

It is not stored in the BIOS.

The BIOS contains the date, time, configurations, etc.

It is on the ROM chip on the motherboard..... Don't ask me how it even gets there LOL.

said by Cartel:

B: Pull the BIOS ROM and replace/reset/re-flash it.
C: Get a new mobo.

YES^^ you are correct.

There is something called TPM, the Trusted Platform Module, a chip that promises to dramatically improve hardware and network security, which most users will see when they purchase a new PC with Windows Vista on it.

Basically hardware TPM should stop possible hardware malware in its tracks.

It's nothing to worry about... But I would like to know if there are any methods to possibly detect if your ROM on the motherboard has been modified.
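What a TPM contributes here is worth separating from what the post hopes for. The chip does not block a write to the flash; it gives the firmware a place to record a hash of each boot component that nothing later in the boot can roll back, so a modified main BIOS or option ROM shows up as a different PCR value, which can be compared to a known-good value locally or sent to a remote verifier as a quote. The simulation below is an added example, not anything from the thread: it models the extend operation and a four-stage boot chain with constructed stand-in blobs, uses SHA-256 where the TPM 1.2 parts of the Vista era had SHA-1 PCRs, and takes the "golden" PCR to be whatever measuring the clean chain produces. The caveat that matters in practice: the scheme only catches a changed ROM if the first code that runs and does the first measurement (the core root of trust for measurement in the boot block) is itself outside the attacker's reach, and the event log is only trustworthy insofar as it replays to the PCR the TPM reports.

```python
import hashlib

PCR_SIZE = 32  # simulated SHA-256 PCR bank (TPM 1.2 used 20-byte SHA-1 PCRs)


def extend(pcr, measurement):
    """TPM extend: PCR_new = H(PCR_old || measurement). Order matters and nothing un-extends."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components):
    """Simulate the firmware hashing each boot component into PCR0 and writing an event log."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log


def replay_log(log):
    """Verifier side: recompute the PCR from the event log to check the log is honest."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def attest(quoted_pcr, log, golden_pcr):
    """Accept only if the log replays to the quoted PCR and the quote equals the known-good value."""
    return replay_log(log) == quoted_pcr and quoted_pcr == golden_pcr


# Constructed stand-ins for the boot chain. On a real board these would be the BIOS main
# block, each option ROM found during POST, and the boot loader read from the disk.
CLEAN_CHAIN = [
    ("bios_main",   b"constructed BIOS image v1.02"),
    ("video_oprom", b"constructed video option ROM"),
    ("nic_oprom",   b"constructed NIC option ROM"),
    ("bootloader",  b"constructed MBR/boot loader"),
]
GOLDEN_PCR0, _ = measure_boot(CLEAN_CHAIN)


def boot_with_patched_oprom():
    """Same chain, but one byte appended to the NIC option ROM (a hook was flashed in)."""
    chain = [(n, b + b"\x90" if n == "nic_oprom" else b) for n, b in CLEAN_CHAIN]
    return measure_boot(chain)


def forged_log_attempt():
    """Malware that altered the option ROM rewrites its log entry to the clean hash.
    The PCR the TPM holds is unaffected, so replaying the log no longer matches it."""
    pcr, log = boot_with_patched_oprom()
    clean_digest = hashlib.sha256(CLEAN_CHAIN[2][1]).digest()
    forged = [(n, clean_digest if n == "nic_oprom" else d) for n, d in log]
    return pcr, forged


if __name__ == "__main__":
    pcr, log = measure_boot(CLEAN_CHAIN)
    print("clean boot attests:", attest(pcr, log, GOLDEN_PCR0))
    pcr, log = boot_with_patched_oprom()
    print("patched option ROM attests:", attest(pcr, log, GOLDEN_PCR0))
    pcr, log = forged_log_attempt()
    print("patched ROM with forged log attests:", attest(pcr, log, GOLDEN_PCR0))
```

The comparison against GOLDEN_PCR0 is the part a real deployment has to supply from somewhere the suspect machine cannot reach, such as a value recorded when the board was provisioned or an allow-list kept by the attestation server; a PCR value read and judged by the same firmware you are suspicious of tells you nothing.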

NetFixer (From My Cold Dead Hands; Premium Member, joined 2004-06-24, The Boro):


said by Pc Paranoid:

It is not stored in the BIOS.

The BIOS contains the date, time, configurations, etc.

Actually, the BIOS (and any hypothetical/theoretical malware) is/would be stored in the BIOS ROM. This is not necessarily just the system BIOS ROM; video, communications, and storage controller BIOS ROMs might also be considered as infection targets.

The system configuration, including the date/time, is stored in CMOS RAM, not in the BIOS ROM.

PetePuma (How many lumps do you want; MVM, joined 2002-06-13, Arlington, VA) to Pc Paranoid:

said by Pc Paranoid:

There are no REPORTS or EVIDENCE of motherboard malware.

Nothing in the wild yet, but you can definitely do it:
»www.antirootkit.com/blog ··· ould-be/
»www.antirootkit.com/blog ··· or-bios/
»www.ngssoftware.com/jh_b ··· 2006.pdf

Pc Paranoid (Anon, @optonline.net) to Pc Paranoid:

Well, even the home user doesn't have to fear, since it is stored in the device ROM lol.

Well, if any devices have expansion ROM - the malware would need ROM.

Flashable devices are at risk.

Detection for a modified ROM shouldn't be difficult.

But I am still wondering how someone would be able to flash that hardware device.

It just makes no sense at all since all hardware is different.

salzan (Experienced Optimist; Premium Member, joined 2004-01-08, WA State):


said by Pc Paranoid:

It just makes no sense at all since all hardware is different.

This is the reality of trying to flash any hardware. The package has to be able to correctly detect what hardware is available, carry or be able to download the correct malbios and flash it to the system. Anybody who's ever had a flash go wrong even with all the correct information, BIOS and procedures can see problems with the whole concept.

Sure it can be done but how practical is it? In most cases it would probably just mess up the computer so it wouldn't even boot. I'm sure not going to lose any sleep over it.

PetePuma (How many lumps do you want; MVM, joined 2002-06-13, Arlington, VA) to Pc Paranoid:

ALL motherboards today are flashable. There's a limited number of flash chips in use by most manufacturers. It's quite in the realm of possibility, even if you just target one manufacturer and model.

How can you detect a modified flash? The flash itself is modified and can tell the OS anything it wants. The OS is *oblivious* to any change made before it boots.

Pc Paranoid (Anon, @optonline.net) to Pc Paranoid:

I don't see anything complex in a ROM scanner or something to detect a modified ROM.

Since you would store code in the ROM or flash it over with some different code, "reprogrammed" I guess.

But what code would be inside the ROM... What would need to be scanned for?

Compare a normal ROM code with a modified one. Gather how the code and functions in the normal ROM are and compare that against a potentially modified one.

Once we get deep into the whole ROM malware scare... It seems like a load of rubbish.
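The comparison Pc Paranoid describes is the standard approach, with one condition that follows from PetePuma's earlier point: the dump cannot be obtained by asking the running system, because firmware that has been modified can hand back a clean copy of itself, so it has to be read out of band (for instance with a tool such as flashrom driving an external SPI programmer) and then compared to the vendor's image for that exact board and BIOS version. The script below is an added example, not from the thread: a byte-range differ over two images that ignores regions you declare as legitimately variable (the settings/NVRAM area differs between any two dumps of a working board, so a bare hash mismatch proves nothing) and reports whatever is left as suspicious. Both images and the region offsets are constructed for the example; a real board's layout comes from the vendor image or from the firmware's own volume map.

```python
import hashlib
import random


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def diff_regions(golden, dump, merge_gap=16):
    """Return [(start, end)] half-open byte ranges where dump differs from golden.
    Runs closer than merge_gap are merged so one patched routine reports as one range;
    a size mismatch is reported as a final range covering the extra tail."""
    n = min(len(golden), len(dump))
    runs, start = [], None
    for i in range(n):
        if golden[i] != dump[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, n))
    if len(golden) != len(dump):
        runs.append((n, max(len(golden), len(dump))))
    merged = []
    for s, e in runs:
        if merged and s - merged[-1][1] <= merge_gap:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))
    return merged


def verify_dump(dump, golden, ignore=()):
    """Compare an out-of-band flash dump with a known-good vendor image.
    `ignore` holds (start, end) ranges expected to differ (settings/NVRAM, event logs)."""
    report = {
        "size_match": len(dump) == len(golden),
        "golden_sha256": sha256_hex(golden),
        "dump_sha256": sha256_hex(dump),
        "suspicious": [(s, e) for s, e in diff_regions(golden, dump)
                       if not any(a <= s and e <= b for a, b in ignore)],
    }
    report["clean"] = report["size_match"] and not report["suspicious"]
    return report


# Constructed 64 KiB "vendor image": seeded pseudo-random bytes stand in for real code.
SIZE = 64 * 1024
_rng = random.Random(1)
GOLDEN_IMAGE = bytes(_rng.randrange(256) for _ in range(SIZE))
NVRAM_REGION = (0xE000, 0xF000)  # assumed settings area in this constructed layout


def make_dump(patch_hook=True):
    """Constructed dump: settings changed by normal use, plus optionally a patched code region."""
    buf = bytearray(GOLDEN_IMAGE)
    for i in range(0xE100, 0xE110):      # settings bytes changed legitimately; inside NVRAM_REGION
        buf[i] ^= 0xFF
    if patch_hook:
        for i in range(0x2000, 0x2020):  # stand-in for a 32-byte hook written by a reflash
            buf[i] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    report = verify_dump(make_dump(), GOLDEN_IMAGE, ignore=[NVRAM_REGION])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed each suspicious range to a disassembler at the right load address and you have exactly the "compare the code and functions" step the post asks for, with the search narrowed to a few dozen bytes instead of the whole chip.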

salzan (Experienced Optimist; Premium Member, joined 2004-01-08, WA State) to PetePuma:

said by PetePuma:

ALL motherboards today are flashable. There's a limited number of flash chips in use by most manufacturers. It's quite in the realm of possibility, even if you just target one manufacturer and model.

How can you detect a modified flash? The flash itself is modified and can tell the OS anything it wants. The OS is *oblivious* to any change made before it boots.

You would have to target one manufacturer/model unless you were able to scan the system and download the appropriate flash for whatever was detected. But at that point, you would already own the computer anyway. The only advantage I can see is that it would be difficult to remove. But can a ROM chip hold enough info to both run the computer and transmit re-infection data back to a clean system or a fresh OS install?

Even if you could reflash the BIOS, the CMOS settings would be lost in the process. The computer would wake up with fail safe defaults in another year at another time. Assuming it didn't just stop at the BIOS setup screen.

Admittedly, there are users who wouldn't notice anything but lots of people would notice that something was wrong...

I'm not saying it's not possible, I just don't think it's practical.