|
Pc Paranoid
Anon
2007-Aug-25 8:59 pm
Rootkit On the motherboard - Rom Chip?
Please read this » www.google.com/translate ··· &ie=UTF8
Expansion ROM is terminus technicus used in PCI specification. Thus, no standard interface for programming is provided. However, this ROM is often implemented by flash memory, which can be reprogrammed and interface is device specific. PCI defines how to access Expansion ROM. Sometimes you can program the memory chip using this access method.
So hardware rootkits are going to become common? |
|
AB57 Premium Member join:2006-04-04 equatorial |
2007-Aug-25 9:16 pm
|
|
|
to Pc Paranoid
So hardware companies should then make their hardware more safe and be sure nothing can write to it
Well that's all I can say since it's about code on the Rom chip of the motherboard |
|
|
Kiwi88 Premium Member join:2003-05-26 Bryant, AR
1 recommendation |
to Pc Paranoid
People have forgotten the old virus from many years past, that did just that! |
|
AB57 Premium Member join:2006-04-04 equatorial
1 recommendation |
2007-Aug-26 4:02 pm
said by Kiwi88:
People have forgotten the old virus from many years past, that did just that!

"That which is forgotten, cannot be remembered." -A. Bargle |
|
NetFixerFrom My Cold Dead Hands Premium Member join:2004-06-24 The Boro Netgear CM500 Pace 5268AC TRENDnet TEW-829DRU
|
2007-Aug-26 4:10 pm
said by AB57:
"That which is forgotten, cannot be remembered." -A. Bargle

That's why we have Steve Gibson, he never forgets.
The CIH virus attempts to ERASE the writable FLASH BIOS of infected PC's, and also overwrites the first 2,048 sectors (1,048,576 bytes) of all of the system's available non-removable writable disk drives! |
|
AB57 Premium Member join:2006-04-04 equatorial
1 recommendation |
2007-Aug-26 4:21 pm
said by NetFixer:
said by AB57:
"That which is forgotten, cannot be remembered." -A. Bargle
That's why we have Steve Gibson, he never forgets.

Then thank God for him! My apologies-- I had a moment of profundity there (or maybe not) that just took hold of me. It's over now, thankfully. Whew!
"That which is posted, can be edited, though in this case will not be." -Some dork |
|
|
to Pc Paranoid
A reformat can solve most problems
We are talking about rootkits or keyloggers in the hardware
Would a reformat help kill a hardware rootkit
Since it would need an .exe on the OS?
Or a reformat can render the hardware malware useless |
|
Kiwi88 Premium Member join:2003-05-26 Bryant, AR |
to AB57
|
|
Lagz Premium Member join:2000-09-03 The Rock 1 edit |
to Pc Paranoid
Here is some interesting reading. "A collection of functions for power management, known as the Advanced Configuration and Power Interface (ACPI), has its own high-level interpreted language that could be used to code a rootkit and store key attack functions in the Basic Input/Output System (BIOS) in flash memory, according to John Heasman, principal security consultant for U.K.-based Next-Generation Security Software."
» www.securityfocus.com/news/11372
edit: This topic isn't new. This is something that I have been worrying about for some time now. |
|
salzanExperienced Optimist Premium Member join:2004-01-08 WA State
1 recommendation |
to XKit1
said by XKit1 :
A reformat can solve most problems
We are talking about rootkits or keyloggers in the hardware
Would a reformat help kill a hardware rootkit
Since it would need an .exe on the OS?
Or a reformat can render the hardware malware useless

A reformat/wipe and flashing both the motherboard and video BIOS would overwrite pretty much everything you can normally change. I suppose you could reflash the firmware in your optical drives if you were really concerned but that's a real stretch. |
|
Kiwi88 Premium Member join:2003-05-26 Bryant, AR 1 edit |
to Pc Paranoid
I would hope we don't revisit yester_year. Actually I'm going to freak a lot of people out, a hex in the right place, on a supposed good download will garner bad things. Check your MD5 hash @ all times. I'm actually wondering if the CIH virus is still in the anti viral data bases...HUmmmmm. A nasty nobody wants an experience of first hand, I got hit back in the late 80's, was smart enough to save and decipher the file...Rather gruesome, to say the least. Edit, ok kill me late 90's. |
|
|
to Pc Paranoid
Well I am a little worried about this malware to the motherboard or other devices
The MAIN problem is - Reformatting won't get rid of it?
I mean you wipe your hdd and install new os - And all of a sudden it can reinstall itself from the hardware
Sounds like a bunch of rubbish - Or nonsense that is just going around to make people paranoid or have Security experts take a big look at this whole hardware rootkit thing
Besides, If this was really true and mainstream wouldn't the security companies cover this garbage? |
|
Kiwi88 Premium Member join:2003-05-26 Bryant, AR 1 edit |
2007-Aug-29 5:39 pm
It's the volatile ROM areas, any hardware item that will flash to an upgrade can be affected, certainly writing to the boot sector of a hard drive has been an issue.
There are people that lock the BIOS on their motherboard in order to prevent issues, that can be really tough if the password is forgotten.
Paranoid, no. It's just part of the awareness factor.
Be absolutely sure I'm not directing the following to you, just a general statement.
Though there are some people that can use a keyboard, mouse, click around the internet and don't have any propensity to understand PC issues - They are better off not reading these things, it won't change how they work or think; but will serve up a scare factor.
The CIH link was deliberate so people might reflect on the history of that nasty, some don't know and others have forgotten.
This was me..>>
"In September 1998, Yamaha shipped a firmware update to their CD-R400 Drives that were infected with the virus." |
|
CartelIntel inside Your sensitive data outside Premium Member join:2006-09-13 Chilliwack, BC 4 edits |
to Pc Paranoid
|
|
|
to Pc Paranoid
Awesome^^ lol
Apparently the Hardware rootkit is STORED in ROM CHIP of the motherboard
Hmmm so I don't see if clearing the Cmos would do anything
Wow this is quite disturbing...Nothing is 100% undetectable but hey "A hardware rootkit?"
Seems like hardware has to adapt to being more safe or apparently Render "HARDWARE rootkits useless"
MALWARE is going to HARDWARE
Seems like now hardware also needs security.....But hey if we lived in a perfect world |
|
Zkt @optonline.net |
to Pc Paranoid
|
|
javaManThe Dude abides. MVM join:2002-07-15 San Luis Obispo, CA
1 recommendation |
to NetFixer
said by NetFixer:
said by AB57:
"That which is forgotten, cannot be remembered." -A. Bargle
That's why we have Steve Gibson, he never forgets.
The CIH virus attempts to ERASE the writable FLASH BIOS of infected PC's, and also overwrites the first 2,048 sectors (1,048,576 bytes) of all of the system's available non-removable writable disk drives!

Now those were real viruses! No messing around with zombies and other nonsense. The goal was to destroy the computer. I came very close to getting that one. It occurred to me that since the floppy came from an untrusted source that maybe I should scan it first. |
|
Drunkula Premium Member join:2000-06-12 Denton, TX
1 recommendation |
to Pc Paranoid
Correct. CMOS is not flash ROM where the BIOS lives. For those that may not know, CMOS is the memory that is powered by the battery and BIOS uses it to store settings about the system such as disk drives and their geometry, system time and date, etc. Code does not live there - only data. It is my understanding that even if code were in CMOS it could not execute because it is not in the regular memory space. It has to be accessed via the CPU's IN and OUT instructions, not via the ECS:EIP register pair. |
|
Nanaki (banned)aka novaflare. pull punches? Na join:2002-01-24 Akron, OH |
to XKit1
said by XKit1 :
Well I am a little worried about this malware to the motherboard or other devices
The MAIN problem is - Reformatting won't get rid of it?
I mean you wipe your hdd and install new os - And all of a sudden it can reinstall itself from the hardware
Sounds like a bunch of rubbish - Or nonsense that is just going around to make people paranoid or have Security experts take a big look at this whole hardware rootkit thing
Besides, If this was really true and mainstream wouldn't the security companies cover this garbage?

You'd be surprised at what is out there. Viri that are widespread don't tend to be super nasty. There are custom ones that people have made that make things like CIH look tame. I saw one on an old style programmable keyboard that would rewrite itself to the system whenever any programmed key was pressed (f13 to f24). It was a file killer. Basically it would start destroying files once it was active. From key press to non bootable crashed computer was about 5 to 10 minutes. The bad thing is it does not take much to make such a destructive virus. Think of it this way: you do not need to worry about making the virus spread and do as much damage to as many computers as possible, instead you're after a single target. So you simply write the code, infect the keyboard, swap out the owner's original clean kb with your infected one and walk away. The person in question who had this keyboard bought it from a flea market. It took days to find the cause of his computer problems as we did not expect such a nasty little bit of code. I mean really who would when it acted like a bad hard drive or bad ram causing it all heh |
|
|
to Pc Paranoid
I am pretty sure if Motherboard ROM rootkits spread into the wild - We would have scanners that will scan the rom and see if it is modified
Anti virus companies make MILLIONS $$$$$$$...So just a group of people coding rom rootkits will not really succeed once it spreads into the wild
There is no REPORTS or EVIDENCE of Motherboard malware
POSSIBLE! That this is all a scare and hyped up internet BULLShit
And people have different hardwares and roms and etc...Wow it seems like people are spreading about Nonsense...
We will just wait and see |
|
CartelIntel inside Your sensitive data outside Premium Member join:2006-09-13 Chilliwack, BC |
to Pc Paranoid
What if you:
A: Flash your bios to a new/old version?
B: Pull the bios rom and replace/reset/re-flash it.
C: Get a new Mobo. |
|
|
to Pc Paranoid
It is not stored in the bios
The bios contains the date time, Configurations, etc
It is on the Rom Chip on the motherboard.....Don't ask me how it even gets there LOL
B: Pull the bios rom and replace/reset/re-flash it. C: Get a new Mobo.
YES^^ you are correct
There is something called TPM, the Trusted Platform Module, a chip that promises to dramatically improve hardware and network security, which most users will see when they purchase a new PC with Windows Vista on it
Basically hardware TPM should Stop possible hardware malware in the tracks.
It's nothing to worry about....But I would like to know if there are any methods to possibly detect if your ROM on the motherboard has been modified |
|
NetFixerFrom My Cold Dead Hands Premium Member join:2004-06-24 The Boro Netgear CM500 Pace 5268AC TRENDnet TEW-829DRU
1 recommendation |
2007-Sep-5 1:17 pm
said by Pc Paranoid :
It is not stored in the bios
The bios contains the date time, Configurations, etc

Actually, the BIOS (and any hypothetical/theoretical malware) is/would be stored in the BIOS ROM. This is not necessarily just the system bios rom; video, communications, and storage controller bios roms might also be considered as infection targets. The system configuration including the date/time is stored in CMOS RAM, not in the bios rom. |
|
PetePumaHow many lumps do you want MVM join:2002-06-13 Arlington, VA |
to Pc Paranoid
said by Pc Paranoid :
There is no REPORTS or EVIDENCE of Motherboard malware

Nothing in the wild yet, but you can definitely do it:
» www.antirootkit.com/blog ··· ould-be/
» www.antirootkit.com/blog ··· or-bios/
» www.ngssoftware.com/jh_b ··· 2006.pdf |
|
|
to Pc Paranoid
Well even the home user doesn't have to fear Since it is stored in the device ROM lol.
Well if any devices have expansion ROM - The malware would need ROM
Flashable devices are at risk.
Detection for modified rom shouldn't be difficult
But I am still wondering how someone would be able to flash that hardware device
It just makes no sense at all since all hardware is different |
|
salzanExperienced Optimist Premium Member join:2004-01-08 WA State |
2007-Sep-5 7:16 pm
said by Pc Paranoid :
It just makes no sense at all since all hardware is different

This is the reality of trying to flash any hardware. The package has to be able to correctly detect what hardware is available, carry or be able to download the correct malbios and flash it to the system. Anybody who's ever had a flash go wrong even with all the correct information, BIOS and procedures can see problems with the whole concept. Sure it can be done but how practical is it? In most cases it would probably just mess up the computer so it wouldn't even boot. I'm sure not going to lose any sleep over it. |
|
PetePumaHow many lumps do you want MVM join:2002-06-13 Arlington, VA
1 recommendation |
to Pc Paranoid
ALL motherboards today are flashable. There's a limited number of flash chips in use by most manufacturers. It's quite in the realm of possibility, even if you just target one manufacturer and model.
How can you detect a modified flash? The flash itself is modified and can tell the OS anything it wants. The OS is *oblivious* to any change made before it boots. |
|
|
to Pc Paranoid
I don't see anything complex in a ROM scanner or something to detect a modified rom
Since you would store code in the rom or flash it over with some different code "reprogrammed" I guess
But what code would be inside the rom...What would need to be scanned for.
Compare a normal rom code with a modified one. Gather how the code and functions in normal rom are and compare that against a potentially modified one
Once we get deep into the whole ROM Malware scare...It seems like a load of rubbish |
|
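Added example (not part of any post in this thread): one way to do the "compare a normal ROM with a modified one" check discussed above, by parsing a PCI expansion ROM image and comparing its SHA-256 with a known-good baseline. It assumes the dump was read out separately (ideally with an external programmer, since a modified flash can misreport itself to the running OS) and that the baseline comes from the vendor's image; the sample image, its IDs and all function names are constructed for illustration.

```python
import hashlib
import struct

def build_sample_rom(payload: bytes, blocks: int = 2) -> bytes:
    """Constructed minimal x86 option ROM with placeholder IDs (not a real dump)."""
    img = bytearray(blocks * 512)
    img[0:3] = b"\x55\xaa" + bytes([blocks])  # signature, legacy size in 512-byte units
    struct.pack_into("<H", img, 0x18, 0x1C)   # pointer to the PCI Data Structure
    pcir = struct.pack("<4sHHHHB3sHHBB", b"PCIR", 0x1234, 0x5678, 0, 0x18,
                       0, b"\x00\x00\x03", blocks, 1, 0, 0x80)
    img[0x1C:0x1C + len(pcir)] = pcir
    img[0x40:0x40 + len(payload)] = payload
    img[-1] = -sum(img[:-1]) & 0xFF           # all bytes must sum to 0 mod 256
    return bytes(img)

def inspect_rom(img: bytes) -> dict:
    """Check the structure of one expansion ROM image and fingerprint it."""
    if len(img) < 0x1A or img[0:2] != b"\x55\xaa":
        raise ValueError("missing 55 AA expansion ROM signature")
    (pcir_off,) = struct.unpack_from("<H", img, 0x18)
    if pcir_off + 0x16 > len(img) or img[pcir_off:pcir_off + 4] != b"PCIR":
        raise ValueError("PCI Data Structure not found")
    vendor, device = struct.unpack_from("<HH", img, pcir_off + 4)
    (blocks,) = struct.unpack_from("<H", img, pcir_off + 0x10)
    size = blocks * 512
    if size == 0 or size > len(img):
        raise ValueError("image length field does not fit the dump")
    body = img[:size]
    return {
        "vendor": vendor, "device": device, "code_type": img[pcir_off + 0x14],
        "checksum_ok": sum(body) & 0xFF == 0,
        "sha256": hashlib.sha256(body).hexdigest(),
    }

def matches_baseline(img: bytes, baseline_sha256: str) -> bool:
    """True only if the dump is byte-identical to the known-good image."""
    return inspect_rom(img)["sha256"] == baseline_sha256

def modified_copy(img: bytes, offset: int, value: int) -> bytes:
    """Constructed test case: one byte changed, checksum byte recomputed."""
    mod = bytearray(img)
    mod[offset], mod[-1] = value, 0
    mod[-1] = -sum(mod) & 0xFF
    return bytes(mod)

if __name__ == "__main__":
    good = build_sample_rom(b"constructed payload")
    bad = modified_copy(good, 0x41, 0x90)
    print(inspect_rom(bad)["checksum_ok"], matches_baseline(bad, inspect_rom(good)["sha256"]))
```

The modified copy still passes the ROM's own 8-bit checksum, which is why the comparison has to be a cryptographic hash against an image obtained from a trusted source.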
salzanExperienced Optimist Premium Member join:2004-01-08 WA State |
to PetePuma
said by PetePuma:
ALL motherboards today are flashable. There's a limited number of flash chips in use by most manufacturers. It's quite in the realm of possibility, even if you just target one manufacturer and model.
How can you detect a modified flash? The flash itself is modified and can tell the OS anything it wants. The OS is *oblivious* to any change made before it boots.

You would have to target one manufacturer/model unless you were able to scan the system and download the appropriate flash for whatever was detected. But at that point, you would already own the computer anyway. The only advantage I can see is that it would be difficult to remove. But can a ROM chip hold enough info to both run the computer and transmit re-infection data back to a clean system or a fresh OS install? Even if you could reflash the BIOS, the CMOS settings would be lost in the process. The computer would wake up with fail safe defaults in another year at another time. Assuming it didn't just stop at the BIOS setup screen. Admittedly, there are users who wouldn't notice anything but lots of people would notice that something was wrong... I'm not saying it's not possible, I just don't think it's practical. |
|