  zmaugy
join:2003-05-24 Slovenia | A super trojan?
Have you heard about this:
»forums.spywareinfo.com/index.php···056&st=0
It seems scary... -- French fries. |
|
  Martinus Premium join:2001-08-06 EU
| Hmmm. There are some things in the posts that don't add up:
quote: ...hidden modules that are embedded into your systems ramdisk (BIOS)...
BIOS is one thing and a RAM disk is another thing. Don't know if the guy is talking about CMOS though.
quote: Since i used a new board + memory + hard drive and it lived...

-- La venganza de los toros en San Fermin. |
|
  mboy Premium join:2001-04-13 Little Falls, NJ
| reply to zmaugy Sounds like nonsense to me. Now the guy says it infected his CPU? Ridiculous. Even infecting the CMOS sounds pretty outta whack these days. Most use some type of checksum to validate the file. Besides, how much code can be written into 256KB that is almost ALL used up for hardware instructions? |
|
  zmaugy
join:2003-05-24 Slovenia
| reply to Martinus I'm no computer expert, but the thing is that my computer is also calling that IP 239.255.255.250:1900. I've formatted the HD, checked the system with NAV2004, KAV4.5, TDS3, Spybot, Ad-Aware... and there is nothing suspicious. At that time I thought I was perhaps paranoid; after this "news" I'm not so sure anymore... One thing I have noticed just today: in the ZAPro Alerts and Logs, Winword.exe tried to connect, and there is nothing written under Action taken. Weird! -- French fries. |
|
  zmaugy
join:2003-05-24 Slovenia | reply to mboy I hope you're right. -- French fries. |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
| reply to Martinus quote: It has the full package, a real trojan's trojan including: a Keylogger, a virus that attacks .exe, .com, and .vbs files, the hidden server, the ability to create ISO files (using exe2bin.exe), and the topper is a hidden "read only" file system containing a boot image and hidden modules that are embedded into your systems ramdisk (BIOS), and infects Windows on every re-install also any hard drive that is connected to the mainboard (before or after infection).
Ok, first things first... exe2bin.exe doesn't create ISOs; it's an old DOS utility for making .com files out of .exe files. The "ramdisk" BIOS is a misnomer, and the CMOS is too small to contain any useful executable code. Almost anything that overwrites a flash BIOS would render the machine unbootable, unless they created trojan code that is customized for every motherboard/BIOS combination out there (a daunting task to say the least). Even if it could be done, I doubt there'd be enough free space in the BIOS EEPROM to embed a boot image and "ISOs", as they so elegantly put it.
I think it's either a hoax, or someone who did get a trojan and is blowing the details way out of proportion. For example, if he reformatted and got infected again, perhaps it came in through a vulnerable service (hint: use a firewall). -- Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend. |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
| reply to zmaugy zmaugy, »Security »I think my computer is infected or hijacked. What should I do?
How did you determine that your system is calling that IP? Zone Alarm? Netstat? I suggest following the steps above and posting a HijackThis log. -- Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend. |
|
  zmaugy
join:2003-05-24 Slovenia
1 edit | Zone Alarm. And my IE is not hijacked and the system is always patched, AV (NAV2004) is always updated, from time to time the system is checked with KAV 4.5 on demand, the system is Spybot 1.3 immunized and checked, running from behind a router with stateful packet inspection, and ZAPro is also installed and running - every application has to ask to connect (except IE6, OE6, NAV2004, ZAPro). The only pages I'm surfing with the machine are my ISP's webmail; nothing other than business software is running. How the hell could I be infected? And my ISP checks email for viruses... -- French fries. |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
| Did Zone Alarm say what application was hitting that IP?
As mentioned here: »www.geocities.com/technofundo/te···fip.html
quote: Class D - This is a class meant for multicasting only, for sending multicast messages to other groups of host machines.
First Octet - - The first octet is between 224 to 239. (Starts with binary bits - 1110).
The class D is a special purpose reserved class, and addresses in this range are not assigned as IP addresses on an IP network, including Internet.
In other words, 239.255.255.250 isn't even a routable address on the Internet. -- Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend. |
|
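The classful rule quoted above (first octet 224 to 239 = Class D, multicast) is the quickest way to tell whether a logged destination can even be a host on the Internet. The following is an added example, not code from the thread or from ZoneAlarm: it applies that first-octet rule to firewall-log destinations, cross-checks it against Python's ipaddress module, and separates multicast and private-range destinations from unicast Internet ones that merit a closer look. The log lines and their "application,destination,protocol" layout are constructed for illustration and are not ZoneAlarm's real log format; 203.0.113.0/24 is the TEST-NET-3 documentation range.

```python
from __future__ import annotations
import ipaddress

# Constructed sample records (simplified layout, not ZoneAlarm's own format).
SAMPLE_LOG = [
    "svchost.exe,239.255.255.250:1900,UDP",  # the destination discussed in this thread
    "winword.exe,203.0.113.5:80,TCP",        # 203.0.113.0/24 is TEST-NET-3 (documentation)
    "spoolsv.exe,192.168.1.20:139,TCP",      # RFC 1918 private address
]

# Ranges that are local to the machine or LAN rather than Internet hosts.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8",                                   # loopback
    "169.254.0.0/16",                                # link-local (APIPA)
)]


def ipv4_class(addr: str) -> str:
    """Classful designation from the first octet, exactly the rule quoted above."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"   # 224..239: multicast, never assigned to a host
    return "E"       # 240..255: reserved


def parse_record(line: str) -> tuple[str, str, int, str]:
    """Split 'app,host:port,proto' into its fields."""
    app, dest, proto = line.split(",")
    host, _, port = dest.rpartition(":")
    return app, host, int(port), proto


def triage(line: str) -> dict:
    """Classify one record: multicast, local, or a unicast Internet destination."""
    app, host, port, proto = parse_record(line)
    ip = ipaddress.IPv4Address(host)
    cls = ipv4_class(host)
    # The stdlib agrees with the first-octet rule: 224.0.0.0/4 is multicast.
    assert (cls == "D") == ip.is_multicast
    if cls == "D":
        verdict = "multicast"
        # 239.0.0.0/8 is the administratively scoped multicast block (RFC 2365);
        # 239.255.255.250 with UDP 1900 is the SSDP/UPnP discovery group
        # (1900 is the IANA-registered ssdp port).
        note = "SSDP/UPnP discovery group" if (host, port) == ("239.255.255.250", 1900) else "multicast group"
    elif any(ip in net for net in LOCAL_NETS):
        verdict, note = "local", "private or link-local range"
    else:
        verdict, note = "internet", "unicast Internet host; identify the process"
    return {"app": app, "host": host, "port": port, "proto": proto,
            "class": cls, "multicast": ip.is_multicast,
            "verdict": verdict, "note": note}


def needs_attention(lines: list[str]) -> list[str]:
    """Applications that talked to a real (unicast) Internet destination."""
    return [r["app"] for r in map(triage, lines) if r["verdict"] == "internet"]


if __name__ == "__main__":
    for rec in map(triage, SAMPLE_LOG):
        print(f'{rec["app"]:12} {rec["host"]}:{rec["port"]:<5} class {rec["class"]}  {rec["verdict"]:9} {rec["note"]}')
    print("look into:", needs_attention(SAMPLE_LOG))
```

Run against the sample, the svchost.exe entry is reported as multicast (and names the discovery group it belongs to), the spooler entry as local, and only the Winword.exe entry is left as something to look into.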
  novaflare The Dragon Was Here Premium join:2002-01-24 Barberton, OH
| reply to mboy said by mboy : Sounds like nonsense to me. Now the guy says it infected his CPU? Ridiculous. Even infecting the CMOS sounds pretty outta whack these days. Most use some type of checksum to validate the file. Besides, how much code can be written into 256KB that is almost ALL used up for hardware instructions?
BIOS infection: possible. CPU infection: not possible. RAM infection: not possible. Hard drive motherboard: possible (the hard drive motherboard is the board on the HD; it has some BIOS chips, a.k.a. S.M.A.R.T.). Video card: possible that it overwrote part of his video BIOS. Keyboard BIOS chip on keyboards with programmable function keys: very possible; I have an example here at my house with an unknown, unnamed virus. I cannot scan the keyboard and dare not allow it to infect my computer to scan the computer. I'm going to post and ask him if he has a keyboard with programmable keys and also alert him that it could be storing itself in his video card. -- new 3d chat community at »planetvirtuel.com my site »spellbound.valshea.com/news.php |
|
pcdebb RIP dadkins Premium join:2000-12-03 Tampa, FL clubs:  | reply to zmaugy I don't see how a motherboard can become "trojanized". |
|
  Martinus Premium join:2001-08-06 EU
1 edit | reply to novaflare said by novaflare : video card possible that it over wrote part of his video bios.
But in that case the card BIOS would be screwed and the card wouldn't function correctly, I guess. -- La venganza de los toros en San Fermin. |
|
  zmaugy
join:2003-05-24 Slovenia
| reply to kpatz said by kpatz : Did Zone Alarm say what application was hitting that IP?
Generic host process for win32 services. And it's logged only when automatic lock on ZA is turned on. -- French fries. |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
| said by zmaugy : Generic host process for win32 services. And it's logged only when automatic lock on ZA is turned on.
Bingo... when ZA is locked, it blocks all traffic. Windows uses TCP/IP internally for certain interprocess communication (this traffic never goes out over the network), but Zone Alarm sees it, and blocks it when it's locked. Windows is likely using the 239. IP range for this purpose.
I've seen instances where, when I was having network issues and didn't have a valid IP, certain Windows services would cause Zone Alarm prompts (the Spooler Subsystem is prone to doing this). I'm at work now so I can't see what IP it was trying to use, but I wouldn't be surprised if it was a 239.* IP. -- Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend. |
|
  pcdebb RIP dadkins Premium join:2000-12-03 Tampa, FL clubs: 
| reply to zmaugy said by zmaugy : I'm no computer expert, but the thing is that also my computer is calling that IP 239.255.255.250:1900.
Being that that's a broadcast, I wonder what's really going on with that.... |
|
  zmaugy
join:2003-05-24 Slovenia | reply to kpatz Thanks, I know my question was off topic :), anyway I'm going to go step by step through the procedure just in case. -- French fries. |
|
  novaflare The Dragon Was Here Premium join:2002-01-24 Barberton, OH
| reply to Martinus said by Martinus : said by novaflare : video card possible that it over wrote part of his video bios.
But in that case the card bios would be screwed and the card wouldn't function correctly I guess
Actually not true. I've seen at least one case personally where the video card BIOS was infected with a virus; yes, it caused more video-related errors in Windows error and event reporting. But hell, I was playing (losing badly) CS on it with a good frame rate and no noticeable errors. For a virus or trojan to cause problems it would need to overwrite an important area of the card's BIOS. I've seen BIOS hacks that let you put your name in a video card's BIOS so that it comes up on the splash screen during the card's own POST. Say some image and some text, total size 10k, and there's still room left for more. A virus can be as small as 4 to 7k or smaller. A typical BIOS chip is 256k or larger and the BIOS code itself may only use 190k of that. There's plenty of wiggle room, or can be, on a BIOS chip. Some BIOSes now have filler in the BIOS code that does nothing but take up the rest of the space. -- new 3d chat community at »planetvirtuel.com my site »spellbound.valshea.com/news.php |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
| Do video cards have flash BIOSes? I always thought whatever firmware they ran was loaded by the video driver when Windows boots up. At least I've never heard of flashing a video card, but I suppose some cards do have this.
Even if someone coded a virus and stored it in the filler space of a flash BIOS, it would still have to be hooked into the executable portion of the BIOS in order for the virus to execute. Otherwise, it is just a bunch of bits that never gets executed. Hooking into the executable portion would have to be customized for every BIOS version. -- Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend. |
|
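Two points in the posts above are worth making concrete: mboy's "most use some type of checksum to validate the file", and novaflare's and kpatz's exchange about filler space in a BIOS image. x86 option ROMs (a video BIOS is one) start with the bytes 55 AA, carry their length in 512-byte units in the third byte, and must sum to zero mod 256, so the flashing tool (and the system BIOS at POST) can reject a corrupt image. The following is an added example, not code from the thread or from any real BIOS: it builds a constructed option ROM image with that layout, finds the filler runs where unused bytes could be stashed, and shows that the checksum catches a blind write into the filler but not one by an attacker who simply recomputes the trailing checksum byte. The "code" bytes and the payload are placeholders, not real firmware or malware.

```python
from __future__ import annotations

SIG = b"\x55\xAA"   # option ROM signature
BLOCK = 512         # length field counts 512-byte units

# Placeholder "code": a two-byte jump-to-self followed by NOPs. Not real firmware.
CODE = b"\xEB\xFE" + b"\x90" * 200


def _fix_checksum(img: bytearray) -> None:
    """Set the last byte so that all bytes of the image sum to 0 mod 256."""
    img[-1] = 0
    img[-1] = (-sum(img)) & 0xFF


def build_rom(code: bytes, blocks: int, filler: int = 0xFF) -> bytes:
    """Lay out header + code, pad with filler, and append the checksum byte."""
    size = blocks * BLOCK
    body = SIG + bytes([blocks]) + code
    if len(body) > size - 1:
        raise ValueError("code does not fit in the ROM")
    img = bytearray(body + bytes([filler]) * (size - len(body)))
    _fix_checksum(img)
    return bytes(img)


def checksum_ok(image: bytes) -> bool:
    """Signature present, declared length available, and bytes sum to zero."""
    if image[:2] != SIG:
        return False
    declared = image[2] * BLOCK
    if declared == 0 or declared > len(image):
        return False
    return sum(image[:declared]) & 0xFF == 0


def slack_runs(image: bytes, filler: int = 0xFF, min_len: int = 64) -> list[tuple[int, int]]:
    """(start, end) offsets of filler runs long enough to hide a payload in."""
    runs, start = [], None
    for i, b in enumerate(image):
        if b == filler:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i))
            start = None
    if start is not None and len(image) - start >= min_len:
        runs.append((start, len(image)))
    return runs


def stash(image: bytes, offset: int, payload: bytes, fix_checksum: bool) -> bytes:
    """Write payload into the image; optionally repair the checksum byte
    the way anyone who can write the flash in the first place would."""
    img = bytearray(image)
    img[offset:offset + len(payload)] = payload
    if fix_checksum:
        _fix_checksum(img)
    return bytes(img)


ROM = build_rom(CODE, blocks=4)                  # 2 KiB constructed image
FIRST_SLACK = slack_runs(ROM)[0][0]              # first byte after the code
PAYLOAD = b"PAYLOAD-PLACEHOLDER" * 2             # placeholder, not executable
TAMPERED = stash(ROM, FIRST_SLACK, PAYLOAD, fix_checksum=False)
REPAIRED = stash(ROM, FIRST_SLACK, PAYLOAD, fix_checksum=True)


def demo() -> tuple[bool, bool, bool]:
    """Checksum verdicts for the clean, blindly tampered, and repaired images."""
    return checksum_ok(ROM), checksum_ok(TAMPERED), checksum_ok(REPAIRED)


if __name__ == "__main__":
    print("slack runs (start, end):", slack_runs(ROM))
    print("clean / tampered / repaired checksum ok:", demo())
```

The bytes written into the filler are still inert data, as kpatz says: nothing jumps to them unless the code region is also patched to do so. What the example shows is that the checksum byte is an integrity check against corruption, not against an attacker, because the same write access that put the payload there can recompute it.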
  novaflare The Dragon Was Here Premium join:2002-01-24 Barberton, OH
| said by kpatz : Do video cards have flash BIOSes? I always thought whatever firmware they ran was loaded by the video driver when Windows boots up. At least I've never heard of flashing a video card, but I suppose some cards do have this.
Even if someone coded a virus and stored it in the filler space of a flash BIOS, it would still have to be hooked into the executable portion of the BIOS, in order for the virus to execute. Otherwise, it is just a bunch of bits that never gets executed. Hooking into the executable portion, would have to be customized for every BIOS version.
Yup, but it does happen. And you'd be surprised at what you can flash the BIOS on: video cards, sound cards, CD burners, hard drives, DVD-ROMs and even players you hook up to your TV. I've personally seen a virus-infected keyboard, as I said. And I used it to infect, at the manager's request, some really old cash registers so she could get new ones. These things were constantly crashing and she wanted them gone, but the franchise owner wouldn't replace them until they were totally dead. So I made sure they were dead: hooked the keyboard up to the computer that controlled them, hit F13 and watched the registers crash. It is entirely possible for this all to happen; it's rare as hell, and if it in fact happened it is likely a virus/trojan that someone deliberately targeted him with, probably a totally custom, one-of-a-kind deal. A few months ago we found out who infected the guy's keyboard and why. Some punk kid that used to mow his lawn and do some basic stuff around the house, minor repairs and some computer work for the guy, was caught ripping the guy off; he fired him and pressed charges, and the kid got 3 months in DH for it and restitution. Well, before he could confront the kid and before he called the cops, the kid got wise that he was caught and infected the keyboard with this nasty. He never named it and it was never in the wild. Thankfully viruses like these are generally so destructive and fast-acting that they can't get out in the wild; they make the system they infect crash and become unbootable almost immediately after infection/execution.
I still doubt this is the case with this super trojan. My bet is he's installing software from a backup, or maybe using a pirated copy of XP Pro or another pirated OS, or maybe just an activation crack because he is annoyed by the Windows activation and doesn't want to send out all the personal info that was "sent with activation" according to all the XP anti-hype. -- new 3d chat community at »planetvirtuel.com my site »spellbound.valshea.com/news.php |
|
  theskulptor Premium join:2004-05-15 Minneapolis, MN
| reply to kpatz Here is an example of flashing a video card, and why one would do it. Though aside from potentially disrupting the operation of the video card, if someone added malicious code to the firmware of a video card, would it act on any other part of the PC?
'»www.hardforum.com/showthread.php?t=767726' |
|