Security → A super trojan?

Have you heard about this:

»forums.spywareinfo.com/i ··· 056&st=0

It seems scary...

Hmmm. There are some things in the posts that don't add up:

quote:

---

...hidden modules that are embedded into your systems ramdisk (BIOS)...

---

BIOS is one thing and a Ramdisk is another thing. Don't know if the guy is talking about CMOS though.

quote:

---

Since i used a new board + memory + hard drive and it lived...

---

Sounds like nonsense to me. Now the guy says it infected his CPU? Rediculous.
Even infecting the CMOS sounds pretty outta whack these days. Most use some type of checksum to validate the file.
Besides, how much code can be written to 256KB that is almost ALL used up for hardware instructions.

I'm no computer expert, but the thing is that also my computer is calling that IP 239.255.255.250:1900.
I've formatted the HD, checked the system with NAV2004, KAV4.5, TDS3, Spybot, Adavare... and there is nothing suspicious. At that time I thought I'm perhaps paranoid, after this "news" I'm not so sure anymore...
One thing I have noticed just today: on ZAPro Alerts and logs Winword.exe tried to connect, and there is nothing written as Action taken. Weird!

I hope you're right.

quote:

---

It has the full package, a real trojan's trojan including: a Keylogger, a virus that attacks .exe, .com, and .vbs files, the hidden server, the ability to create ISO files (using exe2bin.exe), and the topper is a hidden "read only" file system containing a boot image and hidden modules that are embedded into your systems ramdisk (BIOS), and infects Windows on every re-install also any hard drive that is connected to the mainboard (before or after infection).

---

Ok, first things first... exe2bin.exe doesn't create ISOs, it's an old DOS utility for making .com files out of .exe files. The "ramdisk" BIOS is a misnomer, and the CMOS is too small to contain any useful executable code. Most anything that overwrites a flash BIOS would render the machine unbootable, unless they created trojan code that is customized for every motherboard/BIOS combination out there (a daunting task to say the least). Even if it could be done, I doubt there'd be enough free space in the BIOS EEPROM to embed a boot image and "ISOs" as they so elegantly put it.

I think it's either a hoax, or someone who did get a trojan and is blowing the details way out of proportion. For example, if he reformatted and got infected again, perhaps it came in through a vulnerable service (hint, use a firewall).

zmaugy , »Security »I think my computer is infected or hijacked. What should I do?

How did you determine that your system is calling that IP? Zone Alarm? Netstat? I suggest following the steps above and post a Hijack This log.

Zone alarm. And my IE is not hijacked and the system is always patched, AV (NAV2004) is always updated, from time to time the system is checked with KAV 4.5 on demand, system is Spybot1.3 immunized and checked, running from behind a router with stateful packet inspection, also ZaPRO is installed and running - every application has to ask to connect (except IE6, OE6, NAV2004, ZaPRO). The only pages I'm surfing with the machine is my ISP's webmail, no other than business software is running.
How the hell could I be infected? And my ISP checks email for viruses...

Did Zone Alarm say what application was hitting that IP?

As mentioned here: »www.geocities.com/techno ··· fip.html

quote:

---

Class D - This is a class meant for multicasting only, for sending multicast messages to other groups of host machines.

First Octet - - The first octet is between 224 to 239. (Starts with binary bits - 1110).

The class D is a special purpose reserved class, and addresses in this range are not assigned as IP addresses on an IP network, including Internet.

---

In other words, 239.255.255.250 isn't even a routable address on the Internet.

said by mboy:

---

Sounds like nonsense to me. Now the guy says it infected his CPU? Rediculous.
Even infecting the CMOS sounds pretty outta whack these days. Most use some type of checksum to validate the file.
Besides, how much code can be written to 256KB that is almost ALL used up for hardware instructions.

---

bios infection possible
cpu infection not possible
ram infection not possible
hard drive mother board possible (hard drive mother board is the board on the hd it has some bios chips aka s.m.a.r.t)
video card possible that it over wrote part of his video bios.
keyboard bios chip on keyboards with programable funtion keys very possible i have a example here at my house with a unknown unnamed virus i can not scan the keyboard and dare not allow it to infect my computer to scan the computer.
Im going to post and ask him if he has a key board with programable keys and also alert him that it could be storeing it self in his vid card.

i dont see how a motherboard can become "trojanized"

said by Nanaki:

---

video card possible that it over wrote part of his video bios.

---

But in that case the card bios would be screwed and the card wouldn't function correctly I guess

said by kpatz:

---

Did Zone Alarm say what application was hitting that IP?

---

Generic host process for win32 services. And it's logged only when automatic lock on ZA is turned on.

said by zmaugy:

---

Generic host process for win32 services. And it's logged only when automatic lock on ZA is turned on.

---

Bingo... when ZA is locked, it blocks all traffic. Windows uses TCP/IP internally for certain interprocess communication (this traffic never goes out over the network), but Zone Alarm sees it, and blocks it when it's locked. Windows is likely using the 239. IP range for this purpose.

I've seen instances, where when I was having network issues, and didn't have a valid IP, that certain Windows services would cause Zone Alarm prompts (the Spooler Subsystem is prone to doing this). I'm at work now so I can't see what IP it was trying to use though, but I wouldn't be surprised if it was a 239.* IP.

said by zmaugy:

---

I'm no computer expert, but the thing is that also my computer is calling that IP 239.255.255.250:1900.

---

being that's a broadcast i wonder what really is going on with that....

Thanks, I know my question was off topic:), anyway I'm going to go step by step through the procedure just in case.

said by Martinus:

---

said by Nanaki:

---

video card possible that it over wrote part of his video bios.

---

But in that case the card bios would be screwed and the card wouldn't function correctly I guess

---

Accualy not true. Ive seen at least one case personaly where the video card bios was infected with a virus yes it caused more video related errors in windows error and even reporting. But hell i was playing (looseing badly) cs on it with good frame rate and no noticable errors.
For a viri or trojan to cause problems it would need to over right a important area on the cards bios. Ive seen bios hacks that let you put your name in a video cards bios so that it comes up on the splash screen dureing the cards own post test. Say some image and some text total size 10k and theres still room left for more. A virus can be as small as 4 to 7 k or smaller. A typical bios chip is 256k or larger and the bios code it self may only use 190k of that. Theres plenty of wiggle room or can be on a bios chip. Some bioses now have filler in the bios code that does nothign but take up the rest of the space.

Do video cards have flash BIOSes? I always thought whatever firmware they ran was loaded by the video driver when Windows boots up. At least I've never heard of flashing a video card, but I suppose some cards do have this.

Even if someone coded a virus and stored it in the filler space of a flash BIOS, it would still have to be hooked into the executable portion of the BIOS, in order for the virus to execute. Otherwise, it is just a bunch of bits that never gets executed. Hooking into the executable portion, would have to be customized for every BIOS version.

said by kpatz:

---

Do video cards have flash BIOSes? I always thought whatever firmware they ran was loaded by the video driver when Windows boots up. At least I've never heard of flashing a video card, but I suppose some cards do have this.

Even if someone coded a virus and stored it in the filler space of a flash BIOS, it would still have to be hooked into the executable portion of the BIOS, in order for the virus to execute. Otherwise, it is just a bunch of bits that never gets executed. Hooking into the executable portion, would have to be customized for every BIOS version.

---

yup but it does happen. And youd be suprised at what you can flash the bios on vid cards sound card cd burners harddrive dvd roms and even players you hook up to your tv. Ive personaly seen a viri infected keyboard as i said. And i used it to infect at the managers request some realy old cash registers so she could get new ones. These things were constantly crashing and she wanted them gone but the franchise owner wouldnt replace them untill they were totaly dead. So i made sure they were dead hooked keyboard up to the computer that controlled them and hit f13 and watched the registers crash.
It is entirely possible for this all to happen its rare as hell and if it infact happened it is likly a viri/trojan that some oen delib targeted him with prob totaly custom one of a kind deal. Few months ago we found out who infected the guys keyboard and why. Some punk kid that use to mow his lawn and do some basic stuff around the house minor repairs and some computer work for the guy was caught ripping the guy off he fired him and pressed charges kid got 3 months in dh for it and restitution . well before he could confront the kid and before he called the cops the kid got wise that he was caught and infected the keyboard with this nasty.
He never named it And it was never in the wild.
Thankfully viri like these are so generaly so destrutive and fast acting they cant get out in the wild they make the system they infect crash and become unbootable almost imediatly after infection/execution.

I still doubt this is the case with this supper trojan My bet is hes installign software from a back up or maybe useign a pirated copy of xp pro or other pirated os or maybe just a activation crack cause he is anoyed by the windows activation and doesnt want to send out all the personal info that was "sent with activation" accordign to all the xp anti hype.

Here is an example of a flashing a vid card, and why one would do it. Though aside from potentially disrupting the operations of the vid card, if someone added malicious code to the firmware of a video card would it act on any other part of the pc?

'http://www.hardforum.com/showthread.php?t=767726'

quote:

---

Do video cards have flash BIOSes? I always thought whatever firmware they ran was loaded by the video driver when Windows boots up. At least I've never heard of flashing a video card, but I suppose some cards do have this.

---

Another reason would be to flash a PC video card with the correct ROM needed for it to work in a Mac. I did this a few years ago on an ATi card.

said by x539:

---

quote:

---

Do video cards have flash BIOSes? I always thought whatever firmware they ran was loaded by the video driver when Windows boots up. At least I've never heard of flashing a video card, but I suppose some cards do have this.

---

Another reason would be to flash a PC video card with the correct ROM needed for it to work in a Mac. I did this a few years ago on an ATi card.

---

I remember seeing that posted i understand theres not alot of diff between the bios on the cards. Was right after macs started useing pin compatible agp cards.

quote:

---

I remember seeing that posted i understand theres not alot of diff between the bios on the cards. Was right after macs started useing pin compatible agp cards.

---

If you mean the difference between the BIOS on a Mac card and on a PC card, it's a difference between working and not working ;-P. Basically the Mac ROMs contain the necessary low-level drivers for Open Firmware to recognize the card.

If you mean the difference between the BIOS on one Mac card and another similar card by the same manufacturer, that's the whole point of the exercise. Basically at the time that this was more common there was not a lot of choice in the Mac video card market. Not very many cards were available in a Mac version, and most of them were significantly more expensive than their PC counterparts. Apple supported and shipped certain cards in their machines. The ROMs included on those cards could be extracted and flashed onto the same or similar PC versions of the cards, giving the person who wanted to upgrade their Mac more choice and cheaper options (albeit at a greater risk). I don't know whether people still do this or not. There are more cards available in Mac versions these days, so I've seen no compelling reason to do so myself since then.

This whole topic makes me feel like I need to put my aluminium foil hat on...

Yes, its true viruses can be basicly anywhere... But if someone can create a virus that reflashes most popular BIOS/video card/HDD memory and then starts infecting the rest of the computer, we are in trouble. Seriously, we are in biiiig trouble.

The virus could also create "payload" to the hdd in the last sectors of the hdd, and then call upon it when booted/started up. This way, even formatting the whole hdd would not make any difference, since the payload is still in the hdd at specific sector of it. The only way to cure this kind of infection would be, to same time, flash all the flashable components on the computer and then overwrite the hdd with tool like DBAN. Ofcourse, currently, there arent any tools for that.

Concider the doomsday scenario too. Concider, that this kind of virus would start infecting other computers. Then, on one particular time or when some particular piece of code would be read by it (just simple word or graphic in case of infected graphic card), it would activate. Upon activating, it would overwrite all the bios it can find and file allocation tables of the hdd. Basicly speaking, you would have to dump your computer with your garbage. Now, if millions of people would have to do that...

said by jansson_mark:

---

This whole topic makes me feel like I need to put my aluminium foil hat on...

Yes, its true viruses can be basicly anywhere... But if someone can create a virus that reflashes most popular BIOS/video card/HDD memory and then starts infecting the rest of the computer, we are in trouble. Seriously, we are in biiiig trouble.

The virus could also create "payload" to the hdd in the last sectors of the hdd, and then call upon it when booted/started up. This way, even formatting the whole hdd would not make any difference, since the payload is still in the hdd at specific sector of it. The only way to cure this kind of infection would be, to same time, flash all the flashable components on the computer and then overwrite the hdd with tool like DBAN. Ofcourse, currently, there arent any tools for that.

Concider the doomsday scenario too. Concider, that this kind of virus would start infecting other computers. Then, on one particular time or when some particular piece of code would be read by it (just simple word or graphic in case of infected graphic card), it would activate. Upon activating, it would overwrite all the bios it can find and file allocation tables of the hdd. Basicly speaking, you would have to dump your computer with your garbage. Now, if millions of people would have to do that...

---

memory is not infectable nor is cpu. Only hard ware with a bios. Some hds and cd/dvd roms all mother boards alot of video cards and older programable keyboards. I forgot about printers. Ive not yet seen a router be infected but if some one does make one that does then were are truely screwed. Isp router gets infected viri goes out with arp trafic and infects any pc not blocking arp. far fetched sure but possible.

You can format a disk to your heart's content and a boot-sector bug will still come up.

I don't buy it.

said by zmaugy:

---

I'm no computer expert, but the thing is that also my computer is calling that IP 239.255.255.250:1900

---

Not weird at all, 239.255.255.250 is uPNP and is normal, unless you turn it off and turn off the SSDP discovery service and that still might not stop it if the Windows Messenger service is using the SSDP discovery process.

»support.microsoft.com/de ··· ;q317843
»grc.com/unpnp/unpnp.htm
»www.updatexp.com/upnp_se ··· ity.html
»www.winguides.com/regist ··· hp/1235/

said by kpatz:

---

The "ramdisk" BIOS is a misnomer, and the CMOS is too small to contain any useful executable code. Most anything that overwrites a flash BIOS would render the machine unbootable, unless they created trojan code that is customized for every motherboard/BIOS combination out there (a daunting task to say the least). Even if it could be done, I doubt there'd be enough free space in the BIOS EEPROM to embed a boot image and "ISOs" as they so elegantly put it.

I think it's either a hoax, or someone who did get a trojan and is blowing the details way out of proportion. For example, if he reformatted and got infected again, perhaps it came in through a vulnerable service (hint, use a firewall).

---

Makes sense to me.

said by Nanaki:

---

memory is not infectable nor is cpu. Only hard ware with a bios. Some hds and cd/dvd roms all mother boards alot of video cards and older programable keyboards. I forgot about printers. Ive not yet seen a router be infected but if some one does make one that does then were are truely screwed. Isp router gets infected viri goes out with arp trafic and infects any pc not blocking arp. far fetched sure but possible.

---

Memory is only infectable while the PC is on. For the virus to persist across a power-cycle it has to reside somewhere non-volatile, either on a disk, or in flash memory somewhere.

The other criteria for a virus to survive is that it has to be executed somehow. The doomsday "ARP traffic virus" or "printer virus" scenario would require the ability for ARP traffic (or the printer) to carry executable code that is then executed by the targeted system. Normally this won't happen, unless there is a vulnerability (buffer overflow perhaps) in the target system that allows this to happen. Even if I reflashed the firmware on my DVD-ROM (for example) with a virus, unless something reads that firmware back into the PC and executes it, the virus won't spread beyond the DVD-ROM drive.

Also, if malware code hides in the last (or any) sectors of the HDD, something still has to read that code into memory, and then execute it. To do so would require either a BIOS reflash or a modification of the MBR, boot record or other executable code within the OS.

MBR and boot viruses can survive formats, if the format doesn't wipe or rebuild the MBR or boot record. A utility like Delpart, or FDISK /MBR, followed by a format should eliminate any boot virus, provided it isn't resident in memory at the time of the format.

239.255.255.250 port 1900 is the Simple Service Discovery Protocol (SSDP) using multicast to locate a gateway. Perfectly normal, nothing to worry about.

said by kpatz:

---

said by Nanaki:

---

memory is not infectable nor is cpu. Only hard ware with a bios. Some hds and cd/dvd roms all mother boards alot of video cards and older programable keyboards. I forgot about printers. Ive not yet seen a router be infected but if some one does make one that does then were are truely screwed. Isp router gets infected viri goes out with arp trafic and infects any pc not blocking arp. far fetched sure but possible.

---

Memory is only infectable while the PC is on. For the virus to persist across a power-cycle it has to reside somewhere non-volatile, either on a disk, or in flash memory somewhere.

The other criteria for a virus to survive is that it has to be executed somehow. The doomsday "ARP traffic virus" or "printer virus" scenario would require the ability for ARP traffic (or the printer) to carry executable code that is then executed by the targeted system. Normally this won't happen, unless there is a vulnerability (buffer overflow perhaps) in the target system that allows this to happen. Even if I reflashed the firmware on my DVD-ROM (for example) with a virus, unless something reads that firmware back into the PC and executes it, the virus won't spread beyond the DVD-ROM drive.

Also, if malware code hides in the last (or any) sectors of the HDD, something still has to read that code into memory, and then execute it. To do so would require either a BIOS reflash or a modification of the MBR, boot record or other executable code within the OS.

MBR and boot viruses can survive formats, if the format doesn't wipe or rebuild the MBR or boot record. A utility like Delpart, or FDISK /MBR, followed by a format should eliminate any boot virus, provided it isn't resident in memory at the time of the format.

---

Well i can asure you its very possible at least with old style keyboards with programable fution keys. What your asumeing is the virus wants to execute on keypress or access all it wants to do is get some where it can be executed. I wish i still had that keyboard id get at the virus on it some how and figure out what makes it work. But my idiot brother decided he could get a quick buck out of it stole it and sold it to some one. Even though i had a big red do not touch this keyboard it is infected with a virus wrote across the top. Any how im not sure where it coppied it self to ut once you hit a f13 - f24 funtion key you was done next reboot or relog in to windows you was reinfected. My guess is it over wrote some on boot only exe something it could over write on win 95/98 that would start up temp dureing boot up at which time the virus spread and wiped out system files till it could no longer do so. By that time the computer was rendered unbootable and windows would die mid boot.