A super trojan?


SigmaSix

join:2002-03-12


1 edit
reply to zmaugy
Re: A super trojan?

This is like the past posts we have seen of a "super hacker" or "super virus"; I can't believe some of the stuff that is written.
--
In GOD I trust, everyone else bring data.


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

reply to kpatz
Re: Ouch

said by kpatz:
said by novaflare:
Memory is not infectable, nor is the CPU. Only hardware with a BIOS: some HDs and CD/DVD-ROMs, all motherboards, a lot of video cards and older programmable keyboards. I forgot about printers. I've not yet seen a router be infected, but if someone does make one that does, then we are truly screwed. ISP router gets infected, virus goes out with ARP traffic and infects any PC not blocking ARP. Far-fetched, sure, but possible.

Memory is only infectable while the PC is on. For the virus to persist across a power-cycle it has to reside somewhere non-volatile, either on a disk, or in flash memory somewhere.

The other criteria for a virus to survive is that it has to be executed somehow. The doomsday "ARP traffic virus" or "printer virus" scenario would require the ability for ARP traffic (or the printer) to carry executable code that is then executed by the targeted system. Normally this won't happen, unless there is a vulnerability (buffer overflow perhaps) in the target system that allows this to happen. Even if I reflashed the firmware on my DVD-ROM (for example) with a virus, unless something reads that firmware back into the PC and executes it, the virus won't spread beyond the DVD-ROM drive.

Also, if malware code hides in the last (or any) sectors of the HDD, something still has to read that code into memory, and then execute it. To do so would require either a BIOS reflash or a modification of the MBR, boot record or other executable code within the OS.

MBR and boot viruses can survive formats, if the format doesn't wipe or rebuild the MBR or boot record. A utility like Delpart, or FDISK /MBR, followed by a format should eliminate any boot virus, provided it isn't resident in memory at the time of the format.

Well, I can assure you it's very possible, at least with old-style keyboards with programmable function keys. What you're assuming is that the virus wants to execute on keypress or access; all it wants to do is get somewhere it can be executed. I wish I still had that keyboard; I'd get at the virus on it somehow and figure out what makes it work. But my idiot brother decided he could get a quick buck out of it, stole it and sold it to someone. Even though I had a big red "do not touch this keyboard, it is infected with a virus" written across the top. Anyhow, I'm not sure where it copied itself to, but once you hit an F13 - F24 function key you were done; next reboot or re-login to Windows you were reinfected. My guess is it overwrote some on-boot-only EXE, something it could overwrite on Win 95/98 that would start up temporarily during boot-up, at which time the virus spread and wiped out system files till it could no longer do so. By that time the computer was rendered unbootable and Windows would die mid-boot.
--
new 3D chat community at »planetvirtuel.com my site »spellbound.valshea.com/news.php


j823777

@bulldogdsl.com
reply to zmaugy
Re: A super trojan?

239.255.255.250 port 1900 is the Simple Service Discovery Protocol (SSDP) using multicast to locate a gateway. Perfectly normal, nothing to worry about.

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

reply to novaflare
Re: Ouch

said by novaflare:
Memory is not infectable, nor is the CPU. Only hardware with a BIOS: some HDs and CD/DVD-ROMs, all motherboards, a lot of video cards and older programmable keyboards. I forgot about printers. I've not yet seen a router be infected, but if someone does make one that does, then we are truly screwed. ISP router gets infected, virus goes out with ARP traffic and infects any PC not blocking ARP. Far-fetched, sure, but possible.

Memory is only infectable while the PC is on. For the virus to persist across a power-cycle it has to reside somewhere non-volatile, either on a disk, or in flash memory somewhere.

The other criteria for a virus to survive is that it has to be executed somehow. The doomsday "ARP traffic virus" or "printer virus" scenario would require the ability for ARP traffic (or the printer) to carry executable code that is then executed by the targeted system. Normally this won't happen, unless there is a vulnerability (buffer overflow perhaps) in the target system that allows this to happen. Even if I reflashed the firmware on my DVD-ROM (for example) with a virus, unless something reads that firmware back into the PC and executes it, the virus won't spread beyond the DVD-ROM drive.

Also, if malware code hides in the last (or any) sectors of the HDD, something still has to read that code into memory, and then execute it. To do so would require either a BIOS reflash or a modification of the MBR, boot record or other executable code within the OS.

MBR and boot viruses can survive formats, if the format doesn't wipe or rebuild the MBR or boot record. A utility like Delpart, or FDISK /MBR, followed by a format should eliminate any boot virus, provided it isn't resident in memory at the time of the format.
--
Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend.
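kpatz's point above is that a format of a partition leaves the MBR's boot code alone, so a boot-sector infection is only found (or ruled out) by looking at the first sector itself. The following is an added example, not code from any poster: it parses a 512-byte MBR image, validates the 0x55AA signature, decodes the partition table, and hashes the boot-code region for comparison against a known-good baseline. The sample MBR images and the baseline hash are constructed inline.

```python
"""Check a 512-byte MBR image: boot signature, partition table, boot-code hash against a baseline."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the boot code in the classic MBR layout
PART_TABLE_OFFSET = 446       # four 16-byte partition entries at bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ENTRY_FMT = "<B3xB3xII"       # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_partitions(mbr):
    """Decode the four partition entries; empty entries (type 0) are skipped."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr):
    """SHA-256 of the boot-code region only; formatting a partition leaves this region untouched."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr, known_good_hash=None):
    """Return findings for one MBR image; compare the boot code to a baseline hash when one is given."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector")
    findings = {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "partitions": parse_partitions(mbr),
        "boot_code_sha256": boot_code_hash(mbr),
    }
    if known_good_hash is not None:
        findings["boot_code_matches_baseline"] = findings["boot_code_sha256"] == known_good_hash
    return findings


def build_sample_mbr(boot_code):
    """Constructed sample MBR (not a real disk image): given boot code, one bootable partition, valid signature."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    # one bootable entry of type 0x07, starting at LBA 63 and 204800 sectors long (constructed values)
    struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET, 0x80, 0x07, 63, 204800)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed stand-ins for boot code: a "clean" baseline and a copy with a few bytes changed.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 432
TAMPERED_BOOT_CODE = CLEAN_BOOT_CODE[:100] + b"\xcc\xcc\xcc" + CLEAN_BOOT_CODE[103:]
BASELINE_HASH = boot_code_hash(build_sample_mbr(CLEAN_BOOT_CODE))

if __name__ == "__main__":
    for label, code in (("clean", CLEAN_BOOT_CODE), ("tampered", TAMPERED_BOOT_CODE)):
        print(label, check_mbr(build_sample_mbr(code), BASELINE_HASH))
```

On a real machine the 512 bytes would be read from the first sector of the disk and the baseline taken from a known-clean image of the same system; as kpatz notes, the comparison only means something when it is run from clean boot media rather than from a possibly infected running OS.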

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
Yonkers, NY

reply to zmaugy
Re: A super trojan?

said by zmaugy:
I'm no computer expert, but the thing is that also my computer is calling that IP 239.255.255.250:1900
Not weird at all. 239.255.255.250 is UPnP and is normal, unless you turn it off and turn off the SSDP discovery service, and that still might not stop it if the Windows Messenger service is using the SSDP discovery process.

»support.microsoft.com/default.as···;q317843
»grc.com/unpnp/unpnp.htm
»www.updatexp.com/upnp_security.html
»www.winguides.com/registry/display.php/1235/

said by kpatz:
The "ramdisk" BIOS is a misnomer, and the CMOS is too small to contain any useful executable code. Most anything that overwrites a flash BIOS would render the machine unbootable, unless they created trojan code that is customized for every motherboard/BIOS combination out there (a daunting task to say the least). Even if it could be done, I doubt there'd be enough free space in the BIOS EEPROM to embed a boot image and "ISOs" as they so elegantly put it.

I think it's either a hoax, or someone who did get a trojan and is blowing the details way out of proportion. For example, if he reformatted and got infected again, perhaps it came in through a vulnerable service (hint, use a firewall).

Makes sense to me.
--
Dog and Butterfly
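j823777 and TheWiseGuy both explain that outbound traffic to 239.255.255.250:1900 is SSDP/UPnP discovery on an administratively scoped multicast address, not a connection to the Internet. As an added example (not code from any poster), here is a small Python triage routine that applies that reasoning to outbound-connection log lines: the log line format and all addresses and process names are constructed for the example and do not mirror any particular firewall's log.

```python
"""Triage outbound-connection log lines: separate SSDP/UPnP discovery (239.255.255.250:1900)
from traffic that actually leaves the LAN. Added example; the log format is constructed."""
import ipaddress
import re

SSDP_GROUP = ipaddress.IPv4Address("239.255.255.250")
SSDP_PORT = 1900
# 239.0.0.0/8 is administratively scoped multicast (RFC 2365): routers do not forward it to the Internet.
ADMIN_SCOPED = ipaddress.IPv4Network("239.0.0.0/8")
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed line format (not any particular firewall's): "<PROTO> <src>:<sport> -> <dst>:<dport> <process>"
LINE_RE = re.compile(
    r"^(?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proc>\S+)$"
)

# Constructed sample log: two SSDP discovery packets, one NetBIOS broadcast, one outbound unicast.
SAMPLE_LOG = """\
UDP 192.168.1.10:1901 -> 239.255.255.250:1900 svchost.exe
UDP 192.168.1.10:1025 -> 239.255.255.250:1900 svchost.exe
UDP 192.168.1.10:137 -> 192.168.1.255:137 System
TCP 192.168.1.10:3412 -> 203.0.113.7:9001 unknown.exe
"""


def classify(line):
    """Return (verdict, details) for one log line, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    dst = ipaddress.IPv4Address(m["dst"])
    dport = int(m["dport"])
    if dst == SSDP_GROUP and dport == SSDP_PORT and m["proto"] == "UDP":
        verdict = "expected"        # UPnP/SSDP discovery; normal unless SSDP has been disabled on this host
    elif dst in ADMIN_SCOPED or dst.is_multicast:
        verdict = "local-multicast"  # stays on the local network segment
    elif any(dst in n for n in RFC1918):
        verdict = "local-unicast"   # LAN traffic, including subnet broadcasts
    else:
        verdict = "review"          # unicast to a non-RFC1918 address: worth checking the process
    return verdict, {"dst": str(dst), "dport": dport, "proc": m["proc"]}


def triage(log_text):
    """Count verdicts over a whole log and collect the lines that need a human look."""
    counts = {}
    to_review = []
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        verdict, _details = result
        counts[verdict] = counts.get(verdict, 0) + 1
        if verdict == "review":
            to_review.append(line)
    return counts, to_review


if __name__ == "__main__":
    counts, to_review = triage(SAMPLE_LOG)
    print(counts)
    for line in to_review:
        print("REVIEW:", line)
```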


MadMorbius
Premium
join:2004-04-07
Mississauga, ON
reply to novaflare
Re: Ouch

You can format a disk to your heart's content and a boot-sector bug will still come up.

I don't buy it.


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

reply to jansson_mark
said by jansson_mark:
This whole topic makes me feel like I need to put my aluminium foil hat on...

Yes, it's true viruses can be basically anywhere... But if someone can create a virus that reflashes most popular BIOS/video card/HDD memory and then starts infecting the rest of the computer, we are in trouble. Seriously, we are in biiiig trouble.

The virus could also create a "payload" in the last sectors of the HDD, and then call upon it when booted/started up. This way, even formatting the whole HDD would not make any difference, since the payload is still on the HDD at a specific sector of it. The only way to cure this kind of infection would be, at the same time, to flash all the flashable components on the computer and then overwrite the HDD with a tool like DBAN. Of course, currently, there aren't any tools for that.

Consider the doomsday scenario too. Consider that this kind of virus would start infecting other computers. Then, at one particular time or when some particular piece of code would be read by it (just a simple word or graphic in the case of an infected graphics card), it would activate. Upon activating, it would overwrite all the BIOSes it can find and the file allocation tables of the HDD. Basically speaking, you would have to dump your computer with your garbage. Now, if millions of people would have to do that...

Memory is not infectable, nor is the CPU. Only hardware with a BIOS: some HDs and CD/DVD-ROMs, all motherboards, a lot of video cards and older programmable keyboards. I forgot about printers. I've not yet seen a router be infected, but if someone does make one that does, then we are truly screwed. ISP router gets infected, virus goes out with ARP traffic and infects any PC not blocking ARP. Far-fetched, sure, but possible.
--
new 3D chat community at »planetvirtuel.com my site »spellbound.valshea.com/news.php


jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland

reply to zmaugy
This whole topic makes me feel like I need to put my aluminium foil hat on...

Yes, it's true viruses can be basically anywhere... But if someone can create a virus that reflashes most popular BIOS/video card/HDD memory and then starts infecting the rest of the computer, we are in trouble. Seriously, we are in biiiig trouble.

The virus could also create a "payload" in the last sectors of the HDD, and then call upon it when booted/started up. This way, even formatting the whole HDD would not make any difference, since the payload is still on the HDD at a specific sector of it. The only way to cure this kind of infection would be, at the same time, to flash all the flashable components on the computer and then overwrite the HDD with a tool like DBAN. Of course, currently, there aren't any tools for that.

Consider the doomsday scenario too. Consider that this kind of virus would start infecting other computers. Then, at one particular time or when some particular piece of code would be read by it (just a simple word or graphic in the case of an infected graphics card), it would activate. Upon activating, it would overwrite all the BIOSes it can find and the file allocation tables of the HDD. Basically speaking, you would have to dump your computer with your garbage. Now, if millions of people would have to do that...
--
My computer security & privacy related homepage »www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy.

x539

join:2003-08-23
Oklahoma City, OK

reply to novaflare
Re: A super trojan?

quote:
I remember seeing that posted. I understand there's not a lot of difference between the BIOS on the cards. Was right after Macs started using pin-compatible AGP cards.
If you mean the difference between the BIOS on a Mac card and on a PC card, it's a difference between working and not working ;-P. Basically the Mac ROMs contain the necessary low-level drivers for Open Firmware to recognize the card.

If you mean the difference between the BIOS on one Mac card and another similar card by the same manufacturer, that's the whole point of the exercise. Basically at the time that this was more common there was not a lot of choice in the Mac video card market. Not very many cards were available in a Mac version, and most of them were significantly more expensive than their PC counterparts. Apple supported and shipped certain cards in their machines. The ROMs included on those cards could be extracted and flashed onto the same or similar PC versions of the cards, giving the person who wanted to upgrade their Mac more choice and cheaper options (albeit at a greater risk). I don't know whether people still do this or not. There are more cards available in Mac versions these days, so I've seen no compelling reason to do so myself since then.


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

reply to x539
said by x539:
quote:
Do video cards have flash BIOSes? I always thought whatever firmware they ran was loaded by the video driver when Windows boots up. At least I've never heard of flashing a video card, but I suppose some cards do have this.
Another reason would be to flash a PC video card with the correct ROM needed for it to work in a Mac. I did this a few years ago on an ATi card.

I remember seeing that posted. I understand there's not a lot of difference between the BIOS on the cards. Was right after Macs started using pin-compatible AGP cards.
--
new 3D chat community at »planetvirtuel.com my site »spellbound.valshea.com/news.php

x539

join:2003-08-23
Oklahoma City, OK

reply to kpatz
quote:
Do video cards have flash BIOSes? I always thought whatever firmware they ran was loaded by the video driver when Windows boots up. At least I've never heard of flashing a video card, but I suppose some cards do have this.
Another reason would be to flash a PC video card with the correct ROM needed for it to work in a Mac. I did this a few years ago on an ATi card.


theskulptor
Premium
join:2004-05-15
Minneapolis, MN

reply to kpatz
Here is an example of flashing a vid card, and why one would do it. Though aside from potentially disrupting the operations of the vid card, if someone added malicious code to the firmware of a video card, would it act on any other part of the PC?

www.hardforum.com/showthread.php?t=767726


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

reply to kpatz
said by kpatz:
Do video cards have flash BIOSes? I always thought whatever firmware they ran was loaded by the video driver when Windows boots up. At least I've never heard of flashing a video card, but I suppose some cards do have this.

Even if someone coded a virus and stored it in the filler space of a flash BIOS, it would still have to be hooked into the executable portion of the BIOS, in order for the virus to execute. Otherwise, it is just a bunch of bits that never gets executed. Hooking into the executable portion, would have to be customized for every BIOS version.

Yup, but it does happen. And you'd be surprised at what you can flash the BIOS on: video cards, sound cards, CD burners, hard drives, DVD-ROMs and even players you hook up to your TV. I've personally seen a virus-infected keyboard, as I said. And I used it to infect, at the manager's request, some really old cash registers so she could get new ones. These things were constantly crashing and she wanted them gone, but the franchise owner wouldn't replace them until they were totally dead. So I made sure they were dead: hooked the keyboard up to the computer that controlled them, hit F13 and watched the registers crash.
It is entirely possible for this all to happen; it's rare as hell, and if it in fact happened it is likely a virus/trojan that someone deliberately targeted him with, probably a totally custom one-of-a-kind deal. A few months ago we found out who infected the guy's keyboard and why. Some punk kid that used to mow his lawn and do some basic stuff around the house, minor repairs and some computer work for the guy, was caught ripping the guy off; he fired him and pressed charges; the kid got 3 months in DH for it and restitution. Well, before he could confront the kid and before he called the cops, the kid got wise that he was caught and infected the keyboard with this nasty.
He never named it, and it was never in the wild.
Thankfully viruses like these are generally so destructive and fast-acting they can't get out in the wild; they make the system they infect crash and become unbootable almost immediately after infection/execution.

I still doubt this is the case with this super trojan. My bet is he's installing software from a backup, or maybe using a pirated copy of XP Pro or another pirated OS, or maybe just an activation crack because he is annoyed by Windows activation and doesn't want to send out all the personal info that was "sent with activation" according to all the XP anti-hype.
--
new 3D chat community at »planetvirtuel.com my site »spellbound.valshea.com/news.php

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

reply to novaflare
Do video cards have flash BIOSes? I always thought whatever firmware they ran was loaded by the video driver when Windows boots up. At least I've never heard of flashing a video card, but I suppose some cards do have this.

Even if someone coded a virus and stored it in the filler space of a flash BIOS, it would still have to be hooked into the executable portion of the BIOS, in order for the virus to execute. Otherwise, it is just a bunch of bits that never gets executed. Hooking into the executable portion, would have to be customized for every BIOS version.
--
Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend.


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

reply to Martinus
said by Martinus:
said by novaflare:
Video card: possible that it overwrote part of his video BIOS.
But in that case the card bios would be screwed and the card wouldn't function correctly I guess

Actually not true. I've seen at least one case personally where the video card BIOS was infected with a virus; yes, it caused more video-related errors in Windows error and even reporting. But hell, I was playing (losing badly) CS on it with a good frame rate and no noticeable errors.
For a virus or trojan to cause problems it would need to overwrite an important area of the card's BIOS. I've seen BIOS hacks that let you put your name in a video card's BIOS so that it comes up on the splash screen during the card's own POST. Say some image and some text, total size 10k, and there's still room left for more. A virus can be as small as 4 to 7k or smaller. A typical BIOS chip is 256k or larger and the BIOS code itself may only use 190k of that. There's plenty of wiggle room, or can be, on a BIOS chip. Some BIOSes now have filler in the BIOS code that does nothing but take up the rest of the space.
--
new 3D chat community at »planetvirtuel.com my site »spellbound.valshea.com/news.php


zmaugy

join:2003-05-24
Slovenia
reply to kpatz
Thanks, I know my question was off topic :), anyway I'm going to go step by step through the procedure just in case.
--
French fries.


pcdebb
RIP dadkins
Premium
join:2000-12-03
Tampa, FL

reply to zmaugy
said by zmaugy:
I'm no computer expert, but the thing is that also my computer is calling that IP 239.255.255.250:1900.
Being that's a broadcast, I wonder what really is going on with that....

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

reply to zmaugy
said by zmaugy:
Generic host process for win32 services. And it's logged only when automatic lock on ZA is turned on.
Bingo... when ZA is locked, it blocks all traffic. Windows uses TCP/IP internally for certain interprocess communication (this traffic never goes out over the network), but Zone Alarm sees it, and blocks it when it's locked. Windows is likely using the 239. IP range for this purpose.

I've seen instances, where when I was having network issues, and didn't have a valid IP, that certain Windows services would cause Zone Alarm prompts (the Spooler Subsystem is prone to doing this). I'm at work now so I can't see what IP it was trying to use though, but I wouldn't be surprised if it was a 239.* IP.
--
Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend.


zmaugy

join:2003-05-24
Slovenia

reply to kpatz
said by kpatz:
Did Zone Alarm say what application was hitting that IP?

Generic host process for win32 services. And it's logged only when automatic lock on ZA is turned on.
--
French fries.


Martinus
Premium
join:2001-08-06
EU


1 edit
reply to novaflare
said by novaflare:
Video card: possible that it overwrote part of his video BIOS.
But in that case the card BIOS would be screwed and the card wouldn't function correctly, I guess.
--
The revenge of the bulls at San Fermín.
Thursday, 10-Dec 06:11:36 | © 1999-2009 dslreports.com