  seqrets Premium join:2001-05-03 Nederland, TX clubs:
| New virus attacks AMD processors
Proof of concept code shows advanced attack vector
Tom Sanders in California, vnunet.com, 28 Aug 2006
Security researchers at Symantec have discovered a new proof of concept virus that targets AMD processors rather than operating systems.
The worm comes in two versions, targeting 32-bit and 64-bit processors from AMD. Symantec refers to the online pests as w32.bounds and w64.bounds. Because it involves proof of concept code, both viruses are rated as low level threats.
More at: »www.computing.co.uk/vnunet/news/···ocessors |
|
  redxii too big to fail Premium,Mod join:2001-02-26 Austin, TX
1 edit | reply to seqrets Re: New virus attacks AMD processors
Seeing how their programs hardly run properly under anything lower than an administrator account, I assume they always run and program as an administrator. Therefore I must question what privileges they decided to run it with. If it was an administrator account then they went through entirely too much trouble. |
|
  CU ReDUX
@rr.com
| reply to seqrets Re: New virus attacks AMD processors
Didn't CU just get raked over the coals by the AV vendor community for "laboratory" viruses that are not functional and are not on the "in the wild" list? But then this is an AV "player" doing the reporting, so we will hear little criticism from those who beat up CU for similar disclosures. |
|
 rotty97
join:2005-06-30 Australia | There is nothing wrong with looking at new attack vectors, if they don't someone will, that's for sure.
cheers, rotty |
|
 bluezanetti Premium join:2003-10-04
| reply to CU ReDUX
said by CU ReDUX:
Didn't CU just get raked over the coals by the AV vendor community for "laboratory" viruses that are not functional and are not on the "in the wild" list? But then this is an AV "player" doing the reporting, so we will hear little criticism from those who beat up CU for similar disclosures.

If you cannot fathom the differences in circumstance - technical proof of concept vs. direct comparison test of commercial products - you've completely and utterly missed the boat.
Blue |
|
 controler
join:2003-11-02
| reply to seqrets "The w32.bounds and w64.bounds viruses infect systems by tying themselves to Windows executable files, which disqualifies them as so-called chip level threats. They do however employ elements of such attacks by showing an ability to execute chip level assembly code.
The last large scale outbreak of a chip level threat dates back to 1998. The CIH/Chernobyl then embedded itself into the flash-BIOS of several million computers and on the 13th anniversary of the nuclear disaster in the city destroyed all data. Chernobyl originated in South Korea, where it was estimated to cause $250m in damages."
Is this guy using some of Johanna's Blue Pill code then? It only runs on the new dual core CPUs. Sounds like it, even though this new code attaches itself to exes.
controler |
|
 dave Premium,MVM join:2000-05-04 not in ohio
| reply to seqrets The Symantec write-up shows no sign of anything exotic being involved.
»www.symantec.com/security_respon···-5115-99
All I got from this is that the w32.bounds attack mucks with the import table, which of course will allow execution of arbitrary code (program thinks it's calling function X but in reality it's calling function Y).
Is there any more technical detail anywhere? |
|
  Vampirefo Premium,MVM join:2000-12-11 Huntington, WV | reply to seqrets What are they supposed to do? Flash the BIOS or what? I can't see them as any threat, just from what I have read. -- Best Regards, Vampirefo |
|
  xploitcode
@verizon.net | reply to seqrets Wasn't Intel the butt of jokes with their processor serial number which could be read "at will" over the internet, and tracked, hacked, and parboiled for data mining years ago? |
|
 devicenull Premium join:2002-12-01 Clifton, NJ
| reply to controler Er, "chip level assembly code"? What, exactly is that? I wonder if they realize that MS Word also executes "chip level assembly code"..
Basically, until I hear someone respectable telling me this works, and is only effective on AMD processors, I call BS. |
|
 garys_2k
join:2004-05-07 Farmington, MI
| said by devicenull:
Basically, until I hear someone respectable telling me this works, and is only effective on AMD processors, I call BS.

Me, too. Assembly language is just programming language. Maybe the AMD chips have a few unique-to-them commands for register transfers and stuff, but if they did, it's no big deal. I smell FUD. |
|
  Ctrl Alt Del Premium join:2002-02-18
| reply to seqrets I was under the impression that this virus makes use of the new virtualization features in AMD's new processors. The hypervisor ends up "running" both Windows and the virus in virtualized environments.
But I could be way off. Details are skimpy. -- less talk, more music |
|
  Oleg Bellsouth Fastaccess Premium join:2003-12-08 Birmingham, AL 1 edit | reply to seqrets You can't infect CPU chip. |
|
 dave Premium,MVM join:2000-05-04 not in ohio
| said by Oleg:
You can't infect CPU chip.

Sure you can. If you can change the CPU microcode then it should be obvious that you can insert malware into the CPU itself. |
|
  seqrets Premium join:2001-05-03 Nederland, TX clubs:
| reply to dave
said by dave:
Is there any more technical detail anywhere?

Related article: Polymorphism comes to the AMD64 |
|
 garys_2k
join:2004-05-07 Farmington, MI
| reply to dave
said by dave:
said by Oleg:
You can't infect CPU chip.
Sure you can. If you can change the CPU microcode then it should be obvious that you can insert malware into the CPU itself.

But all you could do is add or change op-codes. Would that really be malware?
Sure, the CPU could be killed, killing the computer, but I can't see how changing the CPU's microcode could, for instance, let in a rootkit or a keylogger. |
|
  commodog Premium join:2000-02-03 Oxnard, CA | reply to seqrets After disassembling the code, researchers found an interesting line of code: "copyright Intel 2006" |
|