Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances

Tazmo Newbie
Joined: 05 Jan 2005 Last Visit: 08 Apr 2006 Posts: 8
Posted: Mon Feb 27, 2006 6:21 pm Post subject: Rootkit Whitepaper & Other Rootkit Info
Hoo, boy...just got through reading a technical paper that presented a proof of concept method that rootkits can use to avoid virtually all currently available detection methods. Scary reading, indeed. To say nothing of some of the presentations at Black Hat - Europe this week that will discuss the current state of rootkit kernel subversions through the BIOS.
The technical paper is indeed highly technical, but most readers on this forum can get the gist of the message from it:
http://www.phrack.org/phrack/63/p63-0x08_Raising_The_Bar_For_Windows_Rootkit_Detection.txt
Info on Black Hat and Black Hat - Europe:
http://www.blackhat.com/html/bh-blackpage/bh-blackpage.html
http://www.blackhat.com/html/bh-europe-06/bh-eu-06-speakers.html#Heasman
And finally, some additional info that should make for some good late night reading that claims that Blacklight and Icesword are essentially ineffective against certain rootkit methods (scroll down to "Rootkit Technology"):
http://uninformed.org/
My apologies if this has all been discussed...I'm sure many of you are aware of some of this...however, it might be good reading for some who haven't seen it.
-Taz

EASTER Warrior
Joined: 08 Mar 2005 Last Visit: 01 Feb 2007 Posts: 220 Location: Far Moon Of Endor
Posted: Mon Feb 27, 2006 8:48 pm
Very good reading indeed Tazmo
I've been all over those papers the past weeks and then some. It's only intimidating when you consider what's been available all this time for those, as they say, working to subvert the kernel for malicious means. There are also of course educational and security developments being studied to better identify and also to prevent those possibilities from spreading unchecked.
I encourage anyone who is sincerely interested in the truly sound practice of protecting their current and future systems from the possibility of some of those new methods of intrusions, to read and brush up on some of those article releases and test their own defenses with what's being made available for the public.
That way you certainly will have a very strong leg up and not be caught off guard by simple complacency.
That's yet another strong case in favor of, and that I fully endorse and even encourage, vendors who haven't before done so taking up some of this initiative too in developing and introducing their own HIPS programs.
_________________
THE FORCE IS VERY STRONG IN THIS FAMILY!

ld Warrior
Joined: 01 Mar 2005 Last Visit: 29 Jul 2010 Posts: 185
Posted: Tue Feb 28, 2006 8:04 pm
I have been hearing people debate about rootkiting processor instructions through the BIOS for a few years now. First BIOS companies made it possible to execute code from within the OS to upgrade the BIOS. Now any piece of malicious code can modify the BIOS which is fun but is it all that useful? Introduce something like the Crusoe and its emulation layer and more sinister things can be achieved.
If these things start to turn up in the wild, booting off of other media to examine the possibly compromised drive won't do any good. It will be necessary to remove that possibly compromised drive from that machine, load it in a known good machine and examine it from there.

Mrkvonic Warrior
Joined: 27 Sep 2004 Last Visit: 01 Feb 2007 Posts: 209
Posted: Wed Mar 01, 2006 12:25 am
Hello,
The idea sounds daunting, but it's a bit far-fetched.
Mrk

Tazmo Newbie
Joined: 05 Jan 2005 Last Visit: 08 Apr 2006 Posts: 8
Posted: Wed Mar 01, 2006 9:48 am
EASTER wrote:
> That way you certainly will have a very strong leg up and not be caught off guard by simple complacency.
> That's yet another strong case in favor of and that i fully endorse and even encourage to vendors who haven't before done so to take up some of this initiative too in developing and introducing their own HIPS programs.
I agree, however according to this paper HIPS-based programs and the methodology used by Blacklight, Icesword, and Rootkit Revealer are bypassed using the concepts presented. And this isn't even using subversion through the BIOS that's lately been a topic of discussion again.
And...as far as using the BIOS is concerned...far-fetched? Maybe. But it's being discussed even as we speak at the Black Hat seminars that are going on this week. It doesn't take much for this type of information to work its way into the wild.
It would seem the final defense will eventually need to come from the hardware makers.
-Taz
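The "methodology" Tazmo refers to is cross-view detection: Blacklight, IceSword and RootkitRevealer all compare a view of the system obtained through the normal OS API with a view gathered by walking kernel or on-disk structures directly, and report whatever shows up only in the low-level view. The block below is an added example of that core logic written for this thread, not code from the original post or from any of those tools; the two process lists are constructed sample data.

```python
"""Cross-view rootkit detection, reduced to its core logic.

Added example, not code from the thread or from Blacklight, IceSword or
RootkitRevealer. Those tools compare a high-level view obtained through
the ordinary OS API with a low-level view gathered by walking kernel or
on-disk structures directly; anything present only in the low-level view
is being hidden from the API and gets reported. The two views below are
constructed sample data, not real snapshots of a machine.
"""
from dataclasses import dataclass
from operator import attrgetter


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


# Constructed high-level view: what an API-based process listing returns.
API_VIEW = [
    Proc(4, "System"),
    Proc(620, "csrss.exe"),
    Proc(1200, "explorer.exe"),
    Proc(1984, "svchost.exe"),
]

# Constructed low-level view: the same machine enumerated from kernel
# structures, which additionally exposes one entry the API never showed.
KERNEL_VIEW = API_VIEW + [Proc(2376, "hidden.exe")]


def cross_view_diff(api_view, kernel_view):
    """Return (hidden, phantom).

    hidden:  entries only in the low-level view (concealed from the API)
    phantom: entries only in the high-level view (usually a process that
             exited between the two snapshots; listed rather than discarded)
    """
    api, kernel = set(api_view), set(kernel_view)
    by_pid = attrgetter("pid")
    return sorted(kernel - api, key=by_pid), sorted(api - kernel, key=by_pid)


def report(api_view, kernel_view):
    """Human-readable findings; an empty diff yields one 'no discrepancy' line."""
    hidden, phantom = cross_view_diff(api_view, kernel_view)
    lines = [f"HIDDEN  pid={p.pid} name={p.name} (in kernel view, absent from API view)"
             for p in hidden]
    lines += [f"PHANTOM pid={p.pid} name={p.name} (in API view, absent from kernel view)"
              for p in phantom]
    return lines or ["no discrepancy between views"]


if __name__ == "__main__":
    print("\n".join(report(API_VIEW, KERNEL_VIEW)))
    # The limit of the technique: if a rootkit makes both views agree (by
    # also controlling what the low-level walk sees), there is no discrepancy
    # left to report, which is the situation the linked paper describes.
    print("\n".join(report(API_VIEW, API_VIEW)))
```

The second call in the `__main__` block is the point of Tazmo's post: a detector built on disagreement between two views has nothing to report once the views are made to agree, which is why the thread's conclusion that the defence has to move further down the stack follows.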

Mrkvonic Warrior
Joined: 27 Sep 2004 Last Visit: 01 Feb 2007 Posts: 209
Posted: Wed Mar 01, 2006 10:09 pm
Hello,
There was a big discussion about this on broadband forums.
The general idea goes like this:
Let's say malware wants to corrupt a BIOS.
You need to write malware that targets a specific BIOS, because otherwise it won't work - so you need about 10,000 specially designed specimens of malware to cover all the BIOSes out there and then either know in advance what to send someone or hope they download the 'correct' package.
Then, there's the matter of flashing the BIOS and physical protection. It's not as simple as a software upgrade. Some BIOSes are also protected against flashing.
Now, even if the BIOS is successfully corrupted, it does not corrupt the OS. The BIOS handles the OS calls and functions that allow the OS to interpret hardware. It has no contact whatsoever with DLLs, ports or anything of the sort. To be able to do that, your flash would have to be able to patch the Windows kernel during bootup. This requires a very sophisticated piece of code that cannot be fitted into the tiny storage BIOSes have. And even if it did that successfully, any change in software (OS, patches, updates), hardware etc. would cause your OS to fail majorly, because it would be patched to the wrong standards. In the worst case, this impossible task would destroy the OS.
And finally, even if the BIOS is malware-flashed, you can insert the mobo disk you got when you bought your PC, and reflash the BIOS to its original settings. Or even flash the BIOS using the manufacturer's BIOS upgrades.
Flashing the BIOS, a daunting task.
You must assume:
- someone downloads the 'correct' malware
- someone executes this malware
- the BIOS can be patched from within the OS in the FIRST place
- the BIOS has to be allowed to flash
- the malware code needs to be super tiny to survive a boot and yet super mighty to patch the kernel properly (not break the OS)
- the problem is undone by another simple flash, no need for any fancy scanners or anything.
One more thing - in most cases, the BIOS is not directly flashed from within the OS, despite the fact most new BIOSes have this option. The OS utility only helps the user flash the BIOS.
Usually it goes like this:
User downloads some file.
He executes this file.
This file in return creates ANOTHER file, which needs to be placed on a floppy / CD / USB and then the PC has to be booted with it in order to flash the BIOS.
The user reboots, inserts the media and flashes.
So, this malware needs a physical carrier and physical access to a PC, but that's another matter altogether.
So, not only does the malware have to be downloaded and executed, assuming it's fully compatible in all aspects, it has to be able to write its own boot sequence and flash upgrade patch and kernel patch upgrade, all in minimal storage, and then it has to be booted by human hand to activate.
And then you go to Windows Update, update your OS, patch the kernel and destroy the malware code and possibly your PC.
Theoretically, yes it's possible. Practically, it's impossible.
Mrk
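Mrkvonic's remedy is to reflash the vendor's original image. The check a defender runs before deciding that is needed is to compare the image currently in the flash chip with what the vendor published, and, when the original image file is at hand (the "mobo disk" in the post), to say where the two differ. The block below is an added example written for this thread, not code from the post; the board name, version, manifest and image bytes are all constructed, and reading the chip itself (a vendor dump tool or a hardware programmer) is outside the script.

```python
"""Verify a dumped BIOS image against a vendor's known-good hash.

Added example, not code from the thread. Everything here is constructed:
the board/version names, the manifest and the image bytes. In practice the
manifest values come from the vendor's download page and the dumped image
from a vendor dump tool or a hardware programmer, never from software
running on the machine under suspicion.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the vendor's image: a fake header padded with
# 0xFF (erased flash) to 4 KiB. Real images are hundreds of KiB or more.
KNOWN_GOOD_IMAGE = b"BOARDX BIOS 1.02 (constructed sample)".ljust(4096, b"\xff")

# Constructed manifest keyed by (board, version) -> (expected size, sha256).
MANIFEST = {
    ("BOARDX", "1.02"): (len(KNOWN_GOOD_IMAGE), sha256_hex(KNOWN_GOOD_IMAGE)),
}

# Constructed tampered dump: two 16-byte stretches overwritten with zeros.
_t = bytearray(KNOWN_GOOD_IMAGE)
_t[0x800:0x810] = b"\x00" * 16
_t[0xFF0:0x1000] = b"\x00" * 16
TAMPERED_IMAGE = bytes(_t)


def verify_image(board, version, dumped, manifest=MANIFEST):
    """Classify a dump as MATCH, MISMATCH, SIZE_MISMATCH or UNKNOWN.

    UNKNOWN is the honest answer when the board/version is not in the
    manifest; it must never be reported as a pass.
    """
    entry = manifest.get((board, version))
    if entry is None:
        return "UNKNOWN"
    size, digest = entry
    if len(dumped) != size:
        return "SIZE_MISMATCH"
    return "MATCH" if sha256_hex(dumped) == digest else "MISMATCH"


def changed_regions(reference, dumped):
    """[(start, end)] byte ranges (end exclusive) where dumped differs from
    reference. Used once the vendor's original image file is available, so
    the report says where the image was altered, not only that it was."""
    regions, start = [], None
    for i, (a, b) in enumerate(zip(reference, dumped)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, min(len(reference), len(dumped))))
    return regions


if __name__ == "__main__":
    for label, img in (("known good", KNOWN_GOOD_IMAGE), ("tampered", TAMPERED_IMAGE)):
        status = verify_image("BOARDX", "1.02", img)
        print(f"{label}: {status}")
        if status == "MISMATCH":
            for s, e in changed_regions(KNOWN_GOOD_IMAGE, img):
                print(f"  altered bytes 0x{s:04x}-0x{e:04x}")
```

The size check comes before the hash so that a truncated or padded dump is reported as such rather than as a generic mismatch, and an unlisted board is reported as UNKNOWN rather than silently passing; that second point is the practical side of Mrkvonic's "10,000 BIOSes" remark, since a manifest only covers what the vendor has published.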

EASTER Warrior
Joined: 08 Mar 2005 Last Visit: 01 Feb 2007 Posts: 220 Location: Far Moon Of Endor
Posted: Wed Mar 01, 2006 10:38 pm
Thank you Mrkvonic for a very informative and interesting assessment in an area that I will admit normally lacks my full attention or complete understanding.
That is unless contemplating a BIOS upgrade requiring a flash. I might add you are right on the mark too. For XP, as far as I've been instructed, you need to combine both the .ROM BIOS file and the flash utility together locally, then burn (copy) them to a CD and, as you mention, boot up by an alternative method, then insert that media followed by manual keyboard commands for safest results. I'd like to see a malware try all of that.
And it indeed is a stretch these days to ever be able to completely compile some library with all the different system BIOSes circulating.
Your post briefly but very thoroughly IMO makes an excellent case for the unlikely if ever chance of some BIOS hijack. Mind you, most malicious BIOS viruses, from the ones I've seen, are normally intended to disable functioning of the OS completely or enough to severely cripple regular functions.
_________________
THE FORCE IS VERY STRONG IN THIS FAMILY!

ld Warrior
Joined: 01 Mar 2005 Last Visit: 29 Jul 2010 Posts: 185
Posted: Thu Mar 02, 2006 4:31 pm
Mrkvonic wrote:
> You need to write malware that targets a specific bios, because otherwise it won't work - so you need about 10,000 specially designed specimens of malware to cover all the bioses out there and then either know in advance what to send someone or hope they download the 'correct' package.
You approach this from a programmer's point of view, not a malware author's point of view. A programmer cares about quality and ideally is trying to achieve a program that works in 100% of the situations it was designed for. A malware programmer only cares that it works well in most circumstances. Also, a malware programmer doesn't care what the BIOS does; it just wants to append or insert its code at some point. BIOS infection techniques will be developed just as PE file infection techniques have been developed. People aren't going to write their own BIOSes but simply find different ways to inject their code into the many BIOSes out there. Only a minimal amount of the code needs to be kept in the BIOS; the rest can be hidden away on the hard drive.
Mrkvonic wrote:
> Then, there's the matter of flashing bios and physical protection. It's not as simple as a software upgrade. Some bioses are also protected against flashing.
Some BIOSes can be flashed by simply running a program in Windows and then rebooting. These are the type of BIOSes that people are talking about abusing. Having to store the image on a disk is one of the original ways of upgrading a BIOS. That's why this would only be possible on some of the newer computers.
Mrkvonic wrote:
> Now, even if bios is successfully corrupted, it does not corrupt the os. Bios handles the os calls and functions that allow os to interpret hardware. It has no contact whatsoever with dlls, ports or anything of the sort.
No one I have discussed this with has ever thought about that route. The idea is to hook assembly instructions, something outside the OS. This is why the Crusoe chip is so perfect for this. The Crusoe's emulation layer provides a vector for you to hook it.
You are way too caught up in the fact that only some BIOSes let you flash from the OS without storing the image on different media. The fact that some of the newer ones do let you do this is what has caught security researchers' and malware authors' attention. Basically, if the manufacturers take warning now and stop this dangerous practice or put in some sort of safeguard now, this could be avoided. But history tells us this won't happen. Companies don't take security research seriously unless it contains proof of concept code that clearly demonstrates the danger. History also tells us that one person/group will not put all the pieces together on their own. Someone will develop a few techniques and get some proof of concept code out there. This code will demonstrate something scary but will pose no real threat. And then people will continue to evolve these ideas until it does become a real threat. It isn't all about the BIOS either. Without something like an emulation layer in the processor I'm not sure how far people will get either.
Stack overflows were being exploited in the late 80s but were never understood by most till the late 90s. So it took about 10 years for people to take them seriously. Format string bugs were thought to only be usable to crash a program and therefore not a security concern in most software. That was until people started developing techniques to use them to execute arbitrary code, and then people went scrambling to clean up their code. I believe for this BIOS stuff to evolve into something, hardware manufacturers have to continue proceeding with their carelessness. The larger the number of computers out there that can be affected by this, the more appealing it is to malware authors.
smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group