
Thread: Ping: David H Lipman

  1. #11
    Mike Easter Guest

    Re: Ping: David H Lipman

    to a.p.s only

    FromTheRafters wrote:

    > In fact, I am probably the only one here that accepts that an attacker
    > with access to (and intimate knowledge of) a particular computer can
    > compromise firmware in such a way as to have a *persistent* compromise
    > of the machine even if the hard drive is swapped out.
    >
    > ...and even then, such a machine would have to have a network available
    > for bootstrapping the malicious code.


    The wiki article on rootkits has a section on firmware exploitation,
    which had links to the articles on the 'laboratory' example of infecting
    the Award Phoenix BIOS, which the investigators are further developing
    to be a more 'generic' tool. In addition, there is a 'new' development
    for a CompuTrace LoJack in the BIOS designed/intended as anti-theft
    which can be subverted to malware purposes.

    And the BIOS isn't the only firmware place the malware can be installed.

    But I don't know of any 'in the wild' malware which can do these things
    by remote exploitation. The experiments and real-life exploits required
    physical access to the computers or control at root level. Naturally
    control at root level could be achieved remotely, but all of that kind
    of firmware manipulation isn't really the same as 'picking up an infection'.


    --
    Mike Easter

  2. #12
    Polk Salad Guest

    Re: Ping: David H Lipman

    In article <i9fdgi$16d$1@news.eternal-september.org>,
    ~BD~@nomail.afraid.org says...
    >
    >
    >
    >"Dustin" <bughunter.dustin@gmail.com> wrote in message
    >news:Xns9E14CAFE5639HHI2948AJD832@no...
    >> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    >> news:i9dd6d03048@news3.newsguy.com:
    >>
    >>> From: "~BD~" <~BD~@nomail.afraid.org>
    >>>
    >>>| If all goes according to plan, I should be having a RL face-to-face
    >>>| meeting tomorrow with my boater friend who works for IBM.
    >>>
    >>>| I shall ask again about malware infection of a BIOS chip.
    >>>
    >>>| Please advise of any question(s) you feel I should ask - to put my
    >>>| mind at rest about an infected machine continuing to be infected
    >>>| even when a hard disk has been replaced with a new one.
    >>>
    >>>| I'll tell him that you and Dustin Cook tell me that this impossible
    >>>| outside of a laboratory! ;-)
    >>>
    >>>| BD
    >>>
    >>>
    >>> Not interested if you are acting as his proxy.
    >>> He must make his own posts and his own replies.
    >>>

    >>
    >> Same here. In fact, he's welcome to contact me via email if he'd like.

    >
    >Andrew came to my boat at around 1130 and stayed for two hours! He is a
    >graduate of Manchester University and has a degree in Computer Science
    >and Mathematics. He's worked for IBM since Dustin was born!
    >
    >He confirmed that malware *can* infect the BIOS - and then reinfect a
    >new or cleaned hard drive - *outside* of a laboratory environment. He
    >did say that this was rare but he will liaise with his specialist
    >colleagues and thereafter endeavour to provide me with some information
    >to confirm his assertion.


    You are SO full of ****! I "liaised" with some of my "specialist
    colleagues" and they confirmed my suspicions.
    I can't believe these regulars in here are letting you lead them on!

    Whoever you are.... crossposting idiot.


  3. #13
    Dustin Guest

    Re: Ping: David H Lipman

    "~BD~" <~BD~@nomail.afraid.org> wrote in
    news:i9fpp5$svg$1@news.eternal-september.org:

    > "Peter Foldes" <okf22@hotmail.com> wrote in message
    > news:i9fgm6$e7u$1@speranza.aioe.org...
    >> BD
    >>
    >> Your friend either did not tell you correctly or he does not know
    >> his stuff. A general Bios infector does not exist and it never has.
    >> I know a few people that have Masters degrees for many years and
    >> yet they are clueless to many if not most issues be it about
    >> anything

    >
    >
    > A better response from you, Peter Foldes, might have been to
    > acknowledge that you *lied* when you alleged that I do not *own* a
    > narrowboat! Ha!
    >
    > No one has mentioned a 'general' BIOS infector - Dustin mentioned a
    > *universal* BIOS infector. I didn't!
    >
    > Isn't it possible that bad guys simply select a narrow target area?


    That's entirely possible in theory; I've never disputed it. What would
    be the point tho? It would be a very specific target BD, as in; a
    particular system only and ones which are identical at least in so far
    as bios is concerned.

    However, it's already defeated in one sense. At least one mainboard
    manufacturer has been placing a backup BIOS on the mainboards which is
    not software writable. It can be used to blow away the primary system
    BIOS and reload her with known clean code. <G>

    Other than crypto BD, (and that's really a time constraint issue) what
    can be done with software can usually be reversed with software.

    > He confirmed that malware *can* infect the BIOS - and then reinfect
    > a new or cleaned hard drive - *outside* of a laboratory environment.
    > He did say that this was rare but he will liase with his specialist
    > colleagues and thereafter endeavour to provide me with some
    > information to confirm his assertion.


    On a very specific BIOS flashrom software configuration. Sure. You
    couldn't for example hit both of these machines on both sides of me
    with the same code. One is an AMD powered box and the other an Intel
    powered box, although both using VIA chipsets; very different in
    design. BIOSes are completely incompatible with each other.

    The closest thing to come to malware and BIOS was the infamous CIH
    virus, but the really interesting payload didn't always work. Only
    *some* bios systems supported the writing commands and accepted the
    corrupted code. Outside of a laboratory, that is. Perhaps this is what
    your friend is thinking of?


    --
    Some people are like a Slinky. Not much good for anything, but you
    can't help but smile when one tumbles down the stairs.

  4. #14
    Dustin Guest

    Re: Ping: David H Lipman

    Mike Easter <MikeE@ster.invalid> wrote in
    news:8i1jtcF3cjU1@mid.individual.net:

    > to a.p.s only
    >
    > FromTheRafters wrote:
    >
    >> In fact, I am probably the only one here that accepts that an
    >> attacker with access to (and intimate knowledge of) a particular
    >> computer can compromise firmware in such a way as to have a
    >> *persistent* compromise of the machine even if the hard drive is
    >> swapped out.
    >>
    >> ...and even then, such a machine would have to have a network
    >> available for bootstrapping the malicious code.

    >
    > The wiki article on rootkits has a section on firmware exploitation,
    > which had links to the articles on the 'laboratory' example of
    > infecting the Award Phoenix BIOS, which the investigators are
    > further developing to be a more 'generic' tool. In addition, there
    > is a 'new' development for a CompuTrace LoJack in the BIOS
    > designed/intended as anti-theft which can be subverted to malware
    > purposes.


    Well, it's writable software so it can be modified, which I haven't
    said couldn't. Just that the modifications are very specific in nature
    and are not universal.

    > And the BIOS isn't the only firmware place the malware can be
    > installed.


    Anywhere that allows software updates can potentially be an
    installation vector. Hell, my USB mp3 player could "infect" me in
    theory; or I it; as I can access its firmware and modify at will. A
    USB scrolling picture frame actually came with a virus and took
    advantage of the autorun to give you a copy. <G> That made the news, so
    I don't dispute by any means that firmware is capable of becoming rogue;
    just that nothing in the wild exists which infects a system bios and
    then remains infectious when you reload the HD. Too many issues against
    that becoming a universal issue until everything switches completely
    open standard. Then, perhaps...


    --
    Some people are like a Slinky. Not much good for anything, but you
    can't help but smile when one tumbles down the stairs.

  5. #15
    ~BD~ Guest

    Re: Ping: David H Lipman


    "Dustin" <bughunter.dustin@gmail.com> wrote in message
    news:Xns9E1537F96841HHI2948AJD832@no...
    > "~BD~" <~BD~@nomail.afraid.org> wrote in
    > news:i9fpp5$svg$1@news.eternal-september.org:

    [....]
    >> No one has mentioned a 'general' BIOS infector - Dustin mentioned a
    >> *universal* BIOS infector. I didn't!
    >>
    >> Isn't it possible that bad guys simply select a narrow target area?

    >
    > That's entirely possible in theory; I've never disputed it. What would
    > be the point tho? It would be a very specific target BD, as in; a
    > particular system only and ones which are identical at least in so far
    > as bios is concerned.


    Whilst specific, it could still be a very large group, Dustin.

    > However, it's already defeated in one sense. At least one mainboard
    > manufacturer has been placing a backup BIOS on the mainboards which is
    > not software writable. It can be used to blow away the primary system
    > BIOS and reload her with known clean code. <G>


    That's very interesting! There must, surely, be a significant *reason*
    why they've done so! Will you share which manufacturer?

    > Other than crypto BD, (and that's really a time constraint issue) what
    > can be done with software can usually be reversed with software.


    I have no doubt you are right! Some folk may have set up more than one
    partition on a hard disk (say C: and D:) thinking that they can reload
    Windows on C: and have a 'clean' machine again. My understanding is that
    malware can lurk on the D: drive and easily reinfect the 'new' C:
    partition. Is that correct?

    >> He confirmed that malware *can* infect the BIOS - and then reinfect
    >> a new or cleaned hard drive - *outside* of a laboratory environment.
    >> He did say that this was rare but he will liaise with his specialist
    >> colleagues and thereafter endeavour to provide me with some
    >> information to confirm his assertion.

    >
    > On a very specific BIOS flashrom software configuration. Sure. You
    > couldn't for example hit both of these machines on both sides of me
    > with the same code. One is an AMD powered box and the other an Intel
    > powered box, although both using VIA chipsets; very different in
    > design. BIOSes are completely incompatible with each other.


    I do understand that, Dustin.

    > The closest thing to come to malware and BIOS was the infamous CIH
    > virus, but the really interesting payload didn't always work. Only
    > *some* bios systems supported the writing commands and accepted the
    > corrupted code. Outside of a laboratory, that is. Perhaps this is what
    > your friend is thinking of?


    Maybe. Andrew has said he'll have a chat with his specialist pals within
    IBM and get back to me. You will appreciate though that some matters may
    need to be kept under wraps!

    Thanks for your comments.

    Dave



  6. #16
    ~BD~ Guest

    Re: Ping: David H Lipman


    "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
    news:i9fqng$ha0$1@news.eternal-september.org...
    > "~BD~" <~BD~@nomail.afraid.org> wrote in message
    > news:i9fdgi$16d$1@news.eternal-september.org...

    [....]
    >> He is a graduate of Manchester University and has a degree in
    >> Computer Science and Mathematics. He's worked for IBM since Dustin
    >> was born!

    >
    > That doesn't make him an expert on malware and/or its capabilities.


    Absolutely correct! He did understand all I mentioned to him though.

    >> He confirmed that malware *can* infect the BIOS - and then reinfect a
    >> new or cleaned hard drive - *outside* of a laboratory environment.

    >
    > I would like to know what he meant by that, but since he is not
    > here...


    He's a family man and still working - I doubt he has the time or
    inclination to play here! However, if you tell me *what* to ask him,
    I'll do so by email and advise you of his answer.

    >> He did say that this was rare but he will liaise with his specialist
    >> colleagues and thereafter endeavour to provide me with some
    >> information to confirm his assertion.

    >
    > He still hasn't said that any mobile code has shown that ability
    > (outside a laboratory).


    I don't think I recognise what you mean by 'mobile code' - do you mean
    'in the wild'? Out there on the Internet?

    > Even if he has actually seen for himself a persistent firmware
    > compromise (one that can re-establish itself fully on a *new* disk) -
    > he will still fail to convince anyone here that such can be
    > *installed* by malicious mobile code.


    Hey! He's a real life friend!

    Andrew is helping *me* understand matters - not trying to convince
    anyone on Usenet of *anything*!

    > In fact, I am probably the only one here that accepts that an attacker
    > with access to (and intimate knowledge of) a particular computer can
    > compromise firmware in such a way as to have a *persistent* compromise
    > of the machine even if the hard drive is swapped out.
    >
    > ...and even then, such a machine would have to have a network
    > available for bootstrapping the malicious code.


    I'd like to know more about what you've said! Will you explain just
    where you have gained such insight?

    Is there anything in this Wiki article with which you disagree?
    http://en.wikipedia.org/wiki/BIOS

    The bad guys are still winning. All the anti-malware experts have so far
    failed to stem the tide of Cybercrime. They (the bad guys) obviously
    have an 'ace' up their sleeves!

    Just sayin'! ;-)

    BD



  7. #17
    FromTheRafters Guest

    Re: Ping: David H Lipman

    "~BD~" <~BD~@nomail.afraid.org> wrote in message
    news:i9h9fd$cm9$1@news.eternal-september.org...
    >
    > "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
    > news:i9fqng$ha0$1@news.eternal-september.org...
    >> "~BD~" <~BD~@nomail.afraid.org> wrote in message
    >> news:i9fdgi$16d$1@news.eternal-september.org...

    > [....]
    >>> He is a graduate of Manchester University and has a degree in
    >>> Computer Science and Mathematics. He's worked for IBM since Dustin
    >>> was born!

    >>
    >> That doesn't make him an expert on malware and/or its capabilities.

    >
    > Absolutely correct! He did understand all I mentioned to him though.


    Did he argue with you? If not, I doubt that he understood completely.
    )

    >>> He confirmed that malware *can* infect the BIOS - and then reinfect
    >>> a new or cleaned hard drive - *outside* of a laboratory environment.


    How did the subject malware manage to store enough code in firmware to
    achieve this? Did it displace or replace code that preexisted, or just
    use available free space? How many storage areas were involved (EEPROM),
    and how much total space was available?

    >> I would like to know what he meant by that, but since he is not
    >> here...

    >
    > He's a family man and still working - I doubt he's the time or
    > inclination to play here! However, if you tell me *what* to ask him,
    > I'll do so by email and advise you of his answer.


    If firmware code was displaced to the drive (which is usually the case)
    how would the malware recover from the error of not being able to find
    this displaced and now *missing* code (and thus be persistent) when the
    *new* drive is swapped in?

    >>> He did say that this was rare but he will liaise with his specialist
    >>> colleagues and thereafter endeavour to provide me with some
    >>> information to confirm his assertion.


    I think he misunderstood you, yet I think he is not confusing BIOS
    *corruption* with persistent firmware infection.

    >> He still hasn't said that any mobile code has shown that ability
    >> (outside a laboratory).

    >
    > I don't think I recognise what you mean by 'mobile code' - do you mean
    > 'in the wild'? Out there on the Internet?


    Well, basically yes, but not limited to that.

    When firmware storage chips became able to get updated code, they
    technically entered the mobile code arena. Now that they are not only
    updatable, but updatable by software running on the software platform
    affected by that update, they entered into the mobile code *problem* -
    and *that* is what I meant. The "in the wild" stuff usually means it has
    risen above some population threshold - that is to say that it has
    become enough of a *problem* for enough people that it must now be
    addressed by the anti-malware community.

    >> Even if he has actually seen for himself a persistent firmware
    >> compromise (one that can re-establish itself fully on a *new* disk) -
    >> he will still fail to convince anyone here that such can be
    >> *installed* by malicious mobile code.

    >
    > Hey! He's a real life friend!
    >
    > Andrew is helping *me* understand matters - not trying to convince
    > anyone on Usenet of *anything*!


    Yes, but *you* are attempting to convince some here by relaying his RL
    experiences. I was merely trying to point out that others have used
    words (universal, general) that indicate to me that they are thinking of
    a self-distributing persistent BIOS infection which is a near
    impossibility if not an actual impossibility. Any discussion will be
    worthless if the same words have us thinking about different things
    completely.

    >> In fact, I am probably the only one here that accepts that an
    >> attacker with access to (and intimate knowledge of) a particular
    >> computer can compromise firmware in such a way as to have a
    >> *persistent* compromise of the machine even if the hard drive is
    >> swapped out.
    >>
    >> ...and even then, such a machine would have to have a network
    >> available for bootstrapping the malicious code.

    >
    > I'd like to know more about what you've said! Will you explain just
    > where you have gained such insight?


    Firmware EEPROM (collectively) may have just enough storage space to
    accommodate a "beachhead" - not enough in and of itself to do battle. It
    would need to do just enough to avail itself of code waiting on *other*
    storage (such as on the disk or on the network); this is "bootstrapping".

    > Is there anything in this Wiki article with which you disagree?
    > http://en.wikipedia.org/wiki/BIOS


    Probably not, but you may be misunderstanding something there - is there
    something in particular that you would expect me or others here to
    disagree with?

    [...]



  8. #18
    Dustin Guest

    Re: Ping: David H Lipman

    "~BD~" <~BD~@nomail.afraid.org> wrote in
    news:i9h2en$lnb$1@news.eternal-september.org:

    > "Dustin" <bughunter.dustin@gmail.com> wrote in message
    > news:Xns9E1537F96841HHI2948AJD832@no...
    >> "~BD~" <~BD~@nomail.afraid.org> wrote in
    >> news:i9fpp5$svg$1@news.eternal-september.org:

    > [....]
    >>> No one has mentioned a 'general' BIOS infector - Dustin mentioned
    >>> a *universal* BIOS infector. I didn't!
    >>>
    >>> Isn't it possible that bad guys simply select a narrow target
    >>> area?

    >>
    >> That's entirely possible in theory; I've never disputed it. What
    >> would be the point tho? It would be a very specific target BD, as
    >> in; a particular system only and ones which are identical at least
    >> in so far as bios is concerned.

    >
    > Whilst specific, it could still be a very large group, Dustin.


    Doubtful. Computer models change every few months. Depending on which
    one you trojanized (you're basically only accomplishing this with a bios
    modification anyway) you might not even have a hundred users.

    >> However, it's already defeated in one sense. At least one mainboard
    >> manufacturer has been placing a backup BIOS on the mainboards which
    >> is not software writable. It can be used to blow away the primary
    >> system BIOS and reload her with known clean code. <G>

    >
    > That's very interesting! There must, surely, be a significant
    > *reason* why they've done so! Will you share which manufacturer?


    The reason? To ensure a customer could repair the machine in the event
    the customer (more likely) or a virus (far less likely) somehow
    corrupted the machine's system BIOS. It didn't render you with a dead
    mainboard. The manufacturer is gigabyte.

    > I have no doubt you are right! Some folk may have set up more than
    > one partition on a hard disk (say C: and D thinking that they can
    > reload Windows on C: and have a 'clean' machine again. My
    > understanding is that malware can lurk on the D: drive and easily
    > reinfect the 'new' C: partition. Is that correct?


    I don't see why not... Under conditions. It's not a magical process.

    > Maybe. Andrew has said he'll have a chat with his specialist pals
    > within IBM and get back to me. You will appreciate though that some
    > matters may need to be kept under wraps!


    With all due respect, Dave... I don't believe for one second that IBM
    or anybody else has super malware secrets the rest in the antimalware
    field aren't aware of. IBM published a web forum business package at
    one point; and a good friend of mine was able to exploit a
    vulnerability in the software and get a person's specific details; last
    used credit card, last user etc... So you'll have to excuse me if I
    don't think IBM is God any more so than Microsoft.



    --
    Some people are like a Slinky. Not much good for anything, but you
    can't help but smile when one tumbles down the stairs.

  9. #19
    ~BD~ Guest

    Re: Ping: David H Lipman


    "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
    news:i9i48s$ppq$1@news.eternal-september.org...
    > "~BD~" <~BD~@nomail.afraid.org> wrote in message
    > news:i9h9fd$cm9$1@news.eternal-september.org...

    [....]
    >>> That doesn't make him an expert on malware and/or its capabilities.

    >>
    >> Absolutely correct! He did understand all I mentioned to him though.

    >
    > Did he argue with you? If not, I doubt that he understood completely.
    > )


    See: http://www.youtube.com/watch?v=G_CG0frQAKc

    and http://www.youtube.com/watch?v=d33WVID2gdg

    >> Is there anything in this Wiki article with which you disagree?
    >> http://en.wikipedia.org/wiki/BIOS

    >
    > Probably not, but you may be misunderstanding something there - is
    > there something in particular that you would expect me or others here
    > to disagree with?


    No.

    I've emailed Andrew to review your points. I'll get back to you FTR.

    Dave



  10. #20
    ~BD~ Guest

    Re: Ping: David H Lipman


    "Dustin" <bughunter.dustin@gmail.com> wrote in message
    news:Xns9E159A5A98CFFHHI2948AJD832@no...
    > "~BD~" <~BD~@nomail.afraid.org> wrote in
    > news:i9h2en$lnb$1@news.eternal-september.org:
    >
    >> "Dustin" <bughunter.dustin@gmail.com> wrote in message
    >> news:Xns9E1537F96841HHI2948AJD832@no...
    >>> "~BD~" <~BD~@nomail.afraid.org> wrote in
    >>> news:i9fpp5$svg$1@news.eternal-september.org:

    >> [....]
    >>>> No one has mentioned a 'general' BIOS infector - Dustin mentioned
    >>>> a *universal* BIOS infector. I didn't!
    >>>>
    >>>> Isn't it possible that bad guys simply select a narrow target
    >>>> area?
    >>>
    >>> That's entirely possible in theory; I've never disputed it. What
    >>> would be the point tho? It would be a very specific target BD, as
    >>> in; a particular system only and ones which are identical at least
    >>> in so far as bios is concerned.

    >>
    >> Whilst specific, it could still be a very large group, Dustin.

    >
    > Doubtful. Computer models change every few months. Depending on which
    > one you trojanized (you're basically only accomplishing this with a bios
    > modification anyway) you might not even have a hundred users.


    If it *were* such a small group, I'd understand why such an attack
    method wouldn't be viable!

    >>> However, it's already defeated in one sense. At least one mainboard
    >>> manufacturer has been placing a backup BIOS on the mainboards which
    >>> is not software writable. It can be used to blow away the primary
    >>> system BIOS and reload her with known clean code. <G>

    >>
    >> That's very interesting! There must, surely, be a significant
    >> *reason* why they've done so! Will you share which manufacturer?

    >
    > The reason? To ensure a customer could repair the machine in the event
    > the customer (more likely) or a virus (far less likely) somehow
    > corrupted the machine's system BIOS. It didn't render you with a dead
    > mainboard. The manufacturer is gigabyte.


    Thanks for your comments.

    >> I have no doubt you are right! Some folk may have set up more than
    >> one partition on a hard disk (say C: and D thinking that they can
    >> reload Windows on C: and have a 'clean' machine again. My
    >> understanding is that malware can lurk on the D: drive and easily
    >> reinfect the 'new' C: partition. Is that correct?

    >
    > I don't see why not... Under conditions. It's not a magical process.


    Thanks for confirming that, Dustin.

    >> Maybe. Andrew has said he'll have a chat with his specialist pals
    >> within IBM and get back to me. You will appreciate though that some
    >> matters may need to be kept under wraps!

    >
    > With all due respect, Dave... I don't believe for one second that IBM
    > or anybody else has super malware secrets the rest in the antimalware
    > field aren't aware of. IBM published a web forum business package at
    > one point; and a good friend of mine was able to exploit a
    > vulnerability in the software and get a person's specific details; last
    > used credit card, last user etc... So you'll have to excuse me if I
    > don't think IBM is God any more so than Microsoft.


    Please don't misunderstand me, Dustin. All I meant was that it might be
    imprudent to notify any bad guys, on Usenet, just how close on the heels
    of the bad guys are the good guys!

    Alas, I fear they will *never* catch up!

    Dave


