Thread: Ping: David H Lipman

  1. #1
    Dustin Guest

    Re: Ping: David H Lipman

    "~BD~" <~BD~@nomail.afraid.org> wrote in
    news:i9fpp5$svg$1@news.eternal-september.org:

    > "Peter Foldes" <okf22@hotmail.com> wrote in message
    > news:i9fgm6$e7u$1@speranza.aioe.org...
    >> BD
    >>
    >> Your friend either did not tell you correctly or he does not know
    >> his stuff. A general Bios infector does not exist and it never has.
    >> I know a few people that have Masters degrees for many years and
    >> yet they are clueless to many if not most issues be it about
    >> anything

    >
    >
    > A better response from you, Peter Foldes, might have been to
    > acknowledge that you *lied* when you alleged that I do not *own* a
    > narrowboat! Ha!
    >
    > No one has mentioned a 'general' BIOS infector - Dustin mentioned a
    > *universal* BIOS infector. I didn't!
    >
    > Isn't it possible that bad guys simply select a narrow target area?


    That's entirely possible in theory; I've never disputed it. What would
    be the point tho? It would be a very specific target BD, as in; a
    particular system only and ones which are identical at least in so far
    as bios is concerned.

    However, it's already defeated in one sense.. At least one mainboard
    manufacturer has been placing a backup BIOS on the mainboards which is
    not software writable. It can be used to blow away the primary system
    BIOS and reload her with known clean code. <G>

    Other than crypto BD, (and that's really a time constraint issue) what
    can be done with software can usually be reversed with software.

    > He confirmed that malware *can* infect the BIOS - and then reinfect
    > a new or cleaned hard drive - *outside* of a laboratory environment.
    > He did say that this was rare but he will liaise with his specialist
    > colleagues and thereafter endeavour to provide me with some
    > information to confirm his assertion.


    On a very specific BIOS flashrom software configuration. Sure. You
    couldn't for example hit both of these machines on both sides of me
    with the same code. One is an AMD powered box and the other an Intel
    powered box, although both using VIA chipsets; very different in
    design. BIOSes are completely incompatible with each other.

    The closest thing to come to malware and BIOS was the infamous CIH
    virus, but the really interesting payload didn't always work. Only
    *some* bios systems supported the writing commands and accepted the
    corrupted code. Outside of a laboratory that is. Perhaps this is what your
    friend is thinking of?


    --
    Some people are like a Slinky. Not much good for anything, but you
    can't help but smile when one tumbles down the stairs.

  2. #2
    ~BD~ Guest

    Re: Ping: David H Lipman


    "Dustin" <bughunter.dustin@gmail.com> wrote in message
    news:Xns9E1537F96841HHI2948AJD832@no...
    > "~BD~" <~BD~@nomail.afraid.org> wrote in
    > news:i9fpp5$svg$1@news.eternal-september.org:

    [....]
    >> No one has mentioned a 'general' BIOS infector - Dustin mentioned a
    >> *universal* BIOS infector. I didn't!
    >>
    >> Isn't it possible that bad guys simply select a narrow target area?

    >
    > That's entirely possible in theory; I've never disputed it. What would
    > be the point tho? It would be a very specific target BD, as in; a
    > particular system only and ones which are identical at least in so far
    > as bios is concerned.


    Whilst specific, it could still be a very large group, Dustin.

    > However, it's already defeated in one sense.. At least one mainboard
    > manufacturer has been placing a backup BIOS on the mainboards which is
    > not software writable. It can be used to blow away the primary system
    > BIOS and reload her with known clean code. <G>


    That's very interesting! There must, surely, be a significant *reason*
    why they've done so! Will you share which manufacturer?

    > Other than crypto BD, (and that's really a time constraint issue) what
    > can be done with software can usually be reversed with software.


    I have no doubt you are right! Some folk may have set up more than one
    partition on a hard disk (say C: and D:) thinking that they can reload
    Windows on C: and have a 'clean' machine again. My understanding is that
    malware can lurk on the D: drive and easily reinfect the 'new' C:
    partition. Is that correct?

    >> He confirmed that malware *can* infect the BIOS - and then reinfect
    >> a new or cleaned hard drive - *outside* of a laboratory environment.
    >> He did say that this was rare but he will liaise with his specialist
    >> colleagues and thereafter endeavour to provide me with some
    >> information to confirm his assertion.

    >
    > On a very specific BIOS flashrom software configuration. Sure. You
    > couldn't for example hit both of these machines on both sides of me
    > with the same code. One is an AMD powered box and the other an Intel
    > powered box, although both using VIA chipsets; very different in
    > design. BIOSes are completely incompatible with each other.


    I do understand that, Dustin.

    > The closest thing to come to malware and BIOS was the infamous CIH
    > virus, but the really interesting payload didn't always work. Only
    > *some* bios systems supported the writing commands and accepted the
    > corrupted code. Outside of a laboratory that is. Perhaps this is what
    > your friend is thinking of?


    Maybe. Andrew has said he'll have a chat with his specialist pals within
    IBM and get back to me. You will appreciate though that some matters may
    need to be kept under wraps!

    Thanks for your comments.

    Dave



  3. #3
    Dustin Guest

    Re: Ping: David H Lipman

    "~BD~" <~BD~@nomail.afraid.org> wrote in
    news:i9h2en$lnb$1@news.eternal-september.org:

    > "Dustin" <bughunter.dustin@gmail.com> wrote in message
    > news:Xns9E1537F96841HHI2948AJD832@no...
    >> "~BD~" <~BD~@nomail.afraid.org> wrote in
    >> news:i9fpp5$svg$1@news.eternal-september.org:

    > [....]
    >>> No one has mentioned a 'general' BIOS infector - Dustin mentioned
    >>> a *universal* BIOS infector. I didn't!
    >>>
    >>> Isn't it possible that bad guys simply select a narrow target
    >>> area?

    >>
    >> That's entirely possible in theory; I've never disputed it. What
    >> would be the point tho? It would be a very specific target BD, as
    >> in; a particular system only and ones which are identical at least
    >> in so far as bios is concerned.

    >
    > Whilst specific, it could still be a very large group, Dustin.


    Doubtful. Computer models change every few months. Depending on which
    one you trojanized (you're basically only accomplishing this with a bios
    modification anyway) you might not even have a hundred users.

    >> However, it's already defeated in one sense.. At least one mainboard
    >> manufacturer has been placing a backup BIOS on the mainboards which
    >> is not software writable. It can be used to blow away the primary
    >> system BIOS and reload her with known clean code. <G>

    >
    > That's very interesting! There must, surely, be a significant
    > *reason* why they've done so! Will you share which manufacturer?


    The reason? To ensure a customer could repair the machine in the event
    the customer (more likely) or a virus (far less likely) somehow
    corrupted the machine's system BIOS. It didn't render you with a dead
    mainboard. The manufacturer is gigabyte.

    > I have no doubt you are right! Some folk may have set up more than
    > one partition on a hard disk (say C: and D:) thinking that they can
    > reload Windows on C: and have a 'clean' machine again. My
    > understanding is that malware can lurk on the D: drive and easily
    > reinfect the 'new' C: partition. Is that correct?


    I don't see why not... Under conditions. It's not a magical process.

    > Maybe. Andrew has said he'll have a chat with his specialist pals
    > within IBM and get back to me. You will appreciate though that some
    > matters may need to be kept under wraps!


    With all due respect, Dave... I don't believe for one second that IBM
    or anybody else has super malware secrets the rest in the antimalware
    field aren't aware of. IBM published a web forum business package at
    one point; and a good friend of mine was able to exploit a
    vulnerability in the software and get a person's specific details; last
    used credit card, last user etc...So you'll have to excuse me if I
    don't think IBM is God any more so than Microsoft.



    --
    Some people are like a Slinky. Not much good for anything, but you
    can't help but smile when one tumbles down the stairs.

  4. #4
    ~BD~ Guest

    Re: Ping: David H Lipman


    "Dustin" <bughunter.dustin@gmail.com> wrote in message
    news:Xns9E159A5A98CFFHHI2948AJD832@no...
    > "~BD~" <~BD~@nomail.afraid.org> wrote in
    > news:i9h2en$lnb$1@news.eternal-september.org:
    >
    >> "Dustin" <bughunter.dustin@gmail.com> wrote in message
    >> news:Xns9E1537F96841HHI2948AJD832@no...
    >>> "~BD~" <~BD~@nomail.afraid.org> wrote in
    >>> news:i9fpp5$svg$1@news.eternal-september.org:

    >> [....]
    >>>> No one has mentioned a 'general' BIOS infector - Dustin mentioned
    >>>> a *universal* BIOS infector. I didn't!
    >>>>
    >>>> Isn't it possible that bad guys simply select a narrow target
    >>>> area?
    >>>
    >>> That's entirely possible in theory; I've never disputed it. What
    >>> would be the point tho? It would be a very specific target BD, as
    >>> in; a particular system only and ones which are identical at least
    >>> in so far as bios is concerned.

    >>
    >> Whilst specific, it could still be a very large group, Dustin.

    >
    > Doubtful. Computer models change every few months. Depending on which
    > one you trojanized (you're basically only accomplishing this with a bios
    > modification anyway) you might not even have a hundred users.


    If it *were* such a small group, I'd understand why such an attack
    method wouldn't be viable!

    >>> However, it's already defeated in one sense.. At least one mainboard
    >>> manufacturer has been placing a backup BIOS on the mainboards which
    >>> is not software writable. It can be used to blow away the primary
    >>> system BIOS and reload her with known clean code. <G>

    >>
    >> That's very interesting! There must, surely, be a significant
    >> *reason* why they've done so! Will you share which manufacturer?

    >
    > The reason? To ensure a customer could repair the machine in the event
    > the customer (more likely) or a virus (far less likely) somehow
    > corrupted the machine's system BIOS. It didn't render you with a dead
    > mainboard. The manufacturer is gigabyte.


    Thanks for your comments.

    >> I have no doubt you are right! Some folk may have set up more than
    >> one partition on a hard disk (say C: and D:) thinking that they can
    >> reload Windows on C: and have a 'clean' machine again. My
    >> understanding is that malware can lurk on the D: drive and easily
    >> reinfect the 'new' C: partition. Is that correct?

    >
    > I don't see why not... Under conditions. It's not a magical process.


    Thanks for confirming that, Dustin.

    >> Maybe. Andrew has said he'll have a chat with his specialist pals
    >> within IBM and get back to me. You will appreciate though that some
    >> matters may need to be kept under wraps!

    >
    > With all due respect, Dave... I don't believe for one second that IBM
    > or anybody else has super malware secrets the rest in the antimalware
    > field aren't aware of. IBM published a web forum business package at
    > one point; and a good friend of mine was able to exploit a
    > vulnerability in the software and get a person's specific details; last
    > used credit card, last user etc...So you'll have to excuse me if I
    > don't think IBM is God any more so than Microsoft.


    Please don't misunderstand me, Dustin. All I meant was that it might be
    imprudent to notify any bad guys, on Usenet, just how close on the heels
    of the bad guys are the good guys!

    Alas, I fear they will *never* catch up!

    Dave



  5. #5
    FromTheRafters Guest

    Re: Ping: David H Lipman

    "~BD~" <~BD~@nomail.afraid.org> wrote in message
    news:i9ia6e$7tg$1@news.eternal-september.org...
    >
    > "Dustin" <bughunter.dustin@gmail.com> wrote in message
    > news:Xns9E159A5A98CFFHHI2948AJD832@no...
    >> "~BD~" <~BD~@nomail.afraid.org> wrote in
    >> news:i9h2en$lnb$1@news.eternal-september.org:
    >>
    >>> "Dustin" <bughunter.dustin@gmail.com> wrote in message
    >>> news:Xns9E1537F96841HHI2948AJD832@no...
    >>>> "~BD~" <~BD~@nomail.afraid.org> wrote in
    >>>> news:i9fpp5$svg$1@news.eternal-september.org:
    >>> [....]
    >>>>> No one has mentioned a 'general' BIOS infector - Dustin mentioned
    >>>>> a *universal* BIOS infector. I didn't!
    >>>>>
    >>>>> Isn't it possible that bad guys simply select a narrow target
    >>>>> area?
    >>>>
    >>>> That's entirely possible in theory; I've never disputed it. What
    >>>> would be the point tho? It would be a very specific target BD, as
    >>>> in; a particular system only and ones which are identical at least
    >>>> in so far as bios is concerned.
    >>>
    >>> Whilst specific, it could still be a very large group, Dustin.

    >>
    >> Doubtful. Computer models change every few months. Depending on which
    >> one you trojanized (you're basically only accomplishing this with a
    >> bios modification anyway) you might not even have a hundred users.

    >
    > If it *were* such a small group, I'd understand why such an attack
    > method wouldn't be viable!


    A much larger group exists, that is the group of people whose computer's
    BIOS is ever susceptible to corruption.
    Since they almost all are, that group is "everyone".

    http://www.biosman.com/biosrecovery.html

    It is *not* just about corruption due to malware, bit rot counts too.

    [...]



  6. #6
    ~BD~ Guest

    Re: Ping: David H Lipman


    "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
    news:i9icpl$rcn$1@news.eternal-september.org...
    [....]
    > A much larger group exists, that is the group of people whose
    > computer's BIOS is ever susceptible to corruption.
    > Since they almost all are, that group is "everyone".
    >
    > http://www.biosman.com/biosrecovery.html
    >
    > It is *not* just about corruption due to malware, bit rot counts too.
    >


    I thought you might be pulling my leg again FTR, then found
    http://en.wikipedia.org/wiki/Bit_rot

    I've only once flashed the BIOS on a machine and that was years ago. I
    would have started off here
    http://eu.msi.com/index.php?func=downloadindex

    Nowadays, though, I'd probably simply replace either the motherboard or,
    more likely, the whole machine! ;-)



  7. #7
    Peter Foldes Guest

    Re: Ping: David H Lipman

    Read the following also so as you will have a base to this issue

    http://www.biosman.com/faq.html

    --
    Peter
    Please Reply to Newsgroup for the benefit of others
    Requests for assistance by email can not and will not be acknowledged.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    http://www.microsoft.com/protect


    "~BD~" <~BD~@nomail.afraid.org> wrote in message
    news:i9jli3$uc2$1@news.eternal-september.org...
    >
    > "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
    > news:i9icpl$rcn$1@news.eternal-september.org...
    > [....]
    >> A much larger group exists, that is the group of people whose computer's BIOS is
    >> ever susceptible to corruption.
    >> Since they almost all are, that group is "everyone".
    >>
    >> http://www.biosman.com/biosrecovery.html
    >>
    >> It is *not* just about corruption due to malware, bit rot counts too.
    >>

    >
    > I thought you might be pulling my leg again FTR, then found
    > http://en.wikipedia.org/wiki/Bit_rot
    >
    > I've only once flashed the BIOS on a machine and that was years ago. I would have
    > started off here http://eu.msi.com/index.php?func=downloadindex
    >
    > Nowadays, though, I'd probably simply replace either the motherboard or, more
    > likely, the whole machine! ;-)
    >



  8. #8
    Dustin Guest

    Re: Ping: David H Lipman

    "~BD~" <~BD~@nomail.afraid.org> wrote in
    news:i9jli3$uc2$1@news.eternal-september.org:

    > Nowadays, though, I'd probably simply replace either the motherboard
    > or, more likely, the whole machine! ;-)


    The landfills appreciate ignorance like that. I don't, but they do. They
    absolutely love it when people replace and throw away rather than repair.
    It's understandable if the machine is really old and/or beyond repair,
    but... Many times that's not the case.


    --
    Some people are like a Slinky. Not much good for anything, but you can't
    help but smile when one tumbles down the stairs.
