Malware burrows deep into computer BIOS to escape AV

[Irkin Invader Zim]

On Oct 23, 8:57*pm, Emmett BADASS Gulley <emmettgulle...@gmail.com>
wrote:
> On Sep 15, 5:55*pm, "FromTheRafters" <erratic.how...@gmail.com> wrote:
>
>
>
>
>
> > "~BD~" <~...@nomail.afraid.org> wrote in message
>
> >news:j4s9f0$83h$1@dont-email.me...
>
> > > Researchers have discovered one of the first pieces of malware ever used in
> > > the wild that modifies the software on the motherboard of infected computers
> > > to ensure the infection can't be easily eradicated.
>
> > > Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it
> > > attacks to add malicious instructions that are executed early in a computer's
> > > boot-up sequence. The instructions, in turn, alter a computer's MBR, or master
> > > boot record, another system component that gets executed prior to theloading
> > > of the operating system of an infected machine. By corrupting the processes
> > > that run immediately after a PC starts, the malware stands a better chance of
> > > surviving attempts by antivirus programs to remove it.
>
> > >http://www.theregister.co.uk/2011/09...it_discovered/
>
> > > --
> > > Dave - exactly what *I've* suspected for years! ;-)
>
> > For years, you've been wrong. D
>
> > Now that it is ITW so they say, the naysayers will be silenced. But
> > you might want to consider that BIOS thing to be more like a
> > payload that *might* sink the roots deeper than was otherwise
> > possible. It is likely to owe more of its wilding ability to its being
> > a user-mode, kernel mode, *and* an MBR mode rootkit - plus a
> > virus - than to its being a BIOS modder. Just wait until some
> > wormable exploit is written to spread it or it gets adopted by evil
> > botnets.
>
> > TPM anyone?
>
> ROTFLMFAO!!!! This is just another version of the famous CMOS virus
> but only affects bios.



eMutt you don't even know what STFU means let alone CMOS or bios.

Please stop trying to be a computer expert you Keiser drop-out. Oh
wait you have to GO THERE FIRST to become a drop-out.
Wow. That is some failure you have. a drop-out drop-out. Holy ****,
can you get any stupider?

[Emmett BADASS Gulley]

On Oct 24, 8:36*pm, Irkin Invader Zim <fitnessforyou2...@yahoo.com>
wrote:
> On Oct 23, 8:57*pm, Emmett BADASS Gulley <emmettgulle...@gmail.com>
> wrote:
>
>
>
>
>
>
>
>
>
> > On Sep 15, 5:55*pm, "FromTheRafters" <erratic.how...@gmail.com> wrote:
>
> > > "~BD~" <~...@nomail.afraid.org> wrote in message
>
> > >news:j4s9f0$83h$1@dont-email.me...
>
> > > > Researchers have discovered one of the first pieces of malware everused in
> > > > the wild that modifies the software on the motherboard of infected computers
> > > > to ensure the infection can't be easily eradicated.
>
> > > > Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it
> > > > attacks to add malicious instructions that are executed early in a computer's
> > > > boot-up sequence. The instructions, in turn, alter a computer's MBR, or master
> > > > boot record, another system component that gets executed prior to the loading
> > > > of the operating system of an infected machine. By corrupting the processes
> > > > that run immediately after a PC starts, the malware stands a betterchance of
> > > > surviving attempts by antivirus programs to remove it.
>
> > > >http://www.theregister.co.uk/2011/09...it_discovered/
>
> > > > --
> > > > Dave - exactly what *I've* suspected for years! ;-)
>
> > > For years, you've been wrong. D
>
> > > Now that it is ITW so they say, the naysayers will be silenced. But
> > > you might want to consider that BIOS thing to be more like a
> > > payload that *might* sink the roots deeper than was otherwise
> > > possible. It is likely to owe more of its wilding ability to its being
> > > a user-mode, kernel mode, *and* an MBR mode rootkit - plus a
> > > virus - than to its being a BIOS modder. Just wait until some
> > > wormable exploit is written to spread it or it gets adopted by evil
> > > botnets.
>
> > > TPM anyone?
>
> > ROTFLMFAO!!!! This is just another version of the famous CMOS virus
> > but only affects bios.
>
> eMutt you don't even know what STFU means let alone CMOS or bios.
>
> Please stop trying to be a computer expert you Keiser drop-out. Oh
> wait you have to GO THERE FIRST to become a drop-out.
> Wow. That is some failure you have. a drop-out drop-out. Holy ****,
> can you get any stupider?

Ya'll don't pay any attention to this dork. He's been banned by just
about every NG on usenet.

[Emmett BADASS Gulley]

On Oct 23, 9:13*pm, "FromTheRafters" <erratic.how...@gmail.com> wrote:
> "Emmett BADASS Gulley" <emmettgulle...@gmail.com> wrote in messagenews:d0766b94-4cda-4206-a611-5c54f143f2f0@v15g2000vbm.googlegroups.com...
> On Sep 15, 6:14 pm, "FromTheRafters" <erratic.how...@gmail.com> wrote:
>
>
>
>
>
>
>
>
>
> > "David H. Lipman" <DLipman~nosp...@Verizon.Net> wrote in
> > messagenews:j4stlc02snp@news2.newsguy.com...
> > [...]
>
> > > Symantec's writeup...
> > >http://www.symantec.com/connect/blog...-showing-again
>
> > Ugh!
>
> > CIH didn't *infect* the BIOS, it corrupted it.
>
> > Anyway, it is one more step now that mobile code has *infected* the BIOS.
>
> > Not a BIOS virus either, as the BIOS code is a guardian program rather
> > than a copy of the infecting program. Still, expect some misinformation
> > to spread faster than the malware itself.
>
> WRONG!!!!!! any virus that changes anything is considered to have
> INFECTED the system. Damn your a ****nut.
>
> ***
> Within the context of my previous statement, "infection" referred to "viral
> infection".
>
> Viral infection is the attaching to code of 'a possibly mutated copy of the
> virus'.
>
> Since the new BIOS code Mebromi's installer drops does not contain a "virus",
> it can't be considered to have been infected by a virus even if Mebromi were a
> true virus in other aspects - which it isn't.

On the contrary. Evidently you don't know that there are several BIOS
type viruses out there. I got the CMOS years ago when it was unheard
of for CMOS to even get virus'

You act like this is just isolated but it's not. This is just like
rootkits that nobody ever knew existed until sony got busted.
> ***

[Emmett BADASS Gulley]

On Oct 24, 4:40*pm, Dustin <bughunter.dus...@gmail.com> wrote:
> Emmett BADASS Gulley <emmettgulle...@gmail.com> wrote in news:d0766b94-
> 4cda-4206-a611-5c54f143f...@v15g2000vbm.googlegroups.com:
>
>
>
>
>
>
>
>
>
>
>
> > On Sep 15, 6:14*pm, "FromTheRafters" <erratic.how...@gmail.com> wrote:
> >> "David H. Lipman" <DLipman~nosp...@Verizon.Net> wrote in
> messagenews:j4st
> > lc02...@news2.newsguy.com...
> >> [...]
>
> >> > Symantec's writeup...
> >> >http://www.symantec.com/connect/blog...-showing-again
>
> >> Ugh!
>
> >> CIH didn't *infect* the BIOS, it corrupted it.
>
> >> Anyway, it is one more step now that mobile code has *infected* the
> BIOS.
>
> >> Not a BIOS virus either, as the BIOS code is a guardian program rather
> >> than a copy of the infecting program. Still, expect some misinformation
> >> to spread faster than the malware itself.
>
> > WRONG!!!!!! any virus that changes anything is considered to have
> > INFECTED the system. Damn your a ****nut.
>
> You are a stupid ****er. I'll give you that.
>
> Changing registry keys isn't infecting your computer. Creating new data
> files isn't infecting your computer. ****ing stupid tard.

who ****ing said anything about registry's you ****ing asswipe???
>
> --
> I am a sinner
> Hold my prayers upto the sun
> I am a sinner
> Heaven's closed for what I've done.

[Emmett BADASS Gulley]

On Oct 24, 5:24*pm, "Rhonda Lea Kirk Fries"
<rhondaleak...@earthling.net> wrote:
> FromTheRafters wrote:
> > "Rhonda Lea Kirk Fries" <rhondaleak...@earthling.net> wrote in message
> >news:j847rh$hr5$1@news.datemas.de...
> >> FromTheRafters wrote:
> >>> "Emmett BADASS Gulley" <emmettgulle...@gmail.com> wrote in message
> >>>news:d0766b94-4cda-4206-a611-5c54f143f2f0@v15g2000vbm.googlegroups.com....
> >>> On Sep 15, 6:14 pm, "FromTheRafters" <erratic.how...@gmail.com>
> >>> wrote:
> >>>> "David H. Lipman" <DLipman~nosp...@Verizon.Net> wrote in
> >>>> messagenews:j4stlc02snp@news2.newsguy.com...
> >>>> [...]
>
> >>>>> Symantec's writeup...
> >>>>>http://www.symantec.com/connect/blog...-showing-again
>
> >>>> Ugh!
>
> >>>> CIH didn't *infect* the BIOS, it corrupted it.
>
> >>>> Anyway, it is one more step now that mobile code has *infected* the
> >>>> BIOS. Not a BIOS virus either, as the BIOS code is a guardian
> >>>> program rather than a copy of the infecting program. Still, expect
> >>>> some misinformation to spread faster than the malware itself.
>
> >>> WRONG!!!!!! any virus that changes anything is considered to have
> >>> INFECTED the system. Damn your a ****nut.
>
> >>> ***
> >>> Within the context of my previous statement, "infection" referred to
> >>> "viral infection".
>
> >>> Viral infection is the attaching to code of 'a possibly mutated copy
> >>> of the virus'.
>
> >>> Since the new BIOS code Mebromi's installer drops does not contain a
> >>> "virus", it can't be considered to have been infected by a virus
> >>> even if Mebromi were a true virus in other aspects - which it isn't.
> >>> ***
>
> >> The person who is trying to engage you is a toothless, homeless
> >> felon with an IQ approaching freezer temps.
>
> > Hi Rhonda.
>
> > I kinda suspected that - a first impression so to speak.
>
> > How does it handle spelling/grammar corrections?
>
> The same way he handles any other criticism--ranting, threats, blatant
> falsehoods.
>
> >> He also has pretensions to stalking, but he's not very good at it.
> >> You can read about his felony conviction here:
>
> >>http://www.washingtonpost.com/wp-srv...98/email01.htm
>
> > Maybe, if I get even more bored than I am now.
>
> Good call. A dose of Emmett could cause death by boredom.
>
> >> You can listen to a recording of the phone message that started it
> >> all here:http://www.youtube.com/watch?v=xxLkH99MMy8
>
> >> He will make a nice playmate for BD.
>
> > I guess we'll see. )
>
> Both Emmett and BD are in my killfile, so I--thankfully--will not see. I
> wanted to give you (and the rest of the sane folks) fair warning, but
> avoiding both of the aforementioned nutjobs is high on my list of things
> to do.

shut the **** up *****. You got your ass kicked in court by charles
novins.

[Irkin Invader Zim]

On Oct 24, 9:09*pm, Emmett BADASS Gulley <emmettgulle...@gmail.com>
wrote:
> On Oct 24, 4:40*pm, Dustin <bughunter.dus...@gmail.com> wrote:
>
>
>
>
>
> > Emmett BADASS Gulley <emmettgulle...@gmail.com> wrote in news:d0766b94-
> > 4cda-4206-a611-5c54f143f...@v15g2000vbm.googlegroups.com:
>
> > > On Sep 15, 6:14*pm, "FromTheRafters" <erratic.how...@gmail.com> wrote:
> > >> "David H. Lipman" <DLipman~nosp...@Verizon.Net> wrote in
> > messagenews:j4st
> > > lc02...@news2.newsguy.com...
> > >> [...]
>
> > >> > Symantec's writeup...
> > >> >http://www.symantec.com/connect/blog...-showing-again
>
> > >> Ugh!
>
> > >> CIH didn't *infect* the BIOS, it corrupted it.
>
> > >> Anyway, it is one more step now that mobile code has *infected* the
> > BIOS.
>
> > >> Not a BIOS virus either, as the BIOS code is a guardian program rather
> > >> than a copy of the infecting program. Still, expect some misinformation
> > >> to spread faster than the malware itself.
>
> > > WRONG!!!!!! any virus that changes anything is considered to have
> > > INFECTED the system. Damn your a ****nut.
>
> > You are a stupid ****er. I'll give you that.
>
> > Changing registry keys isn't infecting your computer. Creating new data
> > files isn't infecting your computer. ****ing stupid tard.
>
> who ****ing said anything about registry's you ****ing asswipe???


eMutt, no matter what newsgroup you post in, you are still an
illiterate, misinformed, stupid little *******.

[Irkin Invader Zim]

On Oct 24, 9:05*pm, Emmett BADASS Gulley <emmettgulle...@gmail.com>
wrote:
> On Oct 24, 8:36*pm, Irkin Invader Zim <fitnessforyou2...@yahoo.com>
> wrote:
>
>
>
>
>
> > On Oct 23, 8:57*pm, Emmett BADASS Gulley <emmettgulle...@gmail.com>
> > wrote:
>
> > > On Sep 15, 5:55*pm, "FromTheRafters" <erratic.how...@gmail.com> wrote:
>
> > > > "~BD~" <~...@nomail.afraid.org> wrote in message
>
> > > >news:j4s9f0$83h$1@dont-email.me...
>
> > > > > Researchers have discovered one of the first pieces of malware ever used in
> > > > > the wild that modifies the software on the motherboard of infected computers
> > > > > to ensure the infection can't be easily eradicated.
>
> > > > > Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it
> > > > > attacks to add malicious instructions that are executed early in a computer's
> > > > > boot-up sequence. The instructions, in turn, alter a computer's MBR, or master
> > > > > boot record, another system component that gets executed prior tothe loading
> > > > > of the operating system of an infected machine. By corrupting theprocesses
> > > > > that run immediately after a PC starts, the malware stands a better chance of
> > > > > surviving attempts by antivirus programs to remove it.
>
> > > > >http://www.theregister.co.uk/2011/09...it_discovered/
>
> > > > > --
> > > > > Dave - exactly what *I've* suspected for years! ;-)
>
> > > > For years, you've been wrong. D
>
> > > > Now that it is ITW so they say, the naysayers will be silenced. But
> > > > you might want to consider that BIOS thing to be more like a
> > > > payload that *might* sink the roots deeper than was otherwise
> > > > possible. It is likely to owe more of its wilding ability to its being
> > > > a user-mode, kernel mode, *and* an MBR mode rootkit - plus a
> > > > virus - than to its being a BIOS modder. Just wait until some
> > > > wormable exploit is written to spread it or it gets adopted by evil
> > > > botnets.
>
> > > > TPM anyone?
>
> > > ROTFLMFAO!!!! This is just another version of the famous CMOS virus
> > > but only affects bios.
>
> > eMutt you don't even know what STFU means let alone CMOS or bios.
>
> > Please stop trying to be a computer expert you Keiser drop-out. Oh
> > wait you have to GO THERE FIRST to become a drop-out.
> > Wow. That is some failure you have. a drop-out drop-out. Holy ****,
> > can you get any stupider?
>
> Ya'll don't pay any attention to this dork. He's been banned by just
> about every NG on usenet.


"Ya'll?"

If your intention was to sound like the toothless redneck walking
Halloween mask you appear in your photos, nice job.

Second, you can't get "banned" from a "NG," you dumb****.

Emmett, you have barely made six posts in alt.privacy.spyware and they
have already recognized you and called you out as being a dumb****.

[FromTheRafters]

"Emmett BADASS Gulley" <emmettgulley80@gmail.com> wrote in message
news:18d0dd2e-f0cb-4b56-82f9-97253942f18e@h5g2000vbf.googlegroups.com...
On Oct 23, 9:13 pm, "FromTheRafters" <erratic.how...@gmail.com> wrote:
> "Emmett BADASS Gulley" <emmettgulle...@gmail.com> wrote in
> messagenews:d0766b94-4cda-4206-a611-5c54f143f2f0@v15g2000vbm.googlegroups.com...
> On Sep 15, 6:14 pm, "FromTheRafters" <erratic.how...@gmail.com> wrote:
>
>
>
>
>
>
>
>
>
> > "David H. Lipman" <DLipman~nosp...@Verizon.Net> wrote in
> > messagenews:j4stlc02snp@news2.newsguy.com...
> > [...]
>
> > > Symantec's writeup...
> > >http://www.symantec.com/connect/blog...-showing-again
>
> > Ugh!
>
> > CIH didn't *infect* the BIOS, it corrupted it.
>
> > Anyway, it is one more step now that mobile code has *infected* the BIOS.
>
> > Not a BIOS virus either, as the BIOS code is a guardian program rather
> > than a copy of the infecting program. Still, expect some misinformation
> > to spread faster than the malware itself.
>
> WRONG!!!!!! any virus that changes anything is considered to have
> INFECTED the system. Damn your a ****nut.
>
> ***
> Within the context of my previous statement, "infection" referred to "viral
> infection".
>
> Viral infection is the attaching to code of 'a possibly mutated copy of the
> virus'.
>
> Since the new BIOS code Mebromi's installer drops does not contain a "virus",
> it can't be considered to have been infected by a virus even if Mebromi were a
> true virus in other aspects - which it isn't.

On the contrary. Evidently you don't know that there are several BIOS
type viruses out there

***
No there aren't. There were some that used the same kind of payload
that CIH used (I think Kriz and maybe Magistr?). That payload did write
to the BIOS, but the code written there was garbage code collected from
an arbitrary area of memory and not in itself *viral*. To *infect* the BIOS
the code needs to be viable (else it is just corruption) and to *virally infect*
the BIOS the valid code needs to be, itsel,f a virus - able to further the viral
infection.
***

I got the CMOS years ago when it was unheard
of for CMOS to even get virus'

***
While it may have been *affected*, the CMOS was not *infected* - there
*is* a difference. The same things as above apply to any code area, and
these code areas are a necessity for a *virus infection* to take place.

Viruses attach viable (possibly mutated) copies of themselves to code.
***

You act like this is just isolated but it's not. This is just like
rootkits that nobody ever knew existed until sony got busted.

***
LOL., Rootkits are as old as the hills, and what are being called rootkits
in the Windows world are mostly only old school stealth tactics revisited.
***

[~BD~]

FromTheRafters wrote:

> ***
> LOL., Rootkits are as old as the hills, and what are being called rootkits
> in the Windows world are mostly only old school stealth tactics revisited.
> ***

Wikipedia agrees with you!

*

Lane Davis and Steven Dake wrote the earliest known rootkit in 1990 for
Sun Microsystems' SunOS UNIX operating system. Ken Thompson of Bell
Labs, one of the creators of Unix, subverted the C compiler in a Unix
distribution and discussed the exploit in the lecture he gave upon
receiving the Turing award in 1983.

The modified compiler would detect attempts to compile the Unix "login"
command and generate altered code that would accept not only the user's
correct password, but an additional password known to the attacker.
Additionally, the compiler would detect attempts to compile a new
version of the compiler, and would insert the same exploits into the new
compiler. A review of the source code for the "login" command or the
updated compiler would not reveal any malicious code. This exploit was
equivalent to a rootkit.

The first malicious rootkit for the Windows NT operating system appeared
in 1999: a trojan called NTRootkit created by Greg Hoglund.[7] It was
followed by HackerDefender in 2003.[1] The first rootkit targeting Mac
OS X appeared in 2009, while the Stuxnet worm was the first to target
programmable logic controllers (PLC).

http://en.wikipedia.org/wiki/Rootkit

<aside>

Will you help me out with this please, FTR?
Message-ID: <j86f3h$rgk$1@dont-email.me>

[FromTheRafters]

"Irkin Invader Zim" <fitnessforyou2002@yahoo.com> wrote in message
news:329142bc-040f-4cd4-b1c8-3bfd3477bb87@m4g2000yqm.googlegroups.com...
On Oct 24, 9:05 pm, Emmett BADASS Gulley <emmettgulle...@gmail.com>
wrote:
> On Oct 24, 8:36 pm, Irkin Invader Zim <fitnessforyou2...@yahoo.com>
> wrote:
>
>
>
>
>
> > On Oct 23, 8:57 pm, Emmett BADASS Gulley <emmettgulle...@gmail.com>
> > wrote:
>
> > > On Sep 15, 5:55 pm, "FromTheRafters" <erratic.how...@gmail.com> wrote:
>
> > > > "~BD~" <~...@nomail.afraid.org> wrote in message
>
> > > >news:j4s9f0$83h$1@dont-email.me...
>
> > > > > Researchers have discovered one of the first pieces of malware ever
> > > > > used in
> > > > > the wild that modifies the software on the motherboard of infected
> > > > > computers
> > > > > to ensure the infection can't be easily eradicated.
>
> > > > > Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers
> > > > > it
> > > > > attacks to add malicious instructions that are executed early in a
> > > > > computer's
> > > > > boot-up sequence. The instructions, in turn, alter a computer's MBR,
> > > > > or master
> > > > > boot record, another system component that gets executed prior to the
> > > > > loading
> > > > > of the operating system of an infected machine. By corrupting the
> > > > > processes
> > > > > that run immediately after a PC starts, the malware stands a better
> > > > > chance of
> > > > > surviving attempts by antivirus programs to remove it.
>
> > > > >http://www.theregister.co.uk/2011/09...it_discovered/
>
> > > > > --
> > > > > Dave - exactly what *I've* suspected for years! ;-)
>
> > > > For years, you've been wrong. D
>
> > > > Now that it is ITW so they say, the naysayers will be silenced. But
> > > > you might want to consider that BIOS thing to be more like a
> > > > payload that *might* sink the roots deeper than was otherwise
> > > > possible. It is likely to owe more of its wilding ability to its being
> > > > a user-mode, kernel mode, *and* an MBR mode rootkit - plus a
> > > > virus - than to its being a BIOS modder. Just wait until some
> > > > wormable exploit is written to spread it or it gets adopted by evil
> > > > botnets.
>
> > > > TPM anyone?
>
> > > ROTFLMFAO!!!! This is just another version of the famous CMOS virus
> > > but only affects bios.
>
> > eMutt you don't even know what STFU means let alone CMOS or bios.
>
> > Please stop trying to be a computer expert you Keiser drop-out. Oh
> > wait you have to GO THERE FIRST to become a drop-out.
> > Wow. That is some failure you have. a drop-out drop-out. Holy ****,
> > can you get any stupider?
>
> Ya'll don't pay any attention to this dork. He's been banned by just
> about every NG on usenet.


[...]

Second, you can't get "banned" from a "NG," you dumb****.

***
Yes, you can. Some groups are private and moderated.
***