
Thread: Malware burrows deep into computer BIOS to escape AV


  1. #1
    ~BD~ Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    David H. Lipman wrote:
    > From: "~BD~"<~BD~@nomail.afraid.org>
    >
    >> David H. Lipman wrote:
    >>> From: "~BD~"<~BD~@nomail.afraid.org>
    >>>
    >>>> David H. Lipman wrote:
    >>>>> From: "~BD~"<~BD~@nomail.afraid.org>
    >>>>>
    >>>>>> Researchers have discovered one of the first pieces of malware ever used in the wild
    >>>>>> that modifies the software on the motherboard of infected computers to ensure the
    >>>>>> infection can't be easily eradicated.
    >>>>>>
    >>>>>> Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it attacks to add
    >>>>>> malicious instructions that are executed early in a computer's boot-up sequence. The
    >>>>>> instructions, in turn, alter a computer's MBR, or master boot record, another system
    >>>>>> component that gets executed prior to the loading of the operating system of an infected
    >>>>>> machine. By corrupting the processes that run immediately after a PC starts, the malware
    >>>>>> stands a better chance of surviving attempts by antivirus programs to remove it.
    >>>>>>
    >>>>>> http://www.theregister.co.uk/2011/09...it_discovered/
    >>>>>>
    >>>>>
    >>>>> This is the FIRST malware to infiltrate the BIOS that's been in the wild, it is targeting
    >>>>> Chinese computers in China and ONLY targets Phoenix/Award BIOS.
    >>>>>
    >>>>>
    >>>>
    >>>> Please explain exactly how you can be so certain about this, Mr Lipman.
    >>>
    >>>
    >>> It's called reading and understanding and it wasn't from reading TheRegister web page.
    >>>

    >>
    >> I think you are full of sh*t, Mr Lipman.
    >>

    >
    > Marco's writeup...
    > http://blog.webroot.com/2011/09/13/m...t-in-the-wild/
    >
    > Symantec's writeup...
    > http://www.symantec.com/connect/blog...-showing-again
    >
    > The sh!t is what spews from your fingertips.
    >
    >
    >


    I recall you saying that this was impossible. I simply cannot trust what
    you say. You are a fraud, Mr. Lipman.

  2. #2
    David H. Lipman Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    From: "~BD~" <~BD~@nomail.afraid.org>

    > David H. Lipman wrote:
    >> From: "~BD~"<~BD~@nomail.afraid.org>
    >>
    >>> David H. Lipman wrote:
    >>>> From: "~BD~"<~BD~@nomail.afraid.org>
    >>>>
    >>>>> David H. Lipman wrote:
    >>>>>> From: "~BD~"<~BD~@nomail.afraid.org>
    >>>>>>
    >>>>>>> Researchers have discovered one of the first pieces of malware ever used in the wild
    >>>>>>> that modifies the software on the motherboard of infected computers to ensure the
    >>>>>>> infection can't be easily eradicated.
    >>>>>>>
    >>>>>>> Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it attacks to add
    >>>>>>> malicious instructions that are executed early in a computer's boot-up sequence. The
    >>>>>>> instructions, in turn, alter a computer's MBR, or master boot record, another system
    >>>>>>> component that gets executed prior to the loading of the operating system of an infected
    >>>>>>> machine. By corrupting the processes that run immediately after a PC starts, the malware
    >>>>>>> stands a better chance of surviving attempts by antivirus programs to remove it.
    >>>>>>>
    >>>>>>> http://www.theregister.co.uk/2011/09...it_discovered/
    >>>>>>>
    >>>>>>
    >>>>>> This is the FIRST malware to infiltrate the BIOS that's been in the wild, it is targeting
    >>>>>> Chinese computers in China and ONLY targets Phoenix/Award BIOS.
    >>>>>>
    >>>>>>
    >>>>>
    >>>>> Please explain exactly how you can be so certain about this, Mr Lipman.
    >>>>
    >>>>
    >>>> It's called reading and understanding and it wasn't from reading TheRegister web page.
    >>>>
    >>>
    >>> I think you are full of sh*t, Mr Lipman.
    >>>

    >>
    >> Marco's writeup...
    >> http://blog.webroot.com/2011/09/13/m...t-in-the-wild/
    >>
    >> Symantec's writeup...
    >> http://www.symantec.com/connect/blog...-showing-again
    >>
    >> The sh!t is what spews from your fingertips.
    >>
    >>
    >>

    >
    > I recall you saying that this was impossible. I simply cannot trust what you say. You
    > are a fraud, Mr. Lipman.


    You recall WRONG. I elaborated how difficult it was and all the obstacles there were to
    overcome and said there was nothing in the wild at that time while you were creating FUD
    trying to prove that there "could" and probably were cases in the wild.

    NOW there is finally something in the wild yet this malware still has huge obstacles to
    overcome making it a poor implementation from the POV of the malicious actor.


    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp



  3. #3
    Peter Foldes Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:j4tc7t0489@news2.newsguy.com...
    > From: "~BD~" <~BD~@nomail.afraid.org>


    > You recall WRONG. I elaborated how difficult it was and all the obstacles there
    > were to overcome and said there was nothing in the wild at that time while you
    > were creating FUD trying to prove that there "could" and probably were cases in
    > the wild.
    >
    > NOW there is finally something in the wild yet this malware still has huge
    > obstacles to overcome making it a poor implementation from the POV of the
    > malicious actor.




    He is Trolling on purpose David. He is also extremely clueless and only believes
    what he decides in his brain and won't let go from that just like the pit-bull.

    JS


  4. #4
    David H. Lipman Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    From: "Peter Foldes" <okf22@hotmail.com>

    > "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:j4tc7t0489@news2.newsguy.com...
    >> From: "~BD~" <~BD~@nomail.afraid.org>

    >
    >> You recall WRONG. I elaborated how difficult it was and all the obstacles there were
    >> to overcome and said there was nothing in the wild at that time while you were
    >> creating FUD trying to prove that there "could" and probably were cases in the wild.
    >>
    >> NOW there is finally something in the wild yet this malware still has huge obstacles to
    >> overcome making it a poor implementation from the POV of the malicious actor.

    >
    >
    >
    > He is Trolling on purpose David. He is also extremely clueless and only believes what
    > he decides in his brain and won't let go from that just like the pit-bull.
    >
    > JS


    Unfortunately - yes
    { sigh }


    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp



  5. #5
    G. Morgan Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    David H. Lipman wrote:

    >You recall WRONG. I elaborated how difficult it was and all the obstacles there were to
    >overcome and said there was nothing in the wild at that time


    That's the way I remember it.

    You said it was possible, but none had been seen in the wild yet.



  6. #6
    ~BD~ Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    G. Morgan wrote:
    > David H. Lipman wrote:
    >
    >> You recall WRONG. I elaborated how difficult it was and all the obstacles there were to
    >> overcome and said there was nothing in the wild at that time

    >
    > That's the way I remember it.
    >
    > You said it was possible, but none had been seen in the wild yet.



    LoJack can *already* do it!!!

    Just because Mr Lipman hasn't seen versions 'in the wild' does *NOT*
    mean that there aren't such malware scenarios.

    I'll wager the bad guys are *way* ahead of those who try to catch them!

  7. #7
    David H. Lipman Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    From: "~BD~" <~BD~@nomail.afraid.org>

    > G. Morgan wrote:
    >> David H. Lipman wrote:
    >>
    >>> You recall WRONG. I elaborated how difficult it was and all the obstacles there were
    >>> to overcome and said there was nothing in the wild at that time

    >>
    >> That's the way I remember it.
    >>
    >> You said it was possible, but none had been seen in the wild yet.

    >
    >
    > LoJack can *already* do it!!!
    >
    > Just because Mr Lipman hasn't seen versions 'in the wild' does *NOT* mean that there
    > aren't such malware scenarios.
    >
    > I'll wager the bad guys are *way* ahead of those who try to catch them!


    LoJack is a different animal altogether and CAN NOT be lumped together with mebromi
    trojan.

    Mebromi is malware. LoJack is not.

    LoJack is loaded in an area of extra ROM at the factory and is designed to be there. For
    malware to be loaded in ROM at the factory we would have a whole different scenario which
    is called the Insider Threat.

    Mebromi uses a kludgy method of ROM injection based upon the IceLord proof of concept.

    LoJack in no way injects itself into ROM.

    You have a *bad* reading and comprehension problem!

    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp



  8. #8
    eeyore Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    On Fri, 16 Sep 2011 14:35:46 -0400, David H. Lipman wrote:

    > From: "~BD~" <~BD~@nomail.afraid.org>
    >
    >> G. Morgan wrote:
    >>> David H. Lipman wrote:
    >>>
    >>>> You recall WRONG. I elaborated how difficult it was and all the
    >>>> obstacles there were to
    >>>> overcome and said there was nothing in the wild at that time
    >>>
    >>> That's the way I remember it.
    >>>
    >>> You said it was possible, but none had been seen in the wild yet.

    >>
    >>
    >> LoJack can *already* do it!!!
    >>
    >> Just because Mr Lipman hasn't seen versions 'in the wild' does *NOT*
    >> mean that there aren't such malware scenarios.
    >>
    >> I'll wager the bad guys are *way* ahead of those who try to catch them!

    >
    > LoJack is a different animal altogether and CAN NOT be lumped together
    > with mebromi trojan.
    >
    > Mebromi is malware. LoJack is not.
    >
    > LoJack is loaded in an area of extra ROM at the factory and is designed
    > to be there. For malware to be loaded in ROM at the factory we would
    > have a whole different scenario which is called the Insider Threat.
    >
    > Mebromi uses a kludgy method of ROM injection based upon the IceLord
    > proof of concept.
    >
    > LoJack in no way injects itself into ROM.
    >
    > You have a *bad* reading and comprehension problem!


    you might as well be talking to a wall...
    --
    max
    Registered Linux User #393236

  9. #9
    JD Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    David H. Lipman wrote:
    > From: "~BD~"<~BD~@nomail.afraid.org>
    >
    >> G. Morgan wrote:
    >>> David H. Lipman wrote:
    >>>
    >>>> You recall WRONG. I elaborated how difficult it was and all the obstacles there were
    >>>> to overcome and said there was nothing in the wild at that time
    >>>
    >>> That's the way I remember it.
    >>>
    >>> You said it was possible, but none had been seen in the wild yet.

    >>
    >>
    >> LoJack can *already* do it!!!
    >>
    >> Just because Mr Lipman hasn't seen versions 'in the wild' does *NOT* mean that there
    >> aren't such malware scenarios.
    >>
    >> I'll wager the bad guys are *way* ahead of those who try to catch them!

    >
    > LoJack is a different animal altogether and CAN NOT be lumped together with mebromi
    > trojan.
    >
    > Mebromi is malware. LoJack is not.
    >
    > LoJack is loaded in an area of extra ROM at the factory and is designed to be there. For
    > malware to be loaded in ROM at the factory we would have a whole different scenario which
    > is called the Insider Threat.
    >
    > Mebromi uses a kludgy method of ROM injection based upon the IceLord proof of concept.
    >
    > LoJack in no way injects itself into ROM.
    >
    > You have a *bad* reading and comprehension problem!
    >


    A characteristic of a troll. Which you and Peter keep feeding.

    --
    JD..

  10. #10
    David H. Lipman Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    From: "JD" <JD@example.invalid>

    > David H. Lipman wrote:
    >> From: "~BD~"<~BD~@nomail.afraid.org>
    >>
    >>> G. Morgan wrote:
    >>>> David H. Lipman wrote:
    >>>>
    >>>>> You recall WRONG. I elaborated how difficult it was and all the obstacles there
    >>>>> were to overcome and said there was nothing in the wild at that time
    >>>>
    >>>> That's the way I remember it.
    >>>>
    >>>> You said it was possible, but none had been seen in the wild yet.
    >>>
    >>>
    >>> LoJack can *already* do it!!!
    >>>
    >>> Just because Mr Lipman hasn't seen versions 'in the wild' does *NOT* mean that there
    >>> aren't such malware scenarios.
    >>>
    >>> I'll wager the bad guys are *way* ahead of those who try to catch them!

    >>
    >> LoJack is a different animal altogether and CAN NOT be lumped together with mebromi
    >> trojan.
    >>
    >> Mebromi is malware. LoJack is not.
    >>
    >> LoJack is loaded in an area of extra ROM at the factory and is designed to be there.
    >> For malware to be loaded in ROM at the factory we would have a whole different scenario
    >> which is called the Insider Threat.
    >>
    >> Mebromi uses a kludgy method of ROM injection based upon the IceLord proof of concept.
    >>
    >> LoJack in no way injects itself into ROM.
    >>
    >> You have a *bad* reading and comprehension problem!
    >>

    >
    > A characteristic of a troll. Which you and Peter keep feeding.
    >


    You must realize that I am trying to get the facts straight for those who may read this
    news group or pick it up on one of those web forums that make believe they have forums
    but really just link to Usenet.



    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp


