
Thread: Malware burrows deep into computer BIOS to escape AV

  1. #11
    David H. Lipman Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    From: "~BD~" <~BD~@nomail.afraid.org>

    > David H. Lipman wrote:
    >> From: "~BD~"<~BD~@nomail.afraid.org>
    >>
    >>> David H. Lipman wrote:
    >>>> From: "~BD~"<~BD~@nomail.afraid.org>
    >>>>
    >>>>> David H. Lipman wrote:
    >>>>>> From: "~BD~"<~BD~@nomail.afraid.org>
    >>>>>>
    >>>>>>> Researchers have discovered one of the first pieces of malware ever used in the
    >>>>>>> wild that modifies the software on the motherboard of infected computers to
    >>>>>>> ensure the infection can't be easily eradicated.
    >>>>>>>
    >>>>>>> Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it attacks
    >>>>>>> to add malicious instructions that are executed early in a computer's boot-up
    >>>>>>> sequence. The instructions, in turn, alter a computer's MBR, or master boot
    >>>>>>> record, another system component that gets executed prior to the loading of the
    >>>>>>> operating system of an infected machine. By corrupting the processes that run
    >>>>>>> immediately after a PC starts, the malware stands a better chance of surviving
    >>>>>>> attempts by antivirus programs to remove it.
    >>>>>>>
    >>>>>>> http://www.theregister.co.uk/2011/09...it_discovered/
    >>>>>>>
    >>>>>>
    >>>>>> This is the FIRST malware to infiltrate the BIOS that's been in the wild, it is
    >>>>>> targeting Chinese computers in China and ONLY targets Phoenix/Award BIOS.
    >>>>>>
    >>>>>>
    >>>>>
    >>>>> Please explain exactly how you can be so certain about this, Mr Lipman.
    >>>>
    >>>>
    >>>> It's called reading and understanding and it wasn't from reading TheRegister web page.
    >>>>
    >>>
    >>> I think you are full of sh*t, Mr Lipman.
    >>>

    >>
    >> Marco's writeup...
    >> http://blog.webroot.com/2011/09/13/m...t-in-the-wild/
    >>
    >> Symantec's writeup...
    >> http://www.symantec.com/connect/blog...-showing-again
    >>
    >> The sh!t is what spews from your fingertips.
    >>
    >>
    >>

    >
    > I recall you saying that this was impossible. I simply cannot trust what you say. You
    > are a fraud, Mr. Lipman.


    You recall WRONG. I elaborated how difficult it was and all the obstacles there were to
    overcome and said there was nothing in the wild at that time while you were creating FUD
    trying to prove that there "could" and probably were cases in the wild.

    NOW there is finally something in the wild yet this malware still has huge obstacles to
    overcome making it a poor implementation from the POV of the malicious actor.


    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp



  2. #12
    Peter Foldes Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:j4tc7t0489@news2.newsguy.com...
    > From: "~BD~" <~BD~@nomail.afraid.org>


    > You recall WRONG. I elaborated how difficult it was and all the obstacles there
    > were to overcome and said there was nothing in the wild at that time while you
    > were creating FUD trying to prove that there "could" and probably were cases in
    > the wild.
    >
    > NOW there is finally something in the wild yet this malware still has huge
    > obstacles to overcome making it a poor implementation from the POV of the
    > malicious actor.




    He is Trolling on purpose David. He is also extremely clueless and only believes
    what he decides in his brain and won't let go from that just like the pit-bull.

    JS


  3. #13
    David H. Lipman Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    From: "Peter Foldes" <okf22@hotmail.com>

    > "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:j4tc7t0489@news2.newsguy.com...
    >> From: "~BD~" <~BD~@nomail.afraid.org>

    >
    >> You recall WRONG. I elaborated how difficult it was and all the obstacles there were
    >> to overcome and said there was nothing in the wild at that time while you were
    >> creating FUD trying to prove that there "could" and probably were cases in the wild.
    >>
    >> NOW there is finally something in the wild yet this malware still has huge obstacles to
    >> overcome making it a poor implementation from the POV of the malicious actor.

    >
    >
    >
    > He is Trolling on purpose David. He is also extremely clueless and only believes what
    > he decides in his brain and won't let go from that just like the pit-bull.
    >
    > JS


    Unfortunately - yes
    { sigh }


    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp



  4. #14
    FromTheRafters Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    "~BD~" <~BD~@nomail.afraid.org> wrote in message
    news:j4s9f0$83h$1@dont-email.me...
    > Researchers have discovered one of the first pieces of malware ever used in
    > the wild that modifies the software on the motherboard of infected computers
    > to ensure the infection can't be easily eradicated.
    >
    > Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it
    > attacks to add malicious instructions that are executed early in a computer's
    > boot-up sequence. The instructions, in turn, alter a computer's MBR, or master
    > boot record, another system component that gets executed prior to the loading
    > of the operating system of an infected machine. By corrupting the processes
    > that run immediately after a PC starts, the malware stands a better chance of
    > surviving attempts by antivirus programs to remove it.
    >
    > http://www.theregister.co.uk/2011/09...it_discovered/
    >
    > --
    > Dave - exactly what *I've* suspected for years! ;-)


    For years, you've been wrong. D

    Now that it is ITW so they say, the naysayers will be silenced. But
    you might want to consider that BIOS thing to be more like a
    payload that *might* sink the roots deeper than was otherwise
    possible. It is likely to owe more of its wilding ability to its being
    a user-mode, kernel mode, *and* an MBR mode rootkit - plus a
    virus - than to its being a BIOS modder. Just wait until some
    wormable exploit is written to spread it or it gets adopted by evil
    botnets.

    TPM anyone?




  5. #15
    FromTheRafters Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:j4ssc102rsj@news2.newsguy.com...

    > It's called reading and understanding and it wasn't from reading TheRegister web
    > page.


    LOL.



  6. #16
    FromTheRafters Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:j4stlc02snp@news2.newsguy.com...
    [...]

    > Symantec's writeup...
    > http://www.symantec.com/connect/blog...-showing-again


    Ugh!

    CIH didn't *infect* the BIOS, it corrupted it.

    Anyway, it is one more step now that mobile code has *infected* the BIOS.

    Not a BIOS virus either, as the BIOS code is a guardian program rather
    than a copy of the infecting program. Still, expect some misinformation
    to spread faster than the malware itself.
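
Added example, not part of any post in this thread: a defender-side check for the behaviour discussed above, where code that runs before the MBR rewrites it at boot, so repairing the MBR alone does not hold. It hashes only the MBR bootstrap code against a known-good baseline and flags tampering that comes back after a repair. The function names, the baseline workflow and the sample sectors are assumptions constructed for illustration.

```python
import hashlib

BOOT_CODE_LEN = 440    # bootstrap code area; disk signature and partition table follow
PART_TABLE_OFF = 446   # four 16-byte partition entries
SIGNATURE_OFF = 510    # 0x55 0xAA boot signature

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into the parts that matter for an integrity check."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    return {
        # Hash only the code: partition edits are legitimate and must not alert.
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": [sector[o:o + 16] for o in range(PART_TABLE_OFF, SIGNATURE_OFF, 16)],
    }

def classify(boot_samples, baseline_hash: str) -> str:
    """Classify MBR sectors captured at successive boots, oldest first.

    'clean'                - boot code always matched the baseline
    'modified'             - boot code differed at least once
    'reverts-after-repair' - tampering came back after a sample that matched again
    """
    seen_bad = repaired = False
    for sector in boot_samples:
        good = parse_mbr(sector)["boot_code_sha256"] == baseline_hash
        if not good and repaired:
            return "reverts-after-repair"
        if not good:
            seen_bad = True
        elif seen_bad:
            repaired = True
    return "modified" if seen_bad else "clean"

def make_mbr(boot_code: bytes, part_entry: bytes = b"\x00" * 16) -> bytes:
    """Build a constructed 512-byte sector for the demo (not a real boot loader)."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x00" * 6
    return body + part_entry + b"\x00" * 48 + b"\x55\xaa"

if __name__ == "__main__":
    clean = make_mbr(b"\xfa\x33\xc0")        # constructed bytes
    tampered = make_mbr(b"\xeb\x3c\x90")     # constructed bytes
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print(classify([clean, tampered, clean, tampered], baseline))
```

A `reverts-after-repair` result means the cause sits earlier in the boot chain than the MBR, so the sector cannot be trusted until that earlier stage is verified or reflashed from a known-good image.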



  7. #17
    Peter Foldes Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:j4sofp01551@news6.newsguy.com...
    > From: "~BD~" <~BD~@nomail.afraid.org>



    Thanks David for catching it and removing it. Awful when he does that. It has no
    business in the other group



  8. #18
    G. Morgan Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    David H. Lipman wrote:

    >You recall WRONG. I elaborated how difficult it was and all the obstacles there were to
    >overcome and said there was nothing in the wild at that time


    That's the way I remember it.

    You said it was possible, but none had been seen in the wild yet.



  9. #19
    G. Morgan Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    FromTheRafters wrote:

    >TPM anyone?


    Big Brother.


  10. #20
    ~BD~ Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    G. Morgan wrote:
    > FromTheRafters wrote:
    >
    >> TPM anyone?

    >
    > Big Brother.
    >


    ?????????? An explanation will be appreciated!
