
Thread: Ping FTR: Mebromi BIOS Virus Out in the Wild

  1. #81
    FromTheRafters Guest

    Re: Ping FTR: Mebromi BIOS Virus Out in the Wild

    "~BD~" <~BD~@nomail.afraid.org> wrote in message
    news:j6u832$in8$1@dont-email.me...
    > FromTheRafters wrote:
    >> "~BD~"<~BD~@nomail.afraid.org> wrote in message
    >> news:j6sfd0$26j$1@dont-email.me...
    >>> You've advised that this is impossible!

    >>
    >> No I haven't. I believe I told you that there was not yet enough room in the
    >> BIOS for a virus *infection* in the BIOS. I also am the one that pointed you
    >> to
    >> several papers on PCI rootkits and such.

    >
    >
    > Forgive me if I misunderstood. I have always valued your help and advice.
    >
    >
    >> LoJack for Laptops comes closer to being a virus than does Mebromi.
    >>
    >> I think that soon there will be a virus that infects the BIOS and have always
    >> thought so, but it may not behave like your typical malware virus.

    >
    >
    > Such a virus could render a computer more or less useless?


    It could be benign as well.

    > Would a cost-effective repair be possible do you think?


    Of course, what can be done in software can be undone in software. This
    is less about the virus aspect and more about persistence and stealth.

    Once you know it is there, removing it is a breeze.

    [...]

    >> AFAIK, it is a trojan that installs an MBR rootkit and uses the BIOS as
    >> a guardian for that MBR rootkit (persistence). In addition, a kernel mode
    >> rootkit that hides an additional downloader's actions. It infects two
    >> specific
    >> system PE files as a startup method for said stealth downloader.

    >
    > I know you like to be 'correct' in the use of terms, FTR (and rightly so) -
    > but the *effect* is what *really* matters IMO!


    And that *effect* depends entirely on what it *is* rather than what
    people think it is.

    [...]

    >> Do you have any specific on topic questions for the spyware group?

    >
    > Yes. How would anyone know that they had been infected in this manner if their
    > anti-malware programmes didn't flag same?


    They wouldn't.

    But these things don't exist in a vacuum. The chances are great that such
    an infection would be used to persistently hide the activities of some
    associated malware. That associated malware may well be detected
    from outside the stealthed environment. Usually, there will be network
    activity associated with the malware for instance.

    [...]
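    The detection angle raised above (look at the machine from outside the stealthed environment, because inside it the rootkit controls what you see) as an added example, not code from this thread or from anyone posting in it: an offline MBR integrity check. It reads the first 512 bytes of a raw disk image (or of a disk accessed from rescue media), splits them into the standard MBR fields, and compares the bootstrap code and partition table against a baseline recorded while the machine was known good. The two sample sectors, the disk signature and the partition entry in them are constructed for the demo; the field offsets are the classic MBR layout. It says nothing about what sits in the BIOS itself; it tells you whether the MBR that such a guardian would keep rewriting differs from your baseline.

```python
"""Offline MBR integrity check (added example, not code from the thread).

Compares a 512-byte MBR sector read from OUTSIDE the suspect OS (a forensic
image, or a rescue-media boot) against a baseline recorded earlier. An MBR
rootkit hooks disk reads inside the running OS, so a sector read from within
it may look clean; reading from outside is the point of the check.

Layout used is the classic MBR: 440 bytes bootstrap code, 4-byte disk
signature, 2 reserved bytes, 4 x 16-byte partition entries, 0x55AA.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440
PT_OFFSET = 446
PT_ENTRY_LEN = 16
SIG_OFFSET = 510


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_mbr(sector: bytes) -> dict:
    """Split the sector into its fields and decode the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PT_OFFSET + i * PT_ENTRY_LEN
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA(4) count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "disk_signature": sector[BOOT_CODE_LEN:BOOT_CODE_LEN + 4],
        "partition_table": sector[PT_OFFSET:PT_OFFSET + 4 * PT_ENTRY_LEN],
        "valid_signature": sector[SIG_OFFSET:] == b"\x55\xaa",
        "partitions": partitions,
    }


def make_baseline(sector: bytes) -> dict:
    """Record what a known-good MBR looks like (keep this off the host)."""
    m = parse_mbr(sector)
    return {"boot_code_sha256": sha256_hex(m["boot_code"]),
            "partition_table_sha256": sha256_hex(m["partition_table"])}


def check_mbr(sector: bytes, baseline: dict) -> dict:
    """Compare a freshly read sector with the baseline and list deviations."""
    m = parse_mbr(sector)
    findings = []
    if not m["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if sha256_hex(m["boot_code"]) != baseline["boot_code_sha256"]:
        findings.append("bootstrap code differs from baseline")
    if sha256_hex(m["partition_table"]) != baseline["partition_table_sha256"]:
        findings.append("partition table differs from baseline")
    return {"clean": not findings, "findings": findings, "partitions": m["partitions"]}


def read_mbr(path: str) -> bytes:
    """First sector of a raw disk image (for example one taken with dd)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


# --- constructed sample data, not taken from any real disk -----------------
def _build_sector(boot_code: bytes) -> bytes:
    s = bytearray(SECTOR_SIZE)
    s[:len(boot_code)] = boot_code
    s[BOOT_CODE_LEN:BOOT_CODE_LEN + 4] = b"\x12\x34\x56\x78"  # made-up disk signature
    # one bootable type-0x07 partition starting at LBA 2048, 204800 sectors long
    s[PT_OFFSET:PT_OFFSET + PT_ENTRY_LEN] = struct.pack(
        "<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    s[SIG_OFFSET:] = b"\x55\xaa"
    return bytes(s)


CLEAN_BOOT_CODE = bytes.fromhex("fa33c08ed0bc007c") + b"\x90" * (BOOT_CODE_LEN - 8)
CLEAN_MBR = _build_sector(CLEAN_BOOT_CODE)
# Same partition table, altered bootstrap code: the footprint an MBR-level
# persistence mechanism leaves behind while the OS still boots normally.
ALTERED_MBR = _build_sector(b"\xeb\x1e" + CLEAN_BOOT_CODE[2:])
BASELINE = make_baseline(CLEAN_MBR)

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_MBR), ("altered", ALTERED_MBR)):
        r = check_mbr(sec, BASELINE)
        print(name, "OK" if r["clean"] else "DEVIATION: " + "; ".join(r["findings"]))
```

    In practice the baseline is taken once from a trusted state and stored away from the machine; the check is then run on `read_mbr("/path/to/image.dd")` made from rescue media, never on a sector the suspect OS hands you. A differing bootstrap area with an unchanged partition table is the case worth a closer look, because the system keeps booting and nothing inside it complains.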



  2. #82
    ~BD~ Guest

    Re: Ping FTR: Mebromi BIOS Virus Out in the Wild

    FromTheRafters wrote:
    > "~BD~"<~BD~@nomail.afraid.org> wrote in message
    > news:j6u832$in8$1@dont-email.me...
    >> FromTheRafters wrote:
    >>> "~BD~"<~BD~@nomail.afraid.org> wrote in message
    >>> news:j6sfd0$26j$1@dont-email.me...
    >>>> You've advised that this is impossible!
    >>>
    >>> No I haven't. I believe I told you that there was not yet enough room in the
    >>> BIOS for a virus *infection* in the BIOS. I also am the one that pointed you
    >>> to
    >>> several papers on PCI rootkits and such.

    >>
    >>
    >> Forgive me if I misunderstood. I have always valued your help and advice.
    >>
    >>
    >>> LoJack for Laptops comes closer to being a virus than does Mebromi.
    >>>
    >>> I think that soon there will be a virus that infects the BIOS and have always
    >>> thought so, but it may not behave like your typical malware virus.

    >>
    >>
    >> Such a virus could render a computer more or less useless?

    >
    > It could be benign as well.
    >
    >> Would a cost-effective repair be possible do you think?

    >
    > Of course, what can be done in software can be undone in software. This
    > is less about the virus aspect and more about persistence and stealth.
    >
    > Once you know it is there, removing it is a breeze.



    Ah! Right on the nail! :-)


    > [...]
    >
    >>> AFAIK, it is a trojan that installs an MBR rootkit and uses the BIOS as
    >>> a guardian for that MBR rootkit (persistence). In addition, a kernel mode
    >>> rootkit that hides an additional downloader's actions. It infects two
    >>> specific
    >>> system PE files as a startup method for said stealth downloader.

    >>
    >> I know you like to be 'correct' in the use of terms, FTR (and rightly so) -
    >> but the *effect* is what *really* matters IMO!

    >
    > And that *effect* depends entirely on what it *is* rather than what
    > people think it is.
    >
    > [...]


    OK - I'll not argue that point.

    >>> Do you have any specific on topic questions for the spyware group?

    >>
    >> Yes. How would anyone know that they had been infected in this manner if their
    >> anti-malware programmes didn't flag same?

    >
    > They wouldn't.


    *Exactly*!

    > But these things don't exist in a vacuum. The chances are great that such
    > an infection would be used to persistently hide the activities of some
    > associated malware. That associated malware may well be detected
    > from outside the stealthed environment. Usually, there will be network
    > activity associated with the malware for instance.


    Still not easy to detect, especially if one isn't looking for same!

    Thanks for your answers, FTR. :-)

  3. #83
    Dustin Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    ~BD~ <~BD~@nomail.afraid.org> wrote in news:j73a2f$u7r$1@dont-email.me:


    > We interpreted the given information differently, obviously.


    You interpreted the information? David, I'm looking at the file you sent
    me. How could you possibly interpret it any other way than as presented?

    Why did you send me a jpeg of the conversation anyway? Why not a forwarded
    email with the headers intact? *shrug*

    Fact is, you based your implications on bad information. Tony Klein and
    yourself both did. I was sure to be upfront about my history concerning
    BugHunter, well before I was invited! to come work for malwarebytes.

    They researched me, they chose to ask if I was interested. I chose to work
    for them for a period of time. It's as simple as that. I wasn't let go due
    to my past, bad ethics, or difficulty in working with peers. I wasn't "let
    go."

    My ethics have cost me money. I'd rather be upfront and honest with you
    than make a buck selling you a part or service you don't need, or that I
    know isn't really going to help you out for any real length of time. I'll
    provide one measly example for you and the others, as both of you surely
    need an education in manners yourselves...

    I received a service call request for a system which isn't running anymore.
    When I got there, I found the gfi had been tripped. I pressed the reset
    button and restored power. Lo and behold, the computer came up fine. Since
    I was there, I verified everything was working as it should be.

    When she asked what she owed me, I explained that I couldn't take her money
    for pushing a single button and turning the power back on. Please feel free
    to call me when you do have a problem. This service call was 20 miles one
    way. So I spent 40 miles' worth of fuel. In this case, that's 10 miles a
    gallon. It was on me. We all know gas isn't cheap, nor is it free. I do
    this in the interest of good customer relations and because I feel I have
    reasonably sound morals and ethics which guide my day to day decision
    making.

    I've already stated that Malwarebytes knew of my past prior to hiring me.
    It was *not* a factor in my parting ways with the company later on. In
    fact, it is the reason I was hired in the first place.

    Had I never been involved in VX, I'd have never felt guilty about it, and
    would have never written BugHunter to try and make up for some of the
    damage I caused. If I didn't write BugHunter, Malwarebytes would never have
    noticed me and I would have missed an opportunity of a lifetime.

    I got along fine with my peers. I wasn't difficult to get along with and I
    did as I was told. We were never unprofessional towards one another,
    regardless of the situation we found ourselves in. You'd be surprised how
    busy the job of a fulltime researcher really is. It's a very daunting task.

    I'm very grateful for the time I spent with the company, overall it was a
    great experience. I parted ways with the company on good terms for my own
    reasons which I won't provide you.

    I still maintain the status of expert on the malwarebytes forum. I have
    held this title since joining the forum, several years before I became an
    employee. Few know this, but another of my job titles and duties was that
    of antipiracy. Head, of antipiracy.

    Those persons who've been caught using keygens, yes.. it's my fault. Had
    they implemented the entire system as I suggested, you wouldn't be
    keygenning it again. (Nothing malicious) Just a mathematically sound way of
    denying registered only features unless you really are a registered user
    with a valid, non keygen key. But, they're more lenient than I, and that
    was voted down. This is a step up from what they originally did tho.

    Just so you know tho, they could easily implement the entire system;
    nothing is preventing them from doing so except them. It would ensure
    registered copies are (a) paid for or (b) running patched executables
    (which can be checked too. lol). The internet is a double edged sword and
    apps which rely on it for data updates.. well... Pir8ting isn't what it
    used to be.

    Tony and yourself speculated about me, you brought up my past activities,
    because *I* chose to fully disclose who I was and what I was up to. I
    *never* really had to do that. Prior to you telling him, he didn't even
    know anything about it. Hmm..

    I could have written and released BugHunter under an assumed name and
    nobody would have been the wiser. We wouldn't even be having this
    conversation if you didn't know I was Raid.

    You're so damn desperate to get me to help you tho, you're willing to try
    anything to accomplish it. The methods you've used to solicit my help have
    all failed, David. Due to your methods and your methods alone, I will NOT
    EVER intentionally help you to cause misery to anyone else.

    --
    I am a sinner
    Hold my prayers up to the sun
    I am a sinner
    Heaven's closed for what I've done.

  4. #84
    ~BD~ Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    Dustin wrote:
    > ~BD~<~BD~@nomail.afraid.org> wrote in news:j71q0u$o9v$1@dont-email.me:
    >
    >> *He has lied*.

    >
    > YOU have lied. I was finally able to extract your corrupted jpeg file from
    > my pegasus inbox. ****ing jerk. Did you really think crashing my email
    > client was going to amuse me? You didn't do any real harm either. More than
    > one way to skin a cat.


    What on earth makes you think I was trying to crash your mail client?

    I sent you an email with a jpeg attachment. I have no idea why you claim
    it was corrupted - it looks fine here on my iMac.

    Send it back, so I can see what you mean about 'corruption'.

    > I checked out the jpeg you sent me. Allow me to put your and tony's notions
    > to rest. Malwarebytes *KNEW* prior to hiring me of my past. I didn't hide
    > who I was from anybody since releasing BugHunter, which is what got me the
    > job. Lets see here.. Oh yea, I didn't have questionable ethics or an
    > objectionable personality. I got along fine with my peers.
    >
    > You idiots want to keep guessing?


    No. I accept what you say!

    > According to this screenshot you sent me, Tony like you speculates I parted
    > ways with malwarebytes over my past. Fact is, I didn't. Fact is, YOU
    > ****ING LIED when you said Tony confirmed malwarebytes fired me.


    I still do not recollect saying that, nor can find a relevant MID, which
    substantiates your claim that I've ever said that Malwarebytes fired you.

    >> That's why *you* are here, Dustin.

    >
    > Uhh, David, I've got you red handed, with evidence you sent me of the
    > conversation you had with Tony. You both speculated about me, but that's it.
    > Tony isn't an insider as you led people to believe. I'll be having a
    > conversation myself with Tony; as I now find him to be a bit two faced, and
    > I really don't like that.
    >
    > I do believe this jpeg is showing me a real conversation between the two of
    > you. It doesn't match his response to my inquiry; and no wonder, he's bad
    > mouthing me right with you.


    You read bad things into what was discussed when they aren't really
    there. However, you cannot dispute that the words used in connection
    with David Lipman were these "..., but they had to let him go .."

    Tony did *not* say that about you.

    >> You *could* help put this to bed.

    >
    > Let's get this discussion resolved before we tackle anything else. Tony and
    > yourself have some explaining to do.
    >
    >
    >
    >



  5. #85
    ~BD~ Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    Dustin wrote:
    > ~BD~<~BD~@nomail.afraid.org> wrote in news:j73a2f$u7r$1@dont-email.me:
    >
    >
    >> We interpreted the given information differently, obviously.

    >
    > You interpreted the information? David, I'm looking at the file you sent
    > me. How could you possibly interpret it any other way than as presented?
    >
    > Why did you send me a jpeg of the conversation anyway? Why not a forwarded
    > email with the headers intact? *shrug*


    Now I'm puzzled. There never was any email correspondence!

    I'm sure I told you that our discussion was in the Private Message
    facility of Wilders Security Forums http://www.wilderssecurity.com

    If you want to check for yourself exactly what transpired, respond to me
    in a civil manner by email. I'll consider providing you with my Username
    and password so you can look for yourself at Wilders. (You will probably
    say that is unethical! <beg>)

    > Fact is, you based your implications on bad information. Tony Klein and
    > yourself both did. I was sure to be upfront about my history concerning
    > BugHunter, well before I was invited! to come work for malwarebytes.
    >
    > They researched me, they chose to ask if I was interested. I chose to work
    > for them for a period of time. It's as simple as that. I wasn't let go due
    > to my past, bad ethics, or difficulty in working with peers. I wasn't "let
    > go."


    OK - I believe you.

    > My ethics have cost me money. I'd rather be upfront and honest with you
    > than make a buck selling you a part or service you don't need, or that I
    > know isn't really going to help you out for any real length of time. I'll
    > provide one measly example for you and the others, as both of you surely
    > need an education in manners yourselves...
    >
    > I received a service call request for a system which isn't running anymore.
    > When I got there, I found the gfi had been tripped. I pressed the reset
    > button and restored power. Lo and behold, the computer came up fine. Since
    > I was there, I verified everything was working as it should be.
    >
    > When she asked what she owed me, I explained that I couldn't take her money
    > for pushing a single button and turning the power back on. Please feel free
    > to call me when you do have a problem. This service call was 20 miles one
    > way. So I spent 40 miles' worth of fuel. In this case, that's 10 miles a
    > gallon. It was on me. We all know gas isn't cheap, nor is it free. I do
    > this in the interest of good customer relations and because I feel I have
    > reasonably sound morals and ethics which guide my day to day decision
    > making.


    Most folk in business cannot take such a stance.

    > I've already stated that Malwarebytes knew of my past prior to hiring me.
    > It was *not* a factor in my parting ways with the company later on. In
    > fact, it is the reason I was hired in the first place.


    Alrighty! :-)

    > Had I never been involved in VX, I'd have never felt guilty about it, and
    > would have never written BugHunter to try and make up for some of the
    > damage I caused. If I didn't write BugHunter, Malwarebytes would never have
    > noticed me and I would have missed an opportunity of a lifetime.
    >
    > I got along fine with my peers. I wasn't difficult to get along with and I
    > did as I was told. We were never unprofessional towards one another,
    > regardless of the situation we found ourselves in. You'd be surprised how
    > busy the job of a fulltime researcher really is. It's a very daunting task.


    I expect the stress and strain took its toll.

    > I'm very grateful for the time I spent with the company, overall it was a
    > great experience. I parted ways with the company on good terms for my own
    > reasons which I won't provide you.


    Why not just give a simple and honest answer? I really do not understand
    your need to complicate matters, Dustin.

    > I still maintain the status of expert on the malwarebytes forum. I have
    > held this title since joining the forum, several years before I became an
    > employee. Few know this, but another of my job titles and duties was that
    > of antipiracy. Head, of antipiracy.
    >
    > Those persons who've been caught using keygens, yes.. it's my fault. Had
    > they implemented the entire system as I suggested, you wouldn't be
    > keygenning it again. (Nothing malicious) Just a mathematically sound way of
    > denying registered only features unless you really are a registered user
    > with a valid, non keygen key. But, they're more lenient than I, and that
    > was voted down. This is a step up from what they originally did tho.
    >
    > Just so you know tho, they could easily implement the entire system;
    > nothing is preventing them from doing so except them. It would ensure
    > registered copies are (a) paid for or (b) running patched executables
    > (which can be checked too. lol). The internet is a double edged sword and
    > apps which rely on it for data updates.. well... Pir8ting isn't what it
    > used to be.


    I've never been involved in 'pir8ting'!

    > Tony and yourself speculated about me, you brought up my past activities,
    > because *I* chose to fully disclose who I was and what I was up to. I
    > *never* really had to do that. Prior to you telling him, he didn't even
    > know anything about it. Hmm..


    Ah!

    You are not as well known in security circles as you thought, eh?!! ;-)

    > I could have written and released BugHunter under an assumed name and
    > nobody would have been the wiser. We wouldn't even be having this
    > conversation if you didn't know I was Raid.
    >
    > You're so damn desperate to get me to help you tho, you're willing to try
    > anything to accomplish it. The methods you've used to solicit my help have
    > all failed, David. Due to your methods and your methods alone, I will NOT
    > EVER intentionally help you to cause misery to anyone else.


    You know in your heart that BD has never wanted to 'cause misery' to
    anyone, Dustin. Some here (on SE anyway) have had ... ummm ... 'reason
    to fear' law enforcement agencies, of various kinds - quite the opposite
    of me. In fact, at times in my past I *was* the law! :-)



  6. #86
    ~BD~ Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    Gramsterdam wrote:
    > Dustin wrote:
    >
    >> I received a service call request for a system which isn't running anymore.
    >> When I got there, I found the gfi had been tripped. I pressed the reset
    >> button and restored power. Lo and behold, the computer came up fine. Since
    >> I was there, I verified everything was working as it should be.
    >>
    >> When she asked what she owed me, I explained that I couldn't take her money
    >> for pushing a single button and turning the power back on. Please feel free
    >> to call me when you do have a problem. This service call was 20 miles one
    >> way. So I spent 40 miles' worth of fuel. In this case, that's 10 miles a
    >> gallon. It was on me. We all know gas isn't cheap, nor is it free. I do
    >> this in the interest of good customer relations and because I feel I have
    >> reasonably sound morals and ethics which guide my day to day decision
    >> making.

    >
    > In this case, your "morals and ethics" are in conflict with the #1 rule
    > in business, to make a profit.
    >
    > I would have charged her for knowing 'which' button to press; it's
    > knowledge they are paying for, not labor. You also "verified everything
    > was working as it should be", which I assume also means you made sure
    > her AV and antimalware were up-to-date and you showed her some things.
    >
    > Always take the money, unless it is an established repeat customer. In
    > a way, you devalued your services in her mind by NOT charging anything.
    > In cases like that, I charge for a "service call", $60. I stay an hour
    > or so to check for updates, AV/antiMW, backups, crap software removal,
    > and file organization. Oh, and physical blow-out of dust if needed.
    > Then I put a sticker on the case with my phone number!
    >
    > Often, after gathering a list of things that I think should be done
    > (taking longer than the 1 hour service call) I present it with a quote,
    > on-site, and off-site. I almost always get the up-sell that way, and it's
    > honest, and it is a win-win for both parties.
    >
    > BTW: The $60 gets rolled into the final bill as less if they let me take
    > it back to the bench to do the rest of the work. That way, you can work
    > on as many machines as you want -simultaneously- later that night. It's
    > the damn updates, scans, and backups that take the most time (waiting on
    > the PC), and that's time wasted in the field. A couple of monitors and
    > KVM switches come in handy on the bench. Then I go check on them every
    > hour or so to see who's ready for the next task.



    You are correct with all you say here, Graham! You should do well! :-)

    *However* .......

    Dustin has advised us that he has recently become a relatively rich
    young man and he can now afford to act charitably as he described above.
    I'm not rich in a monetary sense, but have *free time* and often spend
    many hours trying to fix computer problems for friends and neighbours -
    without charge! It's nice, though, when they sometimes reward me with a
    decent bottle of whisky! ;-)


  7. #87
    Bullwinkle. Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    Liar.

    Acting like law enforcement to your child does not count.


    "~BD~" <~BD~@nomail.afraid.org> wrote in message
    news:j75ur7$3ls$1@dont-email.me...
    - quite the opposite
    of me. In fact, at times in my past I *was* the law! :-)



  8. #88
    Bear Bottoms Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    ~BD~ <~BD~@nomail.afraid.org> wrote in news:j71d9r$t8f$1@dont-email.me:

    > ~BD~ wrote:
    > [....]
    >
    >> I'll see if I can find anything regarding TechAngel on WayBack Machine.
    >> It was a great place to play that I found on the Annexcafe User2User
    >> web site when I first went there some five years ago.

    >
    > No success as yet, but she did exist!
    >
    > http://www.google.co.uk/search?clien...chAngel%22+%3C
    > NoAsk@NoTell.com%3E&ie=UTF-8&oe=UTF-8&redir_esc=&ei=9jeUTtiEOcSW8QOFqvj3B
    > g


    What account name and pass?

    --
    Bear
    http://bearware.info

  9. #89
    ~BD~ Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    Bear Bottoms wrote:
    > ~BD~<~BD~@nomail.afraid.org> wrote in news:j71d9r$t8f$1@dont-email.me:
    >
    >> ~BD~ wrote:
    >> [....]
    >>
    >>> I'll see if I can find anything regarding TechAngel on WayBack Machine.
    >>> It was a great place to play that I found on the Annexcafe User2User
    >>> web site when I first went there some five years ago.

    >>
    >> No success as yet, but she did exist!
    >>
    >> http://www.google.co.uk/search?clien...chAngel%22+%3C
    >> NoAsk@NoTell.com%3E&ie=UTF-8&oe=UTF-8&redir_esc=&ei=9jeUTtiEOcSW8QOFqvj3B
    >> g

    >
    > What account name and pass?
    >


    BoaterDave 063561

    HTH

  10. #90
    Peter Foldes Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    ~BD~ <~BD~@nomail.afraid.org> wrote in news:j71d9r$t8f$1@dont-email.me:

    > ~BD~ wrote:
    > [....]
    >
    >> I'll see if I can find anything regarding TechAngel on WayBack Machine.
    >> It was a great place to play that I found on the Annexcafe User2User
    >> web site when I first went there some five years ago.

    >
    > No success as yet, but she did exist!
    >
    > http://www.google.co.uk/search?clien...chAngel%22+%3C
    > NoAsk@NoTell.com%3E&ie=UTF-8&oe=UTF-8&redir_esc=&ei=9jeUTtiEOcSW8QOFqvj3B
    > g




    >>>>>>>What account name and pass?<<<<<<<<<<<<<


    David do not even attempt to give out the name and password. If you think you will
    get away with that then think twice. You can be charged in the UK for this just as
    in the US. This is called thieving with bad intent. Carries either a fine or a term.
    Just a friendly heads up.

    JS

    cc: Gregory Gooden (US), Bert Campongela (UK), Ray Banana (Deutschland)

