Could this be used as a rootkit vector?

Discussion in 'Windows Vista' started by gz1, May 9, 2007.

  1. gz1

    gz1 MDL Novice

    May 7, 2007
    10
    0
    0
  2. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    13,081
    13,977
    340
    I don´t know much about rootkits and its code and the size needed, but I know to mod some of the bioses.

    Generally it´s possible to flash code containing new modules on bios chip via software. (e.g. winflasher do). It could happen without the notice of the user. It has not to be a new modified acpi module, so it depends only on the manufacturer of bios (mainly AMI and AWARD). This means the differences of bioses (almost) don´t matter cause there is no need to modify a module, just to add one. (Like ISA.BIN method of Gkend).

    BUT:

    The code will AND MUST be always loaded into ram on bootup to be executed
    And:
    The code that flashes bios is detectable, too.

    Any detector such as antivir is able to scan ram. If the sequence of the malicious code is known it will be detected. The only problem is that removing it from eeprom is a bit complex (for unexperienced users).
    Antivir: Your PC is infected with blahhkit. Could not remove malicious code. It is stored on eeprom, please reflash:rolleyes:
    There is no reason to care just a good story for the writers of headlines.
    Any comments?

    Yen
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. shaba230

    shaba230 MDL Novice

    May 13, 2007
    19
    0
    0
    ps. i'll put a TWO HUNDRED DOLLARS in an escrow account if you can show me a p5wdh deluxe bios, that HAS a virus in it (an actual bios virus, not just bogous code in the rom file so that a virus detector says it is infected), that GETS FLASHED NORMALLY with EZ-BIOS and doesn't corrupt my system, that antivir catches.

    You know what, if you can do it by tomorrow, I'll make it four hundred dollars...thats how confident i am that what you're saying is BS
     
  4. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    13,081
    13,977
    340
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. daxanadu

    daxanadu MDL Novice

    May 12, 2007
    5
    0
    0
    Hi Yen,

    The file you uploaded to Rapidshare is gone. Any chance to upload again somewhere else?

    Thanks!
    daxanadu
     
  6. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    13,081
    13,977
    340
    Link should work now. It´s google translated from Chinese.

    Yen
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. gz1

    gz1 MDL Novice

    May 7, 2007
    10
    0
    0
    Hi Guys,
    Before I start a flame war, it was never my intention to imply that these bios mods contain a virus. Apologies if I have given that impression.
    For a start the tools are available to see what the mods done are.
    My original question was simply to ask if it is *possible* for a root kit to be carried in the bios. A root kit is not a virus, it is quite different. and a root kit running from bios will not be detectable by any of todays means since it is in RAM first and therefore has a chance to hide before any scanners are loaded.
    My presumption for this is that the bios can carry executable code and if this is the right code it can subvert the running OS. This is certainly the thinking behind some, and claims of such a rootkit prototype already existing seem to back that up.
    cheers.
     
  8. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    13,081
    13,977
    340
    @gz1
    No problem, I know that and I aswered your question with best of my knowledge.
    Shaba230 seems to be a person, who has got a problem with peoples who spent time to make others happy and even charge nothing for it. To misstrust seems to be an american (U.S.A.) attribute.


    Yen
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. heffe2001

    heffe2001 MDL Novice

    May 8, 2007
    42
    2
    0
    Hey, easy now on the American thing :). Not everybody here is as paranoid as that guy... Just do a google search for his handle and read some of his threads on other forums... Looks to me like he tries to get folks to be afraid of using the different Vista hacks out there.

    And if he's got so much cash hanging around that he can drop 400 on a proof-of-code type thing, why not just friggin buy Vista and not have to worry about it?
     
  10. sloozer

    sloozer MDL Member

    Apr 25, 2007
    112
    2
    10
    what i think, he's must be trying to spread the paranoia disorder virus.

    Sign: An unmistakable sign of paranoia is continual mistrust. People with paranoid personality disorder are constantly on their guard because they see the world as a threatening place. They tend to confirm their expectations by latching on to any speck of evidence that supports their suspicions and ignore or misinterpret any evidence to the contrary. They are ever watchful and may look around for signs of a threat.