Re: Microsoft Research: Strider GhostBuster Rootkit Detection and "...stealth software that hides in BIOS, Video card EEPROM"

From: Art (null_at_zilch.com)
Date: 09/20/05


Date: Tue, 20 Sep 2005 00:40:50 GMT

On Mon, 19 Sep 2005 23:58:01 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>http://research.microsoft.com/rootkit/
>
>States the following...
>"Note: there will be some false positives. Also, this does not detect stealth software that
>hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc. "
>
>We have discussed the possibility of infecting a BIOS over and over and the consensus has
>been that it is not possible.

I thought the consensus was that no known malware infects the BIOS.

>Based upon my studying both viruses and hardware I can't see how
>it is possible.

Why? You can download BIOS updates and reflash.

>Yet the above Microsoft web site on a RootKit Detector indicates
>"...stealth software that hides in BIOS, Video card EEPROM".

Maybe they've seen POCs. There probably are BIOS reflashing
malwares that simply haven't surfaced.

Art

http://home.epix.net/~artnpeg