Re: Flashing the BIOS - and maybe the EEPROM

From: Matt Braverman [MSFT] (mattbrav_at_online.microsoft.com)
Date: 09/20/05

  • Next message: Brett Jarcevic: "Re: Stinger updates"
    Date: Mon, 19 Sep 2005 20:57:55 -0700
    
    

    This is a completely theoretical and academic infection vector (note the
    "may hide" part of that segment). There are no known cases of malware that
    infect the BIOS and/or EEPROM.

    Finding such an infection on your system would not only be an amazing case
    of luck but would also strongly imply that you have something of incredibly
    high value on that machine such that someone would craft a specific, complex
    attack ... just for you.

    "Chana C" <ChanaC@discussions.microsoft.com> wrote in message
    news:797752C9-87DA-4B40-A623-9B5DD7CC62E3@microsoft.com...
    > To those who feel that flashing the BIOS is ludicrous since it "can't be
    > infected" ...
    >
    > Please see quote below from Microsoft Research Strider Rootkit Project
    > publication called:
    >
    > "Detecting Stealth Software with Strider GhostBuster"
    >
    > http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=875
    >
    > As we pointed out in the Introduction, the problem
    > space of stealth software is broader than that of ghostware,
    > which has been our focus so far. Stealth software may hide
    > their persistent state in a form for which current OS does
    > not provide query/enumeration APIs or does not provide
    > common utilities that make use of such APIs. Examples
    > include hiding executable code inside the BIOS [YB],
    > video card EEPROM, boot sectors [D], bad disk sectors,
    > Alternate Data Streams (ADS), etc.
    >
    > Stealth software can
    > also hide their active running code in a form that cannot be
    > revealed by the process/module query APIs; they can
    > inject code into an existing process and hijack a thread to
    > execute that code. Detection of these advanced hiding
    > resources is to intercept system calls to the kernel via a
    > Loadable Kernel Module (LKM) [ZK,YJ,J01]. For
    > example, some rootkits are known to hook read, write,
    > close, and the getdents (get directory entries) system calls.
    > More advanced rootkits can directly patch the kernel in
    > memory [YC98,YL01].
    >
    > You will notice that video card EEPROM is also a potential target... so, I
    > guess you wouldn't try flashing those either???
    >
    > Cheers,
    >
    > Chana
    >
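The thread argues about whether firmware can hide anything at all; what a practitioner actually wants, before or after deciding to reflash, is a way to tell whether the flash contents still match the vendor's image. The following is an added example, not code from this thread, from Microsoft Research, or from the GhostBuster project. It assumes you already have two raw images on disk (a dump of the flash part and the vendor's image for the same board and version); the 4 KiB block size, the function names and the sample "firmware" bytes are all constructed for the example.

```python
"""Compare a dumped firmware image against a known-good (vendor) image.

Added example, not from the original post or from the Strider GhostBuster
paper. It assumes you already have a raw dump of the flash part (read back
with an external programmer or a flash-reading tool) and the vendor's image
for the same board/version. It reports SHA-256 of both and the byte ranges
that differ, coalesced to flash-block granularity, so a reflash or a closer
look can be aimed at the right region.
"""
import hashlib

BLOCK_SIZE = 4096  # assumption: compare at 4 KiB granularity (a common flash sector size)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_images(golden: bytes, dumped: bytes, block: int = BLOCK_SIZE):
    """Return [(offset, length), ...] for contiguous runs of blocks where
    `dumped` differs from `golden`. A size mismatch counts as a difference
    over the trailing bytes, so a truncated or padded dump is flagged too."""
    total = max(len(golden), len(dumped))
    ranges = []
    run_start = None
    for off in range(0, total, block):
        if golden[off:off + block] != dumped[off:off + block]:
            if run_start is None:
                run_start = off
        elif run_start is not None:
            ranges.append((run_start, off - run_start))
            run_start = None
    if run_start is not None:
        ranges.append((run_start, total - run_start))
    return ranges


def verify_dump(golden: bytes, dumped: bytes, block: int = BLOCK_SIZE) -> dict:
    """Summarise the comparison: hashes, size check, and differing ranges."""
    ranges = diff_images(golden, dumped, block)
    return {
        "golden_sha256": sha256_hex(golden),
        "dumped_sha256": sha256_hex(dumped),
        "size_match": len(golden) == len(dumped),
        "identical": not ranges,
        "modified_ranges": ranges,
    }


def _constructed_image(size: int, seed: bytes) -> bytes:
    """Deterministic filler standing in for a real firmware image
    (constructed test data, not a real BIOS)."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:size])


# Constructed sample: a 64 KiB "vendor" image and a copy with two 16-byte
# patches, one at 0x5000 and one at 0xF000, standing in for injected code.
GOLDEN_IMAGE = _constructed_image(64 * 1024, b"vendor-bios-v1.00")
_tampered = bytearray(GOLDEN_IMAGE)
_tampered[0x5000:0x5010] = b"\xeb\xfe" * 8   # "jmp $" bytes as a stand-in payload
_tampered[0xF000:0xF010] = b"\x90" * 16      # NOP sled as a stand-in payload
TAMPERED_IMAGE = bytes(_tampered)


def main():
    report = verify_dump(GOLDEN_IMAGE, TAMPERED_IMAGE)
    print("golden :", report["golden_sha256"])
    print("dumped :", report["dumped_sha256"])
    print("identical:", report["identical"], "size match:", report["size_match"])
    for off, length in report["modified_ranges"]:
        print(f"  differs at 0x{off:06X} (+0x{length:X})")


if __name__ == "__main__":
    main()
```

Two caveats when running this against real hardware. First, a dump taken through the operating system of a suspect machine is only as trustworthy as that machine: the quoted paper's whole point is that resident code can intercept reads, so a dump read with an external programmer from the powered-off board is the one worth comparing. Second, a non-empty result is not by itself proof of tampering: firmware images routinely contain board-specific data (configuration/NVRAM areas, serial or descriptor regions) that legitimately differ from the vendor download, so the reported offsets should be mapped against the image layout before concluding that code has been added.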

