From: PA Bear [MS MVP] on
Also see (cf.)
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Alureon

W32/Alureon variants keep appearing daily, if not hourly; cf.
http://www.google.com/search?source=ig&hl=en&rlz=&q=alureon+site%3Amicrosoft.com%2Fsecurity%2Fportal&aq=f&aqi=&oq

IN RE Alureon & atapi.sys, see
http://www.google.com/search?hl=en&safe=off&q=alureon+%2B+%22atapi.sys%22&aq=f&aqi=&oq


PA Bear [MS MVP] wrote:
> Without physical (or remote) access to ANGELKISSES420's computer,
> answering
> your question would be a rhetorical exercise at best.
>
> References:
>
> <QP>
> ...Alureon is among the Top 10 threats that Microsoft's various security
> technologies -- including its "malicious software removal tool" -- regularly
> detect on Windows systems. According to Microsoft's own Security Intelligence
> Report, Microsoft's security products removed nearly 2 million instances of
> Alureon from Windows systems /in the first half of 2009 alone/, up from a
> half million in the latter half of 2008.
>
> Barnes said "atapi.sys" makes an attractive target for a rootkit because it
> is a core Windows component that gets started up early as Windows is first
> loading. "It's started up very early in the boot process, and because of
> that it makes these kinds of threats sometimes very hard to detect and
> remove," Barnes said in a telephone interview with krebsonsecurity.com.
> </QP>
> Source:
> http://www.krebsonsecurity.com/2010/02/rootkit-may-be-culprit-in-recent-windows-crashes/
>
> BIOS Rootkit talks... | SophosLabs blog:
> http://www.sophos.com/blogs/sophoslabs/v/post/5716
>
> BIOS-level rootkit attack scary, but hard to pull off [March 2009]
> http://arstechnica.com/security/news/2009/03/researchers-demonstrate-bios-level-rootkit-attack.ars
>
>
> Daave wrote:
>> There has been a *lot* of talk lately about KB977165!
>>
>> Many of us have seen ANGELKISSES420's nearly incoherent ramblings. I'm
>> not 100% convinced she is attempting to boot off the CD correctly. But
>> in the event she *is* having the problems she is claiming to have,
>> specifically this one:
>>
>> the inability to boot off the CD unless she removes the problematic hard
>> drive and replaces it with a new one
>>
>> ... what might be going on? MowGreen seems to think that the interaction
>> of KB977165 along with malware already present on the old hard drive
>> (quite possibly the Win32/Alureon.A rootkit) is causing this occurrence.
>> But I don't understand how this is possible. When a PC is first turned
>> on, Windows doesn't even load yet! So, assuming the keyboard is correct
>> and working, one *can* normally enter the BIOS! The malware-induced
>> situation should not prevent this unless the malware has somehow invaded
>> the BIOS (and I would imagine only certain BIOSes would be affected if
>> this were the case, no?).
>>
>> Once one is in the BIOS, one can rearrange the boot order so the CD-ROM
>> drive is first. So the next time the PC is turned on, as long as there
>> is a bootable CD in the CD drive, the option to boot off the Windows
>> installation CD is presented, the "anykey" is pressed, and the boot from
>> the CD is successful.
>>
>> So, if ANGELKISSES420 is correct and she is unable to do the above, what
>> might be going on? If somehow the malware entered the BIOS, why can she
>> boot off the CD after swapping hard drives?

From: David H. Lipman on
From: "Daave" <daave(a)example.com>

| David H. Lipman wrote:
>> From: "Daave" <daave(a)example.com>

>> < snip >

>>> So, if ANGELKISSES420 is correct and she is unable to do the above, what
>>> might be going on? If somehow the malware entered the BIOS, why can
>>> she boot off the CD after swapping hard drives?

>> /* There is NO malware that infects the BIOS. */

| Assuming this is correct (and I believe that it is), is the following
| assertion by MowGreen possible?:

| <quote>
| If you have entered the system's setup and configured it to boot from
| the CD/DVD first and it still will not load the CD, it's a clear
| indication that there is a root kit present.
| What happened is that the update broke the root kit's 'functionality'
| which in turn affected the CD player.
| </quote>

| (The above is from:
| http://groups.google.com/group/microsoft.public.windowsupdate/msg/dfc513f1ecb625ed?hl=en )

| Mow has consistently provided high-quality advice, but this particular
| assertion confuses me. As long as the rootkit's damage is limited to
| Windows and the hard drive, why couldn't a person successfully boot off
| a CD?


No, I do NOT believe that to be true simply because when you are this low level, NO
RootKit could have been loaded already.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: Daave on
David H. Lipman wrote:
> From: "Daave" <daave(a)example.com>
>
>> David H. Lipman wrote:
>>> From: "Daave" <daave(a)example.com>
>
>>> < snip >
>
>>>> So, if ANGELKISSES420 is correct and she is unable to do the above,
>>>> what might be going on? If somehow the malware entered the BIOS,
>>>> why can she boot off the CD after swapping hard drives?
>
>>> /* There is NO malware that infects the BIOS. */
>
>> Assuming this is correct (and I believe that it is), is the following
>> assertion by MowGreen possible?:
>
>> <quote>
>> If you have entered the system's setup and configured it to boot from
>> the CD/DVD first and it still will not load the CD, it's a clear
>> indication that there is a root kit present.
>> What happened is that the update broke the root kit's 'functionality'
>> which in turn affected the CD player.
>> </quote>
>
>> (The above is from:
>> http://groups.google.com/group/microsoft.public.windowsupdate/msg/dfc513f1ecb625ed?hl=en )
>
>> Mow has consistently provided high-quality advice, but this
>> particular assertion confuses me. As long as the rootkit's damage is
>> limited to Windows and the hard drive, why couldn't a person
>> successfully boot off a CD?
>
>
> No, I do NOT believe that to be true simply because when you are this
> low level, NO RootKit could have been loaded already.

That is the impression I was under all along. I welcome Mow to clarify
in case I misunderstood him.


From: MowGreen on
This has nothing to do with the BIOS.
The CD's *driver* is non-functional. It's as simple as that, Daave.
That's why Angelkisses' CD player will not function.

This specific root kit can replace system drivers; it's not just limited
to atapi.sys. As with atapi.sys, the cd driver loads very early on boot.

When the update was applied, the root kit's "functionality", for want of
a better term, was broken.
Angelkisses proved this by replacing the HD with a known clean HD and
the system could boot from CD as it contains the required CD driver.

The HD containing the root kit will never allow the system to boot from
the CD as it no longer is functioning properly, is still present, and is
preventing the loading of the driver *from the CD*.


MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked"



Daave wrote:
> David H. Lipman wrote:
>> From: "Daave"<daave(a)example.com>
>>
>>> David H. Lipman wrote:
>>>> From: "Daave"<daave(a)example.com>
>>
>>>> < snip>
>>
>>>>> So, if ANGELKISSES420 is correct and she is unable to do the above,
>>>>> what might be going on? If somehow the malware entered the BIOS,
>>>>> why can she boot off the CD after swapping hard drives?
>>
>>>> /* There is NO malware that infects the BIOS. */
>>
>>> Assuming this is correct (and I believe that it is), is the following
>>> assertion by MowGreen possible?:
>>
>>> <quote>
>>> If you have entered the system's setup and configured it to boot from
>>> the CD/DVD first and it still will not load the CD, it's a clear
>>> indication that there is a root kit present.
>>> What happened is that the update broke the root kit's 'functionality'
>>> which in turn affected the CD player.
>>> </quote>
>>
>>> (The above is from:
>>> http://groups.google.com/group/microsoft.public.windowsupdate/msg/dfc513f1ecb625ed?hl=en )
>>
>>> Mow has consistently provided high-quality advice, but this
>>> particular assertion confuses me. As long as the rootkit's damage is
>>> limited to Windows and the hard drive, why couldn't a person
>>> successfully boot off a CD?
>>
>>
>> No, I do NOT believe that to be true simply because when you are this
>> low level, NO RootKit could have been loaded already.
>
> That is the impression I was under all along. I welcome Mow to clarify
> in case I misunderstood him.
>
>
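Added example, not part of the thread and not any poster's advice: a PowerShell check that enumerates the boot-start drivers Windows loads at the stage MowGreen describes (services with Start = 0 under HKLM\SYSTEM\CurrentControlSet\Services, which is where atapi.sys lives) and verifies each driver file's Authenticode signature. A driver binary that has been patched in place no longer validates, so a non-Valid status on a core driver is the kind of indicator worth chasing before assuming a BIOS problem. The helper name Resolve-DriverPath is an assumption made for this example; the registry values and cmdlets are the standard Windows ones.

```powershell
# Added example: list boot-start kernel drivers and check their signatures.
# Run from an elevated PowerShell prompt on the machine being examined.
$sysRoot = $env:SystemRoot
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue

# Hypothetical helper: turn an ImagePath registry value into an on-disk path.
function Resolve-DriverPath {
    param([string]$Name, [string]$ImagePath)
    if ([string]::IsNullOrEmpty($ImagePath)) {
        # No ImagePath means the kernel loads system32\drivers\<ServiceName>.sys
        return Join-Path $sysRoot "System32\drivers\$Name.sys"
    }
    $p = $ImagePath -replace '^\\\?\?\\', ''            # \??\C:\...        -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$sysRoot\"      # \SystemRoot\...   -> C:\Windows\...
    $p = $p -replace '^%SystemRoot%\\', "$sysRoot\"      # %SystemRoot%\...  -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $sysRoot $p }   # system32\drivers\x.sys
    return $p
}

$results = foreach ($svc in $services) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    # Type 1 = kernel driver, 2 = file system driver; Start 0 = SERVICE_BOOT_START
    if ($props.Start -ne 0 -or $props.Type -notin 1, 2) { continue }

    $path = Resolve-DriverPath -Name $svc.PSChildName -ImagePath $props.ImagePath
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Driver = $svc.PSChildName; Path = $path; Status = 'FileMissing'; Signer = '' }
        continue
    }

    # Status is Valid for an intact, trusted signature; HashMismatch means the
    # file bytes no longer match what was signed (e.g. a driver patched in place).
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Driver = $svc.PSChildName
        Path   = $path
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Full listing, then only the drivers that deserve a closer look
$results | Sort-Object Status, Driver | Format-Table -AutoSize
$results | Where-Object { $_.Status -ne 'Valid' }
```

On older Windows releases many Microsoft drivers are signed only through catalog files, and Get-AuthenticodeSignature may then report NotSigned for files that are in fact genuine; in that situation compare the Get-FileHash output of the suspect driver with the same file taken from a known-clean installation of the same service pack, which is in effect what the hard-drive swap described in the thread demonstrated.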