From: Pegasus [MVP] on


"Daave" <daave(a)example.com> said this in news item
news:egscLQZrKHA.732(a)TK2MSFTNGP06.phx.gbl...
> David H. Lipman wrote:
>> From: "Daave" <daave(a)example.com>
>>
>> < snip >
>>
>>> So, if ANGELKISSES420 is correct and she is unable to the above, what
>>> might be going on? If somehow the malware entered the BIOS, why can
>>> she boot off the CD after swapping hard drives?
>>
>> /* There is NO malware that infects the BIOS. */
>
> Assuming this is correct (and I believe that it is), is the following
> assertion by MowGreen possible?:
>
> <quote>
> If you have entered the system's setup and configured it to boot from
> the CD/DVD first and it still will not load the CD, it's a clear
> indication that there is a root kit present.

No, it isn't - that's jumping to conclusions. There are numerous reasons why
a machine might not boot from a CD, most of them extremely simple and basic.
Having a root kit infection that causes this behaviour is at the very, very
far end of the list of possible reasons. A few quick tests with different
boot CDs and different CD drives would reveal the real cause within minutes.

From: Daave on
(snipped and rearranged to show context)

MowGreen had originally written:

>>>>> If you have entered the system's setup and configured it to boot
>>>>> from the CD/DVD first and it still will not load the CD, it's a
>>>>> clear indication that there is a root kit present.
>>>>> What happened is that the update broke the root kit's
>>>>> 'functionality' which in turn affected the CD player.

I later asked:

>>>> Mow has consistently provided high-quality advice, but this
>>>> particular assertion confuses me. As long as the rootkit's damage
>>>> is limited to Windows and the hard drive, why couldn't a person
>>>> successfully boot off a CD?

David H. Lipman then added:

>>> No, I do NOT believe that [that is, MowGreen's explanation] to be
>>> true simply because when you are this low level, NO RootKit could
>>> have been loaded already.

I responded with:

>> That is the impression I was under all along. I welcome Mow to
>> clarify in case I misunderstood him.

Then MowGreen wrote:

> This has nothing to do with the BIOS.
> The CD's *driver* is non-functional. It's as simple as that, Daave.
> That's why Angelkisses' CD player will not function.
>
> This specific root kit can replace system drivers; it's not just
> limited to atapi.sys. As with atapi.sys, the cd driver loads very
> early on boot.
> When the update was applied, the root kit's "functionality", for want
> of a better term, was broken.
> Angelkisses proved this by replacing the HD with a known clean HD and
> the system could boot from CD as it contains the required CD driver.
>
> The HD containing the root kit will never allow the system to boot
> from the CD as it no longer is functioning properly, is still
> present, and is preventing the loading of the driver *from the CD*.

Drivers are OS-specific, though. That is, there are Windows-specific
drivers, Linux-specific drivers, etc. But even if the Windows-specific
driver became non-functional, what would this matter? When you boot off
the CD, the bad driver on the affected hard drive shouldn't even come
into play. When you boot off the CD, Windows is bypassed altogether.

I think this has a lot to do with the BIOS! The BIOS determines the boot
order. Once we have established the CD is number one in the order, the
Windows driver for it should be irrelevant. If ANGELKISSES420 is unable
to boot off the CD, it must be because of one of the following:

1. Something (some weird motherboard-specific malware) is not permitting
the choice to boot off the CD to be honored (extremely highly
unlikely!!!).

2. There is something wrong with the CD.

3. There is something wrong with the CD drive (the actual hardware, not
a Windows driver that is located on the hard drive).

4. There is something wrong with the keyboard.

5. ANGELKISSES420 is exhibiting User Error (judging by the quality of
her posts, this seems most likely).

I'm pretty sure I'm covering all the bases. If I'm missing anything, I'm
open to hearing about it.

Sure, if ANGELKISSES420 has booted off the *hard drive* and is running
Windows, I can understand how the CD player can become borked due to a
changed Windows driver for it. But that is not what I am talking about!
Once you take Windows out of the equation, unless there is firmware
involved and its code has been altered, if the CD drive doesn't work, it
can't be due to a faulty Windows driver on the hard drive.
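The "swap in a known clean hard drive" test described above can be done at file level: boot from clean media, mount the suspect Windows tree offline (so whatever is hooked inside the running OS cannot hide the file contents), and compare the early-loading storage drivers the thread names (atapi.sys, cdrom.sys) against the same files from a known-clean installation. This is an added illustration, not code from anyone in the thread; the sample trees and file contents are constructed stand-ins, and the `System32\drivers` path layout is assumed.

```python
"""Offline comparison of boot-start storage drivers between a known-clean
Windows tree and a suspect one. Added example; sample data is constructed."""
import hashlib
import os
import tempfile

# Drivers the thread discusses as early-loading and replaceable by the rootkit.
BOOT_DRIVERS = ("atapi.sys", "cdrom.sys")


def sha256_of(path):
    """Hash a file in chunks so large driver binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(clean_root, suspect_root, names=BOOT_DRIVERS):
    """Return {driver: 'ok' | 'modified' | 'missing'} for each named driver.

    Both roots are Windows directories mounted offline (assumed layout:
    <root>/System32/drivers/<name>). Run this from clean boot media, not
    from the suspect installation, or a rootkit in the running OS may hide the change."""
    result = {}
    for name in names:
        clean = os.path.join(clean_root, "System32", "drivers", name)
        suspect = os.path.join(suspect_root, "System32", "drivers", name)
        if not os.path.exists(suspect):
            result[name] = "missing"
        elif sha256_of(clean) != sha256_of(suspect):
            result[name] = "modified"
        else:
            result[name] = "ok"
    return result


def build_sample_trees():
    """Constructed sample: identical trees, then the suspect atapi.sys is altered."""
    base = tempfile.mkdtemp()
    clean, suspect = os.path.join(base, "clean"), os.path.join(base, "suspect")
    for root in (clean, suspect):
        os.makedirs(os.path.join(root, "System32", "drivers"))
        for name in BOOT_DRIVERS:
            with open(os.path.join(root, "System32", "drivers", name), "wb") as f:
                f.write(b"MZ" + name.encode())  # stand-in bytes, not a real driver
    with open(os.path.join(suspect, "System32", "drivers", "atapi.sys"), "ab") as f:
        f.write(b"TAMPERED")  # constructed change standing in for a patched driver body
    return clean, suspect


if __name__ == "__main__":
    clean_dir, suspect_dir = build_sample_trees()
    for driver, status in compare_drivers(clean_dir, suspect_dir).items():
        print(f"{driver}: {status}")
```

A mismatch only says the file differs from the reference; a legitimately patched driver (the very update the thread discusses) will differ too, so compare against media at the same patch level.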


From: Daave on
MowGreen wrote:
> This has nothing to do with the BIOS.

<snip>

Since Microsoft's news server has once again (!) filtered my post, here
is a link to it:

http://groups.google.com/group/microsoft.public.windowsxp.general/msg/5bca2d80a9f6db89?hl=en


From: 20100215 on
You have been questioning Mow Green and so your messages are being filtered
from these newsgroups.

It is an unwritten rule of these newsgroups not to ever criticise, question
or name call MVPs or else you will be black-listed on all Microsoft
Newsgroups. There is a freedom of speech and open internet but only if you
make MVPs your gods and always write good reviews of M$ products!

Kev

"Daave" <daave(a)example.com> wrote in message
news:eSl7XierKHA.732(a)TK2MSFTNGP06.phx.gbl...

> Since Microsoft's news server has once again (!) filtered my post, here is
> a link to it:
>
> http://groups.google.com/group/microsoft.public.windowsxp.general/msg/5bca2d80a9f6db89?hl=en



From: shawn on
How can it be that there is NO malware that infects the BIOS?

There are programs to flash your BIOS nowadays from Windows, so what's to say
someone doesn't modify or re-write the flashing software to work hidden,
then make a modified BIOS.

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%23ALeHGZrKHA.728(a)TK2MSFTNGP04.phx.gbl...
> From: "Daave" <daave(a)example.com>
>
> /* There is NO malware that infects the BIOS. */
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp