So, should I simply accept Mr Lipman's word that the subject is irrelevant?
I'd really like to know if there is *any* way that someone could identify
that the firmware on their machine had been infected (in other words, remain
infected even if a new hard disk was installed).
*Is* there a detection tool? That remains my question.
~BD~ wrote:
> I asked this question in the two 'security' newsgroups to which I now
> crosspost.
>
> "Is there *any* tool which can identify a rootkit on a ROM chip?"
If you are truly speaking of Read Only Memory that was installed at
assembly, there's no way that a rootkit could be there unless it was put
on when the ROM was "Burned"
In message <BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com> , "nobody " wrote:
> ~BD~ wrote:
> > I asked this question in the two 'security' newsgroups to which I now
> > crosspost.
> >
> > "Is there *any* tool which can identify a rootkit on a ROM chip?"
>
> If you are truly speaking of Read Only Memory that was installed at
> assembly, there's no way that a rootkit could be there unless it was put
> on when the ROM was "Burned"
"nobody >" <usenetharvested@aol.com> wrote in message
news:BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com...
> ~BD~ wrote:
>> I asked this question in the two 'security' newsgroups to which I now
>> crosspost.
>>
>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
>
> If you are truly speaking of Read Only Memory that was installed at
> assembly, there's no way that a rootkit could be there unless it was put
> on when the ROM was "Burned"
"攸hw不f" poses the question of 'flashing' the BIOS.
I'm suggesting that if/when this action is carried out, it might well be
possible to introduce malware to a system - which will remain for posterity.
If I am right, I'm asking if there is any way that ordinary folk could ever
find out the truth. *Is* there a way?
~BD~ wrote:
> "攸hw不f" poses the question of 'flashing' the BIOS.
>
> I'm suggesting that if/when this action is carried out, it might well be
> possible to introduce malware to a system - which will remain for posterity.
>
> If I am right, I'm asking if there is any way that ordinary folk could ever
> find out the truth. *Is* there a way?
"Flashing the BIOS" means that the chip(s) in question are
erasable/reprogrammable. By long convention, ROM is static and can
only be written to ONCE. The term "burning" came from the original
design where you actually burnt elements of the chip away to store the
contents.
> "攸hw不f" poses the question of 'flashing' the BIOS.
>
> I'm suggesting that if/when this action is carried out, it might well be
> possible to introduce malware to a system - which will remain for posterity.
>
> If I am right, I'm asking if there is any way that ordinary folk could ever
> find out the truth. *Is* there a way?
Dave,
I think the short answer is no, I believe (though it's always hard to
prove a negative). The technique is too new to have tamper detection
commercially available.
If you're worried, simply reflash your BIOS with an image from the
manufacturer. And hope they haven't trojaned it themselves.
| In message <BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com> , "nobody " wrote:
>> ~BD~ wrote:
>> > I asked this question in the two 'security' newsgroups to which I now
>> > crosspost.
>> >
>> > "Is there *any* tool which can identify a rootkit on a ROM chip?"
>> If you are truly speaking of Read Only Memory that was installed at
>> assembly, there's no way that a rootkit could be there unless it was put
>> on when the ROM was "Burned"
"~BD~" <BoaterDave@hotmail.co.uk> wrote in
news:h913fv$ou5$1@news.eternal-september.org:
> "攸hw不f" poses the question of 'flashing' the BIOS.
>
> I'm suggesting that if/when this action is carried out, it
> might well be possible to introduce malware to a system -
> which will remain for posterity.
>
> If I am right, I'm asking if there is any way that ordinary
> folk could ever find out the truth. *Is* there a way?
I just happen to have a rom.bin BIOS file handy and I just
checked it with ESET NOD32. No problems. It came from the
computer manuf. Now if someone wants to "stick" a virus into one
and THEN run it through an A-V program again, we'll know if A-V
programs can "do" BIOS ROM files.
--
Lots of theoretical butchers are alleged and other bloody eyes
are suitable, but will Pam secure that?
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:h91e3s01tdq@news3.newsguy.com:
> From: "攸hw不f" <snuhwolf@netscape.net>
>
>| Really? Have you ever flashed a BIOS?
>
> That's not ROM that's a form of EEPROM.
>
While you're worrying, you might want to worry about *other* BIOSes
besides the motherboard one. For instance, video cards have a BIOS and
many ethernet cards do as well (as do SCSI cards and other less common
possibilities). In principle any of these could harbour malware.
> I just happen to have a rom.bin BIOS file handy and I just
> checked wit with ESET NOD32. No problems. It came from the
> computer manuf. Now if someone wants to "stick" a virus into one
> and THEN run it through an A-V program again, we'll know if A-V
> programs can "do" BIOS ROM files.
Writing signatures for a known issue in a BIOS ROM would be relatively
straightforward with current signature based file AV technology.
That's not the same, however, as testing for malware in the system's
current BIOS.
comphelp@toddh.net (Todd H.) wrote in
news:841vm360jc84zl8r4lyw__84y6ob4lyw@yahoo.com:
> thanatoid <waiting@the.exit.invalid> writes:
>
>> I just happen to have a rom.bin BIOS file handy and I just
>> checked wit with ESET NOD32. No problems. It came from the
>> computer manuf. Now if someone wants to "stick" a virus
>> into one and THEN run it through an A-V program again,
>> we'll know if A-V programs can "do" BIOS ROM files.
>
> Writing signatures for a known issue in a BIOS ROM would be
> relatively straightforward with current signature based file
> AV technology.
>
> That's not the same, however, as testing for malware in the
> system's current BIOS.
Well, you can SAVE your /current/ BIOS and then scan THAT,
right?
Unless an "entirely different and not detectable by normal AV
programs type of malware" applies to BIOS chips.
| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
| news:h91e3s01tdq@news3.newsguy.com:
>> From: "攸hw不f" <snuhwolf@netscape.net>
>>| In message <BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com> , "nobody
>>| " wrote:
>>>> ~BD~ wrote:
>>>> > I asked this question in the two 'security' newsgroups to which I
>>>> > now crosspost.
>>>> >
>>>> > "Is there *any* tool which can identify a rootkit on a ROM chip?"
>>>> If you are truly speaking of Read Only Memory that was installed at
>>>> assembly, there's no way that a rootkit could be there unless it was
>>>> put on when the ROM was "Burned"
>>| Really? Have you ever flashed a BIOS?
>> That's not ROM that's a form of EEPROM.
| While you're worrying, you might want to worry about *other* BIOSes
| besides the motherboard one. For instance, video cards have a BIOS and
| many ethernet cards do as well (as do SCSI cards and other less common
| possibilities). In principle any of these could harbour malware.
David H. Lipman <DLipman~nospam~@Verizon.Net> pinched out a steaming
pile of<h92dgn02n5b@news3.newsguy.com>:
>From: "nemo_outis" <abc@xyz.com>
>
>| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
>| news:h91e3s01tdq@news3.newsguy.com:
>| While you're worrying, you might want to worry about *other* BIOSes
>| besides the motherboard one. For instance, video cards have a BIOS and
>| many ethernet cards do as well (as do SCSI cards and other less common
>| possibilities). In principle any of these could harbour malware.
>In principle but not yet in actuality.
>
Don't worry, we're working on it ;)
nobody > <usenetharvested@aol.com> pinched out a steaming pile
of<foSdnalSqNT8vCnXnZ2dnUVZ_gednZ2d@supernews.com> :
>"Flashing the BIOS" means that the chip(s) in question are
>erasable/reprogrammable. By long convention, ROM is static and can
>only be written to ONCE. The term "burning" came from the original
>design where you actually burnt elements of the chip away to store the
>contents.
>
Firmware Upgrade.
Was the modem *designed* with an EEPROM? I'm thinking it wasn't.
So when I downloaded a "flash modem tool" from USR and upgraded a modem
with linux (it was pretty exciting btw and made me feel like I was a
smarty) I bet it wasn't an EEPROM chip but a ROM chip.
Or was I mistaken?
Hmmmm...
| nobody > <usenetharvested@aol.com> pinched out a steaming pile
| of<foSdnalSqNT8vCnXnZ2dnUVZ_gednZ2d@supernews.com> :
>>"Flashing the BIOS" means that the chip(s) in question are
>>erasable/reprogrammable. By long convention, ROM is static and can
>>only be written to ONCE. The term "burning" came from the original
>>design where you actually burnt elements of the chip away to store the
>>contents.
| Firmware Upgrade.
| Was the modem *designed* with an EEPROM? I'm thinking it wasn't.
| So when I downloaded a "flash modem tool" from USR and upgraded a modem
| with linux (it was pretty exciting btw and made me feel like I was a
| smarty) I bet it wasn't an EEPROM chip but a ROM chip.
| Or was I mistaken?
| Hmmmm...
Go back to the first chips. As noted you would "burn" code on a "Read Only Memory" chip
by actually causing leads within the microchip to be burnt away like a burned out
lightbulb. Then there were the EPROMS where ultraviolet light was used to "erase" what
was stored in ROM. These are noted by their glass windows which would then be covered by
a label indicating its function and application. Then there is the Electrically Erasable
Programmable ROM which is more like the Flashable ROM we know today.
BoaterDave is an idiot and he introduced FUD when he replied to someone in
alt.computer.security with "However, have you considered that your BIOS may have
been/could be infected? A whole new ball-game!"
That's what started this because I replied...
"Pure FUD.
The BIOS is NOT infected and should not be considered to be infected or become possibly
infected!"
To date NO ONE has "infected" a BIOS. There have been malware attempts and when it comes
to Motherboard BIOS at best the BIOS is corrupted or deleted rendering the system
incapable of booting. This subject matter has been discussed to death in alt.comp.virus
and alt.comp.anti-virus long before BoaterDave posted to Usenet.
To infect a BIOS there are just too many variables from which chip-set used, entry points
for code insertion, CRC checks, etc. Even if one particular module can be infected it
would be an extremely small niche as there is no way a programmer is going to program a
dictionary of chip-sets and systems into the code.
Just consider the idea of flashing a BIOS. Whose BIOS ? Phoenix, Award ??? For what
system ?
Take an Award BIOS for motherboard X. If you try to flash Motherboard X with Award BIOS
for motherboard Y, you'll have a dead system.
Now extrapolate that to BIOS chips on periphery. It becomes exponentially more difficult.
Thus the idea of infecting BIOS (at this time) is pure FUD and BoaterDave is showing his
trolling nature.
禮簽羹hw瞻瞿f wrote:
> nobody > <usenetharvested@aol.com> pinched out a steaming pile
> of<foSdnalSqNT8vCnXnZ2dnUVZ_gednZ2d@supernews.com> :
>
>> "Flashing the BIOS" means that the chip(s) in question are
>> erasable/reprogrammable. By long convention, ROM is static and can
>> only be written to ONCE. The term "burning" came from the original
>> design where you actually burnt elements of the chip away to store the
>> contents.
>>
>
> Firmware Upgrade.
>
> Was the modem *designed* with an EEPROM? I'm thinking it wasnt.
> So when I downloaded a "flash modem tool" from USR and upgraded a modem
> with linux (it was pretty exciting btw and made me feel like I was a
> smarty) I bet it wasnt an EEPROM chip but a ROM chip.
> Or was I mistaken?
> Hmmmm...
>
ROM is Read-Only Memory which is taken to refer to the fact that the CPU
can't routinely write to it by a simple memory operation as it can to
RAM. If the ROM can be written by an electrical programming procedure,
then it is PROM - programmable ROM. EPROM, EEPROM and Flash are all
types of PROM. Writing PROMs requires some sort of arcane programming
procedure carried out by dedicated software, it is not like writing to
RAM, so cannot happen accidentally.
The type of ROM which can only be written once is called OTP, (One Time
Programmable), which also includes the 'burnable' fuse ROMs mentioned
above. There is also "true ROM" or "mask ROM" which is programmed at
manufacture by the data actually being incorporated into the etching
mask of the chip.
EEPROM (Electrically Erasable Programmable ROM) refers to devices which
can be written both to binary ones or zeroes byte by byte. These are
expensive (per byte), usually small, and are typically used for
non-volatile storage of parameters.
Most ROM used for BIOSes, and firmware in routers and modems is Flash,
which can be written only to binary zeroes byte by byte, but can be
electrically 'erased' (written to binary ones) in large blocks (or the
whole chip). This has largely replaced EPROM, which was written in a
similar way and the entire chip erased by ultraviolet light.
The obvious way to confirm the integrity of programmable firmware in
anything is to make a copy of it (before going online) and from time to
time to compare the contents with the copy, or to re-flash it from a
master copy.
Exploits in flash BIOS, while possible are unlikely to be popular in the
wild because there is a large variety of BIOSes and programming methods
out there and it would be lengthy work to write something that would
work on the majority of PCs. Some devices would require physical access
to install an exploit because they have a physical write-protection
switch (jumper). Malware writers will always be drawn to a monoculture
like Windows because the target population for any given exploit is so
much bigger. Terrorists don't set off bombs in the countryside.
On Sat, 19 Sep 2009 14:47:28 +0000 (UTC), in the land of
24hoursupport.helpdesk, 攸hw不f <snuhwolf5150@hotmail.com> got double
secret probation for writing:
>nobody > <usenetharvested@aol.com> pinched out a steaming pile
>of<foSdnalSqNT8vCnXnZ2dnUVZ_gednZ2d@supernews.com>:
>
>>"Flashing the BIOS" means that the chip(s) in question are
>>erasable/reprogrammable. By long convention, ROM is static and can
>>only be written to ONCE. The term "burning" came from the original
>>design where you actually burnt elements of the chip away to store the
>>contents.
>>
>
>Firmware Upgrade.
>
>Was the modem *designed* with an EEPROM? I'm thinking it wasnt.
>So when I downloaded a "flash modem tool" from USR and upgraded a modem
>with linux (it was pretty exciting btw and made me feel like I was a
>smarty) I bet it wasnt an EEPROM chip but a ROM chip.
>Or was I mistaken?
>Hmmmm...
VERY BASIC:
ROM - Data fixed in silicon - expensive in small quantity.
PROM - Write Once - Read Many - Much less expensive but not erasable.
EPROM - UV Erasable data - Erase was slow and required UV lamps
EEPROM - Electrically Erasable - Essentially a RAM with retention.
(Multiple types of flash & rom fit here)
FLASH - An EEPROM with higher density, faster write speeds and more
write cycles. Different technology than the original EEPROM. Multiple
types now NAND/NOR.
A flash modem tool would have been used on any of the "electrically
erasable" devices that could be reprogrammed under software control.
Anything before that technology would require removal of the memory.
On Sat, 19 Sep 2009 11:24:11 -0400, in the land of
24hoursupport.helpdesk, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> got double secret probation for writing:
>From: "攸hw不f" <snuhwolf5150@hotmail.com>
>
>| nobody > <usenetharvested@aol.com> pinched out a steaming pile
>| of<foSdnalSqNT8vCnXnZ2dnUVZ_gednZ2d@supernews.com> :
>
>| Firmware Upgrade.
>
>| Was the modem *designed* with an EEPROM? I'm thinking it wasnt.
>| So when I downloaded a "flash modem tool" from USR and upgraded a modem
>| with linux (it was pretty exciting btw and made me feel like I was a
>| smarty) I bet it wasnt an EEPROM chip but a ROM chip.
>| Or was I mistaken?
>| Hmmmm...
>
>Go back to the first chips. As noted you would "burn" code on a "Read Only Memory" chip
>by actually causing leads within the microchip to be burnt away like a burned out
>lightbulb.
Err, no, ROM were masked devices where data was etched in the raw
material. No "leads" burnt. Early ROM were not even "chips" but blocks
of laminate with hardwired address.
PROM were the first that used a high voltage to disable one of two
paths within the silicon. Later as technology changed they reoriented
the junctions rather than use destructive means which changed the
location from a 1 to a 0.
EPROM used a high frequency light to reset the junction to its original
1 state and allow reprogramming.
On Sat, 19 Sep 2009 16:58:25 +0100, in the land of
24hoursupport.helpdesk, Tim Jackson <tim@tim-jackson.co.uk> got double
secret probation for writing:
>ROM is Read-Only Memory which is taken to refer to the fact that the CPU
>can't routinely write to it by a simple memory operation as it can to
>RAM. If the ROM can be written by an electrical programming procedure,
>then it is PROM - programmable ROM. EPROM, EEPROM and Flash are all
>types of PROM. Writing PROMs requires some sort of arcane programming
>procedure carried out by dedicated software, it is not like writing to
>RAM, so cannot happen accidentally.
Umm, no. Early EEPROM worked exactly like RAM.
Enable (nCS/nCE low usually)
Outputs off (nOE low usually)
Address (A0-Ax to address location to be programmed)
Data (D0-Dx with data to be programmed)
Write (nWE low usually)
End (either nCS or nWE returns to 1)
IIRC the original 28C devices all worked like that.
The later devices included a very simple 3 cycle write algorithm
Something on the order of:
#AAAA #55
#5555 #AA
#AAAA #90
The erase algorithm was a bit more complex and took 5 cycles and you
could cycle through the whole device and erase each individual
location (reset 0 to 1). Later they actually added full chip and
sector erase functions that removed the need to address each location
and verify each location. Early flash could be damaged if you tried
to write a 0 to a 0.
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:h92dgn02n5b@news3.newsguy.com:
....
>| While you're worrying, you might want to worry about *other* BIOSes
>| besides the motherboard one. For instance, video cards have a BIOS
>| and many ethernet cards do as well (as do SCSI cards and other less
>| common possibilities). In principle any of these could harbour
>| malware.
>
> In principle but not yet in actuality.
We agree on my qualification: in principle. To my knowledge there's
nothing "in the wild." Yet!
However, if I were targeting a BIOS for malware insertion a graphics
card would have considerable appeal.
For instance, nVidia has for a long time supported direct programming of
the GPU (that's "G" not "C") through CUDA (and ATI more recently with
Stream) using high-level languages such as C. The GPU is a very
powerful processor and, to my knowledge, no anti-virus (or other
anti-malware) program even looks at it as a threat source. Very likely
a compromise of the graphics BIOS could be leveraged to use this
separate processor.
Vaguely redolent of how a FireWire DMA attack completely bypasses the
CPU and therefore any anti-virus programs.
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:h92t2v0dm@news3.newsguy.com:
....
> BoaterDave is and idiot and he introduced FUD when he replied to
> someone in alt.computer.security with "However, have you considered
> that your BIOS may have been/could be infected? A whole new
> ball-game!"
>
> That's what started this because I replied...
> "Pure FUD.
>
> The BIOS is NOT infected and should not be considered tobe infected or
> become possibly infected!"
>
> To date NO ONE has "infected" a BIOS. ....
You're not quite right: the Chernobyl virus of a few years back could -
and did! - trash the motherboard BIOS of many machines.
But as you go on to describe this was simple trashing, NOT the insertion
of workable code.
Moreover, your core point, that BIOS malware is, at present, only a
theoretical possibility and not a live threat, is well-taken.
Accordingly, BoaterDave raising the issue to be considered by the OP when
protecting his system was pure bullshit.
> The obvious way to confirm the integrity of programmable firmware in
> anything is to make a copy of it (before going online) and from time to
> time to compare the contents with the copy, or to re-flash it from a
> master copy.
As a practical matter, yes. But, in principle (although there are very
considerable barriers to achieving it) a compromised BIOS could "lie" and
give you the "original contents" when queried.
This risk (that a compromised system can lie and prevent you detecting
the compromise) is a "very real" possibility in some contexts (contexts
which again, in principle, could extend to the compromised BIOS case).
Joanna Rutkowska (my heroine!) has demonstrated that a rootkit in memory
can dick with the memory map to hide even from an active outside hardware
probe! See: Beyond The CPU: Defeating Hardware Based RAM Acquisition
Tools (Part I: AMD case) - February 2007
In fact, if you wish to scare the willies out of yourself regarding
rootkits have a read of some of the rest of Rutkowska's papers at: http://www.invisiblethings.org/papers.html
If there are "black hats" out there with even half Rutkowska's skills
(and, believe me, there are!) we're in very deep doo-doo.
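The integrity check Tim Jackson describes (keep a copy of the firmware taken before going online, then compare later dumps against it), together with nemo_outis's caveat that a compromised BIOS could answer a query with the "original contents", as an added Python example that is not code from anyone in this thread. It keeps per-block SHA-256 digests instead of the whole image so a changed region can be located; the block size, manifest layout, helper names and sample images are all assumptions.

```python
"""Firmware image integrity check: known-good manifest vs. a fresh dump.

Added example; not code from anyone in this thread. Block size, manifest
layout, helper names and the sample images are all assumptions.
"""
import hashlib
from typing import List, Tuple

BLOCK_SIZE = 4096  # assumed: digest the image in 4 KiB blocks (real sector sizes vary by chip)


def build_manifest(image: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Digest a known-good image: its size, a whole-image SHA-256 and one SHA-256 per block.

    Keeping digests rather than the full image is enough to detect a change and to
    say which block changed, which is what you want before deciding to re-flash.
    """
    if block_size <= 0:
        raise ValueError("block_size must be positive")
    blocks = [image[i:i + block_size] for i in range(0, len(image), block_size)]
    return {
        "size": len(image),
        "block_size": block_size,
        "sha256": hashlib.sha256(image).hexdigest(),
        "blocks": [hashlib.sha256(b).hexdigest() for b in blocks],
    }


def _merge_ranges(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Merge adjacent (offset, length) ranges so a run of changed blocks is reported once."""
    merged: List[Tuple[int, int]] = []
    for off, length in ranges:
        if merged and merged[-1][0] + merged[-1][1] == off:
            prev_off, prev_len = merged[-1]
            merged[-1] = (prev_off, prev_len + length)
        else:
            merged.append((off, length))
    return merged


def compare_dump(dump: bytes, manifest: dict) -> dict:
    """Compare a fresh dump against the manifest.

    Returns {"ok": bool, "size_mismatch": bool, "changed": [(offset, length), ...]}.
    A dump of a different size fails outright, since extra or missing bytes cannot be
    the same image; blocks are still compared so the report shows where it diverges.
    """
    block_size = manifest["block_size"]
    size_mismatch = len(dump) != manifest["size"]
    changed: List[Tuple[int, int]] = []
    for idx, expected in enumerate(manifest["blocks"]):
        off = idx * block_size
        ref_len = min(block_size, manifest["size"] - off)  # length of the reference block
        if hashlib.sha256(dump[off:off + ref_len]).hexdigest() != expected:
            changed.append((off, ref_len))
    changed = _merge_ranges(changed)
    ok = (not size_mismatch and not changed
          and hashlib.sha256(dump).hexdigest() == manifest["sha256"])
    return {"ok": ok, "size_mismatch": size_mismatch, "changed": changed}


def make_sample_images() -> Tuple[bytes, bytes]:
    """Constructed sample data: a 16 KiB 'reference' image and a copy with 16 bytes patched in block 2."""
    reference = bytes((i * 7 + 3) & 0xFF for i in range(4 * BLOCK_SIZE))
    tampered = bytearray(reference)
    patch_at = 2 * BLOCK_SIZE + 100
    tampered[patch_at:patch_at + 16] = b"\x90" * 16  # constructed modification, not from any real image
    return reference, bytes(tampered)


if __name__ == "__main__":
    # Take the reference dump before the machine goes online and keep the manifest off the machine.
    # An in-system read goes through the firmware being checked, so a compromised image could answer
    # with the expected bytes; a dump read with an external programmer does not have that weakness.
    reference, tampered = make_sample_images()
    manifest = build_manifest(reference)
    for name, img in (("reference", reference), ("tampered", tampered), ("truncated", reference[:-10])):
        report = compare_dump(img, manifest)
        print(f"{name:10s} ok={report['ok']} size_mismatch={report['size_mismatch']} "
              f"changed={[(hex(o), n) for o, n in report['changed']]}")
```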
> Firmware Upgrade.
>
> Was the modem *designed* with an EEPROM? I'm thinking it wasnt.
> So when I downloaded a "flash modem tool" from USR and upgraded a modem
> with linux (it was pretty exciting btw and made me feel like I was a
> smarty) I bet it wasnt an EEPROM chip but a ROM chip.
> Or was I mistaken?
> Hmmmm...
>
It's really just a semantics question.
ROM, EPROM, and EEPROM chips all provide the same function; to store code.
ROM (Read Only Memory) came first, and as I said is a "one time" write-to
technology.
(actually, you could write to it again if there was "unburnt space" but
that would be in addition to what was originally burnt)
Since it took special equipment to do the "burn", it was pretty
impervious to tampering.
EPROM (Erasable Read Only Memory) came next and was erasable by exposing
a clear window to strong UV light, then programmed with new code. As
again, the special equipment needed precludes tampering.
EEPROM (Electronically Erasable Read Only Memory) came in two flavors.
The early stuff needed a higher voltage applied to erase it, so it's
fairly impervious as well, as the higher voltage was usually only
available from an outside programming device.
The later stuff (BIOS and "firmware") can be reprogrammed (flashed)
in-circuit if the support circuitry supports it.
Theoretically, the last could be attacked and rewritten with malicious
code, but the malware involved would have to have the code needed to
access and flash it.
It's been done, but the stuff needed to do the deed tends to be very
obvious and spotted quickly.
Aratzio wrote:
> On Sat, 19 Sep 2009 16:58:25 +0100, in the land of
> 24hoursupport.helpdesk, Tim Jackson <tim@tim-jackson.co.uk> got double
> secret probation for writing:
>
>> ROM is Read-Only Memory which is taken to refer to the fact that the CPU
>> can't routinely write to it by a simple memory operation as it can to
>> RAM. If the ROM can be written by an electrical programming procedure,
>> then it is PROM - programmable ROM. EPROM, EEPROM and Flash are all
>> types of PROM. Writing PROMs requires some sort of arcane programming
>> procedure carried out by dedicated software, it is not like writing to
>> RAM, so cannot happen accidentally.
>
> Umm, no. Early EEPROM worked exactly like RAM.
>
> Enable (nCS/nCE low usually)
> Outputs off (nOE low usually)
> Address (A0-Ax to address location to be programmed)
> Data (D0-Dx with data to be programmed)
> Write (nWE low usually)
> End (either nCS or nWE returns to 1)
>
> IIRC the original 28C devices all worked like that.
>
> The later devices included a very simple 3 cycle write algorithm
>
> Something on the order of:
> #AAAA #55
> #5555 #AA
> #AAAA #90
>
> The erase algorithm was a bit more complex and took 5 cycles and you
> could cycle through the whole device and erase each individual
> location (reset 0 to 1). Later they actually added full chip and
> sector erase functions that removed the need to address each location
> and verify each location. Early flash could be damaged if you tried
> to write a 0 to a 0.
>
That's only half the story. Writing a byte to EEPROM, EPROM or Flash is
a slow process taking hundreds or thousands of machine cycles and
totally unlike RAM.
Yes you could initiate a write to *one byte* like you say, but that is
because the rest of the work is done by internal logic. Where you say
"end" that is not the end for the device, nor should it be for the
programmer if he wants to keep his job. In both 28C64 and Flash, the
algorithm then has to go into a loop checking a 'busy' flag (for several
milliseconds per byte in a 28C64) until the internal write process
completes. An attempt to write successive addresses as if it were RAM
would not succeed. A read access during an internal write cycle would
read the flags, not memory contents. So an 'accidental' write to a BIOS
in an unlocked 28C64 (see below) would not overwrite it, it would
corrupt one byte and then crash on the next BIOS call.
I accept early 28xx EEPROMs did not have any accidental (or
malicious) write protection. On recent devices (eg Atmel AT28C64B) it
is optional, you *can* leave them open to unanticipated write (like you
describe) if you are careless enough; or you can 'lock' them to require
a command sequence to enable writing. However it would be a poor
designer who used an unprotected device for firmware, which is the
context we are discussing.
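Added example, not code posted by anyone in this thread: a small C model of what Tim describes above (a one-byte latch, status instead of data on reads during the internal cycle, DATA polling on I/O7, and a 28C64B-style software data protection prefix), with a naive "write it like RAM" driver and a polled driver run against it. The SDP prefix addresses (AA->1555h, 55->0AAAh, A0->1555h) are from my recollection of the Atmel AT28C64B datasheet and the cycle length is an arbitrary tick count; treat both as assumptions, and note that it models one byte per cycle rather than page writes.

```c
/* Behavioural model of a 28C64-class EEPROM with software data protection (SDP),
 * driven by a naive "treat it like RAM" programmer and by a proper polled one.
 * Added example for this thread, not code posted by anyone in it.  Assumptions: the
 * SDP prefix (AA->1555h, 55->0AAAh, A0->1555h) is from my recollection of the Atmel
 * AT28C64B datasheet; one byte per write cycle (page mode not modelled). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define EEPROM_SIZE       8192  /* 28C64 = 8K x 8 */
#define WRITE_CYCLE_TICKS 10    /* assumption: 1 tick ~ 1 ms, tWC max ~10 ms */
#define SDP_ADDR1 0x1555
#define SDP_ADDR2 0x0AAA

typedef struct {
    uint8_t  mem[EEPROM_SIZE];
    bool     sdp_enabled;   /* "locked": writes must be preceded by the prefix */
    int      busy_ticks;    /* > 0 while an internal write cycle is running */
    uint16_t pending_addr; uint8_t pending_data;
    int      unlock_stage;  /* progress through the 3-byte prefix */
} eeprom_t;

void eeprom_init(eeprom_t *e, bool locked) {
    memset(e->mem, 0xFF, sizeof e->mem);  /* erased cells read as 1 */
    e->sdp_enabled = locked; e->busy_ticks = 0; e->unlock_stage = 0;
}
/* One tick of simulated time; the latched byte lands when the cycle ends. */
void eeprom_tick(eeprom_t *e) {
    if (e->busy_ticks > 0 && --e->busy_ticks == 0) e->mem[e->pending_addr] = e->pending_data;
}
/* While busy the part returns status, not data: I/O7 is the complement of the
 * byte being written (DATA polling) and I/O6 toggles. */
uint8_t eeprom_read(const eeprom_t *e, uint16_t addr) {
    if (e->busy_ticks > 0) return (uint8_t)((~e->pending_data & 0x80) | ((e->busy_ticks & 1) << 6));
    return e->mem[addr & (EEPROM_SIZE - 1)];
}
/* Latch one byte and start the cycle.  Returns false when the bus cycle is
 * dropped: during a running cycle, or on a locked part without the prefix. */
bool eeprom_write(eeprom_t *e, uint16_t addr, uint8_t data) {
    addr &= EEPROM_SIZE - 1;
    if (e->busy_ticks > 0) return false;
    if (e->unlock_stage == 0 && addr == SDP_ADDR1 && data == 0xAA) { e->unlock_stage = 1; return true; }
    if (e->unlock_stage == 1 && addr == SDP_ADDR2 && data == 0x55) { e->unlock_stage = 2; return true; }
    if (e->unlock_stage == 2 && addr == SDP_ADDR1 && data == 0xA0) {
        e->unlock_stage = 3; e->sdp_enabled = true;  /* next byte may be written; part is now locked */
        return true;
    }
    bool allowed = !e->sdp_enabled || e->unlock_stage == 3;
    e->unlock_stage = 0;
    if (!allowed) return false;
    e->pending_addr = addr; e->pending_data = data; e->busy_ticks = WRITE_CYCLE_TICKS;
    return true;
}
/* Naive driver: back-to-back writes as if the chip were RAM.  Only the first byte
 * is latched; the rest arrive mid-cycle and are dropped. */
int naive_program(eeprom_t *e, uint16_t base, const uint8_t *img, int n) {
    int accepted = 0;
    for (int i = 0; i < n; i++) accepted += eeprom_write(e, base + i, img[i]);
    for (int t = 0; t < WRITE_CYCLE_TICKS; t++) eeprom_tick(e);  /* let the one byte finish */
    return accepted;
}
/* Proper driver: optional SDP prefix, then DATA-poll until read-back matches.  I/O7
 * is inverted while busy, so status never equals the data byte and the poll ends
 * exactly when the cycle completes. */
int polled_program(eeprom_t *e, uint16_t base, const uint8_t *img, int n, bool sdp_prefix) {
    int written = 0;
    for (int i = 0; i < n; i++) {
        if (sdp_prefix) {
            eeprom_write(e, SDP_ADDR1, 0xAA); eeprom_write(e, SDP_ADDR2, 0x55); eeprom_write(e, SDP_ADDR1, 0xA0);
        }
        if (!eeprom_write(e, base + i, img[i])) break;
        for (int guard = 0; eeprom_read(e, base + i) != img[i] && guard < 1000; guard++) eeprom_tick(e);
        if (eeprom_read(e, base + i) != img[i]) break;
        written++;
    }
    return written;
}
/* Image bytes actually in the array, as an external chip reader would see them. */
int eeprom_verify(const eeprom_t *e, uint16_t base, const uint8_t *img, int n) {
    int ok = 0;
    for (int i = 0; i < n; i++) ok += (e->mem[(base + i) & (EEPROM_SIZE - 1)] == img[i]);
    return ok;
}
/* Constructed sample images: arbitrary bytes, not real firmware. */
static const uint8_t GOOD[8] = {0xE9, 0x00, 0x10, 0xFA, 0x31, 0xC0, 0x8E, 0xD8};
static const uint8_t EVIL[8] = {0xEB, 0xFE, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90};
/* Program GOOD into a fresh part with the chosen method, optionally followed by an
 * unprefixed attempt to overwrite it with EVIL; returns bytes of GOOD present. */
int scenario(bool locked, bool polling, bool sdp_prefix, bool then_overwrite) {
    eeprom_t e;
    eeprom_init(&e, locked);
    if (polling) polled_program(&e, 0, GOOD, 8, sdp_prefix); else naive_program(&e, 0, GOOD, 8);
    if (then_overwrite) polled_program(&e, 0, EVIL, 8, false);
    return eeprom_verify(&e, 0, GOOD, 8);
}
int main(void) {
    printf("naive as RAM %d/8, polled %d/8, locked w/o prefix %d/8, locked then overwritten %d/8\n",
           scenario(false, false, false, false), scenario(false, true, false, false),
           scenario(true, true, false, false), scenario(false, true, true, true));
    return 0;
}
```

Run as-is it reports that the RAM-style driver lands exactly one byte of the image (the rest of the writes hit the chip mid-cycle and are ignored), the polled driver lands all eight, a locked part silently drops writes that lack the prefix, and a part that was flashed with the prefix (and so locked) keeps its contents when something later tries to overwrite it without the prefix, whereas a part that was never locked is overwritten completely. That last pair is the "poor designer" point in the post above, and the prefix-plus-poll loop is also the shape of the code any in-circuit flasher, legitimate or not, has to carry.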
| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
| news:h92dgn02n5b@news3.newsguy.com:
| ...
>>| While you're worrying, you might want to worry about *other* BIOSes
>>| besides the motherboard one. For instance, video cards have a BIOS
>>| and many ethernet cards do as well (as do SCSI cards and other less
>>| common possibilities). In principle any of these could harbour
>>| malware.
>> In principle but not yet in actuality.
| We agree on my qualification: in principle. To my knowledge there's
| nothing "in the wild." Yet!
| However, if I were targetting a BIOS for malware insertion a graphics
| card would have considerable appeal.
| For instance, nVidia has for a long time supported direct programming of
| the GPU (that's "G" not "C") through CUDA (and ATI more recently with
| Stream) using high-level languages such as C. The GPU is a very
| powerful processor and, to my knowledge, no anti-virus (or other
| anti-malware) program even looks at it as a threat source. Very likely
| a compromise of the graphics BIOS could be leveraged to use this
| separate processor.
| Vaguely redolent of how a FireWire DMA attack completely bypasses the
| CPU and therefore any anti-virus programs.
| Regards,
I remember reading about the FireWire exploitation,
| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
| news:h92t2v0dm@news3.newsguy.com:
| ...
>> BoaterDave is an idiot and he introduced FUD when he replied to
>> someone in alt.computer.security with "However, have you considered
>> that your BIOS may have been/could be infected? A whole new
>> ball-game!"
>> That's what started this because I replied...
>> "Pure FUD.
>> The BIOS is NOT infected and should not be considered to be infected or
>> become possibly infected!"
>> To date NO ONE has "infected" a BIOS. ....
| You're not quite right: the Chernobyl virus of a few years back could -
| and did! - trash the motherboard BIOS of many machines.
| But as you go on to describe this was simple trashing, NOT the insertion
| of workable code.
| Moreover, your core point, that BIOS malware is, at present, only a
| theoretical possibility and not a live threat, is well-taken.
| Accordingly, BoaterDave raising the issue to be considered by the OP when
| protecting his system was pure bullshit.
| Regards,
Right. It trashed it. It did not replace the code nor infect the BIOS. It rendered the
motherboard useless.
The Chernobyl was not the only one as there were copycats. None however could replace the
code nor infect the BIOS.
There was one case but that was unusual. It was the case of a disgruntled employee who
modified the BIOS code at the factory.
In message <bu0ab5d7ntv6pkm67sae1sr9ve1o1iq1sb@4ax.com>, Aratzio wrote:
> On Sat, 19 Sep 2009 14:47:28 +0000 (UTC), in the land of
> 24hoursupport.helpdesk, 攸hw不f <snuhwolf5150@hotmail.com> got double
> secret probation for writing:
>
> VERY BASIC:
> ROM - Data fixed in silicon - expensive in small quantity.
> PROM - Write Once - Read Many - Much less expensive but not erasable.
> EPROM - UV Erasable data - Erase was slow and required UV lamps
> EEPROM - Electrically Erasable - Essentially a RAM with retention.
> (Multiple types of flash & rom fit here)
> FLASH - An EEPROM with higher density, faster write speeds and more
> write cycles. Different technology than the original EEPROM. Multiple
> types now NAND/NOR.
>
>
> A flash modem tool would have been used on any of the "electrically
> erasable" devices that could be reprogrammed under software control.
> Anything before that technology would require removal of the memory.
In message <h92s4m0319g@news3.newsguy.com>, "David H. Lipman" wrote:
> From: "攸hw不f" <snuhwolf5150@hotmail.com>
>
> >>In principle but not yet in actuality.
>
> | Dont worry, we're working on it ;)
>
> I doubt you are :-)
>
Hire a Chinese kid to do it.
> But... I am sure some malcious actor is but to date, nothing.
>
Patience is a virtue.
> Accordingly, BoaterDave raising the issue to be considered by the OP when
> protecting his system was pure bullshit.
Maybe you didn't read the whole thread ......
.. started by the OP - Albert - 17/9/09 23:27 in alt.computer.security
Had you done so you would have/will appreciate that 'Albert' was in no
way the naive poster he pretended to be (in my opinion anyway). My
comment regarding BIOS rootkits was proffered somewhat tongue-in-cheek;
the OP did not return to answer/question my comment. I wonder why!