Rootkits and the BIOS

Daave

There has been a *lot* of talk lately about KB977165!

Many of us have seen ANGELKISSES420's nearly incoherent ramblings. I'm
not 100% convinced she is attempting to boot off the CD correctly. But
in the event she *is* having the problems she is claiming to have,
specifically this one:

the inability to boot off the CD unless she removes the problematic hard
drive and replaces it with a new one

... what might be going on? MowGreen seems to think that the interaction
of KB977165 along with malware already present on the old hard drive
(quite possibly the Win32/Alureon.A rootkit) is causing this occurrence.
But I don't understand how this is possible. When a PC is first turned
on, Windows doesn't even load yet! So, assuming the keyboard is correct
and working, one *can* normally enter the BIOS! The malware-induced
situation should not prevent this unless the malware has somehow invaded
the BIOS (and I would imagine only certain BIOSes would be affected if
this were the case, no?).

Once one is in the BIOS, one can rearrange the boot order so the CD-ROM
drive is first. So the next time the PC is turned on, as long as there
is a bootable CD in the CD drive, the option to boot off the Windows
installation CD is presented, the "anykey" is pressed, and the boot from
the CD is successful.

So, if ANGELKISSES420 is correct and she is unable to do the above, what
might be going on? If somehow the malware entered the BIOS, why can she
boot off the CD after swapping hard drives?
 
David H. Lipman

From: "Daave" <[email protected]>

< snip >

| So, if ANGELKISSES420 is correct and she is unable to do the above, what
| might be going on? If somehow the malware entered the BIOS, why can she
| boot off the CD after swapping hard drives?

/* There is NO malware that infects the BIOS. */
 
PA Bear [MS MVP]

Without physical (or remote) access to ANGELKISSES420's computer, answering
your question would be a rhetorical exercise at best.

References:

<QP>
....Alureon is among the Top 10 threats that Microsoft’s various security
technologies — including its “malicious software removal tool” — regularly
detect on Windows systems. According to Microsoft’s own Security Intelligence
Report, Microsoft’s security products removed nearly 2 million instances of
Alureon from Windows systems /in the first half of 2009 alone/, up from a
half million in the latter half of 2008.

Barnes said “atapi.sys” makes an attractive target for a rootkit because it
is a core Windows component that gets started up early as Windows is first
loading. “It’s started up very early in the boot process, and because of
that it makes these kinds of threats sometimes very hard to detect and
remove,” Barnes said in a telephone interview with krebsonsecurity.com.
</QP>
Source:
http://www.krebsonsecurity.com/2010/02/rootkit-may-be-culprit-in-recent-windows-crashes/

BIOS Rootkit talks….. | SophosLabs blog:
http://www.sophos.com/blogs/sophoslabs/v/post/5716

BIOS-level rootkit attack scary, but hard to pull off [March 2009]
http://arstechnica.com/security/news/2009/03/researchers-demonstrate-bios-level-rootkit-attack.ars
 
20100214

I wouldn't take any notice of Mo green because her knowledge of computers
per se is incomplete and anyone trying to correct her is likely to be
branded a troll and his or her messages deleted from these newsgroups. I
have always argued with her on many things under the name of ANONYMOUS and
now M$ have black listed me because I reported Mo Green is a fat smelly tart
and she didn't like this at all!!
 
Daave

David said:
From: "Daave" <[email protected]>



/* There is NO malware that infects the BIOS. */

Assuming this is correct (and I believe that it is), is the following
assertion by MowGreen possible?:

<quote>
If you have entered the system's setup and configured it to boot from
the CD/DVD first and it still will not load the CD, it's a clear
indication that there is a root kit present.
What happened is that the update broke the root kit's 'functionality'
which in turn affected the CD player.
</quote>

(The above is from:
http://groups.google.com/group/microsoft.public.windowsupdate/msg/dfc513f1ecb625ed?hl=en )

Mow has consistently provided high-quality advice, but this particular
assertion confuses me. As long as the rootkit's damage is limited to
Windows and the hard drive, why couldn't a person successfully boot off
a CD?
 
PA Bear [MS MVP]

[BroMow had a sex change operation?]
I wouldn't take any notice of Mo green because her knowledge of computers
per se is incomplete and anyone trying to correct her is likely to be
branded a troll and his or her messages deleted from these newsgroups. I
have always argued with her on many things under the name of ANONYMOUS and
now M$ have black listed me because I reported Mo Green is a fat smelly tart
and she didn't like this at all!!
 
PA Bear [MS MVP]

Also see (cf.)
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Alureon

W32/Alureon variants keep appearing daily, if not hourly; cf.
http://www.google.com/search?source...te:microsoft.com/security/portal&aq=f&aqi=&oq

IN RE Alureon & atapi.sys, see
http://www.google.com/search?hl=en&safe=off&q=alureon+++"atapi.sys"&aq=f&aqi=&oq

Pegasus [MVP]

Daave said:
Assuming this is correct (and I believe that it is), is the following
assertion by MowGreen possible?:

<quote>
If you have entered the system's setup and configured it to boot from
the CD/DVD first and it still will not load the CD, it's a clear
indication that there is a root kit present.

No, it isn't - that's jumping to conclusions. There are numerous reasons why
a machine might not boot from a CD, most of them extremely simple and basic.
Having a root kit infection that causes this behaviour is at the very, very
far end of the list of possible reasons. A few quick tests with different
boot CDs and different CD drives would reveal the real cause within minutes.
 
David H. Lipman

From: "Daave" <[email protected]>


| Assuming this is correct (and I believe that it is), is the following
| assertion by MowGreen possible?:

| <quote>
| If you have entered the system's setup and configured it to boot from
| the CD/DVD first and it still will not load the CD, it's a clear
| indication that there is a root kit present.
| What happened is that the update broke the root kit's 'functionality'
| which in turn affected the CD player.
| </quote>

| (The above is from:
| http://groups.google.com/group/microsoft.public.windowsupdate/msg/dfc513f1ecb625ed?hl=
| en )

| Mow has consistently provided high-quality advice, but this particular
| assertion confuses me. As long as the rootkit's damage is limited to
| Windows and the hard drive, why couldn't a person successfully boot off
| a CD?


No, I do NOT believe that to be true simply because when you are this low
level, NO RootKit could have been loaded already.
 
Daave

David said:
No, I do NOT believe that to be true simply because when you are this
low level, NO RootKit could have been loaded already.

That is the impression I was under all along. I welcome Mow to clarify
in case I misunderstood him.
 
MowGreen

PA said:
[BroMow had a sex change operation?]


X-Mailer: Microsoft Outlook Express 6.00.2900.5843
80-41-6-71.dynamic.dsl.as9105.com 80.41.6.71

inetnum: 80.41.0.0 - 80.41.255.255
netname: DSL-TISCALI-UK
descr: Tiscali UK Ltd
descr: Milton Keynes
descr: Dynamic DSL
descr:
==========================================================
descr: Concerning abuse and spam ... mailto: (e-mail address removed)

--------------------------------------------------------------------------------------------
Isn't the above info familiar, BroRo ?
Adieu, 20100214.
Just another pseudonym from this same wackjob to PLONK !!!


MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked
 
MowGreen

This has nothing to do with the BIOS.
The CD's *driver* is non-functional. It's as simple as that, Daave.
That's why Angelkisses' CD player will not function.

This specific root kit can replace system drivers; it's not just limited
to atapi.sys. As with atapi.sys, the cd driver loads very early on boot.

When the update was applied, the root kit's "functionality", for want of
a better term, was broken.
Angelkisses proved this by replacing the HD with a known clean HD and
the system could boot from CD as it contains the required CD driver.

The HD containing the root kit will never allow the system to boot from
the CD as it no longer is functioning properly, is still present, and is
preventing the loading of the driver *from the CD*.


MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked
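As an added example, not part of MowGreen's post or of the thread, here is a defender-side PowerShell check for the driver-replacement scenario he describes: it tests whether atapi.sys still carries a valid Microsoft signature and compares its hash with the backup copies Windows keeps. The function name and the standard Windows paths are my own choices; PowerShell 4.0 or later is assumed for Get-FileHash.

```powershell
# Added example (not from the thread): check whether atapi.sys, the driver
# Alureon is reported to patch, is still the Microsoft-signed file, and
# compare it with the backup copies Windows keeps. Paths are the standard
# Windows ones. Requires PowerShell 4.0 or later (Get-FileHash).
function Test-AtapiDriver {
    param(
        # Windows directory to inspect. Point this at an offline-mounted volume
        # (e.g. D:\Windows) when booted from clean media, because a live rootkit
        # can hide its changes from the running system.
        [string]$SystemRoot = $env:SystemRoot
    )
    $driverName = 'atapi.sys'
    $live = Join-Path $SystemRoot "System32\drivers\$driverName"
    if (-not (Test-Path $live)) {
        Write-Output "$live not present"
        return
    }
    # 1. Signature check. A driver patched in place no longer matches its
    #    catalog hash, so Status is no longer 'Valid'. On an offline volume the
    #    catalogs consulted are the running system's, so weigh step 2 more there.
    $sig = Get-AuthenticodeSignature -FilePath $live
    Write-Output ("Signature status : {0}" -f $sig.Status)
    if ($sig.SignerCertificate) {
        Write-Output ("Signer           : {0}" -f $sig.SignerCertificate.Subject)
    }

    # 2. Hash comparison against backup copies: XP kept one in System32\dllcache,
    #    Vista and later keep component copies under WinSxS.
    $liveHash = (Get-FileHash -Path $live -Algorithm SHA256).Hash
    Write-Output ("Live SHA-256     : {0}" -f $liveHash)
    $backupDirs = @('System32\dllcache', 'WinSxS') |
        ForEach-Object { Join-Path $SystemRoot $_ } |
        Where-Object { Test-Path $_ }
    $copies = foreach ($dir in $backupDirs) {
        Get-ChildItem -Path $dir -Recurse -Filter $driverName -File -ErrorAction SilentlyContinue
    }
    if (-not $copies) {
        Write-Output 'No backup copies found to compare against.'
        return
    }
    # WinSxS may legitimately hold older builds with different hashes, so a
    # mismatch here is a lead to follow up, not a verdict on its own.
    foreach ($copy in $copies) {
        $h = (Get-FileHash -Path $copy.FullName -Algorithm SHA256).Hash
        $state = if ($h -eq $liveHash) { 'matches live driver' } else { 'differs from live driver' }
        Write-Output ("{0} : {1}" -f $copy.FullName, $state)
    }
}
Test-AtapiDriver
```

A signature status other than Valid on the live file, with a backup copy that still verifies, is the pattern a patched system driver produces; an unreadable or missing driver points instead at the simpler causes the rest of the thread raises.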
 
20100214

Still sucking c0ck5 eh?

Have you done anything about your obesity and that pungent odour of your
body? Haven't you been taught about hygiene & cleanliness?

Kev


 
Daave

(snipped and rearranged to show context)

MowGreen had originally written:

I later asked:

David H. Lipman then added:
No, I do NOT believe that [that is, MowGreen's explanation] to be
true simply because when you are this low level, NO RootKit could
have been loaded already.

I responded with:

Then said:
This has nothing to do with the BIOS.
The CD's *driver* is non-functional. It's as simple as that, Daave.
That's why Angelkisses' CD player will not function.

This specific root kit can replace system drivers; it's not just
limited to atapi.sys. As with atapi.sys, the cd driver loads very
early on boot.
When the update was applied, the root kit's "functionality", for want
of a better term, was broken.
Angelkisses proved this by replacing the HD with a known clean HD and
the system could boot from CD as it contains the required CD driver.

The HD containing the root kit will never allow the system to boot
from the CD as it no longer is functioning properly, is still
present, and is preventing the loading of the driver *from the CD*.

Drivers are OS-specific, though. That is, there are Windows-specific
drivers, Linux-specific drivers, etc. But even if the Windows-specific
driver became non-functional, what would this matter? When you boot off
the CD, the bad driver on the affected hard drive shouldn't even come
into play. When you boot off the CD, Windows is bypassed altogether.

I think this has a lot to do with the BIOS! The BIOS determines the boot
order. Once we have established the CD is number one in the order, the
Windows driver for it should be irrelevant. If ANGELKISSES420 is unable
to boot off the CD, it must be because one of the following:

1. Something (some weird motherboard-specific malware) is not permitting
the choice to boot off the CD to be honored (extremely highly
unlikely!!!).

2. There is something wrong with the CD.

3. There is something wrong with the CD drive (the actual hardware, not
a Windows driver that is located on the hard drive).

4. There is something wrong with the keyboard.

5. ANGELKISSES420 is exhibiting User Error (judging by the quality of
her posts, this seems most likely).

I'm pretty sure I'm covering all the bases. If I'm missing anything, I'm
open to hearing about it.

Sure, if ANGELKISSES420 has booted off the *hard drive* and is running
Windows, I can understand how the CD player can become borked due to a
changed Windows driver for it. But that is not what I am talking about!
Once you take Windows out of the equation, unless there is firmware
involved and its code has been altered, if the CD drive doesn't work, it
can't be due to a faulty Windows driver on the hard drive.
 
20100215

You have been questioning Mow Green and so your messages are being filtered
from these newsgroups.

It is an unwritten rule of these newsgroups not to ever criticise, question
or name call MVPs or else you will be black-listed on all Microsoft
Newsgroups. There is a freedom of speech and open internet but only if you
make MVPs your gods and always write good reviews of M$ products!.

Kev
 
shawn

How can that be there is NO malware that infects the BIOS?

There's programs to flash your BIOS nowadays from Windows, so what's to say
someone doesn't modify or re-write the flashing software to work hidden,
then make a modified BIOS.
 
David H. Lipman

From: "shawn" <[email protected]>

| How can that be there is NO malware that infects the BIOS?

| There's programs to flash your BIOS nowadays from Windows, so what's to say
| someone doesn't modify or re-write the flashing software to work hidden,
| then make a modified BIOS.

You need to study electronics MORE.

There is NO malware that 'infects' the BIOS.

Whose BIOS (Award, Phoenix, etc) ?
Whose motherboard ?
What is the size of the BIOS ?
What chip-set ?

Too many variables and obstacles, and even if you can do one, it will be
very specific to a particular system. Malware authors do NOT target a
specific system; they target a broad spectrum.
 
