I have been asked to look at a thread in PCW to somehow try and help. Well, I did what I could but, in the end, we had to resort to a re-install. To our surprise, the same problem came back, and no, it wasn't caused by SP3. It was an infection that wasn't taken care of properly.
I receive a daily newsletter from http://www.technibble.com/ . I wasn't able to read them lately, well, because of work and Easter. But I am sitting down for some interesting reading when I come across this article:
http://www.technibble.com/rootkits-that-survive-hd... . Now, this made me think of that poor fellow I just suggested to reformat and re-install. I will try and make it right but, for now, all of you should be aware of these new tactics.
This is the whole article from The Register :
http://www.theregister.co.uk/2009/03/24/persistent... .
Are we ever going to stay on top?
Athlonite.
Holy Sh**
Mon 13 April 2009 23:16:45 — cotojo: This is not good news!
If the malware creators find a way of injecting it into the BIOS of an infected machine there would have to be a complete rethink on the way that users are advised, and that in itself will be no mean feat either.
I dealt with a machine over the weekend that had Conficker, and the new variant had been installed. Backed up clean folders to an external drive and then used DBAN and reinstalled the OS; fortunately it worked.
The user now has an external drive with the system fully backed up with an image, but if the BIOS gets injected that will be a dead end at the moment!
Colin
http://freepcsecurity.co.uk
That's horrible
Mon 13 April 2009 23:32:39 — wehaveitall: Again, this shows the drawbacks of working together and apart. Spammers and malicious coders work together, while computer security companies do not.
We rate the websites, the WOT staff creates, and advertises the add-on, and together, we make it all happen.
Agree !!!
Mon 13 April 2009 23:44:16 — Athlonite: I'm afraid it's here. If the experts can re-create this sort of infection, then it certainly won't be long before we have to deal with this "Sh*t". I'm afraid that the motherboard will have to be replaced, depending on how it's infected. If they can disconnect you from the net, I guess they can stop you from restoring the default BIOS.
I sure hope we don't have to go back to school to learn How to deal with this kind of nastiness .
Here's another one for Conficker. The UK Parliament :
http://www.technibble.com/conficker-worm-hits-a-pa... .
athlonite.
Your help is always needed.
+1
Mon 13 April 2009 23:52:20 — cotojo: If the experts can do it then we know the criminals are close behind them.
If the BIOS were injected with the ability to block connection to the internet, restoring the default BIOS would mean that users would need to have a copy of the original defaults and the ability to flash the BIOS.
As pointed out in an earlier paper on the ability to affect a computer's flash memory with a rootkit, the BIOS would need to be configured to disable writing to flash memory.
Quote: "We can write a backdoor for Windows that will elevate privilege, and turn around and use the code on Windows."
Source: http://www.theregister.co.uk/2006/01/27/rootkits_b...
It's always a steep learning curve and the hill just got steeper!
The UK parliament computers infected with Conficker they tried to keep quiet, but it soon leaked LOL.
Over 1000 infected machines used by our not so illustrious leaders and MPs. With such high disregard for security, the problem lies on the inside and not on the outside.
Colin
http://freepcsecurity.co.uk
BIOS Virus
Tue 14 April 2009 01:41:24 — evilfantasy: I have seen many an argument on this topic. It seems to be reality in a controlled environment, just to prove it can be done, but pure myth anywhere else.
If the BIOS were a target I'm sure antivirus would boast "BIOS Protection" in their descriptions.
I could be wrong, not the first time, but I just don't believe that there is a virus out there that targets the BIOS.
bios
Tue 14 April 2009 02:27:39 — g7w: This injection is true for systems that are "open", and I quote from the article:
Of course, injecting code into the BIOS is no easy feat. It requires physical access to the machine or an exploit that hands an attacker unfettered root access
unfettered root access = ability to make changes to the bios, aka: Flash BIOS
Some mainboards have jumpers to protect against erroneous flashing. The jumper is located near the flash EEPROM.
Other mainboards have a BIOS setup option called "Flash BIOS Protection", "Firmware Write Protect", "BIOS Guardian" or "BIOS-ROM Flash-Protect", which must be disabled before flashing. Quote: Flash BIOS Protection
The Flash BIOS Protection feature is a software toggle that controls write access to the BIOS. When it is enabled, the BIOS code is write-protected and cannot be changed. This protects it from any attempt to modify it, including BIOS updates and virus attacks. Therefore, if you intend to update the BIOS, you'll need to disable this feature first.
It is highly recommended that you enable this feature at all times. You should only disable it when you intend to update the BIOS. After updating the BIOS, you should immediately re-enable it to protect the BIOS against viruses.
Whether via jumper or BIOS setting, they are generally enabled to protect you, though it doesn't hurt to check for yourself to make sure.
Also
There is also the option to control access to your BIOS setup initially, meaning you can (should) password-protect its access from boot, by entering an Administrator Password for "Setup". Here's an article from Tom's Hardware.
A good BIOS resource, for a long time, is Wim's BIOS
I've kept my BIOS password protected since... my first 386DX, and with some of my PCs I have the password set for "System", meaning the OS will not load until the password is entered.
Setup Password is especially helpful if you have your PC repaired via computer shop like *cough* Geek Squad *cough* or even the friend down the street who knows everything, but in reality doesn't know much.. LOL
Just don't forget it if you set one!
There is no email reminder or other "hint" here. Once set, it stays set unless you know how to manually reset via mainboard without frying your board/BIOS.
-------
Against Intuition - gives us safety through Web of Trust.
WOT Community - gives us security through unity.
Thank you all
G7W {G.O.M}
http://g7w.net/
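The post above recommends checking for yourself that flash write protection is actually on. On Intel chipsets of that era the switch the BIOS setup option ultimately flips is the BIOS_CNTL register of the LPC bridge, so the state can be read from a running OS. The following is an added example (mine, not code from the post or from any of the BIOS tools mentioned in this thread) that decodes that byte; it assumes an Intel ICH/PCH-class chipset exposing BIOS_CNTL at PCI config offset 0xDC of device 00:1f.0 with the bit layout in the comments, and the sample readings are constructed.

```python
"""Decode Intel's BIOS_CNTL register to judge whether the BIOS flash is
write-protected from the running OS.

Added example; not code from the forum post or from any BIOS tool named there.
Assumption: an Intel ICH/PCH-class chipset, where the LPC bridge at PCI
00:1f.0 exposes BIOS_CNTL as one byte at config offset 0xDC with the bit
layout below. On Linux the byte can be read as root with
`setpci -s 00:1f.0 dc.b`; the sample values at the bottom are constructed.
"""

BIOSWE = 1 << 0    # BIOS Write Enable: writes to the BIOS flash are allowed
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE traps into an SMI handler
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: flash writable only from SMM (newer PCHs)


def parse_setpci_byte(output: str) -> int:
    """Turn the text `setpci ... dc.b` prints (e.g. '0a\\n') into an int."""
    return int(output.strip(), 16)


def decode_bios_cntl(value: int) -> dict:
    """Return the individual bits plus a one-word verdict.

    verdict:
      protected - SMM_BWP set; nothing outside SMM can write the flash
      locked    - BIOSWE clear and BLE set; the OS cannot set BIOSWE without
                  raising an SMI, so protection is only as good as the SMI handler
      unlocked  - BIOSWE clear and BLE clear; any kernel-level code can set
                  BIOSWE and then flash the BIOS
      writable  - BIOSWE already set; the flash is writable right now
    """
    if not 0 <= value <= 0xFF:
        raise ValueError("BIOS_CNTL is a single byte")
    flags = {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }
    if flags["SMM_BWP"]:
        verdict = "protected"
    elif flags["BIOSWE"]:
        verdict = "writable"
    elif flags["BLE"]:
        verdict = "locked"
    else:
        verdict = "unlocked"
    return {"value": value, "flags": flags, "verdict": verdict}


def report(value: int) -> str:
    """One-line human-readable summary of a BIOS_CNTL reading."""
    d = decode_bios_cntl(value)
    bits = ", ".join(f"{k}={int(v)}" for k, v in d["flags"].items())
    return f"BIOS_CNTL=0x{value:02x} ({bits}) -> {d['verdict']}"


if __name__ == "__main__":
    # Constructed sample readings, not taken from a real machine.
    for sample in ("00", "01", "02", "22"):
        print(report(parse_setpci_byte(sample)))
```

A reading of "unlocked" or "writable" means the "Flash BIOS Protection" style setting is either absent or not doing what the setup screen claims, which is exactly the condition the quoted Register article's attack needs. BIOS_CNTL is only one layer; the SPI controller's protected-range registers and the flash descriptor are separate locks that this check does not examine.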
BIOS Wizard
Tue 14 April 2009 08:06:12 — g7w: I forgot to include a very old and useful (free) tool for identifying your BIOS make/version and a quick scan of its abilities:
BIOS Wizard
Bios Wizard !
Tue 14 April 2009 05:39:22 — Athlonite: Thanks for the info, g7w! You don't want to make it too complicated when you see someone about maintenance of their PC. First of all, all they want is for you to do your job so they don't have to worry about it. Second, they don't have the time or are just not interested in knowing more than they have to.
I, OTOH, do appreciate the info you listed. BUT, PLZ, next time you suggest a tool, make sure to post its compatibility. Every tool or program I suggest will be for the specific thread I am posting to. I also test all tools and programs in both, well, three OSes I am currently running, but what fits Vista will also fit W7.
So, with that in mind, could you tell us which OS it is compatible with? The WIZARD just crashed Vista. I looked the site over to see if I couldn't find the compatibility chart and didn't find one, so I took a chance. I can definitely say it is NOT compatible with Vista and most likely not with W7 either.
But, thanks for the other information
Athlonite..
System Requirements
Tue 14 April 2009 07:55:40 — g7w: BIOS Wizard
System Requirements: Windows 98/Me/NT/2000/XP
Alternate would be: BIOS Agent Plus
Support For:
Windows: Vista, XP-Home, XP-Pro, 2000, 2003 Server, ME, 98 and 95
Browsers: Internet Explorer, FireFox, Opera, Mozilla, Netscape, Google Chrome, Avant, SeaMonkey, AOL, Flock, K-Melon and more...
All Major Manufacturers:
Dell, HP, Compaq, Acer, Toshiba, Asus, Gigabyte and more...
PC Wizard
Tue 14 April 2009 08:04:53 — g7w: Another good choice is PC Wizard by www.cpuid.com
Operating Systems
* 32-bit (x86-32): Windows 95, 98, 98 SE, Me, NT SP4, 2000, XP Home/Professional, XP (SP1/SP2/SP3), Vista (SP1), WinPE 2.0.
* 64-bit (x86-64, IA-64): Windows XP/2003, Server 2003, Server 2003 R2, Vista.
(view the author's page for other support information)
PC Wizard works on XP and Vista
Tue 14 April 2009 08:17:44 — YoKenny: It is good for looking at the internal information of the motherboard.
Worked on XP but not on Vista
Tue 14 April 2009 08:09:29 — YoKenny: Worked on XP but not on Vista.
I put BIOS Wizard on a floppy and it ran OK on my XP Pro system, but on my Vista system the floppy would open but I could not check nor run it, as the drive was accessed for about a minute then stopped, and I could not even check the Properties of the file as the same thing happened.
My Vista has Dual BIOS as I see that during power on but I have no idea what this does or how to access it as I have not needed to so I guess it is in the manual that came with the system somewhere but I hope I don't have to investigate that as that sounds dangerous to me.
I would have to know what the current settings are and what the Default setting are set to and from last experiences with diddling with BIOS settings after looking up what each setting means and trying to understand what benefit of diddling the setting then rebooting to see if it worked.
I think I would rather find a copy of War and Peace and warm up some instant coffee in the microwave and become a hermit for a few days.
Coupla' questions and a comment
Tue 14 April 2009 14:19:17 — BobJam: First, is there currently ANY antivirus that will scan the BIOS and catch something like this when the malware writers release their version of it?
And second, is a BIOS password sufficient to prevent this type of infection?
And third and finally, SIW and Everest Home Edition are also utilities that will give info on your chipset and BIOS. I don't have the URLs handy but I think MajorGeeks has both. I've found both of them much less resource intensive than PC Wizard, and SIW in particular is much more comprehensive. They are FREE also.
links first
Tue 14 April 2009 16:17:39 — g7w: SIW - System Information for Windows
Everest Home Edition - development stopped in 2005; it's now pay or pay more.
Any downloads, such as from MajorGeeks, would be, at best, for Windows XP and below.
Now...
Is a BIOS password sufficient to prevent this type of infection?
No.
The BIOS password prevents access to the BIOS setup during boot-up.
Example:
Your BIOS access key is "F1" during initial boot.
You press F1, and you're in the BIOS menu.
If you have a password set, you need to enter it to get in:
Administrator PW
set for SETUP = BIOS access
set for SYSTEM = operating system and BIOS
User PW = operating system only
(Removing the CMOS battery will clear the BIOS password.)
Is there currently ANY antivirus that will scan the BIOS?
No, or at least none that I am aware of.
As stated previously, BIOS protection is enabled by default, so you have no worries about a virus flashing your BIOS, aka a firmware rootkit.
However, Master Boot Record (MBR) corruption is another story, and requires a bit more work to restore.
Let's not go any further; this is way out of scope for WOT and most general PC users. I've found that if an MBR becomes damaged, it's best to low-level reformat the hard drive, use the disk manager utility to check the HD sectors for damage, then reformat, which creates a new MBR, and reinstall the OS.
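The answer above treats a damaged MBR as something to wipe and rebuild. Before doing that, a practitioner wants to know whether the MBR was merely corrupted or deliberately replaced, which is what an MBR-resident rootkit does: it swaps the 440-byte bootstrap code and leaves the partition table alone so the OS still boots. The following is an added example (mine, not code from the post) that parses a 512-byte MBR, compares its bootstrap code against a SHA-256 fingerprint recorded while the machine was known clean, and flags the partition-table anomalies a sloppy modification leaves. The two MBR images are constructed inside the code; a real one is read from \\.\PhysicalDrive0 on Windows (as administrator) or /dev/sda on Linux (as root).

```python
"""Parse a 512-byte MBR and check it against a known-good fingerprint.

Added example, not code from the forum post. The two MBR images below are
constructed in build_sample_mbr(); a real one is read with
open(r"\\\\.\\PhysicalDrive0", "rb").read(512) on Windows (as administrator) or
open("/dev/sda", "rb").read(512) on Linux (as root).
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bootstrap code, followed by the 4-byte disk signature
PART_TABLE_OFF = 446          # four 16-byte partition entries
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"        # bytes 510-511

# Constructed stand-ins for the bootstrap code: the opening bytes of a
# Windows-style MBR (cli; xor ax,ax; mov ss,ax; mov sp,0x7c00) versus an
# infinite-loop stub playing the role of a replaced loader. Neither is a
# complete boot sector.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
TAMPERED_BOOT_CODE = b"\xeb\xfe"


def build_sample_mbr(boot_code: bytes, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a test MBR with one bootable NTFS partition (constructed data)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    empty = b"\x00" * 16
    mbr = code + struct.pack("<I", disk_sig) + b"\x00\x00" + entry + empty * 3 + BOOT_SIG
    assert len(mbr) == MBR_SIZE
    return mbr


def parse_mbr(data: bytes) -> dict:
    """Split an MBR into bootstrap code, disk signature, partitions and signature check."""
    if len(data) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, data, PART_TABLE_OFF + i * 16)
        partitions.append({"index": i, "status": status, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code": data[:BOOT_CODE_LEN],
        "disk_signature": struct.unpack_from("<I", data, BOOT_CODE_LEN)[0],
        "partitions": partitions,
        "signature_ok": data[510:512] == BOOT_SIG,
    }


def boot_code_fingerprint(data: bytes) -> str:
    """SHA-256 of the bootstrap code; record this while the machine is known clean."""
    return hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest()


def audit_mbr(data: bytes, baseline_fingerprint: str) -> list:
    """Return findings; an empty list means nothing suspicious was seen."""
    findings = []
    mbr = parse_mbr(data)
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_fingerprint(data) != baseline_fingerprint:
        findings.append("bootstrap code differs from baseline")
    used = [p for p in mbr["partitions"] if p["type"] != 0 and p["sectors"] > 0]
    if sum(p["bootable"] for p in used) > 1:
        findings.append("more than one partition flagged bootable")
    for p in used:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has invalid status byte 0x{p['status']:02x}")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in used)
    for (s1, e1, i1), (s2, _e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    return findings


def demo() -> tuple:
    """Audit a clean and a tampered constructed MBR against the clean baseline."""
    clean = build_sample_mbr(CLEAN_BOOT_CODE)
    baseline = boot_code_fingerprint(clean)
    tampered = build_sample_mbr(TAMPERED_BOOT_CODE)
    return audit_mbr(clean, baseline), audit_mbr(tampered, baseline)


if __name__ == "__main__":
    clean_findings, tampered_findings = demo()
    print("clean:   ", clean_findings or "no findings")
    print("tampered:", tampered_findings)
```

The fingerprint is the useful part: the partition table legitimately changes when disks are repartitioned, but the bootstrap code of a given Windows release does not, so a hash recorded at install time distinguishes "damaged" from "replaced". A bootkit that also hooks disk reads can hide its MBR from a tool running on the infected OS, which is why this check is best run from boot media.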
RE-Comments.
Tue 14 April 2009 18:14:20 — Athlonite: g7w is right, this is too complicated an issue for the intermediate user. Suffice it to say that, if and when this affliction sees the light, there will probably be some antivirus solution already devised to recognize it before it has time to reach the BIOS.
As for PC Wizard, I'm surprised to see that no one mentioned Belarc Advisor!
http://www.belarc.com/free_download.html .
System Requirements :
# Operating Systems: Runs on Windows Vista, 2003, XP, 2000, NT 4, Me, 98, and 95.
# Browsers: Requires IE 3 or Netscape 3, and higher versions. Also runs on Opera, Mozilla, and Firefox.
# File size: 1863 KB.
# License: The license associated with this product allows for free personal use only. Use on multiple PCs in a corporate, educational, military or government installation is prohibited. See the license agreement for details.
Can also be found on MajorGeeks, and not just for XP and previous:
http://majorgeeks.com/download1385.html .
As far as I know, the new Avira version 9 is the only antivirus that has an option to load before the OS does. So, I guess they are, in a way, getting ready for just this kind of attack.
Athlonite,
Before the OS does
Wed 15 April 2009 03:44:14 — g7w: They have an option to "Load first" = safer, but slower loading (trying to recall exact wording here, I might be wrong).
But the OS has to load first, otherwise drivers are not loaded and PC doesn't function too well. After all, Avira is like any other program and requires the environment the Operating System provides... to function.
{EDIT}
err...
Actually the first software to load on any PC is the BIOS, our current topic of discussion.
:-)
Another good article
Wed 15 April 2009 10:40:43 — BobJam: http://blogs.zdnet.com/security/?p=2962