Identifying flashed BIOS rootkits.
Deeeeeeee
the Americas
Rootkits suck.
BIOS malware is even worse. This is the serious stuff.
Persistent "obfuscation-ware"-type behavior of a machine, weirdness that goes on from one OS to another... all symptoms.
I bring this up b/c I scan regularly (AVG) and watch the processes. I use sandboxes when I can.
So I thought simple rootkit. BUT--this morning my machine auto-flashed the BIOS from the second ROM BIOS after having issues starting, dealing with I/O, etc. It said the flash BIOS was corrupted.
Why did this not get found before?! This behavior has gone on longer than just today.
What is the check that's performed? Is it CRC or something that the malware gets around with junk chars? Why did it get found now?
Anyone know of a way to dump the BIOS chip data? It would also be useful to (1000x) a day check the pristine dump from the ROM chip against the flashable chip, if your (physical) system has two BIOS chips.
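The comparison asked for above (a pristine ROM dump checked against the flashable chip), as an added example that is not part of this thread: it assumes both images have already been dumped to files with a programmer or vendor tool, and reports which 4 KiB blocks differ and whether the full-image SHA-256 still matches a known-good value.

```python
import hashlib

BLOCK = 4096  # compare in 4 KiB blocks, a common flash erase-block size


def sha256_hex(data: bytes) -> str:
    """Cryptographic digest of a whole image; a CRC is not a substitute,
    because it is trivially matched by an image that was altered on purpose."""
    return hashlib.sha256(data).hexdigest()


def diff_images(golden: bytes, current: bytes, block: int = BLOCK) -> list:
    """Return (offset, length) of every block where the two dumps differ.
    A size mismatch shows up as a differing range at the tail."""
    ranges = []
    total = max(len(golden), len(current))
    for off in range(0, total, block):
        a = golden[off:off + block]
        b = current[off:off + block]
        if a != b:
            ranges.append((off, max(len(a), len(b))))
    return ranges


def verify_image(golden_sha256: str, current: bytes) -> bool:
    """True only when the current dump hashes to the recorded known-good digest."""
    return sha256_hex(current) == golden_sha256


def make_samples():
    """Constructed sample images (not real firmware): a 256 KiB golden image and
    a copy with 16 bytes changed inside the block at 0x20000."""
    golden = bytes((i * 7 + 3) & 0xFF for i in range(256 * 1024))
    modified = bytearray(golden)
    modified[0x20010:0x20020] = b"\x00" * 16
    return golden, bytes(modified)


if __name__ == "__main__":
    golden, current = make_samples()
    known_good = sha256_hex(golden)        # record this once, from the pristine dump
    print("full-image match:", verify_image(known_good, current))
    for off, length in diff_images(golden, current):
        print(f"block differs at 0x{off:06x} ({length} bytes)")
```

On a real system replace make_samples() with the two dump files; any differing block in a region that a legitimate BIOS update did not touch (or outside NVRAM/settings areas) is the one to inspect.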
Comments
What is your CPU? https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
As we have heavy protection on our tools (at least I think so, real crackers might not agree) we also have a lot of false detections and constantly have to deal with the improper virus scanners. It's a pain and you better rethink how you surf the web, what you click and how you are online. That's a better protection than a scanner.
Anyway, back to your rootkit problem. Do you really think it's one? I got that as well some months ago and all it was was a weak battery on my motherboard corrupting things. No big thing (at least so I think).
And check for loose power cables that may have vibrated partially out, or are pulling.
I think it may well have been a rootkit b/c my machine has been acting weird. And this is even pre-Windows loading.
I don't visit any sites that are malicious...or at least that's what I had thought. AVG does flag many as malware infested, but I do think it can miss something.
By that, I don't visit p**n sites, ever.
But I do read news and ideas, and I guess I am open-minded and so the range of ideas I am willing to read is the full spectrum of people's thoughts. Just b/c I read something doesn't mean I agree, anyway! Maybe some of such sites are themselves of issue?
I use a sandbox, but I do not use proxies to browse.
AVG is OK. I know it gives false positives, as well as I've had some legit files (text files, personal pics of my family(!?), and more) moved to quarantine. But the routine scan would never even find a rootkit, and their rootkit scanner probably does little to detect anything, either. lol