
whats the meaning of all this?


9 replies to this topic

#1 bigrobifer

bigrobifer

  • Members
  • 92 posts
  • OFFLINE
  • Local time:05:45 AM

Posted 07 February 2015 - 03:13 AM

Not very long ago I was convinced (sorry mods :guitar: ) that I had a firmware infection of some kind. Thankfully my ol' lady spilled a full cup of joe on the bleepin' thing before I lost my mind, not to mention more time. Anyway, I found this blog entry titled "Exploiting UEFI boot script table vulnerability". I won't pretend I understood even a quarter of what I read (I read the whole page), but I seem to get the general gist of it and wanted to know what the professionals thought about it.

http://blog.cr4.sh/2015/02/exploiting-uefi-boot-script-table.html





#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:12:45 PM

Posted 07 February 2015 - 02:40 PM

Hello there,

Firmware infection is very impractical for malware writers as far as I know.

Quoting from Malware Study Hall Admin Elise...

Firmware is typically a small piece of software coded directly into a device (for example a video card or DVD writer) necessary for the device to function correctly. This code is highly device-dependent; different manufacturers and different models all require specific firmware. For that reason a firmware infection is not only highly unlikely but also very impractical for a malware writer. Someone who wants to create a successful infection not only needs to make sure the malware stays on the system (by making it harder to detect and delete), but also that it is distributed on a large scale. Deploying a firmware rootkit on a large scale is close to impossible, as you'd have to write a lot of different versions for different hardware models.


Regards,
Alex

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,758 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:45 AM

Posted 07 February 2015 - 04:56 PM

It's highly unlikely you will encounter a firmware infection as it is not practical for attackers to use such an exploit on a grand scale. Malware writers would much rather target a large audience through social engineering where they can use sophisticated but less technical means.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 bigrobifer

bigrobifer
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Local time:05:45 AM

Posted 08 February 2015 - 12:50 AM

I'm aware firmware infections are impractical from a conventional viewpoint. I always wondered, though, about a simple infection with a script that could read a computer's hardware/firmware config, then transmit that particular system's config back somewhere, and the bad guy at the other end could modify code already written if he doesn't already have a database of prewritten code for generic configs, and in this way the actual infection could morph from bad to worse. That's why I can't understand how dismissive people who clean/write antimalware programs are about it. I don't know enough technically to understand that blog past the main point of it (proof of a firmware backdoor), but I've seen well over a dozen in the past year where proof-of-concept exploits aren't just proven (granted, I'm taking this proof on faith since I don't understand the code) but actually published as open source. Am I just paranoid or hardheaded or both? And I'll donate the old laptop to BC if y'all want it.



#5 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:12:45 PM

Posted 08 February 2015 - 01:06 AM

Hello there,

I'm aware firmware infections are impractical from a conventional viewpoint. I always wondered, though, about a simple infection with a script that could read a computer's hardware/firmware config, then transmit that particular system's config back somewhere, and the bad guy at the other end could modify code already written if he doesn't already have a database of prewritten code for generic configs, and in this way the actual infection could morph from bad to worse. That's why I can't understand how dismissive people who clean/write antimalware programs are about it. I don't know enough technically to understand that blog past the main point of it (proof of a firmware backdoor), but I've seen well over a dozen in the past year where proof-of-concept exploits aren't just proven (granted, I'm taking this proof on faith since I don't understand the code) but actually published as open source. Am I just paranoid or hardheaded or both? And I'll donate the old laptop to BC if y'all want it.

Modifying the code is not a small task, as the attacker will still have to account for the variety of firmware out there.

Not all proof-of-concept malware is successful as in-the-wild malware. For example, there is one BIOS infector out there (Mebromi), but it has plenty of signs and is easy to detect, which defeats the purpose of infecting the BIOS (to hide the malware and make it difficult to remove).

IMO, attackers using rootkits to hide their malicious payload is more effective in both cost and time than trying to rip their way into firmware, which both lowers the chance of infection and the ability to hide.

Regards,
Alex

#6 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,562 posts
  • OFFLINE
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:10:45 PM

Posted 08 February 2015 - 01:14 AM

Protecting the pre-OS environment with UEFI - MSDN Blogs


I agree with quietman and Alex.



#7 bigrobifer

bigrobifer
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Local time:05:45 AM

Posted 08 February 2015 - 04:37 AM

I feel dense again because the concept to me seems to be a circular verification regardless of how it's done, like a dog checking his dogness by chasing his tail, I suppose. Maybe I'm not understanding how firmware code is executed differently from software code. Great article you linked to, Nick; I was about to install my first Linux system on here so I could teach myself C programming using the GNU compiler. Gonna get back on task and go open a thread on that wall. I'll probably come back to this general topic later. Thanks, y'all.



#8 bigrobifer

bigrobifer
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Local time:05:45 AM

Posted 08 February 2015 - 04:45 AM

Hello there,

Firmware infection is very impractical for malware writers as far as I know.

Quoting from Malware Study Hall Admin Elise...

Firmware is typically a small piece of software coded directly into a device (for example a video card or DVD writer) necessary for the device to function correctly. This code is highly device-dependent; different manufacturers and different models all require specific firmware. For that reason a firmware infection is not only highly unlikely but also very impractical for a malware writer. Someone who wants to create a successful infection not only needs to make sure the malware stays on the system (by making it harder to detect and delete), but also that it is distributed on a large scale. Deploying a firmware rootkit on a large scale is close to impossible, as you'd have to write a lot of different versions for different hardware models.


Regards,
Alex

After reading this all again I see that the quote from Elise actually answers the question perfectly. I AM paranoid. I can just imagine a group of hackers working together to maintain and expand a DB of just that. Sorry, and thanks and kudos (or fig newtons) for all your free help, effort and advice.



#9 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:12:45 PM

Posted 08 February 2015 - 04:52 AM

Glad to know we could help :)

Alex

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,758 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:45 AM

Posted 08 February 2015 - 07:13 AM

With all the threats users face these days, it's hard not to be paranoid to some degree but that is much better than not having any awareness of security.