Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

The End Game… again….

January 30th 2006 in Uncategorized

Yes, I know I’ve said it before….

Back in April 2005 I attended a very private session in Singapore about Rootkits and their potential for harm.  Way back then the guy giving the presentation mentioned the possibility of infecting a computer’s BIOS.

I remember those of us in that session left with a global sense of “we’re screwed” (I know some of you who were at that session are reading this…feel free to chime in). 

I had hoped that the bad guys on the net would not start using such tricks and, more importantly, that the rest of the net would not realise that the BIOS trick was possible.  If they did realise, I hoped and prayed they would not talk about it or publicise it.

Ok, so now it’s out :o(  A few days ago I was sent this URL at securityfocus.com:

I had really really really hoped that this trick would not see the light of day. 

The article at that URL predicts that it will be a month before malware purveyors start experimenting with this trick.

We have a few things in our favour… the most important of all being BIOS diversity – the bad guys will only succeed if they happen to target the BIOS on your system.  The second protection is write protection of the BIOS.  Some boxes require hardware jumpers to be set correctly to enable a flash of the BIOS to succeed.

Important point: our idea of “succeed” is different to *their* idea.  To succeed, malware purveyors only need to infect a system… if the infection leaves a system unbootable… if it constantly blue screens… if nobody actually buys anything advertised in those damn popups… they don’t care.  The fact of infection is all that matters to them.

What is seriously scary is that a failed BIOS flash can leave your computer so damaged it will be no more than an overpriced paperweight.  The only fix is to replace the BIOS chip (*if* it is available and *if* it is replaceable).

Those who know me well know that I have never been alarmist, and I know that this sounds like pretty extreme stuff, and that there are a lot of obstacles standing in the way of those who would want to use the BIOS for malware, but I can tell you this… two years ago I did not anticipate rootkits being used for malware.  It is inherently difficult to write kernel mode code… it is very easy to get things wrong, causing the infamous “blue screen”, therefore I surmised that malware purveyors wouldn’t bother… after all, what’s the use of using rootkits if they are more likely than not to crash a system?  I assumed that, in the end, the number one goal for the bad guys was sales – I was wrong.

You see, the worst malware purveyors don’t care about system stability.  They don’t care about whether or not their pop-ups actually appear on screen… they play the odds, just like the spam kings play the odds… in reality, maybe one in 10,000 spam recipients will click on the link or buy something from spammers, but that 1 in 10,000 is enough to make spamming cost effective, because the cost of spamming is so low.

The same goes for malware… the cost of spreading malware is so small it may as well be free.

The malware purveyors don’t care about a 100% success rate.  If they happen to fry your PC because your BIOS doesn’t match what they’re trying to flash they won’t care, any more than the spammers care about those whose inboxes they fill, any more than malware purveyors care about the PCs crippled by infections so severe that they grind to a halt under the load.  The old school didn’t care about the stability of your system.  If your computer slowed to a crawl and was completely unusable under the load of spyware, they didn’t care.

They will target the most common BIOS in the marketplace… AMI, Award, Phoenix… and they will target the BIOS according to default settings for the most common PC manufacturers out there… Dell, HP, Gateway, Toshiba etc etc etc. 

Have you set a password to protect your BIOS?  No?  I didn’t think so.  Are your motherboard jumpers set so that the BIOS cannot be flashed?  You don’t know?  Nor do most other people.  We’re getting into an area of PC maintenance that only the most experienced technicians should venture into.

BTW, Mac users… you are not safe from the bad guys:

You’ll note I mentioned the “old school” of malware pushers.  There’s a reason for that.  Recently I have seen the popular press and various experts starting to acknowledge that the bad guys are getting more subtle… instead of infecting as many machines as possible, and damn stability, they are writing their malware so that their presence has as little effect as possible on system performance, and they keep the infection count low enough that they fall under the radar of the anti-spyware and anti-virus products.  I agree that this is what is happening; the guy behind HackerDefender, for example, has for a long time now been offering for sale unique rootkits that are not detected by classic antivirus and antispyware products.

It is a reality of life that antivirus products will not detect a virus or other infection unless and until a certain number of PCs are infected.  It is not commercially viable to track down and create protection for an infection that may only infect a few hundred, or a few thousand, PCs.  But a few thousand PCs can do a lot of damage if they are recruited into a botnet for targeted DDoS attacks.  I discussed the problem of library and heuristic detection back in May last year:

So, where do we go from here? I honestly don’t know.
