...most of the comments here are from ranters, idiotic know-it-alls, and smart asses, in reference to legit questions posted by less-informed people who want to understand these things. I don't proclaim to understand this issue any more than the next person. I have just enough knowledge in this area to get into trouble myself. But unlike some of you, at least I'm honest about my knowledge or the lack thereof. I like ZDNet and their articles, but like the folks that are slammed for no good reason, ...I really despise butt-wipes like DarbyOhara and his/her response to a perfectly legitimate, non-provocative question by gretel111. Darby..., I hope your mouse bites you, and your keyboard has a stroke so you can't spew any more senseless insulting FUD on these posts (or any others you might infest with your FUD).
----------------------------------------------------------------
That said... the process to achieve this threat, simply put, would have to be introduced by an outside source, with extreme difficulty, as described below by Scrat.
Posted by: Scrat on 03/01/07
Although a remote attack would take MANY steps to achieve...
...if it did, the computer would be an almost useless paperweight.
The attack would have to rely on a number of steps:
1) Privilege escalation to LocalSystem*
2) Re-flash the device on-the-fly from within Windows*
3) Wait until a reboot
4) System BIOS will load the code in from the expansion ROMs
5) Get the code to survive the real-mode to protected-mode switch
6) Use said code to modify key structures / files
Detection is now a nightmare:
Every device's firmware would need to be compared to a 'good' one, but if the rootkit was running at the time then this could alter the results of the comparison. A side-by-side comparison would seem the only way forward, maybe using another OS to boot into (providing the rk only looked for NT kernel locations, and not Linux 2.x ones as well).
The above is how I understand this attack would happen, researched from the NGSSoftware paper on rootkits of this nature. My knowledge of this is very basic, and I apologise for any errors in my interpretation.
*Why the hell does Windows allow IOPL to be raised to 3 anyway? I thought the whole point of NT's HAL (Hardware bloody ABSTRACTION LAYER) was to remove direct access ability to hardware...
****************************************************************
Although it wouldn't be impossible, ...it's not likely anything anyone should lose any sleep over, at least at the moment. The following post by Brent Eads describes 'my' sentiments better than I might have myself...
One way to make this work
Reader post by: Brent Eads
Posted on: March 1, 2007, 12:35 PM PST
Story: PC hardware can pose rootkit threat
Source = http://news.com.com/5208-7349_3-0.html?forumID=1&threadID=25377&messageID=243752&start=0
The only way I could see making this type of attack work would be to target an organization with many, many standard-built machines. You're talking large corporations, government installs, etc. Lots of machines loaded with identical hardware and software. Why? Because one custom mod could theoretically throw off the whole routine. The goal here for the bad guys is money, not bragging rights. Espionage, spam or rentable bot armies are what pay the bills (quite handsomely for the most part) today.
Going after the guy at home with broadband is already easily enough accomplished. One reported botnet has already been determined to contain over 1.2 Million machines - most of those home machines in Asia and Eastern Europe.
The other actual question brought up in these posts? How does Joe Homeuser protect himself? You don't. Your anti-virus software makers just get to add yet another "wonderful feature" to their product lines to scan all machine-writable (thus readable as well) memory to check for things that go bump in the night. For every action there is a separate and equal reaction. No different with software.
There was a time when you could do nothing about removing boot sector viruses as well. Well, not without damaging the boot sector first. It's just another obstacle to overcome. Frankly, I'd be much more worried about a foreign government using this technology than about a hacker out to take over my home machine. This all sounds much too detailed and time-consuming to create enough variants for the home market at this time. Really, we'll need more analysis to fully understand how deep this can go and what this type of machine-level rootkiting is really capable of.
Also understand that much of the memory we are talking about is volatile, not static. Remove the card from the slot or turn off the computer and the memory is effectively wiped out.
Enjoy!
****************************************************************
Now it would seem logical to me... the most important thing any of us can do at this time is make sure all software, system files, drivers, anti-virus, and any other front-line apps one uses for defense are kept up to date and used regularly. Be aware of who has access to your PC and install a software app to control who has access to your USB ports as well, and password-protect them (something I recently picked up on and am looking for an app for this purpose myself). If you have to leave your PC in an environment where someone could have access while you're away (such as an office setting or high-traffic area where someone else could have access), lock your station or use a password-protected screen saver while you're away (even if only for a moment, as that's all it would take for some malicious jerk/jacka** to muck up your system).
That's my 2 cents' worth, along with a little rant of my own about some of the insensitive morons that post here at ZDNet. Hope this puts a little perspective on the discussion and helps some that are concerned and wondering what to do about it. Certainly don't lose any sleep over it, but don't be foolish about your system(s) and their security either.
Regards,
BigThunder1
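The detection step Scrat describes above (dump every device's expansion ROM and compare it with a known-good copy, from a separate boot so the rootkit cannot tamper with the comparison) can be shown in code. What follows is an added example, not code from the thread, from the NGSSoftware paper, or from any vendor tool. It parses a PCI expansion ROM dump using the public header layout (the 0x55AA signature, the pointer at offset 0x18 to the "PCIR" data structure, the image length in 512-byte units, the code type and last-image indicator), checks the legacy x86 byte-sum checksum, and compares the whole dump against a baseline hash recorded out of band. The ROM image is constructed inside the program; the vendor/device IDs 0x8086/0x1234 are made up for illustration, and the FNV-1a hash stands in for the SHA-256 you would use in practice so the example needs no crypto library. The point it demonstrates: an attacker who re-flashes the ROM can also repair the checksum, so the checksum passes and only the out-of-band hash catches the change.

```c
/* pci_rom_check.c: parse and validate a PCI expansion ROM dump, then compare it
 * with a known-good hash. Added example; the ROM built here is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum rom_status { ROM_OK, ROM_TRUNCATED, ROM_BAD_SIG, ROM_BAD_PCIR, ROM_BAD_LEN, ROM_BAD_CHECKSUM };

struct rom_image_info {
    uint16_t vendor_id, device_id;
    uint8_t  code_type;   /* PCIR code type: 0 = x86 legacy BIOS, 1 = Open Firmware, 3 = UEFI */
    size_t   length;      /* image length in bytes */
    int      last_image;  /* PCIR indicator byte, bit 7 */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk the chain of images in a ROM dump. Returns the image count, or -1 with
 * *status set to the first structural problem found. */
int rom_parse(const uint8_t *buf, size_t len, struct rom_image_info *out, int max,
              enum rom_status *status)
{
    size_t off = 0;
    int n = 0;
    while (n < max) {
        if (off + 0x1A > len) { *status = ROM_TRUNCATED; return -1; }
        if (buf[off] != 0x55 || buf[off + 1] != 0xAA) { *status = ROM_BAD_SIG; return -1; }
        size_t pcir = off + le16(buf + off + 0x18);     /* pointer to the PCI Data Structure */
        if (pcir + 0x1C > len) { *status = ROM_TRUNCATED; return -1; }
        const uint8_t *p = buf + pcir;
        if (memcmp(p, "PCIR", 4) != 0) { *status = ROM_BAD_PCIR; return -1; }
        size_t img_len = (size_t)le16(p + 0x10) * 512;  /* image length, 512-byte units */
        if (img_len == 0 || off + img_len > len) { *status = ROM_BAD_LEN; return -1; }
        uint8_t code_type = p[0x14];
        if (code_type == 0) {                           /* legacy x86 image: bytes sum to 0 mod 256 */
            uint8_t sum = 0;
            for (size_t i = 0; i < img_len; i++) sum = (uint8_t)(sum + buf[off + i]);
            if (sum != 0) { *status = ROM_BAD_CHECKSUM; return -1; }
        }
        out[n].vendor_id  = le16(p + 4);
        out[n].device_id  = le16(p + 6);
        out[n].code_type  = code_type;
        out[n].length     = img_len;
        out[n].last_image = (p[0x15] & 0x80) != 0;
        n++;
        if (out[n - 1].last_image) break;
        off += img_len;
    }
    *status = ROM_OK;
    return n;
}

/* FNV-1a 64-bit, a stand-in for SHA-256 to keep the example dependency-free. */
uint64_t fnv1a64(const uint8_t *buf, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= buf[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* 1 only if the dump parses cleanly AND matches the baseline. The baseline must
 * come from a trusted source (vendor image, or a dump taken before deployment),
 * never from the machine under suspicion while its own OS is running. */
int rom_matches_baseline(const uint8_t *buf, size_t len, uint64_t baseline)
{
    struct rom_image_info info[8];
    enum rom_status st;
    if (rom_parse(buf, len, info, 8, &st) < 0) return 0;
    return fnv1a64(buf, len) == baseline;
}

/* Rewrite the last byte so a legacy image sums to zero: what a flashing tool,
 * or an attacker who has patched the ROM, does after modifying it. */
void rom_fix_checksum(uint8_t *img, size_t len)
{
    uint8_t sum = 0;
    img[len - 1] = 0;
    for (size_t i = 0; i < len; i++) sum = (uint8_t)(sum + img[i]);
    img[len - 1] = (uint8_t)(0u - sum);
}

/* Build a constructed 512-byte single-image legacy ROM (not a real device dump). */
size_t build_sample_rom(uint8_t *buf, size_t cap)
{
    if (cap < 512) return 0;
    memset(buf, 0, 512);
    buf[0] = 0x55; buf[1] = 0xAA;       /* ROM signature */
    buf[2] = 1;                         /* size in 512-byte units */
    buf[3] = 0xEB; buf[4] = 0xFE;       /* entry point: jmp $ as placeholder init code */
    buf[0x18] = 0x40; buf[0x19] = 0;    /* PCIR structure lives at offset 0x40 */
    uint8_t *p = buf + 0x40;
    memcpy(p, "PCIR", 4);
    p[4] = 0x86; p[5] = 0x80;           /* vendor 0x8086: assumed, for illustration only */
    p[6] = 0x34; p[7] = 0x12;           /* device 0x1234: made up */
    p[0x0A] = 0x1C; p[0x0B] = 0;        /* PCIR length */
    p[0x0C] = 3;                        /* PCIR revision */
    p[0x10] = 1; p[0x11] = 0;           /* image length: 1 x 512 bytes */
    p[0x14] = 0;                        /* code type: x86 legacy */
    p[0x15] = 0x80;                     /* last image in the ROM */
    rom_fix_checksum(buf, 512);
    return 512;
}

int main(void)
{
    uint8_t rom[512], evil[512];
    struct rom_image_info info[8];
    enum rom_status st;
    size_t n = build_sample_rom(rom, sizeof rom);
    uint64_t baseline = fnv1a64(rom, n);   /* pretend this was recorded before deployment */
    memcpy(evil, rom, n);
    evil[0x100] = 0x90;                    /* "implant": one patched byte in the code area */
    rom_fix_checksum(evil, n);             /* attacker repairs the checksum afterwards */
    int gp = rom_parse(rom, n, info, 8, &st), gm = rom_matches_baseline(rom, n, baseline);
    printf("good: images=%d status=%d baseline_match=%d\n", gp, st, gm);
    int ep = rom_parse(evil, n, info, 8, &st), em = rom_matches_baseline(evil, n, baseline);
    printf("evil: images=%d status=%d baseline_match=%d\n", ep, st, em);
    return 0;
}
```

On a Linux boot used for the side-by-side check, the dump for each device comes from the `rom` attribute under `/sys/bus/pci/devices/<bus:dev.fn>/` (write `1` to it to enable the ROM BAR, read it into a file, write `0` to disable again); feed that file to `rom_parse` and compare its hash with the baseline kept off the machine. Note that the tampered image above still parses with `ROM_OK`, which is exactly why a checksum alone is not a detection.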