Beware of new BIOS rootkits/keyloggers

Galdorf

There is a whole new bunch of rootkits out there that now exploit your BIOS and reinstall rootkit/keylogger trojans onto a newly formatted system.

Problem is it's very hard to spot, and the only way is to re-flash your BIOS. More info on this here:

http://www.wilderssecurity.com/showthread.php?t=138839

In the wild report here:

http://www.broadbandreports.com/forum/remark,13853178

I have seen 2 cases myself on customers that play World of Warcraft and click bad links; problem is, formatting alone will not remove it!
 
Now I'm not sure, but I think you could slave the drive to wipe it and then flash the BIOS on the machine to fix it. Can anyone confirm or correct me on this? The slaving is the part I am unsure of.
 
Am I missing something here? The two links point to threads in different forums, both of which have not been updated or posted to for over two years.

I'm not saying that the information is not relevant, but classing them as 'new' threats or rootkits is obviously not correct.
 
They are not new, just now more common, and very hard to detect and hard to remove.

No antivirus or malware scanner has the ability to find it; that is what makes it a huge threat, and this is where Conficker could dump this into people's machines, and no matter what security you have you would not detect it.

No antivirus or malware software could remove it. I am beginning to see it more and more with people who play online games and who have kids that click on bad links.
 
Most, perhaps all, BIOS code must be verified by the hardware before loading. The only way this could work is if the code is hardware-specific.

Not really; there is an area in the BIOS you can patch that can be exploited via ACPI.

More on this and how it works:

http://www.ngssoftware.com/research/papers/BH-DC-07-Heasman.pdf

What's really funny is the 1st time I encountered it, I removed the machine from the network, removed the HD, formatted and installed XP, loaded AV from a boot disk and found it again. Then I thought to myself the only way this could have happened is if it was in the BIOS. I removed the HD, flashed the MB, put in another new fresh HD and did a scan from my AV boot disk twice, and it was clean.

It can be defeated by turning off ACPI in the BIOS before catching it.
 
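One concrete check behind the ACPI point above, as an added example that is not code from the thread and not from the Heasman paper: an ACPI rootkit of that kind has to live in a table such as the DSDT, so dump the table and compare it with a hash recorded when the machine was known clean. The ACPI checksum on its own proves nothing, because whoever rewrites the table recomputes it; the example shows both the checksum check and the baseline comparison, and which one actually catches a properly patched table. The sample tables are constructed placeholder bytes (not real AML), and the dump sources named in the docstring (/sys/firmware/acpi/tables/DSDT, acpidump) are assumptions about where the reader gets the bytes.

```python
"""Check an ACPI table dump (e.g. the DSDT) against a known-good baseline.

Added example, not code from the thread or from Heasman's paper. It assumes
the table has already been dumped to bytes, for instance from
/sys/firmware/acpi/tables/DSDT on Linux or with acpidump, and that a SHA-256
of the vendor's DSDT was recorded while the machine was known to be clean.
"""
import hashlib
import struct

# ACPI System Description Table header, 36 bytes, little-endian:
# Signature(4) Length(4) Revision(1) Checksum(1) OEMID(6) OEMTableID(8)
# OEMRevision(4) CreatorID(4) CreatorRevision(4)
SDT_HEADER = struct.Struct("<4sIBB6s8sI4sI")
HEADER_LEN = SDT_HEADER.size  # 36
CHECKSUM_OFFSET = 9


def build_table(signature: bytes, body: bytes) -> bytes:
    """Assemble a table with a correct Length and Checksum (constructed test data only)."""
    length = HEADER_LEN + len(body)
    header = SDT_HEADER.pack(signature, length, 2, 0, b"EXAMPL", b"DSDTTEST", 1, b"EXMP", 1)
    table = bytearray(header + body)
    # The checksum byte makes every byte of the table sum to 0 modulo 256.
    table[CHECKSUM_OFFSET] = (-sum(table)) & 0xFF
    return bytes(table)


def parse_header(blob: bytes) -> dict:
    """Unpack the fixed header; raises if the dump is too short to hold one."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dump shorter than an ACPI table header")
    sig, length, rev, chk, oem_id, _oem_tid, _oem_rev, _cid, _crev = SDT_HEADER.unpack_from(blob)
    return {
        "signature": sig.decode("ascii", "replace"),
        "length": length,
        "revision": rev,
        "checksum": chk,
        "oem_id": oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
    }


def checksum_ok(blob: bytes) -> bool:
    """True if the bytes covered by Length sum to 0 mod 256, as the spec requires."""
    length = parse_header(blob)["length"]
    if length < HEADER_LEN or length > len(blob):
        return False
    return sum(blob[:length]) & 0xFF == 0


def audit_table(blob: bytes, expected_signature: str, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the dump matches the baseline."""
    findings = []
    hdr = parse_header(blob)
    if hdr["signature"] != expected_signature:
        findings.append("signature %r, expected %r" % (hdr["signature"], expected_signature))
    if hdr["length"] != len(blob):
        findings.append("header Length %d != dump size %d" % (hdr["length"], len(blob)))
    if not checksum_ok(blob):
        findings.append("checksum invalid (corrupt dump or careless tampering)")
    digest = hashlib.sha256(blob).hexdigest()
    if digest != baseline_sha256:
        # A checksum-correct table that no longer hashes to the baseline is the
        # interesting case: the table changed and whoever changed it fixed the checksum.
        findings.append("sha256 %s... does not match baseline" % digest[:16])
    return findings


def audit_dump_file(path: str, expected_signature: str, baseline_sha256: str) -> list:
    """Convenience wrapper for a table dumped to a file (path is the caller's choice)."""
    with open(path, "rb") as fh:
        return audit_table(fh.read(), expected_signature, baseline_sha256)


# --- Constructed sample data: placeholder bytes, not real AML ---------------
CLEAN_BODY = bytes(range(0x10, 0x30))
BASELINE_DSDT = build_table(b"DSDT", CLEAN_BODY)
BASELINE_SHA256 = hashlib.sha256(BASELINE_DSDT).hexdigest()

# Tampering done "properly": extra bytes appended and the checksum recomputed,
# so only the baseline hash comparison notices.
TAMPERED_DSDT = build_table(b"DSDT", CLEAN_BODY + b"\xAA" * 8)

# Clumsy tampering: a body byte changed with the checksum left stale.
_clumsy = bytearray(BASELINE_DSDT)
_clumsy[HEADER_LEN] ^= 0xFF
CLUMSY_DSDT = bytes(_clumsy)

if __name__ == "__main__":
    for name, blob in (("baseline", BASELINE_DSDT), ("tampered", TAMPERED_DSDT), ("clumsy", CLUMSY_DSDT)):
        print(name, parse_header(blob)["signature"], audit_table(blob, "DSDT", BASELINE_SHA256) or "OK")
```

The baseline hash has to come from the same board and BIOS revision as the dump; a vendor BIOS update legitimately changes the DSDT, so re-record the hash after every flash and treat a mismatch as a reason to reflash from a vendor image and re-scan, not as proof on its own.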
If the rootkit is sitting in the BIOS and you subsequently kill it off by flashing, then there should be no need to nuke the OS - just clean it up as you should with any other virus infection.
 