A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8556  by EP_X0FF
 Wed Sep 14, 2011 8:22 am
Dr.Web didn't find this virus first :) Actually Dr.Web was one of the last AVs to add it into its DB. As predicted, shitty AV PR campaigns overwhelm the bioskit itself.
 #8559  by rkhunter
 Wed Sep 14, 2011 9:09 am
Dr.Web was one of the first who wrote a technical description about Bioskit; and did so as soon as possible.
 #8584  by rkhunter
 Fri Sep 16, 2011 8:49 am
UEFI & Win 8 vs Bios-malware:

When you use a PC that supports UEFI-based Secure Boot (defined in the UEFI 2.3.1 specification), Windows secured boot will help ensure that all firmware and firmware updates are secure, and that the entire Windows boot path up to the antimalware driver has not been tampered with. It does this by loading only properly signed and validated code in the boot path. This helps ensure that malicious code can’t load during boot or resume, and helps to protect you against boot sector and boot loader viruses, as well as bootkit and rootkit malware that try to load as drivers.

http://blogs.msdn.com/b/b8/archive/2011 ... lware.aspx
 #8703  by rkhunter
 Fri Sep 23, 2011 8:06 am
Mr.Bojangles wrote:
rkhunter wrote:UEFI & Win 8 vs Bios-malware:

When you use a PC that supports UEFI-based Secure Boot (defined in the UEFI 2.3.1 specification), Windows secured boot will help ensure that all firmware and firmware updates are secure, and that the entire Windows boot path up to the antimalware driver has not been tampered with. It does this by loading only properly signed and validated code in the boot path. This helps ensure that malicious code can’t load during boot or resume, and helps to protect you against boot sector and boot loader viruses, as well as bootkit and rootkit malware that try to load as drivers.

http://blogs.msdn.com/b/b8/archive/2011 ... lware.aspx
Too bad it's just HWID encrypted SHA1 tables..

Big corporations and their straight-out-of-the-textbook employees think RCE is something only licensed employees can do..good for pirates and botnet capitalists I guess..
UEFI 'secure boot' could lock out Linux from Windows 8 PCs
Microsoft's demand that 'secure boot' is enabled on Windows 8 PCs means that you might not be able to install Linux.
http://www.zdnet.com/blog/hardware/yes- ... -pcs/14897
 #8709  by N3mes1s
 Fri Sep 23, 2011 11:20 am
rkhunter wrote:
Mr.Bojangles wrote:
rkhunter wrote:UEFI & Win 8 vs Bios-malware:

When you use a PC that supports UEFI-based Secure Boot (defined in the UEFI 2.3.1 specification), Windows secured boot will help ensure that all firmware and firmware updates are secure, and that the entire Windows boot path up to the antimalware driver has not been tampered with. It does this by loading only properly signed and validated code in the boot path. This helps ensure that malicious code can’t load during boot or resume, and helps to protect you against boot sector and boot loader viruses, as well as bootkit and rootkit malware that try to load as drivers.

http://blogs.msdn.com/b/b8/archive/2011 ... lware.aspx
Too bad it's just HWID encrypted SHA1 tables..

Big corporations and their straight-out-of-the-textbook employees think RCE is something only licensed employees can do..good for pirates and botnet capitalists I guess..
UEFI 'secure boot' could lock out Linux from Windows 8 PCs
Microsoft's demand that 'secure boot' is enabled on Windows 8 PCs means that you might not be able to install Linux.
http://www.zdnet.com/blog/hardware/yes- ... -pcs/14897
And the reply from Steven Sinofsky:

http://www.winrumors.com/microsoft-clea ... t-feature/

And more on UEFI from msdn blogs:

http://blogs.msdn.com/b/b8/archive/2011 ... -uefi.aspx
 #8721  by EP_X0FF
 Sat Sep 24, 2011 3:42 am
Mr.Bojangles wrote:There is already a known method for non-TPM systems that is basically deflate->keygen->decrypt->change->compress->write-range->write. Since TPM isn't secure, the cert method, which is only different by the crypto used, will most likely fail too. Like most tech that is mostly the result of greed for market share, it's not high frequency enough for real malware authors to care about..
Please tell us your way or provide a solution for how to make it impossible for bootkits to work.
Rules: you can't use crutches like HIPS, you have to do this conceptually, your solution should be hardware-assisted and must not impact overall system performance and boot time.

If the computer runs an idiot, there is nothing that can help.
 #8724  by PX5
 Sat Sep 24, 2011 1:05 pm
EP_X0FF wrote:If the computer runs an idiot, there is nothing that can help.

Ah hahahahahahahaha.....never a truer statement made!......PEBKAC
 #10376  by supermino
 Thu Dec 15, 2011 12:29 pm
I have found this new rootkit in another forum. It infected the BIOS!!!

http://www..com/file-scan/report.html?id=3b7e16e99823748f28abbb31d1ef4bc76e29371fcb6e42a527ebf584bf0a20e1-1323951651
Attachments
Pass: infected
 #10377  by EP_X0FF
 Thu Dec 15, 2011 12:38 pm
supermino wrote:I have found this new rootkit in another forum. It infected the BIOS!!!

http://www..com/file-scan/report.html?id=3b7e16e99823748f28abbb31d1ef4bc76e29371fcb6e42a527ebf584bf0a20e1-1323951651

:)

Use search next time.