Full Disclosure mailing list archives
RE: Culprit Bio: Short course on BIOS vulnerability.
From: "Clairmont, Jan" <JMC13 () mail3 cs state ny us>
Date: Fri, 30 Jan 2004 08:25:40 -0500
Let's go into basic security, Forth and assembler TSRs (terminate-and-stay-resident programs).

1. Internet protocols exist to transfer data with very little code; they involve services such as SMTP (HELO), tftp boot, telnet and others. They require very little knowledge, and since I teach network security, an unsecured service is hackable and co-optable to the extreme. Courses on this are available, and every security person should at least take one course on basic hacking of unsecured services and security. Even secure services are hackable with the right training and persistence.

2. BIOS and DOS have assembler calls, especially using int 21 and int 20, that access devices and open files in a raw character mode that needs no other introduction. I have done this, writing in C++, C and assembler, to open Ethernet in promiscuous mode, or video, or memory. No device is unavailable to DOS, and these same exploits work for the most part on UNIX.

3. It is very easy to scan in promiscuous mode for ports and strings, without regard to CRC, short packets or anything else, locally. Truncated packets are normally dropped; they don't have to be if you are in promiscuous mode. Everything on the Internet is open for inspection and transmission.

4. MAC address, IP and anything else can be spoofed with a sniffer, windump or tcpdump replayer and sent on any port. This is no problem either on Ethernet. I have done this to reverse engineer protocols for legitimate reasons: companies who lost the protocol specs and needed to port a protocol to another system. I have done this many times.

5. BIOS and reprogrammable EEPROMs have been around since the late '70s and early '80s. They have low addressability, and again code and data are easily stored in them.

6. Forth, well, in the old days, had a 50-line assembler interpreter; 50 lines translates to maybe 150 bytes of code, more or less, depending on how tightly it was written. An interpreter that small can be hidden in the cracks: on an unused track on a hard disk, in flash memory, in a stored e-mail message, whatever. The Forth code is then small enough to open the default NIC card of any system in promiscuous mode and blast or receive away. BIOSes on Intel machines have all the drivers and calls necessary for Forth, assembler or C to call.

7. A TSR (terminate-and-stay-resident) program is a little program that sits in memory awaiting a keystroke sequence (Ctrl-Alt-F12), or a date, or a string of data on a NIC card open in promiscuous mode. This can be teeny tiny, a few lines of assembler tucked away in a non-obvious TSR. How to program them is online, and again anybody savvy can do it.

8. The question is not so much how to do it as why? What is the motive? Who would do it? Why SCO? Why now? We can all be forensic computer pathologists here. The challenge isn't so much the expertise of the hacker but finding them and shutting it down. Why? Because the Internet is a democratic highway for change and ideas, maybe the last one on earth, and if we want that last bastion of democracy taken away, then let this hacker, like others, get away with it, and then, like the Borg menace, we will be assimilated. The Internet will be clamped down. You won't be able to send an e-mail to Aunt Helen without an RSA card and an eye scan. That would really burn us all; we must self-police, or we will be policed brutally. It may happen anyway, but this kind of stuff will surely shut it down more quickly. Again, now upping the ante is Billy Boy (the Gates of the New World Order are upon us: You will be assimilated) offering another 250,000.

Get down off the soap box, Jan, and let's have some fun: Watson, the game's afoot; maybe today is a good day to die; Cry havoc! and unleash the dogs of war! Whatever your favorite Sherlock Holmes, Star Trek or Shakespeare pseudo-quote is, go get 'em, Tiger.
-----Original Message-----
From: Helmut Hauser [mailto:helmut_hauser () hotmail com]
Sent: Friday, January 30, 2004 4:07 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Culprit Bio: Perfect Storm Averted or Just

It seems that the virus writer put his anagram into his creation. If you view the malware with a hex editor you can read the letters AU at the end of the file (beginning at 00007F20, ending at 00007F70). According to my disassembly, the virus writer used C++ with assembler includes and he has average skills; he used timers and sleep functions to conceal the presence of the active virus.

Helmut

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
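The post above makes two related claims: that a promiscuous-mode listener can scan for strings "without regard to CRC, short packets or anything else", and that a resident program can wait for "a string of data on a NIC card open in promiscuous mode". The following is an added example written for this archive page, not code from either poster. It is a C frame scanner that matches a trigger string against raw captured Ethernet bytes the way such a listener would (no FCS check, no discarding of runt or truncated frames) while still recording what a normal IP stack would have rejected, which is the part a defender writing a detector needs. All frames are constructed in memory; the trigger string, port 31337, the TEST-NET-1 addresses and the function names `scan_frame`, `scan_flags` and `build_udp_frame` are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the post): scan raw Ethernet bytes for a trigger
 * string as a promiscuous-mode listener would, i.e. without checking the
 * FCS and without discarding runt or truncated frames, while still
 * reporting what a normal stack would have rejected.  All frames are
 * constructed here; nothing touches a real NIC. */

#define ETH_HLEN       14u
#define ETH_MIN_FRAME  60u      /* minimum Ethernet frame, FCS excluded */
#define ETHERTYPE_IPV4 0x0800u
#define IP_PROTO_TCP   6u
#define IP_PROTO_UDP   17u

struct scan_result {
    int is_ipv4;
    int is_runt;        /* captured frame shorter than the 60-byte minimum */
    int len_mismatch;   /* IPv4 total length disagrees with captured bytes */
    unsigned dst_port;  /* TCP/UDP destination port, 0 if none was parsed */
    int trigger_found;  /* trigger bytes present anywhere in the capture */
};

/* Bitmask form of the result, convenient for one-line checks. */
enum { F_TRIGGER = 1, F_RUNT = 2, F_MISMATCH = 4, F_IPV4 = 8 };

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Plain byte search; memmem() is not portable C. */
static int bytes_contain(const uint8_t *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || hlen < nlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Parse only what was actually captured and never let a length field extend
 * past it.  Returns 0, or -1 if not even an Ethernet header fits. */
int scan_frame(const uint8_t *f, size_t n, const char *trigger,
               struct scan_result *r)
{
    memset(r, 0, sizeof *r);
    if (n < ETH_HLEN) return -1;
    r->is_runt = (n < ETH_MIN_FRAME);
    /* The trigger match ignores framing entirely: a raw listener sees the
     * bytes whether or not the stack would have accepted the frame. */
    r->trigger_found = bytes_contain(f, n, trigger);
    if (be16(f + 12) != ETHERTYPE_IPV4) return 0;
    r->is_ipv4 = 1;
    if (n < ETH_HLEN + 20) return 0;              /* IPv4 header incomplete */
    const uint8_t *ip = f + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > n - ETH_HLEN) return 0;
    r->len_mismatch = (be16(ip + 2) != n - ETH_HLEN);
    if ((ip[9] == IP_PROTO_UDP || ip[9] == IP_PROTO_TCP) && n >= ETH_HLEN + ihl + 4)
        r->dst_port = be16(ip + ihl + 2);         /* ports lead both headers */
    return 0;
}

int scan_flags(const uint8_t *f, size_t n, const char *trigger)
{
    struct scan_result r;
    if (scan_frame(f, n, trigger, &r) != 0) return -1;
    return (r.trigger_found ? F_TRIGGER : 0) | (r.is_runt ? F_RUNT : 0)
         | (r.len_mismatch ? F_MISMATCH : 0) | (r.is_ipv4 ? F_IPV4 : 0);
}

/* Constructed Ethernet/IPv4/UDP frame: dummy MACs, TEST-NET-1 addresses, zero
 * checksums.  The IPv4 total length is filled in honestly so that a later
 * truncation is detectable.  Returns the frame length, 0 if buf is too small. */
size_t build_udp_frame(uint8_t *buf, size_t cap, unsigned dst_port,
                       const char *payload)
{
    size_t plen = strlen(payload);
    size_t n = ETH_HLEN + 20 + 8 + plen;
    if (n > cap || plen > 65507) return 0;
    memset(buf, 0, n);
    memset(buf, 0xff, 6);                        /* dst MAC: broadcast */
    memset(buf + 6, 0x02, 6);                    /* src MAC: locally administered dummy */
    buf[12] = 0x08; buf[13] = 0x00;              /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                                /* version 4, IHL 5 */
    ip[2] = (uint8_t)((20 + 8 + plen) >> 8);
    ip[3] = (uint8_t)(20 + 8 + plen);
    ip[8] = 64;                                  /* TTL */
    ip[9] = IP_PROTO_UDP;
    ip[12] = 192; ip[13] = 0; ip[14] = 2; ip[15] = 10;   /* 192.0.2.10 */
    ip[16] = 192; ip[17] = 0; ip[18] = 2; ip[19] = 20;   /* 192.0.2.20 */
    uint8_t *udp = ip + 20;
    udp[0] = 0xc3; udp[1] = 0x50;                /* src port 50000 */
    udp[2] = (uint8_t)(dst_port >> 8); udp[3] = (uint8_t)dst_port;
    udp[4] = (uint8_t)((8 + plen) >> 8); udp[5] = (uint8_t)(8 + plen);
    memcpy(udp + 8, payload, plen);
    return n;
}

int main(void)
{
    uint8_t b[256];
    const char *trig = "WAKE-UP-TOKEN";
    size_t n = build_udp_frame(b, sizeof b, 31337, "WAKE-UP-TOKEN--trailing-bytes--");
    printf("full frame      flags=%d\n", scan_flags(b, n, trig));       /* 9  */
    printf("truncated frame flags=%d\n", scan_flags(b, n - 10, trig));  /* 13 */
    n = build_udp_frame(b, sizeof b, 31337, trig);
    printf("runt frame      flags=%d\n", scan_flags(b, n, trig));       /* 11 */
    return 0;
}
```

The truncated case is the one worth noting. A host stack drops a frame whose IPv4 total length exceeds the bytes received, so a detector that only inspects reassembled streams never sees the trigger; a raw listener, which is exactly what a capture with a short snaplen or a promiscuous NIC driver gives you, matches it anyway. The `len_mismatch` and `is_runt` flags are what you would log alongside the match to distinguish a deliberately malformed trigger frame from ordinary traffic.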
Current thread:
- RE: Culprit Bio: Short course on BIOS vulnerability. Clairmont, Jan (Jan 30)