Re: Bios programming...

[Ankush Kapoor <everbeeninlove () gmail com>]

Very interesting software indeed, though i am not sure how many people
would like you keeping them honest and nice! Also, i wont be surprised
if someone soon attacked your website for making something that ruined
one of the few businesses on the net that make real money, namely
porn. Not that I am a patron of porn, but you sure will have a lot of
people knocking on your company's network.

anyway, I hope you manage to make this great little utility. I would
love to lay my hands on something like this to install a backdoor! ;)
Now, why didn't anyone think of that?!!


regards

Ankush Kapoor


On Thu, 3 Mar 2005 15:33:09 -0500, Matt Marooney
<matt () dynamicanswers com> wrote:
> Thanks for the feedback Valdis!
>
> I've been doing some reading about custom BIOS chips that include
> security programs, so that may not be the way I want to go...
>
> I definatly want the program to behave like spyware, but not show up on
> scanners! :)
>
> The intent of the BIOS portion of the program was just to have a small
> bit of code that checked for the existence of the main monitoring
> program on the disk, and if it was not there, reload it somehow.
>
> The main program would run from the disk, not the BIOS.
>
>
> -----Original Message-----
> From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
> Sent: Thursday, March 03, 2005 3:19 PM
> To: Matt Marooney
> Cc: full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] Bios programming...
>
> On Thu, 03 Mar 2005 13:44:39 EST, Matt Marooney said:
>
> > 1. I would like the program to be "un-installable".  I've heard of a
>
> Did you mean "un-installable", as in "an inability to be installed", or
> "non-uninstallable", as in "not removable"? :)
>
> In any case, some time with Google will probably find you an Agobot or
> spyware that will give you lots of hints on how to create a
> hard-to-remove program. ;)
>
> > couple of hardware security tracking services that can load a very
> > small setup package in the CMOS and if a computer is stolen, and the
> > hard drive is replaced, the app reloads itself and the next time the
> > computer is on the internet, it sends out a beacon.  Does anyone have
> > any insight about how to do something like this?  I want the CMOS
> > program to run on boot, and check to see if the monitoring software is
>
> > still installed. If it is not, the boot process reloads it.
>
> Note that this would almost certainly require an additional PROM chip,
> and hooks into the BIOS to invoke it at the right points.  Note that
> about all it can probably do is "If the disk is different, toss a
> crafted packet out the Ethernet and hope for the best".  Note that
> you're probably screwed if they either reboot while not on the net, or
> re-flash the BIOS with the original vendor BIOS (which implies further
> hardware hacks to make the box not bootable with the original vendor
> BIOS image).
>
> If you want it to additionally run a program in the "background", you'll
> have to get the operating system to cooperate.
>
> > 2. obviously, the program does not need to be very large, so I want it
>
> > to run in the background and not be visible to the computer's user.
> > This is easy, I know, but I want the process to be completely
> > invisible. (even to super-geeks)
>
> Remember that in general, the BIOS is in control before boot, but after
> boot, the BIOS is not in any meaningful control anymore.
>
> Ask yourself what happens if your problem user boots a Knoppix CD that
> doesn't want to play nice with your CMOS?
>
> > 3. I would like to figure out a way to monitor traffic for multiple
> > protocols (HTTP, FTP, File Sharing, Chat, etc.) .  I'm wondering if
> > there is a way to figure out "bad" requests on a packet level.
>
> Take a look at Snort or other similar IDS, that tries to do that -
> particularly in terms of the size of the binary, and the system load
> impact.  And then ask yourself if something that big is easily hidden
> inside the BIOS functionality (and consider carefully how many vendors
> ship totally borked ACPI DSDT's or just broken BIOSes)....
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html