Full Disclosure mailing list archives

Re: MyDoom bios infection


From: Frank Knobbe <frank () knobbe us>
Date: Thu, 29 Jan 2004 12:19:36 -0600

On Thu, 2004-01-29 at 12:09, Ben Nelson wrote:
> Although code in BIOS could interact with your network card, it would
> require the correct driver routines for your particular card. Does the
> virus come with network card drivers for a variety of cards? No? Then
> BIOS code won't open a TCP port.
>
> It would need a TCP stack too, would it not?

That would be supplied with the code injected into the BIOS.

The BIOS code of PXE systems contains what is needed to get DHCP
addresses, etc. Likewise, viral code that wrote itself into the BIOS has
enough potential to get an IP address and listen on a port. Just very
rudimentary stuff, nothing pretty in the form of library functions other apps
can use. Remember the old BOOT ROMs on NICs? That type of stuff.

The gotcha is that different cards have different IO port ranges,
registers, interrupts, etc., and require different code (read: driver) for
the particular card. The virus would have to carry all that driver code
with it. The more cards it were to support, the more code it has to
schlepp along.

It's doubtful that all of that would fit into 600-some bytes. :)

I don't want to drag this into an "is a BIOS network worm possible"
thread. Theoretically yes, but there are a lot of practical limits. Even
if a NIC-code carrying worm made itself a home in the BIOS, you would
have issues with concurrent access to the NIC once the OS gets loaded.
(But it might be able to spread before Windows is up...).


Cheers,
Frank


