funsec mailing list archives

Re: Latest Dell bug--a hardware trojan


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 22 Jul 2010 12:41:24 +1200

Rob Slade wrote:

http://bit.ly/9nZxbn+

Before everyone gets their knickers in a twist...

   http://en.community.dell.com/support-forums/servers/f/956/t/19339458.aspx

Read in particular the second post by "DELL-Matt M".

Of particular note is this gem:

   3.  The W32.Spybot worm was discovered in flash storage on the
       motherboard during Dell testing. The malware does not reside in
       the firmware.

   ...

   7.  Remaining systems can only be exposed if the customer chooses to
       run an update to either Unified Server Configurator (USC) or 32-
       bit Diagnostics.


The malware name in point 3 links to:

    http://www.symantec.com/security_response/writeup.jsp?docid=2003-053013-5943-99

So NOT a "hardware Trojan" (ala New Scientist) but a common or garden 
variety Win32 bot stored in flash ROM/RAM on the motherboard 
(presumably to facilitate system diagnosis and/or recovery).

Now the hardcore speculation...

Assuming that it is not a false positive -- reasonable if Dell has a 
good reason for this:

   4.  All industry-standard antivirus programs on the market today
       have the ability to identify and prevent the code from infecting
       the customer's operating system.

then the odds are that someone updated the contents to put in the 
aforementioned "flash storage" _only for the replacement parts stock_ 
of the mentioned motherboards, on a machine infected by said common bot 
and did so either on a flash drive, or using such a device to transfer 
the collection of files from the PC being used to wherever and the bot 
copied itself to said device, _or_ said device was plugged into such an 
infected machine somewhere down the line but before the files on such 
device were finally copied to the replacement stock motherboards.



Regards,

Nick FitzGerald



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.