Open Source and information security mailing list archives
 
Message-ID: <1075400375.429.42.camel@localhost>
From: frank at knobbe.us (Frank Knobbe)
Subject: MyDoom bios infection

On Thu, 2004-01-29 at 12:09, Ben Nelson wrote:
> > Although code in BIOS could interact with your network card, it would
> > require the correct driver routines for your particular card. Does the
> > virus come with network card drivers for a variety of cards? No? Then
> > BIOS code won't open a TCP port.
> > 
> It would need a TCP stack too, would it not?

That would be supplied with the code injected into the BIOS.

The BIOS code of PXE systems contains what is needed to get DHCP
addresses, etc. Likewise, viral code that has written itself into BIOS has
enough potential to get an IP address and listen on a port. Just very
rudimentary stuff, nothing pretty in the form of library functions other apps
can use. Remember the old BOOT ROMs on NICs? That type of stuff.

The gotcha is that different cards have different IO port ranges,
registers, interrupts, etc, and require different code (read driver) for
the particular card. The virus would have to carry all that driver code
with it. The more cards it were to support, the more code it has to
schlepp along.

It's doubtful that all of that would fit into 600-some bytes. :)

I don't want to drag this into a "is a BIOS network worm possible"
thread. Theoretically yes, but there are a lot of practical limits. Even
if a NIC-code carrying worm made itself a home in the BIOS, you would
have issues with concurrent access to the NIC once the OS gets loaded.
(But it might be able to spread before Windows is up...).


Cheers,
Frank
