[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: everbeeninlove at gmail.com (Ankush Kapoor)
Subject: Bios programming...
Very interesting software indeed, though i am not sure how many people
would like you keeping them honest and nice! Also, i wont be surprised
if someone soon attacked your website for making something that ruined
one of the few businesses on the net that make real money, namely
porn. Not that I am a patron of porn, but you sure will have a lot of
people knocking on your company's network.
anyway, I hope you manage to make this great little utility. I would
love to lay my hands on something like this to install a backdoor! ;)
Now, why didn't anyone think of that?!!
regards
Ankush Kapoor
On Thu, 3 Mar 2005 15:33:09 -0500, Matt Marooney
<matt@...amicanswers.com> wrote:
>
> Thanks for the feedback Valdis!
>
> I've been doing some reading about custom BIOS chips that include
> security programs, so that may not be the way I want to go...
>
> I definatly want the program to behave like spyware, but not show up on
> scanners! :)
>
> The intent of the BIOS portion of the program was just to have a small
> bit of code that checked for the existence of the main monitoring
> program on the disk, and if it was not there, reload it somehow.
>
> The main program would run from the disk, not the BIOS.
>
>
> -----Original Message-----
> From: Valdis.Kletnieks@...edu [mailto:Valdis.Kletnieks@...edu]
> Sent: Thursday, March 03, 2005 3:19 PM
> To: Matt Marooney
> Cc: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Bios programming...
>
> On Thu, 03 Mar 2005 13:44:39 EST, Matt Marooney said:
>
> > 1. I would like the program to be "un-installable". I've heard of a
>
> Did you mean "un-installable", as in "an inability to be installed", or
> "non-uninstallable", as in "not removable"? :)
>
> In any case, some time with Google will probably find you an Agobot or
> spyware that will give you lots of hints on how to create a
> hard-to-remove program. ;)
>
> > couple of hardware security tracking services that can load a very
> > small setup package in the CMOS and if a computer is stolen, and the
> > hard drive is replaced, the app reloads itself and the next time the
> > computer is on the internet, it sends out a beacon. Does anyone have
> > any insight about how to do something like this? I want the CMOS
> > program to run on boot, and check to see if the monitoring software is
>
> > still installed. If it is not, the boot process reloads it.
>
> Note that this would almost certainly require an additional PROM chip,
> and hooks into the BIOS to invoke it at the right points. Note that
> about all it can probably do is "If the disk is different, toss a
> crafted packet out the Ethernet and hope for the best". Note that
> you're probably screwed if they either reboot while not on the net, or
> re-flash the BIOS with the original vendor BIOS (which implies further
> hardware hacks to make the box not bootable with the original vendor
> BIOS image).
>
> If you want it to additionally run a program in the "background", you'll
> have to get the operating system to cooperate.
>
> > 2. obviously, the program does not need to be very large, so I want it
>
> > to run in the background and not be visible to the computer's user.
> > This is easy, I know, but I want the process to be completely
> > invisible. (even to super-geeks)
>
> Remember that in general, the BIOS is in control before boot, but after
> boot, the BIOS is not in any meaningful control anymore.
>
> Ask yourself what happens if your problem user boots a Knoppix CD that
> doesn't want to play nice with your CMOS?
>
> > 3. I would like to figure out a way to monitor traffic for multiple
> > protocols (HTTP, FTP, File Sharing, Chat, etc.) . I'm wondering if
> > there is a way to figure out "bad" requests on a packet level.
>
> Take a look at Snort or other similar IDS, that tries to do that -
> particularly in terms of the size of the binary, and the system load
> impact. And then ask yourself if something that big is easily hidden
> inside the BIOS functionality (and consider carefully how many vendors
> ship totally borked ACPI DSDT's or just broken BIOSes)....
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
Powered by blists - more mailing lists