-
Flashed with a virus?
This is not exactly a new concept, but it came up again at the recent BlackHat.
The idea is that you could be attacked by a virus that flashed the firmware associated with peripheral devices via their ROM.
It is certainly possible, but I don't think it is anything to get too concerned about at the moment. It is difficult to do, and would only be effective against specific targets.
That said, if you encounter suspicious activity that you cannot trace to conventional vectors, it might be worth considering flashing your firmware, assuming, of course, that the new firmware is larger or the flash includes blank space to fill the entire EPROM.
Article:
http://www.securityfocus.com/brief/447
:)
-
Previously posted ;)
http://antionline.com/showthread.php?t=274831
Yes...it is very scary
MLF
-
Actually Morgana~ I was aware of the link to the BlackHat conference, I was inviting some conversation on the matter.
The first bit is only relevant to AMD 64 bit technology.......... probably dual core, I cannot remember as it came out about 9 months or more ago?
The newer issue is what about attacks on your video cards? There is spare EPROM memory on those, soundcards and stuff?........................ what would you do............. trash your PC? .............trash your PCI cards?
:)
PS: Will you be able to see tonight's total eclipse of the moon from where you are?
-
No eclipse for me...was cloudy and snowy
Although I have seen them before.
I am not a hardware spurt...so my answer to your question as to what would I do...could I not just flash it back with the manufacturer's settings using the same method it got infected.......instead of trashing the PC\hardware??
MLF
-
Hey Morgana~ better luck on August 28th. !!! we have two of them this year :D
Well, on with the subject:
If I have an infected card, how do I know which one? I would guess that my approach would be to re-flash all my PCI stuff.
That brings me to my logical problem :confused:
Would a re-flash actually overwrite the malware?
1. If prepended then the answer = yes
2. If appended, then it would depend on the size of the flash? If it were bigger, then that should be OK?
3. Does the flash write to the whole of the EPROM space?....this is very important as if it doesn't and the re-flash is exactly the same size, then the appended malware will remain exactly where and how it was?
I personally am not aware of anything that scans EPROM memory, or looks at firmware?
-
hmmm.....if the overwrite came short of the virus or was the same size as before, I suspect you would still be ok as there would be no pointers to the virus to execute it and there would be some sort of "End of File" marker at the end of the valid code, once again stopping the virus running.
Like when you wreck LILO because Windows somehow clobbered the start of the partition, Linux is still there, but there's no pointer to it.
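
An added example, not part of any post in this thread: a check for the question raised above of whether a re-flash leaves appended data behind in the unused EPROM space. It assumes you already have a raw dump of the chip and the vendor's image as byte strings, and that erased cells read back as 0xFF; the sample data and the function names are constructed for illustration.

```python
"""Audit a peripheral ROM dump against the vendor image (added example)."""

ERASED = 0xFF  # assumption: erased flash cells read back as 0xFF


def residual_regions(dump: bytes, start: int, erased: int = ERASED):
    """Return (offset, length) runs of non-erased bytes at or after `start`."""
    regions, run_start = [], None
    for off in range(start, len(dump)):
        if dump[off] != erased:
            if run_start is None:
                run_start = off
        elif run_start is not None:
            regions.append((run_start, off - run_start))
            run_start = None
    if run_start is not None:
        regions.append((run_start, len(dump) - run_start))
    return regions


def audit_dump(dump: bytes, vendor_image: bytes):
    """Compare the image area byte-for-byte and list leftovers in the slack space."""
    n = len(vendor_image)
    mismatch = next((i for i in range(min(n, len(dump))) if dump[i] != vendor_image[i]), None)
    if mismatch is None and len(dump) < n:
        mismatch = len(dump)  # dump is shorter than the image it should contain
    return {"image_matches": mismatch is None,
            "first_mismatch": mismatch,
            "residual": residual_regions(dump, n)}


def reflash(chip: bytes, image: bytes, erase_whole_chip: bool) -> bytes:
    """Model the two re-flash behaviours discussed in the thread."""
    base = bytes([ERASED]) * len(chip) if erase_whole_chip else chip
    return image + base[len(image):]


# Constructed sample data: 4 KiB chip, 1 KiB vendor image, 64 foreign bytes appended.
CHIP_SIZE = 4096
VENDOR = bytes((i * 7) % 251 for i in range(1024))
APPENDED = bytes([0xA5]) * 64
INFECTED = VENDOR + APPENDED + bytes([ERASED]) * (CHIP_SIZE - len(VENDOR) - len(APPENDED))

if __name__ == "__main__":
    for whole in (False, True):
        report = audit_dump(reflash(INFECTED, VENDOR, whole), VENDOR)
        print("erase_whole_chip=%s -> %s" % (whole, report))
```

A same-size re-flash that does not erase the chip first passes the image comparison yet still reports the appended bytes as residual, so the slack space has to be checked separately from the image area.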