On Tue, Apr 23, 2013 at 8:24 PM, Angus Scott-Fleming
<[email protected]> wrote:
>>   Yah, that's scary enough.  I mean, sure, if someone else can control
>> the hardware, in theory they can do anything, but think about the
>> implications.  Is there some kind of hook in Windows that lets the
>> BIOS run arbitrary code?
>
> My guess is that the software re-installs itself pre-boot

  That's the assertion.  My question is, what does the software do to
"re-install itself" pre-boot?

  The BIOS is not magic.  The BIOS is a chunk of software stored in
ROM that the processor starts executing at power on or reset.  Before
it hands over control to the MBR, it can do anything it wants, but it
has to actually do it.  There's no "install Windows software" BIOS
interrupt.  While I suppose it could have an NTFS implementation, a
registry implementation, plus whatever other code is needed to
"install" something into Windows, that strikes me as being halfway to
just having Windows in the BIOS.

  I would expect it would be a lot easier to simply use something like
System Management Mode to preempt the OS and then "borrow" the wifi
(after sniffing the IP address the OS is using), but the theory seems
to be that the communication is handled by an agent running on the OS.

> (much like CHKDSK /F can be made to run before Windows loads).

  CHKDSK runs after the Windows kernel is running, boot start drivers
are loaded, the filesystems are mounted, and the registry is opened.
There's a registry key that tells the Windows startup code to invoke a
program called AUTOCHK.EXE, which fires off CHKDSK if needed.  This
doesn't lead to anything of particular help for the above.

  I'm pretty sure you know this already.  :)

> http://www.zdnet.com/blog/security/researchers-find-insecure-bios-rootkit-pre-loaded-in-laptops/3828

  Yah, as usual, the press gives so little information as to be useless.

-- Ben
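
The registry hook the reply describes can be audited from a `.reg` export. This is an added example, not part of the original message. It assumes the hook is the `BootExecute` value (REG_MULTI_SZ) under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager` with the stock content `autocheck autochk *`, which the thread does not name. The sample export and the `examplesvc` entry are constructed.

```python
import re

# Assumed stock BootExecute content on a clean Windows install.
DEFAULT_ENTRIES = {"autocheck autochk *"}

def decode_multi_sz(hex_csv):
    """Decode the comma-separated bytes of a .reg hex(7) (REG_MULTI_SZ) value."""
    raw = bytes(int(b, 16) for b in hex_csv.split(",") if b.strip())
    # Strings are UTF-16LE, NUL-separated, with an extra NUL ending the list.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def boot_execute_entries(reg_text):
    """Return the BootExecute entries found in the decoded text of a .reg export."""
    # .reg files wrap long values: trailing backslash, indented next line.
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    m = re.search(r'^"BootExecute"=hex\(7\):([0-9a-fA-F,]*)', joined, re.M)
    if m is None:
        raise ValueError("BootExecute value not found in export")
    return decode_multi_sz(m.group(1))

def unexpected_entries(entries):
    """Entries that are not part of the stock value and deserve a closer look."""
    return [e for e in entries if e.strip().lower() not in DEFAULT_ENTRIES]

def sample_export(entries, per_line=8):
    """Build a constructed .reg fragment for the demo (not real system data)."""
    raw = ("\x00".join(entries) + "\x00\x00").encode("utf-16-le")
    cells = [f"{b:02x}" for b in raw]
    rows = [",".join(cells[i:i + per_line])
            for i in range(0, len(cells), per_line)]
    return ("[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet"
            "\\Control\\Session Manager]\n"
            '"BootExecute"=hex(7):' + ",\\\n  ".join(rows) + "\n")

if __name__ == "__main__":
    # "examplesvc" is a hypothetical extra boot-time program.
    text = sample_export(["autocheck autochk *", "examplesvc"])
    print(text)
    print("unexpected:", unexpected_entries(boot_execute_entries(text)))
```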
