You steal music I lock your pc [Ransomware]


ZeroDay

Thread author
Today I came across a new malware (ransomware) variant in the Netherlands, and this variant is no ordinary ransomware like Reveton, Urausy, Kovter or similar well-known versions that pretend to be from the FBI, Department of Justice or another police department. This kind of ransomware with the message “You steal music I lock your pc” is not loaded from the system drive, because when you disconnect the hard drive it will still display the “lockscreen”, and it seems that this malware variant has flashed the entire BIOS of the compromised system.

Another indication of a malicious BIOS modification or complete flash is the fact that the system BIOS is not accessible, and the lockscreen appears 2 seconds after the system is started. The screen with the message “You steal music I lock your pc” is not graphical but created with special characters and looks like an ANSI art creation.

This lockscreen is not comparable with the other ransomware variants: it doesn’t ask you to pay a fine but only locks you out from booting your computer in the normal way. It seems, therefore, that this malware is not designed by the cybercriminals to receive money but to make a system physically inaccessible.

Wilders thread that made me aware of this.

See this wilders post (very worrying)
 

ZeroDay

Thread author
I'm not too sure, Earth, but from reading the article this doesn't look like it's made by cyber criminals trying to make money. It's one very, very nasty malware.
 

Maxstar

New Member
Jun 30, 2013
2
Hi,

I'm the author of the article mentioned in the first post. Today I first saw this malware on Dutch fora, but I don't know if this kind of malware is spreading around the world in other countries as well.

This is indeed a very nasty malware infection, and as far as I know it will flash the BIOS and the system is not able to boot / start in the normal way.
Because I have no more information than a file name and some information posted by the topic starters, I can't test or reverse things myself.

Besides this, I will look further to see if I can catch some samples from the users' machines.

regards,

Maxstar
 

ZeroDay

Thread author
Maxstar said:
Hi,

I'm the author of the article mentioned in the first post. Today I first saw this malware on Dutch fora, but I don't know if this kind of malware is spreading around the world in other countries as well.

This is indeed a very nasty malware infection, and as far as I know it will flash the BIOS and the system is not able to boot / start in the normal way.
Because I have no more information than a file name and some information posted by the topic starters, I can't test or reverse things myself.

Besides this, I will look further to see if I can catch some samples from the users' machines.

regards,

Maxstar

Thanks :)
 

Maxstar

New Member
Jun 30, 2013
2
Thank you, and sorry for the poor English, because it is not my native language.
Reading is not a problem, but writing is sometimes a little bit difficult, with a lot of grammar faults.
 

Littlebits

Retired Staff
May 3, 2011
3,893
If you add an Admin password to your BIOS then this kind of malware cannot affect it. You can't even update or flash your BIOS if it has a password lock.

Thanks.:D
 

ZeroDay

Thread author
Littlebits said:
If you add an Admin password to your BIOS then this kind of malware cannot affect it. You can't even update or flash your BIOS if it has a password lock.

Thanks.:D

I can't remember where I read this, but I did read somewhere about bootkits that have been bypassing BIOS passwords for a while now. I'll try and find where I read this. Also, there is a manufacturer back door on a lot of BIOSes; these would be the same password, so that's another way the password could be bypassed.
 

Amiga500

Level 12
Verified
Jan 27, 2013
661
Very nasty looking malware.
Would running in a standard user account not prevent this..?
 

Ink

Administrator
Verified
Jan 8, 2011
22,489
Under the assumption that it's a double extension (i.e. not-a-virus.mp3.exe).

Running Windows Vista or higher, UAC should prompt when you execute it, because as far as I'm aware flashing the BIOS requires admin privileges.

If it's not cyber-criminals, it must be the music industry or some moron who supports no file sharing. :p
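A detection for the double-extension trick Ink describes, as an added example that is not code from the thread or from anyone in it: given filenames (or full Windows paths), it reports those whose real, last extension is executable while an earlier suffix looks like media or a document, and shows what Explorer would display with "Hide extensions for known file types" enabled. The extension lists, the rule that collapses whitespace padding before the final dot, and the sample listing are my own constructions.

```python
"""
Added example (not from the thread): flag filenames such as "not-a-virus.mp3.exe"
where a media-looking name hides the executable extension that Windows hides by
default. Extension lists are illustrative choices, not anything the thread states.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Extensions Windows runs directly when double-clicked (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk"}
# Extensions a user expects for harmless content (illustrative).
DECOY_EXTS = {".mp3", ".wav", ".flac", ".avi", ".mp4", ".mkv", ".jpg", ".jpeg",
              ".png", ".gif", ".pdf", ".doc", ".docx", ".txt", ".zip"}


def extensions_of(filename: str) -> list[str]:
    """All lower-cased suffixes of the final path component: 'a.mp3.exe' -> ['.mp3', '.exe']."""
    name = PureWindowsPath(filename).name
    # "song.mp3        .exe" pushes the real extension out of view in a narrow listing;
    # drop the padding so the suffixes are parsed the way the file is actually handled.
    name = re.sub(r"\s+\.", ".", name)
    return [s.lower() for s in PureWindowsPath(name).suffixes]


def is_disguised_executable(filename: str) -> bool:
    """True when the real (last) extension is executable and an earlier suffix is a decoy."""
    exts = extensions_of(filename)
    if len(exts) < 2 or exts[-1] not in EXECUTABLE_EXTS:
        return False
    return any(ext in DECOY_EXTS for ext in exts[:-1])


def displayed_name(filename: str) -> str:
    """What Explorer shows with known extensions hidden: the last suffix is dropped."""
    name = PureWindowsPath(filename).name
    suffix = PureWindowsPath(name).suffix
    return name[:-len(suffix)] if suffix else name


def scan(filenames) -> list[tuple[str, str]]:
    """(real name, name as displayed) for every disguised executable in the listing."""
    return [(f, displayed_name(f)) for f in filenames if is_disguised_executable(f)]


# Constructed directory listing (not real samples from the thread).
SAMPLE_LISTING = [
    "not-a-virus.mp3.exe",
    "Greatest Hits.mp3",
    "holiday.jpg.scr",
    "setup.exe",
    "song.mp3            .exe",
    "archive.tar.gz",
    "invoice.pdf.lnk",
]

if __name__ == "__main__":
    for real, shown in scan(SAMPLE_LISTING):
        print(f"suspicious: shown as {shown!r}, really {real!r}")
```

This is a name check only: a file honestly named something.exe passes it and still relies on the scanning and the UAC prompt Ink mentions, and the decoy and executable lists should be extended to whatever your environment treats as content and as code.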
 

ZeroDay

Thread author
If it is the music industry, I hope Anonymous returns the favour.
 

Littlebits

Retired Staff
May 3, 2011
3,893
ZeroDay said:
Littlebits said:
If you add an Admin password to your BIOS then this kind of malware cannot affect it. You can't even update or flash your BIOS if it has a password lock.

Thanks.:D

I can't remember where I read this, but I did read somewhere about bootkits that have been bypassing BIOS passwords for a while now. I'll try and find where I read this. Also, there is a manufacturer back door on a lot of BIOSes; these would be the same password, so that's another way the password could be bypassed.

Some of the newer BIOSes are locked by default; the only way you can flash the BIOS is to use the tool from the BIOS vendor.

This applies to both my ASUS motherboard (you have to use the ASUS flash utility) and my Acer laptop (you must use the Acer BIOS update).

The files have to be digitally signed by the vendor and the flash BIOS update must be compatible or it will fail (no changes will be made).

It is very unlikely that any malware can bypass these locking features.

Of course, first you would have to manually download the malicious file, which should be blocked by most AVs and some browser protection, then manually run the malicious file, which would prompt notifications from both UAC and the Windows digital file checker.

In the worst case, you can remove your BIOS battery, wait a few minutes and put it back in; then your BIOS will be reset to default settings.

This malware is not widespread according to the info from AV vendors so the chances of actually getting infected with it are extremely rare.

Novice users who don't have AV real-time protection, don't pay attention to what they download and install and don't utilize UAC are more susceptible to getting infected with it.

So as long as you watch which files you download and only use trusted sources then you will not be vulnerable to this type of malware.

Since it is not stated how old the BIOS was that was infected with this malware, it is not known if it can even affect modern BIOSes. I'm suspecting the BIOS must have been pretty old and probably still running Windows XP.

Thanks.:D
 

mvh69

New Member
Jun 30, 2013
1
Some of the newer BIOSes are locked by default; the only way you can flash the BIOS is to use the tool from the BIOS vendor.
This applies to both my ASUS motherboard (you have to use the ASUS flash utility) and my Acer laptop (you must use the Acer BIOS update).
The files have to be digitally signed by the vendor and the flash BIOS update must be compatible or it will fail (no changes will be made).
It is very unlikely that any malware can bypass these locking features.

Of course, first you would have to manually download the malicious file, which should be blocked by most AVs and some browser protection, then manually run the malicious file, which would prompt notifications from both UAC and the Windows digital file checker.

In the worst case, you can remove your BIOS battery, wait a few minutes and put it back in; then your BIOS will be reset to default settings.

This malware is not widespread according to the info from AV vendors so the chances of actually getting infected with it are extremely rare.

Novice users who don't have AV real-time protection, don't pay attention to what they download and install and don't utilize UAC are more susceptible to getting infected with it.

So as long as you watch which files you download and only use trusted sources then you will not be vulnerable to this type of malware.

Since it is not stated how old the BIOS was that was infected with this malware, it is not known if it can even affect modern BIOSes. I'm suspecting the BIOS must have been pretty old and probably still running Windows XP.

Thanks.:D

I am sorry, but I really can't agree with the things you claim.
Let's start with your biggest misconception:

In the worst case, you can remove your BIOS battery, wait a few minutes and put it back in; then your BIOS will be reset to default settings.

THAT IS ABSOLUTE NONSENSE!!
You don't seem to understand the difference between the BIOS and the CMOS; the two are DIFFERENT. The BIOS is software, needed to start your computer, and is located in FLASHABLE ROM. The CMOS is a collection of data (settings) that can be changed both by the user and by Windows and is used by the BIOS program.
This CMOS is located in RAM (that's why it needs a CMOS battery to keep the settings). This malware does NOT overwrite the CMOS data, but overwrites (flashes) the BIOS. Thus removing your CMOS battery will ONLY clear your CMOS settings and will not have any effect on the BIOS (which was overwritten).

This malware is not widespread according to the info from AV vendors so the chances of actually getting infected with it are extremely rare.

This malware is brand new; there is no way of telling how widespread it will become.

Novice users who don't have AV real-time protection, don't pay attention to what they download and install and don't utilize UAC are more susceptible to getting infected with it.

Absolutely true.

So as long as you watch which files you download and only use trusted sources then you will not be vulnerable to this type of malware.

No one knows where this malware comes from, no one knows how these people got infected; it might be from a drive-by download from a "trusted" website. But you own a crystal ball? You know what no one else knows? I doubt that, so don't speculate about things you don't know about, and certainly don't post your speculations as if they were facts.

Since it is not stated how old the BIOS was that was infected with this malware, it is not known if it can even affect modern BIOSes. I'm suspecting the BIOS must have been pretty old and probably still running Windows XP.

Why would you suspect that the BIOSes that were infected were pretty old? What information do you base that on? As has been said, it is not known if the BIOSes that were infected were old or new, so again, don't speculate about that. And if you speculate, please share with us how you would come to the conclusion that it had to be an old BIOS.
I personally don't have much faith in your speculations, especially because you're certainly not an expert on the topic (as shown in your confusion between the BIOS and CMOS).

Of course, first you would have to manually download the malicious file, which should be blocked by most AVs and some browser protection, then manually run the malicious file, which would prompt notifications from both UAC and the Windows digital file checker.

Again those speculations; you have no idea how those people got infected, so stop acting like you know. Keep to the facts, please. Neither do you know if AV can currently protect against this threat; in fact, since it is brand new, it is very likely that the AV companies don't have a working sample yet and therefore can't protect against it. The same goes for the browser protection you mention; it is so new that I don't think they would be able to protect against this.
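A defender-side check that follows from the BIOS/CMOS distinction above, as an added example that is not code from the thread or from anyone in it: the firmware image reports its own vendor, version and date through DMI, and Linux exposes those strings as files under /sys/class/dmi/id. Baselining them and comparing on later boots makes a reflash to a different image visible, while clearing the CMOS (settings only) leaves them untouched. The baseline file format, the function names and the constructed stand-in for sysfs are my own assumptions.

```python
"""
Added example (not from the thread): baseline the BIOS identity the firmware reports
through DMI and report later changes. Reads the real sysfs files bios_vendor,
bios_version and bios_date under /sys/class/dmi/id; everything else here is my own.
"""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# One sysfs file per DMI "BIOS Information" string (these three exist on any Linux with
# CONFIG_DMIID; tracking exactly these is my choice).
DMI_FIELDS = ("bios_vendor", "bios_version", "bios_date")


def read_dmi(sysfs_dir: str | Path = "/sys/class/dmi/id") -> dict[str, str]:
    """Read the tracked fields; a missing or unreadable file becomes '' so a run never crashes."""
    info: dict[str, str] = {}
    for field in DMI_FIELDS:
        try:
            info[field] = (Path(sysfs_dir) / field).read_text(encoding="ascii", errors="replace").strip()
        except OSError:  # FileNotFoundError or PermissionError (some sysfs files need root)
            info[field] = ""
    return info


def compare_firmware(current: dict[str, str], baseline: dict[str, str]) -> list[str]:
    """One line per field that changed; an empty list means the reported BIOS identity is unchanged."""
    return [
        f"{field}: baseline {baseline.get(field, '')!r} -> now {current.get(field, '')!r}"
        for field in DMI_FIELDS
        if baseline.get(field, "") != current.get(field, "")
    ]


def check(baseline_path: str | Path, sysfs_dir: str | Path = "/sys/class/dmi/id") -> list[str]:
    """First run stores the baseline and reports nothing; later runs report differences."""
    current = read_dmi(sysfs_dir)
    baseline_file = Path(baseline_path)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=2, sort_keys=True))
        return []
    return compare_firmware(current, json.loads(baseline_file.read_text()))


def _write_fake_sysfs(directory: Path, vendor: str, version: str, date: str) -> None:
    """Constructed stand-in for /sys/class/dmi/id so the logic can be exercised offline."""
    for field, value in zip(DMI_FIELDS, (vendor, version, date)):
        (directory / field).write_text(value + "\n")


def simulate_reflash() -> tuple[list[str], list[str]]:
    """
    Constructed scenario: baseline a machine, run the check again with the same image,
    then pretend the BIOS was reflashed to a different image (strings change).
    Returns (findings with the same image, findings after the reflash).
    """
    with tempfile.TemporaryDirectory() as tmp:
        sysfs = Path(tmp) / "dmi"
        sysfs.mkdir()
        baseline = Path(tmp) / "bios-baseline.json"
        _write_fake_sysfs(sysfs, "ExampleVendor", "1.23", "01/15/2013")
        check(baseline, sysfs)            # first run: stores the baseline
        same = check(baseline, sysfs)     # same image: nothing to report
        _write_fake_sysfs(sysfs, "ExampleVendor", "0.01", "06/30/2013")
        changed = check(baseline, sysfs)  # different image: version and date differ
    return same, changed


if __name__ == "__main__":
    same, changed = simulate_reflash()
    print("same image:", same)
    print("after reflash:", changed)
```

Run it on a real machine with `check("/var/lib/bios-baseline.json")` from a boot-time job. It is a cheap sanity check, not attestation: an image built to report the same strings as the original passes it, so it belongs alongside vendor-signed updates of the kind Littlebits describes rather than in place of them.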
 

Amiga500

Level 12
Verified
Jan 27, 2013
661
If you consider Littlebits' advice ridiculous, then please do give us your full expert opinion on this.
Because all you have done is criticize what I consider pretty good advice.

Carry on and give us all the lowdown on how this malware can be prevented, seeing as you seem to know it all.

Thanks.
 

Binload

New Member
Verified
Apr 21, 2013
15
I'm not really sure which side is right or wrong. Both have valid points (in terms of explanation). However, I will just say this. There is a spelling mistake in Littlebits' post: "coarse", since it should be "course"; while there are a few in mvh69's.
 

ZeroDay

Thread author
Amiga500 said:
If you consider Littlebits' advice ridiculous, then please do give us your full expert opinion on this.
Because all you have done is criticize what I consider pretty good advice.

Carry on and give us all the lowdown on how this malware can be prevented, seeing as you seem to know it all.

Thanks.

That's the point. It's brand new; no one knows for sure how it can be prevented, no one's analyzed it yet.
 

ZeroDay

Thread author
Looks like it could be a hoax, guys. See: http://www.wilderssecurity.com/showpost.php?p=2248065&postcount=32
 

Nedim

Level 12
Verified
Mar 17, 2013
553
ZeroDay said:
Looks like it could be a hoax, guys. See: http://www.wilderssecurity.com/showpost.php?p=2248065&postcount=32

Great news if it's true! That thing scared the s#*t out of me ;)
 

Ink

Administrator
Verified
Jan 8, 2011
22,489
I think many knew something wasn't right about this.

So as you know, if it's too good to be true, then it probably is.
 
