How To Lock Down and Secure the Information on Computer

Stoner | 08-Jun-2007, 11:07 AM | #16

A cached Wikipedia link to showcase the topic...firmware rootkits.

excerpt>>

Quote:
Detection in firmware can be achieved by computing a cryptographic hash of firmware and comparing hash values to a whitelist of expected values, or by extending the hash value into TPM configuration registers, which are later compared to a whitelist of expected values. Code that performs hash, compare, and/or extend operations must itself not be compromised by the rootkit. The notion of an immutable (by a rootkit) root-of-trust ensures that the rootkit does not compromise the system at its most fundamental layer. Rootkit detection using a TPM is further described in Stopping Rootkits at the Network Edge, January 2007.
None of my detection apps currently do that.
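The hash-compare and TPM-extend detection the Wikipedia excerpt above describes, worked through as an added example (not from the forum post or from Wikipedia). The firmware images, the bootloader blob and the "golden" PCR value are all constructed here; a real implementation would hash an SPI-flash dump and compare it with vendor-published values, and the excerpt's caveat still applies: the code that hashes and compares must run from a root of trust the rootkit cannot alter, otherwise a compromised OS could simply report a clean hash.

```python
import hashlib

# Constructed sample "firmware images" standing in for real SPI-flash dumps.
GOOD_FIRMWARE = b"BIOS v1.02 vendor image"
TAMPERED_FIRMWARE = b"BIOS v1.02 vendor image" + b"\x90" * 16 + b"implant"
BOOTLOADER = b"stage-1 bootloader"  # constructed next boot stage


def measure(image: bytes) -> str:
    """Cryptographic hash of a firmware image, hex encoded (SHA-256)."""
    return hashlib.sha256(image).hexdigest()


def build_whitelist(known_good_images) -> frozenset:
    """Whitelist of expected hash values, built from known-good images."""
    return frozenset(measure(img) for img in known_good_images)


def firmware_matches_whitelist(image: bytes, whitelist: frozenset) -> bool:
    """Hash-and-compare detection: True only if the image is a known-good one."""
    return measure(image) in whitelist


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || measurement).

    A PCR can only be extended, never written directly, so code that runs
    after a measurement cannot rewrite the record of what ran before it.
    """
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(stages) -> bytes:
    """Simulate measured boot: start from an all-zero PCR (its reset value)
    and extend it with the hash of every stage, in boot order."""
    pcr = bytes(32)
    for stage in stages:
        pcr = pcr_extend(pcr, hashlib.sha256(stage).digest())
    return pcr


def pcr_matches_expected(stages, expected_pcr: bytes) -> bool:
    """Attestation-style check: compare the final PCR with a golden value
    recorded from a boot that is known to be clean."""
    return measured_boot(stages) == expected_pcr


if __name__ == "__main__":
    whitelist = build_whitelist([GOOD_FIRMWARE])
    print("good firmware on whitelist:",
          firmware_matches_whitelist(GOOD_FIRMWARE, whitelist))
    print("tampered firmware on whitelist:",
          firmware_matches_whitelist(TAMPERED_FIRMWARE, whitelist))
    golden = measured_boot([GOOD_FIRMWARE, BOOTLOADER])
    print("clean boot matches golden PCR:",
          pcr_matches_expected([GOOD_FIRMWARE, BOOTLOADER], golden))
    print("tampered boot matches golden PCR:",
          pcr_matches_expected([TAMPERED_FIRMWARE, BOOTLOADER], golden))
```

The two checks differ in where the comparison happens: the whitelist compare is done by whatever software reads the flash, while the extend chain leaves a value in the TPM that a remote verifier can compare later, so a rootkit that loads after the measurement cannot hide the modified stage from that verifier. Swapping the order of two stages also produces a different PCR, which is why the golden value is tied to a specific boot sequence.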
1002richards | 08-Jun-2007, 11:20 AM | #17
I do all my online sessions via Sandboxie in addition to a firewall, Zone Alarm and others I have seen recommended at TSG. It adds an extra layer of security, plus you can run new progs 'Sandboxed' - to try them out - without installing them.

http://www.sandboxie.com/

Richard.
valis | 08-Jun-2007, 11:24 AM | #18
Quote:
Originally Posted by Stoner
Something to think about today..........from some of the discussions from the 'experts' I've read, it's now possible for malicious script to be injected into a web site that can add code to the firmware of a connected computer's hardware.
this is not only a possibility, this is a very common issue. Skype is currently suffering from stuff that dumps rootkits via scripts, which is obviously a huge problem for Skype; running malicious scripts on pages is pretty common; keep your security high on your browsers and that will eliminate that.

That, and safe surfing.
__________________
Microsoft M.V.P. - Windows IT Professional | M.C.S.A. | M.C.P. - MS Server 2k3 | blog | rate me

"Ask Bill why the string in function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that". - Gary Kildall
Stoner | 08-Jun-2007, 11:39 AM | #19
Hi Tim

Yeah......it gets down to how safe a person's usage is and how much risk they are willing to accept.
As someone in Civ Debate presented....there is no absolute certainty to certain things and this is one of them. We do the best we can.

Thanks richards....I've thought about giving sandboxie a try.
Maybe on my next re-install..........
Did you notice any degradation of performance?
neos1 | 08-Jun-2007, 11:46 AM | #20
Quote:
Originally Posted by Stoner
I agree that a fire wall that only allows what you designate ...is the best choice.
Something to consider, though.......I've heard that some malware/spyware/trojans have the ability to turn off that firewall or alter the rule sets without the owner being aware. So if you are infected, there exists the possibility of outbound security being compromised. And you won't know this in a leak test against your router.

Have you changed the default password in your router?
I have changed the user id and password for the router.

If I understand it correctly, that is the reason Microsoft's Firewall is useless - does not stop anything from leaving the computer.
neos1 | 08-Jun-2007, 11:51 AM | #21
Quote:
Originally Posted by valis
this is not only a possibility, this is a very common issue. Skype is currently suffering from stuff that dumps rootkits via scripts, which is obviously a huge problem for Skype; running malicious scripts on pages is pretty common; keep your security high on your browsers and that will eliminate that.

That, and safe surfing.
I was not disagreeing with Stoner. I guess it was a stick my fingers in my ears sort of reaction. I thought I was well informed and here is something that I hadn't even heard of that was more insidious than all of the other things combined.
Stoner | 08-Jun-2007, 11:56 AM | #22
Quote:
Originally Posted by neos1
I have changed the user id and password for the router.

If I understand it correctly, that is the reason Microsoft's Firewall is useless - does not stop anything from leaving the computer.
Personally, I want control over all connections, so that includes outbound.

I have seen the argument presented that if a computer already has unauthorized outbound traffic, the system is already compromised and relying on any filtering is a risk.
If un-compromised....all outbound traffic is legit.

Not my argument....just repeating what I've heard.
Stoner | 08-Jun-2007, 12:02 PM | #23
Quote:
Originally Posted by neos1
I was not disagreeing with Stoner. I guess it was a stick my fingers in my ears sort of reaction. I thought I was well informed and here is something that I hadn't even heard of that was more insidious than all of the other things combined.

Better to learn about it this way than by experience
valis | 08-Jun-2007, 12:32 PM | #24
Quote:
Originally Posted by Stoner
Better to learn about it this way than by experience
which is precisely how I learned. an alternate member of my family d/l about 106k trojans in about 10 seconds onto my machine.....

if you want a rather cursory scan of your machine for security purposes, you can use gibson's site (http://www.grc.com/default.htm, click on 'shieldsup', follow the prompts) and you'll get a rough idea of how secure your machine is. For instance, my wife has a few ports open on her rig; then again, she uses wireless, so that's not entirely uncommon. Wireless likes to be heard. My rig is registered as 'invisible', which is very good, but again, this is just gibson's security site, and while he's good, he's not as good as some of the folks out there writing malicious code.

Always keep your security settings for the internet on high. Any site that wants to write something to my pc has to have my express written authorization (sorta like MLB) or I don't let it. As stoner put it, better to learn this way than through experience, and this is why I don't let sites write to my machine.

But see what gibson's tells you; that's as good a starting point as any. Curious to see the results, then we can begin closing whatever doors are open.
neos1 | 08-Jun-2007, 12:52 PM | #25
So according to the SubVirt PDF (Samuel T. King and Peter M. Chen) "The only time the VMBR loses control of the system is in the period of time after the system powers up until the VMBR starts. Any code that runs in this period can access the VMBR's state directly. The first code that runs in this period is the system BIOS. The system BIOS initializes devices and chooses which medium to boot from. In a typical scenario, the BIOS will boot the VMBR, after which the VMBR regains control of the system. However, if the BIOS boots a program on an alternative medium, that program can access the VMBR's state.
Because VMBRs lose control when the system is powered off, they may try to minimize the number of times full system power-off occurs. The events that typically cause power cycles are reboots and shut-downs. VMBRs handle reboots by restarting the virtual hardware rather than resetting the underlying physical hardware. By restarting the virtual hardware, VMBRs provide the illusion of resetting the underlying physical hardware without relinquishing control."

So I bought this computer used from a company that takes corporate leases that have expired, refurbishes said machine and sells them to the highest bidder. It is possible that this computer came to me infected with a Virtual Machine Bios Rootkit already installed and there is no way for a regular guy to be able to detect or remove it.
__________________
"I know that most men, including those at ease with problems of the greatest complexity, can seldom accept even the simplest and most obvious truth, if it be such as would oblige them to admit the falsity of conclusions which they have delighted in explaining to colleagues, which they have proudly taught to others, and which they have woven thread by thread, into the fabric of their lives". Leo Tolstoy
valis | 08-Jun-2007, 01:17 PM | #26
even if it's a vm rootkit, it should be able to be removed. if you think that your machine is infected, click the red triangle next to one of your posts (upper right) and have it moved to security where they will be able to tell you if you are, indeed, infected. I've had to deal with exactly one vm rootkit, and it wasn't that difficult to get rid of, so I know that they can be removed; this was back in december, though, and things may have stepped up a bit since then.
neos1 | 08-Jun-2007, 01:38 PM | #27
There are four LEDs A, B, C, D, that light an amber green and for the life of me I cannot remember if when I powered down, all of them went dark. Lately I've noticed that C stays lit after power down. The one tell that a machine may be infected with a BIOS level rootkit is that the LEDs do not go out when powered down.

I have GRC bookmarked. I'll head over there and let you know the results.
lotuseclat79 | 08-Jun-2007, 02:01 PM | #28
Quote:
Originally Posted by neos1
I'm behind a router, and when I do a leak test it shows all of my ports in stealth mode, and I'm using a firewall called Netveda which requires rules to be set up. When first installed in is in learning mode but then eventually the firewall quits asking for instructions until an update changes a program in some significant way, i.e., I updated to Firefox 2.0.0.4 and got flags asking if I wanted to trust the newly updated version.

To be honest I'm not savvy enough to know if I have my Firewall configured well. I've read that Firewalls that require rules to be written are not only the more personally configurable but are better at stopping attacks - that is if the rules are written correctly. What say you?
When the leak test you run indicates all of your ports in stealth mode - is that all of your ports from 0-1024 or all of your ports from 0-65535?

The leak tests at http://www.firewallleaktester.com are considered fairly complete though there are others cited at Wilders Security Forums at: http://www.wilderssecurity.com

Rootkits that infect the BIOS, and Polymorphic trojans (able to morph their identity which makes it about impossible to identify) are definitely to be reckoned with, however, they are very rarely found in the wild on the Internet - esp. the Polymorphic trojans which you would expect.

Since most nefarious rootkits are placed for the motive of profit these days, the home user is not a big target like corporations with industrial secrets.

I would recommend using a USB based OS browser combo that creates a fake file system in memory the same as a Linux Live CD (which is what I use). When I surf, my disks are unmounted. And anything that gets into memory is wiped when I power down. If the rootkits and trojans require saving to a file system, memory is as far as they get on my computer - and then el wipo when I shutdown! That does not mean that the BIOS could not be compromised, however, I would probably have to visit a website that cannot be trusted to get the compromising software loaded onto my system because my iptables firewall is very restrictive regarding ports and dumps anything that is not first requested.

-- Tom

P.S. I would also go with NOD32 which is probably the best heuristic malware detector, however, I also recommend visiting the http://www.av-comparatives.org website to see the testing data on the best AVs available today. Also highly recommend using Watcher from: http://www.donationcoders.com/kubicl...her/index.html which saved my butt after I had unknowingly downloaded and installed some malware - and on the next reboot, it gave me a chance to rescind the installation - whew! that was close.
__________________
The independence created by philosophical insight is - in my opinion - the mark of distinction
between a mere artisan or specialist and a real seeker after truth. - Einstein 1944
Imagination is more important than knowledge. - Einstein

Last edited by lotuseclat79; 08-Jun-2007 at 02:33 PM..
1002richards | 08-Jun-2007, 03:28 PM | #29
Quote:
Originally Posted by Stoner
Hi Tim
Thanks richards....I've thought about giving sandboxie a try.
Maybe on my next re-install..........
Did you notice any degradation of performance?

IE & Firefox perhaps a tiny bit slower to load, but nothing irritating.
Hope it suits your needs. Here's an independent review at Tech Support Alert, it's #4 on this list:

http://www.techsupportalert.com/best..._utilities.htm

Richard
neos1 | 08-Jun-2007, 05:20 PM | #30
Quote:
When the leak test you run indicates all of your ports in stealth mode - is that all of your ports from 0-1024 or all of your ports from 0-65535?
The first 1024 ports.

I downloaded all the leak tests at http://www.firewallleaktester.com and did the AWFT test first, because I downloaded them into a folder and XP alphabetizes. Except for test number 1, I failed the other 4.

I had to shut down my anti-virus to download a couple of the tests.

I cannot remember what happened, but a few weeks ago every time that I would log on to TSG and then make the jump to a forum page I would lose my log in and even if I logged into that page it would jump back to the TSG welcome page and when I made the jump, say to tips and tricks, I would lose my log in again. It is happening again and I cannot figure out what has changed. Cookies are enabled. I cleared the cookie cache. I've reset the firewall back as it was. I've rebooted. I rebooted the router. Can't figure it out. Oh I'm on another computer, only reason why I can post. I've been working on this for the past two hours. Anybody got any ideas?
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.