On Tue, Oct 14, 2003 at 12:44:20PM -0700, John Young wrote:
> We received the note below about spyware allegedly created for a Maryland agency with code which needs to be tested. We'd appreciate feedback on the note and the code. Beware of a sting. The code:
So what? The code hooks into the bootstrap phase of the BIOS, decompresses some unspecified stuff (I have not verified whether it actually *CAN* successfully decompress anything and what algorithm it uses; just skimmed the code to see whether it tries something really spiffy) and executes the injected code at the end of the BIOS bootstrap. This is *NOT* the interesting part.

The interesting part is the payload it is to deliver. The claim "This enables the software to spy on the user and remain hidden to the operating system." rather interests me. How do they achieve this in an OS-agnostic fashion?

I know this may be passing premature judgement, but to be honest I think the code looks pretty amateurish and has at most beta quality. Most Romanian virus writers should be able to come up with something better in less than a day. Give them a week and they have something that works on a *MUCH* wider range of hardware than just two types of mobos/machines.

Thanks for the demonstration though. Does this agency seriously think we believe they might be using the above mentioned code in a "production environment" some day? Tsk tsk tsk...

Cheers,
Ralf

--
Ralf-P. Weinmann <rpw@uni.de>