Test of BIOS Spyware

Ralf-P. Weinmann rpw at uni.de
Tue Oct 14 14:32:34 PDT 2003


On Tue, Oct 14, 2003 at 12:44:20PM -0700, John Young wrote:
> We received the note below about spyware allegedly created for
> a Maryland agency with code which needs to be tested.
> We'd appreciate feedback on the note and the code. Beware
> of a sting. The code:
> 
>   http://cryptome.org/ExpCode.ASM

So what? The code hooks into the bootstrap phase of the BIOS, decompresses some
unspecified stuff (I have not verified whether it actually *CAN* successfully
decompress anything and what algorithm it uses; just skimmed the code to see
whether it tries something really spiffy) and executes the injected code at the
end of the BIOS bootstrap.

This is *NOT* the interesting part. The interesting part is the payload it is
to deliver. The claim "This enables the software to spy on the user and remain
hidden to the operating system." rather interests me. How do they achieve this
in an OS-agnostic fashion?

I know this may be passing premature judgement, but to be honest I think the
code looks pretty amateurish and has at most beta quality. Most Romanian virus
writers should be able to come up with something better in less than a day.
Give them a week and they have something that works on a *MUCH* wider range
of hardware than just two types of mobos/machines.

Thanks for the demonstration though. Does this agency seriously think we
believe they might be using the above mentioned code in a "production
environment" some day? Tsk tsk tsk...

Cheers,
Ralf

-- 
Ralf-P. Weinmann <rpw at uni.de>

More information about the cypherpunks-legacy mailing list