Monday, November 24, 2014

How to experiment and learn about BIOS malware

While trying to make VMWare Workstation work with new kernel in Fedora 20, on the link where I found solution there is a section about extracting BIOS. This section has a subsection in which it is shown how to use custom BIOS for some virtual machine. Because lately I'm all in malware analysis stuff, it occurred to me that this is actually a great opportunity to experiment with BIOS malware for educational and research purposes. Using real hardware for that purpose would be very problematic because it's not easy to modify BIOS just like that. So, in essence, what we would like to do is:
  1. Extract BIOS used by VMWare.
  2. Decompile it.
  3. Modify.
  4. Compile.
  5. Install and use.
So, while searching how to do that I stumbled on PHRACK magazine's article that describes just that, how to infect BIOS. It also describes how to instruct VMWare to stop in BIOS and allow gdb to be attached for BIOS debugging! In the end, it turned out that this topic is well studied already. Here are some interesting resources I found:

Lately, UEFI is much more interesting to experiment with because gradually all the manufacturers are switching from old BIOS to a new boot method that has additional protections. It turns out that VMWare Workstation, starting with version 8 supports UEFI boot, too. All that is necessary is to add the following line to vmx configuration file of a virtual machine:
firmware="efi"
So, this is a great research and learning opportunity. Yet, it is very hard to find information on how to manipulate UEFI BIOS. One reason might be that it is relatively new and not many people know what it does and how it works.

While searching for information on how to infect and manipulate UEFI, I found the following URLs to be interesting:
  1. http://www.projectosx.com/forum/index.php?showtopic=3018
  2. http://wiki.osdev.org/UEFI
  3. http://uefi.org/learning_center/presentationsandvideos
  4. http://linuxplumbers.ubicast.tv/videos/uefi-tutorial-part-1/
  5. http://tianocore.sourceforge.net/wiki/Welcome
  6. http://vzimmer.blogspot.com/2012/12/accessing-uefi-form-operating-system.html

Sunday, November 9, 2014

Fedora 20 update to kernel 3.17.2-200 and VMWare Workstation

Well, here we go again. After recent update which brought kernel 3.17 to Fedora 20, VMWare Workstation 10.0.4 had problems with kernel modules. Luckily, after some short googling I found a solution. That solution works. There are two things that might confuse you though:

  1. After cd command and before for loop you have to switch to root account (that is indicated by prompt sign change from $ to #).
  2. The substring kernel-version in patch command should be replaced with a string "3.17". That is actually the name you gave to a file while executing curl command at the beginning of the process.
Anyway, that's it.

Wednesday, September 24, 2014

Anonymous paper reviews and threat of a legal action

I just stumbled on a news story in which scientist claims that his career was severely damaged by anonymous comments on some of his works published on PubPeer. This is very interesting story to follow for several reasons.

For a start, PubPeer is a site for a post publication review. I strongly support such a practice because I believe that everything has to be scrutinized and tested, and it helps authors who can get the best possible feedback, but also helps society in general, too because there is ever increasing problem with scientific ethic. As a side note, I was, and I'm still a big proponent of doing review process in public. That, in my opinion, significantly increases transparency. Anyway, PubPeer fulfils my wishes, but unfortunately for me, it is only concerned with papers from medicine, chemistry and related fields, not from computer science.

In this particular case, the problem is that the author was offered a job on the University of Mississippi, with quite a large annual salary, and for that purpose he quitted his current job. University then revoked the offer and so he lost both the new job, and his current job. Now, he claims that the reason for this are some anonymous negative comments on PubPeer and threatens with a lawsuit asking for identities of those who made those negative claims.

While, as I said, it is very good to have such a site, it doesn't mean that everything should be allowed, more specifically:
  1. Any claims made have to be justified. Unfortunately, anonymity also allows people to make damaging or unjustified claims by being certain that there will be no repercussions.
  2. Unfortunately, negative claim even if not justified casts doubts, so that might be a problem.
  3. In this particular case it is also unknown why the author didn't respond to presented claims about problems in his paper. PubPeer claims they invite first and last author to comment on comments.
  4. Finally, no one should take lightly claims about some paper being invalid, not good, etc. In this particular case, I hope that University of Mississippi verified negative claims and that they didn't take lightly what some anonymous commenters said.
In any case, we'll see what will happen with this particular case.

About Me

scientist, consultant, security specialist, networking guy, system administrator, philosopher ;)