uk-netmarketing Archive
[Previous] [Next] - [Index] [Thread Index] - [Previous in Thread] [Next in Thread]
Subject: | UKNM: Alarming |
From: | James Tarin |
Date: | Tue, 1 Sep 1998 18:16:57 +0100 |
LAA03311
Sender: ownerchinwag [dot] com
Precedence: bulk
Reply-To: uk-netmarketingchinwag [dot] com
[Moderator's Note: I wouldn't normally post this type of email onwards,
however as James is willing to vouch for its authenticity...]
Sorry to post non-marketing related material, but this seems important - I
have a confirmed report of this hitting the Chicago office of a large
multinational organisation the day before yesterday. It seems about as
serious as it gets.
james
_______________________
James Tarin
Director of Strategy, Clarity
Tel: +44 171 397 2911
Fax: +44 171 397 2939
http://www.marketing.co.uk
> Win95/CIH
>
> It used to be the case that a computer virus hitting your machine was simply
> a 'software problem'. Viruses are just computer programs and thus seemed
> limited to affecting other programs and/or data stored on your machine.
> There are many wild claims about software damaging hardware, but most fall
> into one of two categories on closer analysis - overuse leading to failure
> (where it is fundamentally irrelevant that the overuse was driven by a
> software process), and 'friend of a friend' stories (FOAFs are, by nature,
> all but unverifiable).
>
> Software cannot damage (well-designed) hardware. About the worst payload
> that most people imagined was a complete hard drive reformat.
>
> This was the na�ve view. Fortunately, it was also what we saw in 'everyday'
> viruses. The afternoon of 25 June 1998 changed our view of things.
>
> Late that afternoon, researchers at UK-based anti-virus developer Sophos and
> I finally confirmed our worst fears. The payload of a virus Sophos had
> received from a US customer a few days earlier was designed to, and could
> successfully, overwrite part of the BIOS code stored in common Flash BIOS
> chips.
>
> Even worse than that this payload had been implemented, two of the four
> variants were due to trigger that payload on 26 June - the next day. (Two
> variants trigger on 26 April, one on 26 June and one the 26th of every
> month.)
>
> The payload also overwrites the first 1 MB of information on every hard
> drive in the system. This happens regardless of the effectiveness of the
> attack on the Flash BIOS.
>
> The virus is indisputably in the wild. In fact, since being first reported
> little more than a month ago, one of its variants made it onto the July
> WildList! Several anti-virus developers that VB staff are in regular
contact
> with have confirmed receiving samples of at least two variants from
> customers and most have received field samples of at least one variant.
> Across those contacts and from samples sent to VB, we have confirmed field
> reports of all four currently known variants that have the BIOS flashing
> payload.
>
> The BIOS is a special program in an IBM-compatible PC that 'gets the PC up
> on its feet'. More accurately, it finds the PC's feet, then gets it up on
> them. The payload of the Win95/CIH family, if successful in messing with the
> Flash BIOS of an infected PC, will leave the machine unbootable. The part of
> the BIOS that is overwritten is the very first part of the BIOS program that
> runs at power-up or system reset.
>
> PCs on which the Win95/CIH payload has triggered require the BIOS to be
> replaced. This is where a rash of Win95/CIH infections within a company can
> quickly become expensive.
>
> With many PCs this involves opening the case, removing the current chip and
> inserting a replacement one. Obviously the BIOS has to match the
> motherboard: BIOSes tend to be designed for a range of CPUs and for
> particular 'chipsets' (all the other logic circuitry needed to make your
> expensive CPU co-ordinate with all the other components inside your PC).
>
> Alternately, a BIOS chip that has been flashed by the virus is not actually
> damaged. However, it requires a fairly specialized piece of equipment to
> reprogram it with the correct BIOS image. This is an option for people with
> the right contacts and a backup copy of their BIOS' contents. (Admit it -
> you seldom backup your data often enough and have never heard of
> backing-up your BIOS!)
>
> These first two fixes assume that your BIOS is installed in a socket.
> Unfortunately, it is increasingly common (and almost universal in laptops)
> that the Flash ROM chip holding your BIOS is soldered to the motherboard.
> In such machines, a motherboard replacement is effectively necessary.
> Although surface mount Flash ROM chips may be able to be removed and
replaced by a
> suitably skilled technician, it is unlikely to be cheaper and likely to be
> slower to effect this kind of repair. With some laptops it may be more
> economic to buy a new machine.
>
> Who needs to worry about this virus? If you run Windows 95 or 98 you are at
> risk. The virus infects PE format executable files ('programs'). This
> includes Windows NT programs, but the virus will not run and its payload
> cannot trigger under NT. Should you be running Windows 95 on a 386 or early
> 486 your are most likely safe - storing the machine's BIOS in Flash ROM
> became popular towards the tail end of the 486 era. Most, if not all,
> Pentium-based machines will have Flash ROM.
>
> We are still working with the chipset and motherboard designers to ascertain
> exactly which combinations of chipset and Flash ROM are susceptible to this
> payload. We know some Flash ROMs cannot be overwritten because the payload
> uses activation sequences known to not work with them. We hope to make more
> details available as we piece things together.
>
> What should you do in the meantime? If from the above you suspect that you
> may be susceptible to this virus, please download (or obtain through your
> standard means) the very latest update to your anti-virus software, install
> it and scan your PC. Most major anti-virus vendors have updates that detect
> this virus. The safest way to scan is from Dos only mode using a DOS
> scanner.
>
> That is not the same as running a scanner at a DOS Prompt under Windows
> 9x. To be sure, select 'Restart the computer in MS-DOS mode' from the shut
> down menu. If starting from power-up, press F8 when the 'Starting
Windows...'
> message is first displayed and select the 'Command prompt only' option.
> Another possibility is that your anti-virus developer may have provided an
> emergency boot disk. Lastly, if using your own emergency recovery disk,
> ensure it is from an appropriate version of Windows to avoid possible
> FAT32 problems.
>
> If you have NT servers or workstations, it is safe to check them with native
> NT scanners. CIH cannot go resident under NT, so cannot infect nor trigger
> its payload on such systems. Thus, few of the concerns that must be
> considered when testing a Windows 9x machine apply. However, note that you
> should not scan a network share exported from a Windows 9x machine - in that
> case, an active infection on the machine exporting the share can spread
> further. In a similar vein, to check servers running non-Win32 operating
> systems, either run updated scanners native to that OS, or scan them across
> the network from anything other than a Windows 9x workstation.
>
> Should you discover an infection of CIH, it is also most important to
> determine, quickly but safely, how widely the infection has spread through
> your organization. Safely? Remember, this is a fast infector - the act of
> opening a clean file on a machine with an active infection will cause it to
> be infected, if you have write-access to the file.
>
> It is most important to consider files on network shares very carefully when
> planning a network-wide hunt. Files on attached network shares are 'seen' by
> CIH, not just those on local drives. Thus, you should not scan remote drives
> from a Windows 9x machine unless you are sure you are scanning from a clean
> environment.
>
> Should you be concerned, or am I being a tad alarmist? I am concerned. It is
> not my job to sell anti-virus software. In fact, I wish we did not need
> anti-virus software. Sure - I'd be out of a job, but there are many other
> interesting, challenging and fundamentally worthwhile things to work at.
>
> So, should you be worried? In the 36 hours or so leading up to our
> isolating the nature of the complete Win95/CIH payload, colleagues at other
> anti-virus companies were also becoming concerned about this virus. Not
because they
> were aware of its full payload, but because they were receiving samples from
> all around the world and were worried about the disk-trashing due for 26
> June.
>
> Between then and now, we have had reports from (at least) Australia,
> Chile, France, Germany, Japan, Korea, Norway, Romania, Russia, South Africa,
> Taiwan (where it is believed to have been written), the UK and the US. We
> received confirmed reports of BIOSes being reflashed on 26 June.
>
> True - it is difficult to say what the chances are of the virus finding you,
> but it is a fast-infector, meaning that it will quickly spread through most
> possible host files on an infected PC. That neat new utility your friend or
> office colleague gave you the other day, just might have been exposed to
> it.
>
> Can you really be sure where it had been before you ran it?
>
> CIH is widespread, but probably not 'common'. Thus, the threat of exposure
> is low. The BIOS flashing payload however, means that if you are at risk
> of exposure the possible cost of failing to detect it and having the payload
> trigger is higher than in previous viruses.
>
> I have heard people shrug-off this suggestion with a response such as 'New
> BIOSes are only twenty pounds [thirty dollars]'. That is true and if you are
> single user, the risk of exposure may mean the cost of ignoring this virus
> until your next regular anti-virus program update is bearable to you. If the
> Flash ROM containing your BIOS is soldered to the board, with a typical
> replacement cost of three times that you may be a little more worried. But
> imagine if you have to scale that over a large corporate IT infrastructure
> of several thousand PCs?
>
> Maybe you are an 'expert user' accustomed to adding and removing bits from
> your PC? If so, you probably did not consider the additional (and quite
> high) costs of employing suitable technical staff to effect these
> replacements.
[Previous] [Next] - [Index] [Thread Index] - [Next in Thread] [Previous in Thread]