[citation][nom]halls[/nom]At least they admitted their mistake, and are making it right.[/citation]
I dunno, this may be too apologist for my taste. Not sure how this is an actual mistake; do they have a pile marked "good" and another marked "inexplicably loaded with malware" in their spares depots? As a couple folks have already pointed out, this simply has "FAIL" written all over it.
What I want to know is how spyware is running off a motherboard. There is either a dedicated ROM chip for the bot to run off of, or there is an infected BIOS, in either case Dell HAD to know the boards were bad.
[citation][nom]warfart1[/nom]What I want to know is how spyware is running off a motherboard. There is either a dedicated ROM chip for the bot to run off of, or there is an infected BIOS, in either case Dell HAD to know the boards were bad.[/citation]
THIS. Someone has to go out of their way to make something like this happen. For Dell to essentially respond to the issue with, "Whoopsiedaisy, we made a little boo-boo!" is a total side-step. They should be launching a full internal investigation to find the origin of the program(s) as well as how and where the boards were tampered with. Half-arsing it, however, is par for the course for Dell.
Kinda makes me wonder whatever happened with the investigation into those counterfeit i7s, but that's a question for another thread...
[citation][nom]jazz84[/nom]THIS. Someone has to go out of their way to make something like this happen. For Dell to essentially respond to the issue with, "Whoopsiedaisy, we made a little boo-boo!" is a total side-step. They should be launching a full internal investigation to find the origin of the program(s) as well as how and where the boards were tampered with. Half-arsing it, however, is par for the course for Dell.Kinda makes me wonder whatever happened with the investigation into those counterfeit i7s, but that's a question for another thread...[/citation]
Who has told you that they're not investigating this? Why should the results be public? Maybe they will be once they find something.
Who is on the other end of the telemetry feed is what I want to know?
Where are the boards being manufactured?
My guess is (speculation only)they are being made in China and this is more than likey a case of international corporate espionage.
OK fellow geeks, how could this have been anything other than a malicious action on someone's part? There is no way this was an accident and I am sure identifying the offending programmer is easy. So, what will Dell do next?
Also, think about the comments Dell made that non-Windows users won't be affected and Windows users only require updated AV programs to protect themselves. How do either of these protect against a firmware embedded malicious app?
Interesting situation Dell has created for itself.
If the motherboard is infected, then that means that it's in the BIOS itself and it not a worm, but a RootKit, one which installs itself to the BIOS.
The RootKit writes itself to the empty spaces in the BIOS code and depending on if it's an older type RootKit or a newer type RootKit, the older type (v1) will just infect the BIOS where as the newer types will infect the BIOS and the MBR (v2) the the last type of which I am aware of will also load itself to memory (v3).
Those are the developmental stages of each new variety of BIOS RootKit which Loads before the Operating system itself can even load, making it extremely difficult to detect and even to remove.
Video Cards can become infected very easily too once the motherboard BIOS becomes infected and even the firmware of Hard Drives can become infected. Anything which uses a Firmware/BIOS can be infected these days if it is networked and not secured.
When a Motherboard does become infected, the easiest way to remove the infection from the system and any other infections from your hard drives is to pull the drives and set them to one side making sure to label which drive as to which drive is which. the drives can be connected to another system as Secondary drives and fully scanned with several choice pieces of software, then visually looked over with Windows Explorer so as to remove the majority of infections.
The Motherboard itself you should be able to remove the BIOS chip from it's socket, then use the CLR CMOS jumper to clear out anything that might remain behind. You should be able to order a New BIOS chip from the Motherboard Manufacturer or possibly some other company.
If the BIOS Chip is soldered on the Board, then chances are, you're SOL and you'll need to order a new motherboard.
Once you reconnect your drives and boot up the system, you'll still need to run a few scans so as to clear out any registry entries which could not be accessed while the drives were connected externally and maybe catch a few strays that may have been missed in the mean time.
RootKits are only a small part of the whole and usually the RootKit is installed by a worm.
RootKits don't contain worms or anything else, what they do is to provide protection for other pieces of Malevolent software such as Worms, Viruses, Packet Sniffers, Spyware, FastFlux Proxy Networks, Spam Servers, and what ever else Malware Authors may harbor on your system.
After all, it's a Billion Dollar industry these days that's not tied to any one country. Instead, it's all Internet Mafia Gang related. Some Big time whiles others may be small fries.
Not really trying to do anything here except add a little value to the article for those who may read it and not understand how a motherboard could become infected in the first place.
I am a member of the Security Community and offline, I deal with such issues as RootKits and Malware on a regular basis. Family and friends all say I'm the guy to go to when it comes to computer problems. Which can be a bit of an inconvenience when you have other things you may want to do at the time.
As to using the term RootKit, when it comes to the BIOS itself, this becomes more of an inaccurate term seeing as it loads before even the Operating System has a chance to begin to load. BootKit is a more accurate description.
Also, versions 2 & 3 tend to protect themselves by making it extremely difficult to remove the BootKit and any associated infections.
1 - Remove the BootKit with new BIOS chip but fail to clean the drive - BIOS becomes reinfected shortly after.
2 - Clean the Drive without replacing the BIOS chip - Drive becomes reinfected.
3 - Try doing a Clean installation of Windows - Drive still gets infected whether it be from the BIOS or from memory.
I see. You gave good info just came across the wrong way I guess.
I used to be the Information Assurance security officer for an Army installation although that was some time ago. Now I am relegated to the simple tasks of Sys admin. for a large corporation. Much more relaxing.
[citation][nom]jonathan1683[/nom]Thanks for the info, I never heard of having to replace a MB to get rid of a virus. Couldn't you just rewrite the bios/flash it?[/citation]
The BIOS is what controls the motherboard, hence your computer. So what ever you try to boot from, the BootKit is going to load first and it will protect itself. This is why a socketed BIOS chip is important. But there is also the option to password protect your BIOS too which will protect your BIOS providing you use a strong password which can't be attacked and you don't loose the password for when you need to get into your BIOS.
Some of the newer board which have multiple flash options such as the ASUS or GigaByte motherboards, I honestly don't know. I'd say it all depends on what protects they have in place to protect the backup flash along with what ever else they have there would be the determining factors. Cause if anything were to get through, especially when you try to restore a previous BIOS stored on the motherboard, then the motherboard would become toast.
So it would be very important to check out the BIOS backup and protection features before making a purchase. A BIOS chip socket is always a plus.
Thanks for the info I will turn on my password for my bios. Can anyone also describe how a virus would infect the firmware on a hard drive? Also from experience with security related things in the past rootkits can be invisible to AV scanners so they would be hard to detect, but how would you detect a bios infection or a firmware infection? I know there are tools that scan for rootkits, but never heard of a bios scanner?