The Mebromi BIOS Rootkit Hype: An adapted version of Kris Kaspesky ISA ROM shell coders?

Is the Mebromi BIOS Rootkit hype is based on an adapted version of Kris Kaspesky ISA ROM shell coders?


Well, this is probably one of the most hillarious thing that ever happened if it's true. I need to investigate further. I cannot say for sure until further evidence confirm my suspicion. From quick glimpse, it looks like infecting the IVT of Windows XP (probably I'm wrong) . So, stay tuned!

Tweeting New Articles

I'm starting to tweet link to articles I'm writing. I've been too busy lately. Probably that should be enough for sometime. You could follow the update over at twitter @Pinczakko. Of course, this blog will still be more in-depth.

Implanting malicious hardware

After reading this and this over at Bunnie's blog, I came to think that how easy someone can "implant" malicious hardware anywhere in the supply chain before the hardware reaches it's destination. Ball Grid Array chips are complex beast to work with physically. But, with the BGA reballing tool, even a complex chip like that could be replaced with ease (quote from Bunnie's blog):

Before seeing this, I was under the impression that reballing was an involved process, but with this jig the operator could strip and reball a chip in under a few minutes, which translates to a labor cost of a couple dozen cents

This is insane. In PC motherboard, the chipset is mostly in BGA packaging. Flash ROM chips these days are back in the old "DIP" (Dual In-line Package), so it's quite easy to work with. But, to think that even BGA chips could be altered with ease is just mind boggling.

Malicious Code Execution in PCI Expansion ROM Article

The "Malicious Code Execution in PCI Expansion ROM" article is up. You could read it over at: http://resources.infosecinstitute.com/pci-expansion-rom/.

It's a mix of old and new things; from what we have known from the old PCI expansion ROM as mentioned in PCI specification and new "feature" added by the PCI firmware spec.