Some topical, albeit not significant, issues I had with their write-up were the misspelling of CanSecWest as ConSecWest. Minor issue, but it reminds me of the Obama / Osama screw-ups that say more than they mean to. Also, Ars doesn't even link to the PDF at Core's site; that could have been just bad timing, but at least let Core see who is interested in the PDF...
Anywho, on to substantive ranting...
From the article, last paragraph:
This is not the sort of exploit that anyone bothers with on a grand scale. Not only is it highly impractical, it's also pointless—why go to so much trouble to infect a PC running at a Ma and Pa store if you can spend a hundredth of a cent and send them an infected e-mail they'll open and run?
"This is not the sort of exploit that anyone bothers with on a grand scale":
Orly? While I'm against FUDcasting, it's also disturbing to see a widely-read technical column wholeheartedly discount a new, and in my opinion attractive, attack vector. Do they know that people are now not viewing this as a new attack vector? Have they sent out surveys to malware authors asking them, from 1 to 5, if they would consider this vector? I don't know the answer, so I am not going to discount an attack vector right out of the gate. Time will tell. But my guess is that Ars did not do any homework to back up their claim.
"Not only is it highly impractical [...]":
Hmm, also from the article:
"I haven't seen the full text of their presentation [...]".
K., if you're going to say something is impractical but you haven't seen the presentation, then, really? You're gonna say it's impractical? I haven't read the notes either, nor was I at the presentation. I did read this in the PDF from Core:
Real hardware demo
- We infected a Phoenix-Award BIOS
- Extensively used BIOS
- Using the VGA ROM signature as ready-signal.
- No debug allowed here, all was done by Reverse-Engineering and later, Int 10h (Not even printf!)
- Injector tool is a 100-line python script!
So, they're able to inject into an extensively used BIOS with a 100-line Python script. And that's impractical? I would at least ask for clarification from Core before stating, without any other reason, that something is impractical. To me, just from the same source, I see that being very practical. Getting root / Administrator on a machine is not impractical, especially if the target is a single-user computer where the user has granted him/herself Administrative rights.
"[...] it's also pointless—why go to so much trouble [...]":
Orly? If I were a malware writer, I would really like the idea that, regardless of someone reinstalling Windows on their PC, I would be able to reclaim control. So, instead of the lather-rinse-repeat cycle of current vulnerabilities, exploits, and targets, I now have command and control of a device ad infinitum, or at least until the BIOS is re-flashed.
While I generally, and subjectively, agree that complex attacks do not seem attractive to me, I also do not discount them. Let the numbers speak. Wander over to Dan Kaminsky's blog at Doxpara and read up on infrastructure attacks, discussed by ZDNet. Whilst not getting bogged down on defining a complex attack, the psyb0t worm seems pretty complex to me. I am not siding one way or another on whether injecting nastiness at the BIOS level is going to happen or not. And, in that breath, again, I am not discounting it.
The author seems to discount, without objective reasons, an attack vector that has the potential to be nasty in the future. I just don't know why. It's not FUD. Hmm, I'll call it FID: forget, ignore, discount. So, to me, Ars is promoting FID. That's my beef.
Jon