BIOS Security - Changing EEPROM's to EPROM's
Luiz da Camara Leme
05-23-1999, 04:14 PM
Hi all
I have recently had several computers with damaged BIOS, contaminated by tampering. This tampering, among other things, prevented HD defragmentation, and a Trojan or Worm of some sort was making copies of whatever we were doing in the computer, passwords included, and storing them somewhere in the HD. When connected to the NET, everything was going out to those who did it.
We want some *bullet* proof BIOS and I was thinking of using a brand new Flash EEPROM with fresh BIOS, having them configured to the computers' needs (they all use the same brand of motherboards, in two models only) and programming new UV erasable EPROM's.
Those UV erasable ones can't be contaminated, greatly increasing security, including against Chernobyl-like viruses.
The questions are:
Has anybody done that before ?
Does it work properly ?
Any problems found that could be circumvented?
ANY kind of info and/or suggestions will be very much appreciated.
Thank you
Luiz
800XL
05-24-1999, 02:37 AM
There are some flaws in trying something like this, though I do like the idea.
First, many flash chip form factors may not have an EPROM or PROM equivalent chip readily available. Take for example the 2Mb TSOP flash chip found on your average Intel motherboard these days. It is hard enough to find the flash chips, much less a non-writable alternative.
Second, many motherboard/bios designs these days actually store a large portion of the CMOS settings in the Flash ROM. Quite a few more boards than you would imagine use this trick. This makes for some serious work to change hardware around as the PNP data for PCI cards would have to be re-burned into your ROM if you so much as moved a video card over one slot.
It is a brute force solution, which I like, but it creates a serious headache in terms of execution and upkeep. I would start a vigorous anti-virus education and investigation policy in the workplace instead. Teach your users what to watch out for, how to back up their files, how to scan downloaded files for viruses, and what to do if they think they've got one. This also cuts down on the time you spend replying to the "Good Times" emails you get from users you support about once every year, as they will learn to recognize a hoax. Get good enterprise-wide virus software installed and keep up with the updates for it. Your BIOS idea helps with Chernobyl-esque virii, but you will still need to protect data on the drive. Why spend so much time protecting the bios when the data is so much more valuable anyway? What is $100 on a motherboard compared to your boss's credit card number?
steves
05-24-1999, 04:44 AM
Spot on 800. Also the lack of sockets on modern motherboards would require some very capable soldering (even with the right kit).
I work for a software house and we have a solid (but non-restrictive) anti-virus setup, and as a result viruses are not a problem. Everyone is allowed net access at lunchtimes and out of hours (plus a large number of all-day 'surfers'), so the opportunity for virus attack is large, but being software engineers most employees know the risks and take appropriate precautions (the standard PC setup includes anti-virus software anyway).
Interestingly enough, the companies that seem to have most problems with viruses are those that have the most restrictive approach, i.e. minimal internet access (essential mail only) and restrictive access to machines with floppy drives. Presumably this just encourages complacency.
Must stop rambling on :-)
Steve
Luiz da Camara Leme
05-24-1999, 09:09 AM
Hi Steves & 800XL
Thank you very much for your reply.
Due to the open nature of this forum, I wasn't very clear about how serious and complex this situation is.
I really need to have someone answer my first post's questions, because everything else has already been done.
1. I was using Intel motherboards in all computers and changed them all to ASUS (from ASUStek) P2B and P5A-B models because of this.
Those motherboards have very common 32-pin dual in-line 2 Mbit Flash EEPROM's that could have substitutes available.
2. The BIOS and HD contamination did not come from the Internet. They were intentionally done by people who have gained physical access to the company's building, and I suppose this is being *sponsored* by someone I can't stop for the time being.
3. The company is a registered user of one of the world's best software houses, with weekly upgrades being done.
This software and many others could not detect the Trojan that was working around and sending over the net everything that was being done.
After this was solved, new break-in and new contamination, and we started getting copies of everything we do in virtual folders somewhere that scans from the would later read.
FW was reconfigured to prevent that but they somehow circumvented that.
This *animal* somehow resists formatting of the HD.
Another *quality* of this animal is instant copying of anything that uses the command *Edit Copy* or *Edit Cut*. The HD instantly works to save that.
Yes, this could be a way for the legal user, trying to avoid typing, to get the encryption software passwords in place from a previously typed text... but we already know this *quality* of the *animal*.
Its method of propagation is by *Copy*ing a file, by *Send it to*, or simply by reading a diskette.
We learned it the hard way. We brought in a brand new laptop and the day it arrived we started putting in the software. Since our major *Suite* is upgrades from older versions (on diskette), we had to insert the #1 diskette when the new version on CD-ROM asked us to do so. Yes, you guessed: it now stands idle and contaminated too!
And we can't get rid of this!
4. Since all concerned hard drives are in drawers and never left at the company, the HD contamination came from the diskettes that were there, or from the BIOS.
BIOS reserved memory is very large these days. Enough for very large programs...
5. The difference between my boss's credit card number and the $100 motherboard is that these people are not after my boss's credit card, but after the files we have in the computers :-)
6. Believe me, everything that could be done, I already did.
The only things left are:
a) A BIOS that could not be tampered with and that would never be left in the company.
b) New hard drives and new clean software.
7. Thus the questions of my first post.
If I have to buy special motherboards I will do it, provided I can get their BIOS in 2 Mbit EPROM or PROM to be sure they are not tampered with. We could choose one that doesn't keep CMOS settings in the Flash EEPROM.
As you said, it is a brute force solution, but a marvellous one, and the only one I think could solve this problem.
I already contacted ASUS and the first answer I got from them was:
***The ESCD can't be updated during system boot if you use EPROM instead of EEPROM***
So I insisted with ASUS for a more complete answer last Friday.
But I also got this comment on the ASUS reply from somebody else:
***Once you plug in the EPROM, you can no longer change the settings. EPROMs can't be written to by the system so you can't make any changes. But you can always put the EEPROM back in, make changes, and then burn a new EPROM. Not being able to change the ESCD just means that the system won't accept any changes (new hardware, etc.). That is not important if you can burn EPROMs as necessary. As I mentioned above, you can make changes on the EEPROM and then burn a new EPROM. Your system will otherwise function normally.***
(about the already mentioned *trick* of CMOS settings in the Flash ROM, that could be a problem)
8. Now, is there someone with some experience in these matters, who has already tried this solution, or with interest in finding a solution, that could help me out of this?
Thank you for your cooperation
All the best
Luiz
800XL
05-24-1999, 07:05 PM
I think you are going a little out of the scope of what we could cover on this forum. I believe what you desire could be done, but I doubt its effectiveness in stopping your 'infestation' or preventing anything other than damage to the bios on these systems. If the files are your main concern as you say, then creating a method to quickly and easily restore the bios using a PROM burner (~$200-400 investment) would allow you to restore your systems if/when they are infected. I know you want to prevent this problem, but 'write protecting' the BIOS is only going to catch a very small portion of the problem. Don't take this the wrong way, as I mean no offense, but it might be wiser to invest in a better security system if this is a physical break-in problem as you seem to state.
To hit some of your points:
1) Those ROMs should have fairly easy-to-find EPROM substitutes and would work well to do what you need. Start calling around to electronics merchants and see what you can find for a substitute.
2) Tighten local security. Hire a guard if you must. A physical threat can't be stopped completely without removing the computers from the location except when in use.
3) To purge this beasty from your hard drives, you can usually run fdisk /mbr with the drive hooked up as a primary master. Otherwise, try some of the hard drive utilities available that allow you to 'zero-fill' a drive and write over ALL of the sectors of the drive. Virii that persist after a format almost always live in the boot sector of the drive, which is cleaned with fdisk /mbr or a zero fill program.
4) Clean the hard drives as above. For the floppies, some software out there must be able to disinfect them. Gather every floppy you can find and clean them too. I am still finding FORM-A on an old floppy every so often that hid from cleaning. The bios is trickier, you need to be able to detect and cleanse that bios infection no matter what path you choose to take.
5) Tighten network security and don't store files on workstations. I thought about saying 'the boss's girlfriend's phone number', but I thought that was a bit too much. ;-)
6) I think the drives can be recovered, but you must take great care dealing with them. Don't spread any boot floppy you use to anything else. The tamper proof bios would only protect your hardware and slightly slow the spread of the disease.
7) The ASUS reply mirrors my comments regarding CMOS settings stored in the Flash ROM. You may be faced with some sort of error message every boot if the ROM is not writeable, but I do believe there is a way to make it work.
8) I'm interested, but not enough to spend my already cramped free time pursuing the solution. If I come up with any ideas, I will add them to this post. I deal a lot with bios issues day to day and have access to most of the tools and parts needed to attempt this. I can't promise much, but I may decide to give this a try at some point. You could try talking to the various board makers and see if there is a board with the capabilities you need (CPU support, AGP, etc.) and ask if the ROM could be replaced with an EPROM or PROM chip that is totally non-writable. There might be one out there just right for this.
steves
05-25-1999, 08:12 AM
Nothing major to add, although it has to be a last resort; physical/electronic/software security should come first. Let us know how it goes.
Some small points/ideas:
I assume you have a network, so could you rip the floppy drives out of the majority of your machines, leaving only the most secure machines with floppies? I only really use floppies to take big downloads home (or occasional work), so I wouldn't consider it too much hassle to have to go and get a key off the system manager to obtain access to a floppy. Of course, after the floppies you would probably need to remove the CD-ROMs, which could be more difficult (most software can be installed from a network drive though).
A total aside, but lots of upgrade software will accept you pointing it at its own installation disk 1 (or CD, or a network drive). I've done several Microsoft installations this way as it saved time searching around for the originals ;-) Haven't tried it on any new (<12 month old) products so don't know if they have caught on.
If we are talking about an EEPROM-resident virus, re-flashing the BIOS should remove it, or at least its hooks into the BIOS (if it resides in a blank bit of EEPROM that is not being used).
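A defender-side check for the point raised twice above (800XL: you must be able to detect the bios infection whatever path you choose; steves: a virus may sit in a blank bit of EEPROM). This is an added example, not code from the thread or from ASUS: given a dump of the 2 Mbit chip read out on a programmer and the known-good image that was burned into it, it hashes the dump, lists the byte ranges that changed, and flags anything written into regions that were erased (0xFF) in the good image. The two images below are constructed, and the 128 KiB body size is an assumption.

```python
import hashlib
# Constructed values: a 2 Mbit (256 KiB) part, the size of the DIP-32 flash discussed above.
ROM_SIZE = 2 * 1024 * 1024 // 8
CODE_LEN = 128 * 1024   # assumed: the BIOS body fills the low half, the rest is erased padding
ERASED = 0xFF           # erased flash/EPROM cells read back as 0xFF

def sha256_hex(data: bytes) -> str:
    """Hash of a dump, to compare against the hash recorded when the chip was burned."""
    return hashlib.sha256(data).hexdigest()

def diff_regions(golden: bytes, dump: bytes):
    """Byte ranges (start, end) where dump differs from golden; end is exclusive."""
    if len(golden) != len(dump):
        raise ValueError("image size mismatch: wrong chip or truncated read")
    regions, start = [], None
    for i, (a, b) in enumerate(zip(golden, dump)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(golden)))
    return regions

def padding_runs(image: bytes, min_run: int = 64):
    """Runs of at least min_run erased bytes: the 'blank bit of EEPROM' an implant could hide in."""
    runs, start = [], None
    for i, b in enumerate(image):
        if b == ERASED:
            start = i if start is None else start
            continue
        if start is not None and i - start >= min_run:
            runs.append((start, i))
        start = None
    if start is not None and len(image) - start >= min_run:
        runs.append((start, len(image)))
    return runs

def hidden_in_padding(golden: bytes, dump: bytes):
    """Ranges inside the golden image's padding that are no longer erased in the dump."""
    return [(s + a, s + b) for s, e in padding_runs(golden)
            for a, b in diff_regions(golden[s:e], dump[s:e])]
# Constructed images: GOLDEN is a pseudo-code body (no 0xFF bytes) plus erased padding;
# TAMPERED patches 16 bytes in the body and writes 256 bytes into the unused area.
GOLDEN = bytes(i % 251 for i in range(CODE_LEN)) + bytes([ERASED]) * (ROM_SIZE - CODE_LEN)
_t = bytearray(GOLDEN)
_t[0x1000:0x1010] = b"\x00" * 16
_t[0x30000:0x30100] = b"\xEB" * 256
TAMPERED = bytes(_t)
```

Against the constructed TAMPERED image, diff_regions reports the patched body bytes at 0x1000-0x1010 and the implant at 0x30000-0x30100, and hidden_in_padding singles out the latter as data living in what should be blank EEPROM.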
SysOpt.com
Copyright Internet.com Inc. All Rights Reserved.