pallino

BadUSB and BIOS malware


I'm also worried about BIOS and USB firmware infections.

I know the interface to write the BIOS is not public, but unfortunately malware writers decoded it and now have access to it. Can the AV company get help, i.e. access to firmware programming code, from manufacturers? When Mebromi was discovered by 360 and Webroot AV, did Emsisoft also detect it immediately through behavior components, or only after a program and/or signature update? How can and will Emsi protect users from BadUSB?


First of all: Please try to avoid posting in other people's threads, especially if they are already a couple of weeks old. I have split your post into its own thread instead. To answer your questions:

EAM does in fact detect Mebromi based on its behavior. No signatures necessary. The same is most likely true for BadUSB. However, there is no actual malware yet, just a bunch of PoCs, and evaluating the performance of behavior blockers based on non-malicious PoCs isn't possible.


I didn't know the thread is "personal"...

Any chance that AV companies will get access, i.e. the possibility to scan the USB controller's firmware? The BadUSB code that was just posted and is available to everyone: is or will it be detected and blocked, or cause an alert from Emsisoft, since this code will flash the USB firmware?


Attempting to flash the firmware of a USB device triggers a behavior blocker warning about direct disk access. There is no real reason to get access to firmware code anytime soon. Even if you have access to the code, it won't help much. Since the firmware read and write functions are part of the firmware, the output could be faked. So a malicious firmware version could just return the original non-malicious firmware image in case someone tries to read it.

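The point made in the post above, that a read-back of the firmware is only as trustworthy as the firmware answering the read, modelled as a small added example (not code from the thread or from Emsisoft). The device class, the sample images and the out-of-band check are constructed for illustration; the hardware-programmer path is assumed to exist only to show what a trustworthy read would need.

```python
"""Toy model of the caveat in the post above: a USB device's firmware
implements the 'read firmware' command itself, so a read-back check that
trusts the device cannot detect a malicious image.  Names and images here
are constructed for this example."""
import hashlib
from typing import Optional

# Constructed sample images; real firmware would be an opaque binary blob.
CLEAN_IMAGE = b"CLEAN-FIRMWARE-v1.0"
MALICIOUS_IMAGE = b"MALICIOUS-FIRMWARE"
KNOWN_GOOD_HASH = hashlib.sha256(CLEAN_IMAGE).hexdigest()


class UsbDevice:
    """Models the controller's flash chip and the firmware running from it."""

    def __init__(self, image: bytes):
        self.flash = image        # what is physically stored in the chip
        self._reported = image    # what the running firmware answers on read

    def flash_firmware(self, image: bytes, hide_behind: Optional[bytes] = None):
        """Write a new image; a malicious image may keep a clean copy to hand
        back whenever the host asks to read the firmware."""
        self.flash = image
        self._reported = image if hide_behind is None else hide_behind

    def read_firmware(self) -> bytes:
        """The read command is serviced by the firmware itself, so its answer
        is only as honest as the code that is currently running."""
        return self._reported


def readback_check(dev: UsbDevice) -> bool:
    """What host software can do: hash the image the device reports and compare
    it with the known-good hash.  Passes even for a compromised device."""
    return hashlib.sha256(dev.read_firmware()).hexdigest() == KNOWN_GOOD_HASH


def out_of_band_check(dev: UsbDevice) -> bool:
    """Hypothetical check that reads the flash chip directly (e.g. with a
    hardware programmer), bypassing the running firmware."""
    return hashlib.sha256(dev.flash).hexdigest() == KNOWN_GOOD_HASH


def demo() -> dict:
    dev = UsbDevice(CLEAN_IMAGE)
    before = (readback_check(dev), out_of_band_check(dev))
    dev.flash_firmware(MALICIOUS_IMAGE, hide_behind=CLEAN_IMAGE)
    after = (readback_check(dev), out_of_band_check(dev))
    return {"before": before, "after": after}
```

`demo()` returns `{"before": (True, True), "after": (True, False)}`: once the malicious image is installed, only a read that bypasses the running firmware notices anything, which is why an AV scanning through the device's own read command gains little.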

The only defense we users have in the end is prevention, so avoiding firmware changes and relying on the behavioral capability of the AV (and on the user, who must not allow the flash if he sees a warning), since if we get infected it will be very difficult to detect it and even more difficult to get rid of it... while the device will be a dangerous and fast infection vector. Thanks.


What happens exactly from the moment a USB device is connected to the PC until it is accessible? Does the PC check what was connected and get the info from the firmware of the device, or does the device tell the PC what it is?


Since this ongoing discussion is moving further and further away from anything related to product support, I'm going to move your topic to the "Malware and Computer Security" section where it seems to fit better. Emsisoft can always shift it back later if they feel it belongs somewhere else :)


At what stage of the connection process does a BadUSB infection take place, right after a device is connected, kind of a "plug-by download"?

As already explained elsewhere, that is impossible to say, as there is no malicious software exploiting the vulnerability that would allow for a BadUSB infection. But, logically, were that to exist you'd need a connected USB device and a piece of malicious software that is active on the computer. If those conditions are true, a device could be infected.

Does this mean you plug in a device and out of the blue your computer will download BadUSB and flash it to the device? Not really; you'd need to have some malware installed that would check for the presence of USB devices as well as download the BadUSB firmware and flash it to the device. This malware would need to be running on your computer, with everything it (again, logically) would need to do, and as Fabian also already explained, it would be intercepted by Emsisoft's behavior blocker quite some time before it would be ready to actually flash the malicious firmware to the device.

We really can speculate a lot about what malware writers can/will do with the posted source code, but it's just that, speculation. Adequate protection is important to stay safe from such threats and, to be perfectly honest, you'd better spend your time making sure that is okay than worrying about a threat that has as of yet not been seen in the wild. :)


Since this is such a "biggie" and an exploit code example has been released by the people who discovered this, maybe it would be a good idea to test the code and set people's mind to rest.


As already stated earlier:

"Attempting to flash the firmware of a USB device triggers a behavior blocker warning about direct disk access."

Again, this is not about whether or not the code itself works, it's about how said code will be deployed. You can have a malicious piece of firmware on your computer, but that doesn't magically end up on a USB device's firmware chip as soon as you plug it in. If you want to emulate an actual infection using this exploit, you need something malicious that will flash this (preferably without the user of the computer noticing). This doesn't exist yet, and apart from writing a piece of malware to do this (and there really would be no point in that), there is no way to test it.


How will that help testing malicious exploitation of the vulnerability if we already know that flashing firmware will trigger a behavioral alert? :)


So the BadUSB exploit code on https://github.com/adamcaudill/Psychson was already tested, and it is certain that it is detected by Emsisoft?

I (also) asked about an infected USB device that gets plugged into a PC: at what stage of the connection process does a BadUSB infection take place, right after a device is connected to a PC, kind of a "plug-by download", or when the USB device is accessed by Windows?


I already answered that question:

"Again, this is not about whether or not the code itself works, it's about how said code will be deployed. You can have a malicious piece of firmware on your computer, but that doesn't magically end up on a USB device's firmware chip as soon as you plug it in. If you want to emulate an actual infection using this exploit, you need something malicious that will flash this (preferably without the user of the computer noticing). This doesn't exist yet, and apart from writing a piece of malware to do this (and there really would be no point in that), there is no way to test it."
