|
Authored by: Anonymous on Tuesday, July 10 2012 @ 05:50 PM EDT |
There is a Rube Goldberg like chain of assumptions about how you might get
infected at this level. AFAICT the argument goes that you pick up a virus in the
same old, same old way, but this virus then bodges your boot-loader code as well
as hiding itself in the usual places. So when you boot, the dirty bootloader
(pun intended) re-infects your system, to hide the fact that it is infected.
(There may be mirrors involved here...) It can re-set hash sums or file sizes or
allegedly download all the episodes of 'Yes, Minister' before the rest of your
system knows it is alive.
Theoretically, this kinda, sorta makes sense, but practically....naaah!. Since
you can always run a liveCD to check the hashsum of the bootloader in the first
place! True, if you ran the rootkit-checker from the running system, the (now
surprisingly intelligent and deviously eeevviiilll) bootloader might attempt to
fool the rootkit-checker but seriously, a straight up byte-read would avoid
that. (This is the difference between being *asked* if you have any contraband
in your pockets (cf various Monty Python skits: "oh, that's alright
then.") and being molested by the security guard at the airport. The first
does not even pretend to be actual security while the second at least believes
that if it believes enough, it IS security.)
This all reminds me of the Monty Python skit, because exactly how long do you
think it will take before someone figures out how to write arbitary numbers into
the key-space in the BIOS, which the bootloader reads to determine whether the
grub shim loader code has been properly signed.
Since the key cannot be hardcoded. To fit the scheme, it must be revocable and
thus in writeable storage. Doesn't this sound like CD's and DVD's deja vu all
over again???
[ Reply to This | Parent | # ]
|
|
|
|
|