OT: An attempt to learn from a malicious attack by an internet cracker.

on 26.03.2006 08:01:34 by lavron

Recently, an internet cracker managed to break through my computer
defenses and introduced into it a contamination which prevented the
operating system from booting. Furthermore, the intruder also altered
the CMOS storage in a manner which prevented me from reinstalling
either Windows-XP or Windows-98. Only after resetting the CMOS
storage could I successfully reinstall both operating systems.

I hope that someone here can answer the following questions:
1. Which fields in the CMOS storage are the Windows installers
referring to?
2. What is the raison d'etre for the existence of these fields, i.e.,
what is their legitimate purpose?
3. What are the alternative settings in these fields, and what does
each setting mean?

Well, I managed to recover from this malicious attack, and, hopefully,
I will be able to learn something from it.

Thanks in advance.

Re: An attempt to learn from a malicious attack by an internet cracker.

on 26.03.2006 10:30:44 by alexfru

lavron@altavista.com wrote:
> Recently, an internet cracker managed to break through my computer
> defenses and introduced into it a contamination which prevented the
> operating system from booting. Furthermore, the intruder also altered
> the CMOS storage in a manner which prevented me from reinstalling
> either Windows-XP or Windows-98. Only after resetting the CMOS
> storage could I successfully reinstall both operating systems.
>
> I hope that someone here can answer the following questions:
> 1. Which fields in the CMOS storage are the Windows installers
> referring to?
> 2. What is the raison d'etre for the existence of these fields, i.e.,
> what is their legitimate purpose?
> 3. What are the alternative settings in these fields, and what does
> each setting mean?
>
> Well, I managed to recover from this malicious attack, and, hopefully,
> I will be able to learn something from it.
>
> Thanks in advance.

alt.os.development isn't the right group to ask. Anyway, I think the disk
types and CMOS checksum could be damaged and prevent your computer from
working correctly. I'm aware of a virus that exploited not only a security
hole in Windows 98 but also fdisk.exe logic in such a way that fdisk.exe
would not correct the disk's Master Boot Record if the latter had certain
information in it. The virus modified the MBR in such a way that fdisk.exe
would say everything's OK in the MBR while it wasn't, and the MBR was left in
an unbootable state. Zeroing out the MBR before another round of disk
partitioning and formatting helped.

Alex
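Alex's description of a Master Boot Record that fdisk accepted while the disk stayed unbootable is the kind of state a table-only check misses. The following is an added example, not code from Alex or anyone else in this thread: a small Python validator that checks the parts of a 512-byte MBR a boot actually depends on (the 55 AA signature, a non-empty bootstrap code area, exactly one active entry, consistent extents). It assumes the classic DOS-style MBR layout, and the sample images at the bottom are constructed rather than captured from a real disk.

```python
"""Sanity checks for a 512-byte Master Boot Record image.

Added illustration for this thread; not code from any poster. It assumes
the classic DOS-style MBR: bootstrap code from offset 0, four 16-byte
partition entries at 0x1BE (status, CHS start, type, CHS end, LBA start,
sector count; little-endian) and the 55 AA signature at 0x1FE. The sample
images at the bottom are constructed, not captured from a real disk.
"""
import struct

SECTOR = 512
PART_TABLE_OFF = 0x1BE
SIG_OFF = 0x1FE
BOOT_SIG = b"\x55\xAA"
ENTRY_FMT = "<B3xB3xII"   # status, (CHS start), type, (CHS end), lba, count


def parse_partitions(mbr):
    """Decode the four primary partition entries into dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba, "count": count})
    return entries


def check_mbr(mbr):
    """Return a list of problems; an empty list means the record looks sane.

    A partition table can be perfectly well-formed while the sector as a
    whole is unbootable, which is exactly the state a tool that validates
    only the table will report as OK.
    """
    if len(mbr) != SECTOR:
        return ["wrong length %d, expected %d" % (len(mbr), SECTOR)]
    problems = []
    if mbr[SIG_OFF:SIG_OFF + 2] != BOOT_SIG:
        problems.append("missing 55AA boot signature")
    # The BIOS jumps to offset 0 of this sector; all zeros runs nothing useful.
    if not any(mbr[:PART_TABLE_OFF]):
        problems.append("bootstrap code area is all zeros")
    parts = parse_partitions(mbr)
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            problems.append("entry %d: invalid status byte 0x%02X" % (i, p["status"]))
        if p["type"] and p["count"] == 0:
            problems.append("entry %d: typed partition with zero length" % i)
        if p["type"] == 0 and (p["count"] or p["lba_start"]):
            problems.append("entry %d: empty type but non-zero extent" % i)
    active = [p for p in parts if p["status"] == 0x80 and p["type"]]
    if len(active) > 1:
        problems.append("more than one active partition")
    elif not active:
        problems.append("no active partition (nothing to boot)")
    extents = sorted((p["lba_start"], p["lba_start"] + p["count"])
                     for p in parts if p["type"])
    for (a0, a1), (b0, b1) in zip(extents, extents[1:]):
        if b0 < a1:
            problems.append("partition extents overlap")
            break
    return problems


def build_mbr(entries, code=b"\xEB\xFE", signature=BOOT_SIG):
    """Construct a test image (a two-byte 'jmp $' stub as code; not a real boot sector)."""
    img = bytearray(SECTOR)
    img[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, img, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba, count)
    img[SIG_OFF:SIG_OFF + 2] = signature
    return bytes(img)


# Constructed samples: one healthy record, one whose code area was wiped
# but whose table is intact, and one whose only partition is not active.
GOOD_MBR = build_mbr([(0x80, 0x07, 63, 2_000_000)])
WIPED_CODE_MBR = build_mbr([(0x80, 0x07, 63, 2_000_000)], code=b"")
NO_ACTIVE_MBR = build_mbr([(0x00, 0x07, 63, 2_000_000)])

if __name__ == "__main__":
    for name, img in (("good", GOOD_MBR), ("wiped code", WIPED_CODE_MBR),
                      ("no active", NO_ACTIVE_MBR)):
        print(name, "->", check_mbr(img) or "looks sane")
```

The "wiped code" sample is the case Alex describes: the table parses cleanly, so a table-only tool sees nothing wrong, while the sector the BIOS executes is empty. Checking the code area and the signature alongside the table is what catches it; rewriting the whole sector, as Alex did by zeroing it before repartitioning, is what clears it.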

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

on 26.03.2006 11:17:16 by Nicholas Sherlock

lavron@altavista.com wrote:
> Recently, an internet cracker managed to break through my computer
> defenses and introduced into it a contamination which prevented the
> operating system from booting. Furthermore, the intruder also altered
> the CMOS storage in a manner which prevented me from reinstalling
> either Windows-XP or Windows-98. Only after resetting the CMOS
> storage could I successfully reinstall both operating systems.

How do you know that it was an external attack which caused this problem?

Cheers,
Nicholas Sherlock

--
http://www.sherlocksoftware.org

Re: An attempt to learn from a malicious attack by an internet cracker.

on 26.03.2006 12:41:28 by CJ

lavron@altavista.com wrote:
> Recently, an internet cracker managed to break through my computer
> defenses and introduced into it a contamination which prevented the
> operating system from booting. Furthermore, the intruder also altered
> the CMOS storage in a manner which prevented me from reinstalling
> either Windows-XP or Windows-98. Only after resetting the CMOS
> storage could I successfully reinstall both operating systems.
>
> I hope that someone here can answer the following questions:
> 1. Which fields in the CMOS storage are the Windows installers
> referring to?
> 2. What is the raison d'etre for the existence of these fields, i.e.,
> what is their legitimate purpose?
> 3. What are the alternative settings in these fields, and what does
> each setting mean?
>
> Well, I managed to recover from this malicious attack, and, hopefully,
> I will be able to learn something from it.
>
> Thanks in advance.

Sure it wasn't just a failed CMOS battery?

CJ

Re: An attempt to learn from a malicious attack by an internet cracker.

on 26.03.2006 17:44:55 by lavron

Alexei A. Frounze wrote:
> lavron@altavista.com wrote:
> > Recently, an internet cracker managed to break through my computer
> > defenses and introduced into it a contamination which prevented the
> > operating system from booting. Furthermore, the intruder also altered
> > the CMOS storage in a manner which prevented me from reinstalling
> > either Windows-XP or Windows-98. Only after resetting the CMOS
> > storage could I successfully reinstall both operating systems.
> >
> > I hope that someone here can answer the following questions:
> > 1. Which fields in the CMOS storage are the Windows installers
> > referring to?
> > 2. What is the raison d'etre for the existence of these fields, i.e.,
> > what is their legitimate purpose?
> > 3. What are the alternative settings in these fields, and what does
> > each setting mean?
> >
> > Well, I managed to recover from this malicious attack, and, hopefully,
> > I will be able to learn something from it.
> >
> > Thanks in advance.
>
> alt.os.development isn't the right group to ask.

Since I was concerned about this point I marked the posting OT.

I chose alt.os.development because of the high level of knowhow in the
discussions posted in this newsgroup. Hoping for good information I am
happy with your response and your explanation below. Thank you very
much.

> Anyway, I think the disk
> types and CMOS checksum could be damaged and prevent your computer from
> working correctly. I'm aware of a virus that exploited not only a security
> hole in Windows 98 but also fdisk.exe logic in such a way that fdisk.exe
> would not correct the disk's Master Boot Record if the latter had certain
> information in it. The virus modified the MBR in such a way that fdisk.exe
> would say everything's OK in the MBR while it wasn't, and the MBR was left in
> an unbootable state. Zeroing out the MBR before another round of disk
> partitioning and formatting helped.
>
> Alex

Re: An attempt to learn from a malicious attack by an internet cracker.

on 26.03.2006 17:46:56 by lavron

CJ wrote:
> lavron@altavista.com wrote:
> > Recently, an internet cracker managed to break through my computer
> > defenses and introduced into it a contamination which prevented the
> > operating system from booting. Furthermore, the intruder also altered
> > the CMOS storage in a manner which prevented me from reinstalling
> > either Windows-XP or Windows-98. Only after resetting the CMOS
> > storage could I successfully reinstall both operating systems.
> >
> > I hope that someone here can answer the following questions:
> > 1. Which fields in the CMOS storage are the Windows installers
> > referring to?
> > 2. What is the raison d'etre for the existence of these fields, i.e.,
> > what is their legitimate purpose?
> > 3. What are the alternative settings in these fields, and what does
> > each setting mean?
> >
> > Well, I managed to recover from this malicious attack, and, hopefully,
> > I will be able to learn something from it.
> >
> > Thanks in advance.
>
> Sure it wasn't just a failed CMOS battery?
>
> CJ

The same CMOS battery is still working now without any problems.

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

on 26.03.2006 17:54:46 by lavron

Nicholas Sherlock wrote:
> lavron@altavista.com wrote:
> > Recently, an internet cracker managed to break through my computer
> > defenses and introduced into it a contamination which prevented the
> > operating system from booting. Furthermore, the intruder also altered
> > the CMOS storage in a manner which prevented me from reinstalling
> > either Windows-XP or Windows-98. Only after resetting the CMOS
> > storage could I successfully reinstall both operating systems.
>
> How do you know that it was an external attack which caused this problem?
>
> Cheers,
> Nicholas Sherlock
>
> --
> http://www.sherlocksoftware.org

What would you consider as alternative causes? I am willing to look
into any suggestion that you might have and consider it in light of my
experience with this situation.

I have already posted my response to a suggestion that it might be a
battery failure.

Re: An attempt to learn from a malicious attack by an internet cracker.

on 26.03.2006 18:34:23 by unknown

Post removed (X-No-Archive: yes)

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

on 26.03.2006 23:56:26 by Nicholas Sherlock

lavron@altavista.com wrote:
> Nicholas Sherlock wrote:
>> How do you know that it was an external attack which caused this problem?
>
> What would you consider as alternative causes?

In situations like these, if you're not too paranoid, it's best to go
with "Never attribute to malice that which can be adequately explained
by stupidity". How do you know that your computer didn't just.. break?
Power spike? Why would someone attack your computer like that? Do you
have a firewall? Antivirus?

Cheers,
Nicholas Sherlock

--
http://www.sherlocksoftware.org

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

on 27.03.2006 02:17:54 by lavron

Nicholas Sherlock wrote:
> lavron@altavista.com wrote:
> > Nicholas Sherlock wrote:
> >> How do you know that it was an external attack which caused this problem?
> >
> > What would you consider as alternative causes?
>
> In situations like these, if you're not too paranoid, it's best to go
> with "Never attribute to malice that which can be adequately explained
> by stupidity". How do you know that your computer didn't just.. break?
> Power spike? Why would someone attack your computer like that? Do you
> have a firewall? Antivirus?
>
> Cheers,
> Nicholas Sherlock
>
> --
> http://www.sherlocksoftware.org


Well, Nicholas, I was expecting stronger arguments than these. Anyway,
let me answer your points one by one:

1. "... if you're not too paranoid ..."

Nowadays, one does not need to be paranoid to be concerned about
crackers' attacks, not when the firewall reports a torrent of intrusion
attempts, many from the same URLs attempting time and again for 20, 30,
40 times and more to break through. Nevertheless, I spent plenty of
time studying and analyzing the situation with as much equanimity as I
could muster.

2. "How do you know that your computer didn't just.. break?"

The computer did not break down. It is running now and it was running
all along throughout the crisis while I was thoroughly testing,
analyzing and investigating the problem.

3. "Power spike?"

The power for the computer is provided by a UPS which also provides
clean power.

4. "Why would someone attack your computer like that?"

Trying to look into the mindset of a cracker is not easy, but I would
think that a person who is willing to invest untold number of
person-hours in an effort to break into other people's computers would
derive a lot of satisfaction from each success. From the point of view
of the cracker, there is a good reason to be very proud of the
brilliant execution of such a powerful attack as the one discussed
here.

5. "Do you have a firewall? Antivirus?"

I have already answered this question in item 1 above. Anyway, this
very question of yours suggests the possibility of an attack by an
intruder.

Finally, I would like to point out that my original questions were
about the CMOS fields tested by the Windows' installers. I hope that
you have some information for me answering these questions.

Re: An attempt to learn from a malicious attack by an internet cracker.

on 27.03.2006 02:30:15 by xpyttl

"Jim Watt" wrote in message
news:0kgd22hb5glatts4a9vt7msp6dcjg6g7vg@4ax.com...

> It's not unknown for the CMOS memory to drop data and
> cause a problem and then work correctly.

Not just "not unknown", but fairly common. Certainly more common than an
external attack changing CMOS.

> Have you actually measured the voltage on the battery ?

If the battery is more than a year old, replace it anyway. To reasonably
measure the voltage on the battery you need a load -- just grabbing a
voltmeter won't do it.

> These things are all more probable than some external
> entity changing it.

It does happen that occasionally the CMOS memory will change without
explanation. Uncommon, but it does happen at a measurable rate. There are
just too many easier ways to cause trouble than messing with the CMOS, so
the script kiddies normally don't play with it.

> But in order to eliminate a possibility, have you ever kept
> a pet ferret ?

Or even a cat. Still more likely than an external attack for the cat to
walk on the keyboard and change the settings.

But you do have a clue there ... if the checksum was wrong, the CMOS was
changed by a voltage excursion or other hardware misoperation rather than
programmatically.

So go back to square one. REPLACE THE BATTERY. Then wait. If it happens
again within a couple of years replace the mobo. If it happens after a
couple of years, it's time to upgrade the box anyway.

...

Re: An attempt to learn from a malicious attack by an internet cracker.

on 27.03.2006 02:42:37 by lavron

Jim Watt wrote:
> On 26 Mar 2006 07:46:56 -0800, lavron@altavista.com wrote:
>
> >> Sure it wasn't just a failed CMOS battery?
> >>
> >> CJ
> >
> >The same CMOS battery is still working now without any problems.
>
> It's not unknown for the CMOS memory to drop data and
> cause a problem and then work correctly.
>
> Have you actually measured the voltage on the battery ?
>
> These things are all more probable than some external
> entity changing it.
>
> But in order to eliminate a possibility, have you ever kept
> a pet ferret ?
> --
> Jim Watt
> http://www.gibnet.com


The problem with the CMOS storage was in effect for more than a week
until I finally did reset it. Could it be that the battery power would
drop for so long and then miraculously recover and maintain its
strength for even longer? Besides, it was not only the CMOS which had
the problem; the boot code on the hard drive was also involved. How
could loss of power in the battery have an impact on the code on the
hard drive? Furthermore, the alteration of the boot code on the hard
drive was very precise - too precise to be caused by a random event.

Anyway, your suggestion to measure the voltage on the battery is a good
one. Thanks.

Re: OT: An attempt to learn from a malicious attack by an internetcracker.

on 27.03.2006 04:31:53 by Nicholas Sherlock

lavron@altavista.com wrote:
> Finally, I would like to point out that my original questions were
> about the CMOS fields tested by the Windows' installers. I hope that
> you have some information for me answering these questions.

While it is possible for programs to write to the CMOS, the problems
that you describe could just have come from a hardware fault.

Windows doesn't explicitly do anything with or to the CMOS (It couldn't
even if it wanted to, AFAICS there is no defined layout or format for
the CMOS), but as the CMOS affects settings for your computer in
general, it could affect the running of the installer.

How do you suppose that a cracker executed malicious code into your
computer when you are running a properly configured firewall? Are you
opening any servers to the internet?

Cheers,
Nicholas Sherlock

--
http://www.sherlocksoftware.org

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

on 27.03.2006 09:35:22 by T933191278

It is not documented, but perhaps it's possible to install a boot program
(or a virus)
in the CMOS. Did you try to restore the CMOS defaults before resetting the CMOS?

Re: An attempt to learn from a malicious attack by an internet cracker.

on 27.03.2006 11:11:27 by unknown

Post removed (X-No-Archive: yes)

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

on 27.03.2006 13:02:39 by Nicholas Sherlock

T933191278@terra.es wrote:
> It is not documented, but perhaps it's possible to install a boot program
> (or a virus)
> in the CMOS

No. The CMOS is just storage space for settings. Code doesn't get
executed from there.

Cheers,
Nicholas Sherlock

--
http://www.sherlocksoftware.org

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

on 27.03.2006 18:43:46 by lavron

Nicholas Sherlock wrote:
> lavron@altavista.com wrote:
> > Finally, I would like to point out that my original questions were
> > about the CMOS fields tested by the Windows' installers. I hope that
> > you have some information for me answering these questions.
>
> While it is possible for programs to write to the CMOS, the problems
> that you describe could just have come from a hardware fault.
>
> Windows doesn't explicitly do anything with or to the CMOS (It couldn't
> even if it wanted to,

On one hand, Nicholas, you agree that "it is possible for programs to
write to [and read from] the CMOS" and on the other hand you claim that
Windows could not do anything with the CMOS even if it wanted to. How
do these two statements of yours sit together?

> AFAICS there is no defined layout or format for
> the CMOS),

Not formally published, but the book "The Undocumented PC" provides
plenty of detailed data and layouts.

> but as the CMOS affects settings for your computer in
> general, it could affect the running of the installer.
>
> How do you suppose that a cracker executed malicious code into your
> computer when you are running a properly configured firewall?

The goal of any ideally absolute security system, computer or
otherwise, is to achieve zero restrictions on the legitimate user and
zero accessibility to the intruder. Such an ideal goal is not
achievable any more than attempts to reach the temperature of absolute
zero. Some restrictions on the legitimate user must be implemented
(e.g., the need for a password or any other access identity), and there
is no way to keep the intruder completely out. While the ideal goal is
not achievable, it can be approached asymptotically. The further down
the asymptote the better the security. But it still leaves small
accessibility to the intruder, and the determined ones explore it and
try to take advantage of it.

For some duration in my past I was employed as a data security officer
in a major bank, and reports about security violations from all over
the world were passing through my desk. The resourcefulness of the
perpetrators was amazing. You had better keep in mind that no matter
how smart you think you are, somebody out there is trying hard to
outsmart you; and no matter how good your security system is, someone
out there is trying to find its Achilles' heel.


> Are you
> opening any servers to the internet?
>
> Cheers,
> Nicholas Sherlock
>
> --
> http://www.sherlocksoftware.org

Re: An attempt to learn from a malicious attack by an internet cracker.

on 27.03.2006 18:55:24 by lavron

Jim Watt wrote:
> On 26 Mar 2006 16:42:37 -0800, lavron@altavista.com wrote:
>
> >
> >The problem with the CMOS storage was in effect for more than a week
> >until I finally did reset it. Could it be that the battery power would
> >drop for so long and then miraculously recover and maintain its
> >strength for even longer?
>
> Yes.
>
> But when the machine is powered, the CMOS is maintained by the
> system power. A surge on that power could corrupt the memory contents
> and running the machine later may force some charge into the battery
> to maintain it thereafter for a while. Assuming it's a nominal 3v
> battery anything less than that means replacement. They carry on
> working quite some way down, but it's not reliable.
>
> As the parameters in the CMOS tell the system what to do with the
> boot disk, corrupt contents could play havoc with it.
>
> Besides, it was not only the CMOS which had
>
> >the alteration of the boot code on the hard drive was very precise -
> >too precise to be caused by a random event.
>
> Shit happens.
>
> --
> Jim Watt
> http://www.gibnet.com


You are entitled to your opinion, but in my opinion the chance of
things happening along your line of thoughts is much smaller than the
chance of winning a big lottery jackpot.

But all this is irrelevant. My questions were about the CMOS fields
tested by the Windows' installers. If you have any information that
would provide answers to these questions I would be happy to continue
this discussion.

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

on 27.03.2006 21:47:33 by Nicholas Sherlock

lavron@altavista.com wrote:
> Nicholas Sherlock wrote:
>> Windows doesn't explicitly do anything with or to the CMOS (It couldn't
>> even if it wanted to,
>
> On one hand, Nicholas, you agree that "it is possible for programs to
> write to [and read from] the CMOS" and on the other hand you claim that
> Windows could not do anything with the CMOS even if it wanted to. How
> do these two statements of yours sit together?

Windows could read and write from the CMOS, no problem (I can't think of
a reason why it would want to. If Windows wanted to know anything, it'd
ask the BIOS). The problem is that the CMOS's contents are nonsense,
AFAIK there is no defined format for the CMOS. Perhaps I am wrong, but I
can't find anything definitive on the 'net.

>> AFAICS there is no defined layout or format for
>> the CMOS),
>
> Not formally published, but the book "The Undocumented PC" provides
> plenty of detailed data and layouts

And what would Windows gain by relying on these undocumented values??
They're just system settings. If system settings are screwed up, your
computer will run screwed up. No magic involved.

>...out there is trying to find its Achilles' heel.

So are you opening servers to the Internet, or not?

Cheers,
Nicholas Sherlock

--
http://www.sherlocksoftware.org

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

on 27.03.2006 23:37:07 by lavron

Nicholas Sherlock wrote:
> lavron@altavista.com wrote:
> > Nicholas Sherlock wrote:
> >> Windows doesn't explicitly do anything with or to the CMOS (It couldn't
> >> even if it wanted to,
> >
> > On one hand, Nicholas, you agree that "it is possible for programs to
> > write to [and read from] the CMOS" and on the other hand you claim that
> > Windows could not do anything with the CMOS even if it wanted to. How
> > do these two statements of yours sit together?
>
> Windows could read and write from the CMOS, no problem (I can't think of
> a reason why it would want to. If Windows wanted to know anything, it'd
> ask the BIOS). The problem is that the CMOS's contents are nonsense,
> AFAIK there is no defined format for the CMOS. Perhaps I am wrong, but I
> can't find anything definitive on the 'net.
>
> >> AFAICS there is no defined layout or format for
> >> the CMOS),
> >
> > Not formally published, but the book "The Undocumented PC" provides
> > plenty of detailed data and layouts
>
> And what would Windows gain by relying on these undocumented values??
> They're just system settings. If system settings are screwed up, your
> computer will run screwed up. No magic involved.
>

Windows, the operating system, apparently does not refer to the CMOS
storage - it worked well even during the problem. However, the Windows
installers apparently do refer to the CMOS storage - they refused to
install Windows during the problem but worked well after the CMOS
storage was reset.

> >...out there is trying to find its Achilles' heel.
>
> So are you opening servers to the Internet, or not?
>

Assuming that I correctly understand your question, my answer is: No.

> Cheers,
> Nicholas Sherlock
>
> --
> http://www.sherlocksoftware.org

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

on 28.03.2006 04:52:46 by s_dubrovich

lavron@altavista.com wrote:
> Recently, an internet cracker managed to break through my computer
> defenses and introduced into it a contamination which prevented the
> operating system from booting. Furthermore, the intruder also altered
> the CMOS storage in a manner which prevented me from reinstalling
> either Windows-XP or Windows-98. Only after resetting the CMOS
> storage could I successfully reinstall both operating systems.
>
Can you share the general info on how they were able to do this? Or,
how to prevent this? Can you say something about your hardware and
network interface?

> I hope that someone here can answer the following questions:

I have incomplete knowledge about the following, so my conclusions may be
in error.
CMOS is a rather dated term, nowadays the terms are GPNV [general
purpose NonVolatile] or NVS [NonVolatile Storage]. The CMOS Bios dates
to the 80286, IIRC the actual storage was on the RTC [real time clock
chip] which was utilized by the CMOS Bios to statically store various
system parameters. One of which was the flag
bit to disable NMI, a suggested thing to do on the 286 to switch to
protected mode. Disabling the NMI involved clearing bit 7 of the byte
accessible thru Port 70h, for example. The amount of NVS was very
small, I don't recall the amount, less than 256 bytes, maybe closer to
64 bytes, maybe only 16 bytes. The GPNV of today is huge by comparison
and holds all sorts of things related to static $PnP Bios and _SM_
SMBIOS [System Management Bios] values. Most certainly the NVS holds
all that is referred to by [I'll call it the F2 system] setup menu,
available at the end of the POST routine, before the OS boots. The
NVS may also hold the System Event Log as well. Refer to the System
Management BIOS Reference Specification. The SMBIOS is a subnode to
the $PnP Plug and Play Bios, it is only one component of the Desktop
Management Interface (DMI). Reference the PhoenixBIOS 4.0 User's
Manual.

> 1. Which fields in the CMOS storage are the Windows installers
> referring to?
Which fields, I haven't a clue. Logically it can be assumed that it
needs to survey the system to install the pertinent components matched
to the system hardware and state. It most probably maintains its own
'system event log' as to the installation procedure. Possibly, there
was an error in allocating that space if a lurker had already allocated
it.

> 2. What is the raison d'etre for the existence of these fields, i.e.,
> what is their legitimate purpose?

To maintain state, static values, across cold boots. Such as the
system event log. Such as the boot device sequence [IPL]. Such as PXE
Enable!!(A)

> 3. What are the alternative settings in these fields, and what does
> each setting mean?
>
This is too broad to answer, I've not found a good reference that
details these.

> Well, I managed to recover from this malicious attack, and, hopefully,
> I will be able to learn something from it.
>
(A) Before I comment further, what is your knowledge of the PXE preboot
extensions, Remote Program Load, remote system management? Modern Post?

> Thanks in advance.
You're welcome.
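Two points in this thread lend themselves to a concrete model: xpyttl's argument earlier that a wrong CMOS checksum points to a voltage excursion or other hardware event rather than a programmatic change, and s_dubrovich's description just above of the index byte written to port 70h, with bit 7 acting as the NMI-disable flag. The Python below is an added example, not code from either poster. It assumes the classic 64-byte AT layout (a 16-bit checksum of bytes 0x10..0x2D stored at 0x2E/0x2F, plus the floppy, hard-disk, equipment and extended-drive-type bytes named in the docstring) and simulates the two-port access path in memory, so it runs without touching real hardware; the images it checks are constructed.

```python
"""Classic AT CMOS access model and its standard checksum.

Added illustration for this thread; not code from any poster. Labelled
assumptions: the classic 64-byte IBM AT layout in which the BIOS keeps a
16-bit checksum of bytes 0x10..0x2D at 0x2E (high byte) and 0x2F (low
byte); byte 0x10 holds floppy types, 0x12 hard disk types, 0x14 the
equipment byte, 0x19 the extended drive C type. Port 70h takes the cell
index, with bit 7 acting as the NMI-disable flag rather than as part of
the address; port 71h carries the data. The images below are constructed.
"""
CMOS_SIZE = 64
CKSUM_START, CKSUM_END = 0x10, 0x2D      # inclusive range the checksum covers
CKSUM_HI, CKSUM_LO = 0x2E, 0x2F
NMI_DISABLE = 0x80


class RtcPorts:
    """Simulated port 70h/71h pair over an in-memory CMOS image."""

    def __init__(self, image):
        self.image = bytearray(image)
        self.index = 0
        self.nmi_disabled = False

    def out_70h(self, value):
        # Only bits 0..6 select a cell; bit 7 masks NMI for the two-step access.
        self.nmi_disabled = bool(value & NMI_DISABLE)
        self.index = value & 0x7F

    def in_71h(self):
        return self.image[self.index]

    def out_71h(self, value):
        self.image[self.index] = value & 0xFF


def standard_checksum(image):
    """16-bit sum of bytes 0x10..0x2D, as the classic AT BIOS computes it."""
    return sum(image[CKSUM_START:CKSUM_END + 1]) & 0xFFFF


def stored_checksum(image):
    return (image[CKSUM_HI] << 8) | image[CKSUM_LO]


def checksum_ok(image):
    return standard_checksum(image) == stored_checksum(image)


def write_setting(ports, index, value):
    """A well-behaved writer (BIOS setup, or any program using the port path)
    stores the byte and then refreshes the checksum, so the dump stays
    consistent even though its contents changed."""
    ports.out_70h(index | NMI_DISABLE)
    ports.out_71h(value)
    ck = standard_checksum(ports.image)
    ports.out_70h(CKSUM_HI | NMI_DISABLE)
    ports.out_71h(ck >> 8)
    ports.out_70h(CKSUM_LO | NMI_DISABLE)
    ports.out_71h(ck & 0xFF)
    ports.out_70h(0)                         # re-enable NMI


def diagnose(image):
    """Apply the thread's reasoning to a dump: a checksum that no longer
    matches points at a change that bypassed the normal write path (bit
    rot, power excursion); a consistent checksum over changed settings
    points at a writer that went through it."""
    if not checksum_ok(image):
        return "checksum mismatch: contents changed without the checksum being updated"
    return "checksum consistent: any change was made through the normal write path"


def make_image():
    """Constructed baseline with a valid checksum (not a dump of any real machine)."""
    img = bytearray(CMOS_SIZE)
    img[0x10] = 0x40      # floppy A: type 4 (1.44 MB) in the high nibble
    img[0x12] = 0xF0      # hard disk C: type 15 = 'see extended type byte'
    img[0x19] = 0x47      # extended drive C type
    img[0x14] = 0x2D      # equipment byte
    ck = standard_checksum(img)
    img[CKSUM_HI], img[CKSUM_LO] = ck >> 8, ck & 0xFF
    return bytes(img)


BASELINE = make_image()
# Same image with one bit of the drive-type byte flipped and nothing else
# touched: this is what a power- or battery-related corruption looks like.
_flipped = bytearray(BASELINE)
_flipped[0x19] ^= 0x01
BIT_FLIPPED = bytes(_flipped)

if __name__ == "__main__":
    print("baseline    :", diagnose(BASELINE))
    print("bit flipped :", diagnose(BIT_FLIPPED))
    ports = RtcPorts(BASELINE)
    write_setting(ports, 0x19, 0x00)           # clear the extended drive type
    print("programmatic:", diagnose(ports.image))
```

Run stand-alone, it reports the baseline as consistent, the bit-flipped copy as a mismatch, and the programmatic rewrite as consistent again, which is the distinction xpyttl draws. On a real machine the distinction is only as reliable as the BIOS's own checksum discipline: vendors extend the layout beyond the 64-byte AT map and may keep additional checksums over the extended area, so a dump should be read against the specific board's documentation.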

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

on 28.03.2006 17:19:49 by see-my-signature

lavron@altavista.com wrote:
> Recently, an internet cracker managed to break through my computer
> defenses and introduced into it a contamination which prevented the
> operating system from booting. Furthermore, the intruder also altered
> the CMOS storage in a manner which prevented me from reinstalling
> either Windows-XP or Windows-98. Only after resetting the CMOS
> storage could I successfully reinstall both operating systems.
>
> I hope that someone here can answer the following questions:
> 1. Which fields in the CMOS storage are the Windows installers
> referring to?
> 2. What is the raison d'etre for the existence of these fields, i.e.,
> what is their legitimate purpose?
> 3. What are the alternative settings in these fields, and what does
> each setting mean?
>
> Well, I managed to recover from this malicious attack, and, hopefully,
> I will be able to learn something from it.
>
> Thanks in advance.
>

Did you ever do any science or maths at school? Were you never taught anything
about logical reasoning?

You seem to have made a *huge* set of assumptions, based on very *little* indeed.
Your computer goes wrong, so you blame a hacker altering your CMOS.

I've removed 'alt.os.development' as this has nothing to do with operating
system development.

--
Dave K MCSE.

MCSE = Minefield Consultant and Solitaire Expert.

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

on 29.03.2006 18:13:52 by lavron

s_dubrovich@yahoo.com wrote:
> lavron@altavista.com wrote:
> > Recently, an internet cracker managed to break through my computer
> > defenses and introduced into it a contamination which prevented the
> > operating system from booting. Furthermore, the intruder also altered
> > the CMOS storage in a manner which prevented me from reinstalling
> > either Windows-XP or Windows-98. Only after resetting the CMOS
> > storage could I successfully reinstall both operating systems.
> >
> Can you share the general info on how they were able to do this? Or,
> how to prevent this? Can you say something about your hardware and
> network interface?
>

I do not know. All I can tell you is that the connection of my single
computer to the internet is through an ISP, and that the software
firewall reported a deluge of intrusion attempts, including multitudes
of repetitive attempts originated from the same URLs. It is conceivable
that at least one managed to break through.

>
> > I hope that someone here can answer the following questions:
>
> I have incomplete knowledge about the following, so my conclusions may be
> in error.
> CMOS is a rather dated term, nowadays the terms are GPNV [general
> purpose NonVolatile] or NVS [NonVolatile Storage]. The CMOS Bios dates
> to the 80286, IIRC the actual storage was on the RTC [real time clock
> chip] which was utilized by the CMOS Bios to statically store various
> system parameters. One of which was the flag
> bit to disable NMI, a suggested thing to do on the 286 to switch to
> protected mode. Disabling the NMI involved clearing bit 7 of the byte
> accessible thru Port 70h, for example. The amount of NVS was very
> small, I don't recall the amount, less than 256 bytes, maybe closer to
> 64 bytes, maybe only 16 bytes. The GPNV of today is huge by comparison
> and holds all sorts of things related to static $PnP Bios and _SM_
> SMBIOS [System Management Bios] values. Most certainly the NVS holds
> all that is referred to by [I'll call it the F2 system] setup menu,
> available at the end of the POST routine, before the OS boots. The
> NVS may also hold the System Event Log as well. Refer to the System
> Management BIOS Reference Specification. The SMBIOS is a subnode to
> the $PnP Plug and Play Bios, it is only one component of the Desktop
> Management Interface (DMI). Reference the PhoenixBIOS 4.0 User's
> Manual.
>
> > 1. Which fields in the CMOS storage are the Windows installers
> > referring to?
> Which fields, I haven't a clue. Logically it can be assumed that it
> needs to survey the system to install the pertinent components matched
> to the system hardware and state. It most probably maintains its own
> 'system event log' as to the installation procedure. Possibly, there
> was an error in allocating that space if a lurker had already allocated
> it.
>
> > 2. What is the raison d'etre for the existence of these fields, i.e.,
> > what is their legitimate purpose?
>
> To maintain state, static values, across cold boots. Such as the
> system event log. Such as the boot device sequence [IPL]. Such as PXE
> Enable!!(A)
>
> > 3. What are the alternative settings in these fields, and what does
> > each setting mean?
> >
> This is too broad to answer, I've not found a good reference that
> details these.
>
> > Well, I managed to recover from this malicious attack, and, hopefully,
> > I will be able to learn something from it.
> >
> (A) Before I comment further, what is your knowledge of the PXE preboot
> extensions, Remote Program Load, remote system management? Modern Post?
>

I greatly appreciate your detailed explanation; thank you very much.
No, I am not familiar with the concepts you mentioned.

My purpose in posting my original post was to figure out if, should the
problem happen again, it would be possible to reset one or a few more
field(s) to their original value(s) rather than clear the entire CMOS
storage. The response of Alexei Frounze as well as yours suggests to me
that there is very little point in further pursuing this idea. Hence I
am dropping it for the time being.

>
> > Thanks in advance.
> You're welcome.
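
The CMOS explanation quoted above, and lavron's question of whether a few altered fields could be put back instead of clearing the whole store, can be illustrated with a small baseline-diff script. This is an added example, not code from any poster in the thread. It assumes the classic AT-compatible 128-byte layout, in which the standard checksum stored at 0x2E (high byte) and 0x2F (low byte) covers offsets 0x10..0x2D; the two dumps it compares are constructed inline so it runs offline, and the function and table names (describe, diff_dumps, restore_fields, OFFSET_NAMES) are the example's own.

```python
"""Diff a CMOS/NVRAM dump against a known-good baseline (added example).

Assumed layout: classic AT-compatible 128-byte map, standard checksum at
0x2E/0x2F covering offsets 0x10..0x2D. Sample dumps are constructed below.
"""

# Well-known offsets in the classic layout. 0x00..0x0D are the RTC
# time/alarm/status registers and are handled in describe().
OFFSET_NAMES = {
    0x0E: "diagnostic status byte",
    0x10: "floppy drive types",
    0x12: "hard disk types (C: high nibble, D: low nibble)",
    0x14: "equipment byte",
    0x15: "base memory size, low byte (KB)",
    0x16: "base memory size, high byte (KB)",
    0x17: "extended memory size, low byte (KB)",
    0x18: "extended memory size, high byte (KB)",
    0x19: "extended hard disk type, drive C:",
    0x1A: "extended hard disk type, drive D:",
    0x2E: "standard checksum, high byte",
    0x2F: "standard checksum, low byte",
}

CKS_START, CKS_END = 0x10, 0x2E   # checksum covers [CKS_START, CKS_END)
CKS_HI, CKS_LO = 0x2E, 0x2F


def describe(offset):
    if offset <= 0x0D:
        return "RTC time/alarm/status register"
    return OFFSET_NAMES.get(offset, "vendor-specific / unknown")


def computed_checksum(dump):
    """16-bit sum of the bytes in the standard-checksum range."""
    return sum(dump[CKS_START:CKS_END]) & 0xFFFF


def stored_checksum(dump):
    return (dump[CKS_HI] << 8) | dump[CKS_LO]


def checksum_ok(dump):
    return computed_checksum(dump) == stored_checksum(dump)


def diff_dumps(baseline, current):
    """Return (offset, old, new) for every byte that differs."""
    if len(baseline) != len(current):
        raise ValueError("dumps must be the same length")
    return [(i, b, c) for i, (b, c) in enumerate(zip(baseline, current)) if b != c]


def restore_fields(current, baseline, offsets):
    """Copy selected bytes back from the baseline and refresh the checksum.

    This is the selective repair the thread asks about. It only makes sense
    for offsets whose meaning is known and whose baseline was captured
    while the machine was healthy.
    """
    fixed = bytearray(current)
    for off in offsets:
        fixed[off] = baseline[off]
    cks = computed_checksum(fixed)
    fixed[CKS_HI], fixed[CKS_LO] = cks >> 8, cks & 0xFF
    return bytes(fixed)


def build_sample_baseline():
    """Constructed healthy dump: one 1.44 MB floppy, one disk, 640 KB base RAM."""
    d = bytearray(128)
    d[0x10] = 0x40                  # drive A: type 4 (1.44 MB) in the high nibble
    d[0x12] = 0xF0                  # drive C: type 15, i.e. see extended byte 0x19
    d[0x14] = 0x23                  # equipment: floppy present, FPU, colour 80x25
    d[0x15], d[0x16] = 0x80, 0x02   # base memory 0x0280 = 640 KB
    d[0x17], d[0x18] = 0x00, 0xFC   # extended memory 0xFC00 KB
    d[0x19] = 0x2F                  # extended disk type for drive C (constructed)
    cks = computed_checksum(d)
    d[CKS_HI], d[CKS_LO] = cks >> 8, cks & 0xFF
    return bytes(d)


def build_sample_tampered():
    """Same dump with the disk type and floppy flag zeroed; checksum left stale."""
    t = bytearray(build_sample_baseline())
    t[0x12] = 0x00
    t[0x14] &= ~0x01
    return bytes(t)


def report(baseline, current):
    """Human-readable summary: checksum state plus every changed byte."""
    lines = ["checksum: %s" % ("ok" if checksum_ok(current) else "MISMATCH")]
    for off, old, new in diff_dumps(baseline, current):
        lines.append("0x%02X %-45s %02X -> %02X" % (off, describe(off), old, new))
    return lines


if __name__ == "__main__":
    base, bad = build_sample_baseline(), build_sample_tampered()
    print("\n".join(report(base, bad)))
    repaired = restore_fields(bad, base, [o for o, _, _ in diff_dumps(base, bad)])
    print("after selective restore:", "ok" if checksum_ok(repaired) else "still bad")
```

The baseline has to come from a time the machine was known to be healthy; restoring only bytes whose meaning the table knows, and recomputing the checksum afterwards, is the targeted repair the thread asks about, while anything the diff flags as vendor-specific is better reset through the setup menu than patched blind.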

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

am 29.03.2006 18:36:57 von lavron

Dave (from the UK) wrote:
> lavron@altavista.com wrote:
> > Recently, an internet cracker managed to break through my computer
> > defenses and introduced into it a contamination which prevented the
> > operating system from booting. Furthermore, the intruder also altered
> > the CMOS storage in a manner which prevented me from reinstalling
> > neither Windows-XP nor Windows-98. Only after resetting the CMOS
> > storage I could successfully reinstall both operating systems.
> >
> > I hope that someone here can answer the following questions:
> > 1. Which fields in the CMOS storage are the Windows installers
> > referring to?
> > 2. What is the raison d'etre for the existence of these fields, i.e.,
> > what is their legitimate purpose?
> > 3. What are the alternative settings in these fields, and what does
> > each setting mean?
> >
> > Well, I managed to recover from this malicious attack, and, hopefully,
> > I will be able to learn something from it.
> >
> > Thanks in advance.
> >
>
> Did you ever do any science or maths at school? Were you never taught anything
> about logical reasoning?
>
> You seem to have made a *huge* set of assumptions, based on very *little* indeed.
> Your computer goes wrong, so you blame a hacker altering your CMOS.
>
> I've removed 'alt.os.development' as this has nothing to do with operating
> system development.
>
> --
> Dave K MCSE.
>
> MCSE = Minefield Consultant and Solitaire Expert.
>
> Please note my email address changes periodically to avoid spam.
> It is always of the form: month-year@domain. Hitting reply will work
> for a couple of months only. Later set it manually.


Look at yourself - you did exactly what you were accusing me of doing -
rushing to conclusions. You talk big about logical reasoning, yet you
do not use it, if you have any of it at all.

You have no way of knowing how much work I did to analyze the problem,
yet you jump to the false conclusion that I simplistically blame a
cracker for my computer going wrong. It is YOU who "seem to have made
a *huge* set of assumptions, based on very *little* indeed" - therefore I
reject your accusations. ADDRESS THEM TO YOURSELF!

As far as I am concerned, your words carry no weight whatsoever; they
are worthless, good for nothing. You removed your words from one
newsgroup; you might as well remove them from all of them. They are not
worth the space they occupy. I am not going to bother responding to you
and to the likes of you any more.

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

am 29.03.2006 18:43:33 von lavron

s_dubrovich@yahoo.com wrote:
> lavron@altavista.com wrote:
> > Recently, an internet cracker managed to break through my computer
> > defenses and introduced into it a contamination which prevented the
> > operating system from booting. Furthermore, the intruder also altered
> > the CMOS storage in a manner which prevented me from reinstalling
> > neither Windows-XP nor Windows-98. Only after resetting the CMOS
> > storage I could successfully reinstall both operating systems.
> >
> Can you share the general info on how they were able to do this? Or,
> how to prevent this? Can you say something about your hardware and
> network interface?
>

I do not know. All I can tell you is that the connection of my single
computer to the internet is through an ISP, and that the software
firewall reported a deluge of intrusion attempts, including multitudes
of repetitive attempts originating from the same URLs. It is conceivable
that at least one managed to break through.

>
> > I hope that someone here can answer the following questions:
>
> I have incomplete knowledge about the following, so my conclusions may be
> in error.
> CMOS is a rather dated term, nowadays the terms are GPNV [general
> purpose NonVolatile] or NVS [NonVolatile Storage]. The CMOS Bios dates
> to the 80286, IIRC the actual storage was on the RTC [real time clock
> chip] which was utilized by the CMOS Bios to statically store various
> system parameters. One of which was the flag
> bit to disable NMI, a suggested thing to do on the 286 to switch to
> protected mode. Disabling the NMI involved clearing bit 7 of the byte
> accessible thru Port 70h, for example. The amount of NVS was very
> small, I don't recall the amount, less than 256 bytes, maybe closer to
> 64 bytes, maybe only 16 bytes. The GPNV of today is huge by comparison
> and holds all sorts of things related to static $PnP Bios and _SM_
> SMBIOS [System Management Bios] values. Most certainly the NVS holds
> all that is referred to by [I'll call it the F2 system] setup menu,
> available at the end of the POST routine, before the OS boots. The
> NVS may also hold the System Event Log as well. Refer to the System
> Management BIOS Reference Specification. The SMBIOS is a subnode to
> the $PnP Plug and Play Bios, it is only one component of the Desktop
> Management Interface (DMI). Reference the PhoenixBIOS 4.0 User's
> Manual.
>
> > 1. Which fields in the CMOS storage are the Windows installers
> > referring to?
> Which fields, I haven't a clue. Logically it can be assumed that it
> needs to survey the system to install the pertinent components matched
> to the system hardware and state. It most probably maintains its own
> 'system event log' as to the installation procedure. Possibly, there
> was an error in allocating that space if a lurker had already allocated
> it.
>
> > 2. What is the raison d'etre for the existence of these fields, i.e.,
> > what is their legitimate purpose?
>
> To maintain state, static values, across cold boots. Such as the
> system event log. Such as the boot device sequence [IPL]. Such as PXE
> Enable!!(A)
>
> > 3. What are the alternative settings in these fields, and what does
> > each setting mean?
> >
> This is too broad to answer, I've not found a good reference that
> details these.
>
> > Well, I managed to recover from this malicious attack, and, hopefully,
> > I will be able to learn something from it.
> >
> (A) Before I comment further, what is your knowledge of the PXE preboot
> extensions, Remote Program Load, remote system management? Modern Post?
>

I greatly appreciate your detailed explanation; thank you very much.
No, I am not familiar with the concepts you mention.

My purpose in posting my original post was to figure out if, should the
problem happen again, it would be possible to reset one or a few more
field(s) to their original value(s) rather than clear the entire CMOS
storage. The response of Alexei Frounze as well as yours suggests to me
that there is very little point in further pursuing this idea. Hence I
am dropping it for the time being.

>
> > Thanks in advance.
> You're welcome.

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

am 30.03.2006 02:52:48 von s_dubrovich

lavron@altavista.com wrote:
> s_dubrovich@yahoo.com wrote:
> > lavron@altavista.com wrote:
> > > Recently, an internet cracker managed to break through my computer
> > > defenses and introduced into it a contamination which prevented the
> > > operating system from booting. Furthermore, the intruder also altered
> > > the CMOS storage in a manner which prevented me from reinstalling
> > > neither Windows-XP nor Windows-98. Only after resetting the CMOS
> > > storage I could successfully reinstall both operating systems.
> > >
> > Can you share the general info on how they were able to do this? Or,
> > how to prevent this? Can you say something about your hardware and
> > network interface?
> >
>
> I do not know. All I can tell you is that the connection of my single
> computer to the internet is through an ISP, and that the software
> firewall reported a deluge of intrusion attempts, including multitudes
> of repetitive attempts originating from the same URLs. It is conceivable
> that at least one managed to break through.
>

Yes, it is conceivable to me. Did the firewall report the port numbers
involved, as well as the URLs?

> >
> > > I hope that someone here can answer the following questions:
> >
> >
> > (A) Before I comment further, what is your knowledge of the PXE preboot
> > extensions, Remote Program Load, remote system management? Modern Post?
> >
>
> I greatly appreciate your detailed explanation; thank you very much.
> No, I am not familiar with the concepts you mentioned.
>
PXE is an Intel document; I've given references for the others
previously. You should know something of those; there is no point in my
commenting further.

> My purpose in posting my original post was to figure out if, should the
> problem happen again, it would be possible to reset one or a few more
> field(s) to their original value(s) rather than clear the entire CMOS
> storage. The response of Alexei Frounze as well as yours suggests to me
> that there is very little point in further pursuing this idea. Hence I
> am dropping it for the time being.

I understand; however, these begging questions, left answerless, leave no
confidence.

The three things you associated as happening with this event, the cmos
issue, the mbr issue and the firewall issue are too coincidental.

>
> >
> > > Thanks in advance.
> > You're welcome.

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

am 30.03.2006 03:51:25 von Nicholas Sherlock

s_dubrovich@yahoo.com wrote:
> The three things you associated as happening with this event, the cmos
> issue, the mbr issue and the firewall issue are too coincidental.

No they aren't. There was no MBR issue. The whole problem stems from a
single fault in the stored settings in the CMOS. Firewalls don't just
break with repeated attempts.

Cheers,
Nicholas Sherlock

--
http://www.sherlocksoftware.org

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

am 30.03.2006 18:07:06 von lavron

Nicholas Sherlock wrote:
> s_dubrovich@yahoo.com wrote:
> > The three things you associated as happening with this event, the cmos
> > issue, the mbr issue and the firewall issue are too coincidental.
>
> No they aren't. There was no MBR issue. The whole problem stems from a
> single fault in the stored settings in the CMOS. Firewalls don't just
> break with repeated attempts.
>
> Cheers,
> Nicholas Sherlock
>
> --
> http://www.sherlocksoftware.org


What makes you, Nicholas, so sure? The MBR, for one, was altered - no
doubt about that. For another, repetitive attacks on a firewall
suggest to me experimentation with different approaches to locate
its Achilles' heel, one of which might be successful.

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

am 30.03.2006 22:33:06 von Nicholas Sherlock

lavron@altavista.com wrote:
> Nicholas Sherlock wrote:
>> s_dubrovich@yahoo.com wrote:
>>> The three things you associated as happening with this event, the cmos
>>> issue, the mbr issue and the firewall issue are too coincidental.
>> No they aren't. There was no MBR issue. The whole problem stems from a
>> single fault in the stored settings in the CMOS. Firewalls don't just
>> break with repeated attempts.
>
>
> What makes you, Nicholas, so sure? The MBR, for one, was altered - no
> doubt about that

Where does the OP suggest that? All I see is that after resetting his
CMOS he could boot and/or install Windows correctly.

His repeated attacks could just be wormed computers scanning for
vulnerable targets, not very scary.

I don't deny that such an attack would be possible, but for an attack to
succeed, there would have to be:

- A server with a vulnerability that allows arbitrary code execution on
the computer
- Through poor configuration of the firewall, said server would have to
be exposed to all and sundry

Frankly, if the OP was up to date with updates, and is running a
firewall, I would rate the chances of this problem being caused by an
attack as very small indeed.

Cheers,
Nicholas Sherlock

--
http://www.sherlocksoftware.org
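
s_dubrovich's question about the port numbers, and Nicholas's point that repeated hits are usually worm-infected machines scanning for targets rather than one attacker working on a single host, can both be checked from the firewall log itself. The following is an added example, not code from any poster in the thread. It assumes a constructed one-event-per-line log format (src, dst, proto, sport, dport fields), uses RFC 5737 documentation addresses, and the thresholds in classify_sources and widely_scanned_ports are the example's own choices.

```python
"""Triage a software-firewall log: broad scan noise vs. a focused port sweep.

Added example. Log format and sample lines are constructed; addresses are
RFC 5737 documentation ranges, not real hosts.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)$"
)

# Constructed sample: five unrelated hosts each knocking on 445 (typical of
# worm-infected machines sweeping the internet), one stray UDP/1434 probe,
# and one host walking through eight different ports in a few seconds.
SAMPLE_LOG = """
2006-03-20 14:02:11 DROP src=198.51.100.1 dst=192.0.2.10 proto=TCP sport=3011 dport=445
2006-03-20 14:02:14 DROP src=198.51.100.1 dst=192.0.2.10 proto=TCP sport=3012 dport=445
2006-03-20 14:05:40 DROP src=198.51.100.2 dst=192.0.2.10 proto=TCP sport=1234 dport=445
2006-03-20 14:09:03 DROP src=198.51.100.3 dst=192.0.2.10 proto=TCP sport=2201 dport=445
2006-03-20 14:12:57 DROP src=198.51.100.4 dst=192.0.2.10 proto=TCP sport=4410 dport=445
2006-03-20 14:15:20 DROP src=198.51.100.5 dst=192.0.2.10 proto=TCP sport=1050 dport=445
2006-03-20 14:20:01 DROP src=192.0.2.99 dst=192.0.2.10 proto=UDP sport=1434 dport=1434
2006-03-20 15:00:00 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP sport=40001 dport=21
2006-03-20 15:00:01 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP sport=40002 dport=22
2006-03-20 15:00:01 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP sport=40003 dport=23
2006-03-20 15:00:02 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP sport=40004 dport=80
2006-03-20 15:00:02 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP sport=40005 dport=135
2006-03-20 15:00:03 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP sport=40006 dport=139
2006-03-20 15:00:03 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP sport=40007 dport=445
2006-03-20 15:00:04 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP sport=40008 dport=3389
this line is malformed and must be skipped by the parser
"""


def parse_log(text):
    """Parse log text into event dicts; lines that do not match are dropped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
        events.append(ev)
    return events


def summarize(events):
    """Per-source hit counts and port sets, plus the set of sources per port."""
    by_src = defaultdict(lambda: {"hits": 0, "dports": set()})
    by_dport = defaultdict(set)
    for ev in events:
        by_src[ev["src"]]["hits"] += 1
        by_src[ev["src"]]["dports"].add(ev["dport"])
        by_dport[ev["dport"]].add(ev["src"])
    return by_src, by_dport


def classify_sources(by_src, sweep_threshold=5):
    """Label each source by behaviour. Thresholds are this example's own."""
    labels = {}
    for src, info in by_src.items():
        if len(info["dports"]) >= sweep_threshold:
            labels[src] = "port sweep from one host: review"
        elif info["hits"] > 1:
            labels[src] = "repeated hits on a fixed port: likely automated scan"
        else:
            labels[src] = "single probe: background noise"
    return labels


def widely_scanned_ports(by_dport, min_sources=3):
    """Ports hit by many unrelated sources: the signature of mass scanning."""
    return sorted(p for p, srcs in by_dport.items() if len(srcs) >= min_sources)


def triage(text):
    events = parse_log(text)
    by_src, by_dport = summarize(events)
    return {
        "events": len(events),
        "sources": classify_sources(by_src),
        "mass_scanned_ports": widely_scanned_ports(by_dport),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("events parsed:", result["events"])
    print("ports hit by many sources:", result["mass_scanned_ports"])
    for src, label in sorted(result["sources"].items()):
        print("%-14s %s" % (src, label))
```

The split the script makes is the one the thread argues over: many sources each touching the same port is the background hum of infected machines scanning, and needs no response beyond keeping the port closed, whereas one source stepping through many ports in seconds is worth a second look at the log and at what was actually listening at the time.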

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

am 31.03.2006 01:31:12 von s_dubrovich

Nicholas Sherlock wrote:
> s_dubrovich@yahoo.com wrote:
> > The three things you associated as happening with this event, the cmos
> > issue, the mbr issue and the firewall issue are too coincidental.
>
> No they aren't. There was no MBR issue. The whole problem stems from a
> single fault in the stored settings in the CMOS. Firewalls don't just
> break with repeated attempts.
>
In fairness, the OP mentions this in comp.security.misc, in a parallel
thread.
Perhaps the firewall was already compromised and the traffic was
related to a second stage probe for a suitable faulty, auto-update
agent, to get foreign code onto the target.
>
> Cheers,
> Nicholas Sherlock
>
> --
> http://www.sherlocksoftware.org

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

am 04.04.2006 16:22:52 von lavron

Nicholas Sherlock wrote:
> lavron@altavista.com wrote:
> > Nicholas Sherlock wrote:
> >> s_dubrovich@yahoo.com wrote:
> >>> The three things you associated as happening with this event, the cmos
> >>> issue, the mbr issue and the firewall issue are too coincidental.
> >> No they aren't. There was no MBR issue. The whole problem stems from a
> >> single fault in the stored settings in the CMOS. Firewalls don't just
> >> break with repeated attempts.
> >
> >
> > What makes you, Nicholas, so sure? The MBR, for one, was altered - no
> > doubt about that
>
> Where does the OP suggest that? All I see is that after resetting his
> CMOS he could boot and/or install Windows correctly.
>

Granted, I did not explicitly mention that in the original posting. I
did, however, indicate that the contamination prevented the operating
system from booting.

I did not explicitly mention the MBR alteration in the original posting
because, as my question indicated, and as I mentioned in later
postings, I was only interested in the CMOS issue.

>
> His repeated attacks could just be wormed computers scanning for
> vulnerable targets, not very scary.
>
> I don't deny that such an attack would be possible, but for an attack to
> succeed, there would have to be:
>
> - A server with a vulnerability that allows arbitrary code execution on
> the computer
> - Through poor configuration of the firewall, said server would have to
> be exposed to all and sundry
>
> Frankly, if the OP was up to date with updates, and is running a
> firewall, I would rate the chances of this problem being caused by an
> attack as very small indeed.
>
> Cheers,
> Nicholas Sherlock
>
> --
> http://www.sherlocksoftware.org


While I am willing to admit that I cannot prove beyond any doubt that
it was an attack, you cannot prove beyond any doubt that electronic
gremlins were responsible for the problem.

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

am 04.04.2006 18:04:42 von unruh

lavron@altavista.com writes:


>Nicholas Sherlock wrote:
>> lavron@altavista.com wrote:
>> > Nicholas Sherlock wrote:
>> >> s_dubrovich@yahoo.com wrote:
>> >>> The three things you associated as happening with this event, the cmos
>> >>> issue, the mbr issue and the firewall issue are too coincidental.
>> >> No they aren't. There was no MBR issue. The whole problem stems from a
>> >> single fault in the stored settings in the CMOS. Firewalls don't just
>> >> break with repeated attempts.
>> >
>> >
>> > What makes you, Nicholas, so sure? The MBR, for one, was altered - no
>> > doubt about that
>>
>> Where does the OP suggest that? All I see is that after resetting his
>> CMOS he could boot and/or install Windows correctly.
>>

>Granted, I did not explicitly mention that in the original posting. I
>did, however, indicate that the contamination prevented the operating
>system from booting.

>I did not explicitly mention the MBR alteration in the original posting
>because, as my question indicated, and as I mentioned in later
>postings, I was only interested in the CMOS issue.

>>
>> His repeated attacks could just be wormed computers scanning for
>> vulnerable targets, not very scary.
>>
>> I don't deny that such an attack would be possible, but for an attack to
>> succeed, there would have to be:
>>
>> - A server with a vulnerability that allows arbitrary code execution on
>> the computer
>> - Through poor configuration of the firewall, said server would have to
>> be exposed to all and sundry
>>
>> Frankly, if the OP was up to date with updates, and is running a
>> firewall, I would rate the chances of this problem being caused by an
>> attack as very small indeed.
>>
>> Cheers,
>> Nicholas Sherlock
>>
>> --
>> http://www.sherlocksoftware.org


>While I am willing to admit that I cannot prove beyond any doubt that
>it was an attack, you cannot prove beyond any doubt that electronic
>gremlins were responsible for the problem.

If you want to waste your time chasing imaginary attackers, that is of
course your decision. He was making a suggestion as to where you should look
for the problem. You do not want to look there. Fine. It is your time and
effort. He is not in a court of law here.

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

am 05.04.2006 00:55:23 von Nicholas Sherlock

lavron@altavista.com wrote:
> While I am willing to admit that I cannot prove beyond any doubt that
> it was an attack, you cannot prove beyond any doubt that electronic
> gremlins were responsible for the problem.

I agree :)

Cheers,
Nicholas Sherlock

--
http://www.sherlocksoftware.org

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

am 05.04.2006 09:36:37 von unknown

Post removed (X-No-Archive: yes)

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

am 10.04.2006 00:53:47 von Martin Smith

And these trollers keep on getting the attention they so madly crave...
*sigh*

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

am 10.04.2006 23:30:44 von q_q_anonymous

lavron@altavista.com wrote:
> Recently, an internet cracker managed to break through my computer
> defenses and introduced into it a contamination which prevented the
> operating system from booting. Furthermore, the intruder also altered
> the CMOS storage in a manner which prevented me from reinstalling
> neither Windows-XP nor Windows-98. Only after resetting the CMOS
> storage I could successfully reinstall both operating systems.
>
> I hope that someone here can answer the following questions:
> 1. Which fields in the CMOS storage are the Windows installers
> referring to?
> 2. What is the raison d'etre for the existence of these fields, i.e.,
> what is their legitimate purpose?
> 3. What are the alternative settings in these fields, and what does
> each setting mean?
>
> Well, I managed to recover from this malicious attack, and, hopefully,
> I will be able to learn something from it.
>
> Thanks in advance.

No clue. But I think it's very feasible.
I did read online - from memory - something about Sony corrupting the
BIOS of some of their laptops so as to only run Win XP.

And there are viruses that hit the BIOS. And an exploit can execute
anything so, could execute that kind of code.

Re: OT: An attempt to learn from a malicious attack by an internet cracker.

am 11.04.2006 18:51:37 von y

lavron@altavista.com wrote:
> Recently, an internet cracker managed to break through my computer
> defenses and introduced into it a contamination which prevented the
> operating system from booting. Furthermore, the intruder also altered
> the CMOS storage in a manner which prevented me from reinstalling
> neither Windows-XP nor Windows-98. Only after resetting the CMOS
> storage I could successfully reinstall both operating systems.
>
> I hope that someone here can answer the following questions:
> 1. Which fields in the CMOS storage are the Windows installers
> referring to?
> 2. What is the raison d'etre for the existence of these fields, i.e.,
> what is their legitimate purpose?
> 3. What are the alternative settings in these fields, and what does
> each setting mean?
>
> Well, I managed to recover from this malicious attack, and, hopefully,
> I will be able to learn something from it.
>
> Thanks in advance.
>
What is the problem when you reinstall Windows?
CMOS holds user-customizable configuration data corresponding to the
computer system, which the BIOS will refer to. An improper setting can
absolutely prevent your computer from installing any OS.
I think the malware you were infected with only trashed your CMOS settings.

Hong