On 22.07.2010 08:29, ron minnich wrote:
> Wow, top hit on google. But I'm confused.
> http://www.infoworld.com/t/malware/dells-response-motherboard-malware-causes...
> "The W32.Spybot worm was discovered in flash storage on the motherboard during Dell testing. The malware does not reside in the firmware."
> Er, um, the firmware is in Flash I thought. OK, there's more than one Flash part I assume.

Yes. Admittedly the press doesn't know enough to get a clear picture across.

> OK, what's that mean? In the Flash in the case the Flash file system used by EFI? Why is there flash storage on the motherboard? As you can guess, getting some information out of Dell or the journalists is essentially impossible.

Board manufacturers noticed that NOR flash (for BIOS) is way too expensive and you can get 128 MB NAND flash for the price of 1 MB NOR flash (rough numbers). So they use small NOR flash which hosts the firmware and a small NAND controller driver. Once firmware has run, the NAND controller driver (which lives in NOR flash) is used to load a payload (e.g. Splashtop/whatever) from NAND. That NAND flash is essentially a USB flash drive soldered onboard, and it often is attached directly without USB.

Admittedly the explanation above is an educated guess. It could easily be worse.

> I like this one: "Systems running non-Microsoft Windows operating systems cannot be affected." Which won't stop IT departments everywhere from continuing to mandate Windows :-) (yes, I realize I'm being unfair :-)
>
> This one is even stranger: "Remaining systems can only be exposed if the customer chooses to run an update to either Unified Server Configurator (USC) or 32-bit Diagnostics."
>
> Eh? Why would that expose remaining systems? And why would this worm be run anyway? In other words, why is a worm on a Flash part on the mainboard being run? What other software is in that part that is also being run that we don't know about? This is very curious.

This is Dell. The company which blocks all attempts to reflash from userspace. You run a BIOS/whatever update by loading the image in memory, rebooting and waiting for the BIOS to use that image to reflash itself. Now if the in-BIOS (or in-NAND-flash) updater executes code in NAND flash which is infected with malware, you are royally screwed. Basically the only way to kill the malware (by updating the flash chip) is to execute the malware and hope for the best.

I'd like to summarize the situation with a soundbite for the press: "You're infected with HIV. Please take medication which will trigger a full AIDS outbreak because that medication has a chance to heal you."
Regards, Carl-Daniel
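Added illustration, not part of the thread or of any vendor's firmware: a small Python model of the NOR-plus-NAND boot chain described above, where the NOR firmware keeps a reference digest of the one NAND payload it is willing to hand control to, so an altered NAND image is refused instead of executed. The image layout, function names and sample payload bytes are all hypothetical and constructed for the example.

```python
import hashlib
import hmac

# Hypothetical model of the boot chain discussed in the thread: a small,
# write-protected NOR part holds the firmware and the NAND driver, a larger
# NAND part holds a payload that NOR loads and runs. Nothing here is taken
# from any real Dell firmware.


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_nor_image(trusted_payload: bytes) -> dict:
    """Model the NOR firmware image. Besides the NAND driver it embeds the
    reference digest of the NAND payload that was shipped with it; this is
    the only part assumed to be protected from userspace reflashing."""
    return {
        "nand_driver": "minimal NAND controller driver (lives in NOR)",
        "ref_digest": sha256(trusted_payload),
    }


def verify_nand_payload(nor_image: dict, nand_payload: bytes) -> bool:
    """Hash what NAND actually contains and compare it, in constant time,
    with the reference digest carried in NOR before jumping into it."""
    return hmac.compare_digest(sha256(nand_payload), nor_image["ref_digest"])


def boot(nor_image: dict, nand_payload: bytes) -> str:
    """Return what the firmware would do: run the NAND payload, or refuse
    and stay in the NOR-resident code (where a clean reflash can happen)."""
    if verify_nand_payload(nor_image, nand_payload):
        return "executed NAND payload"
    return "refused: NAND payload digest mismatch, staying in NOR recovery"


# Constructed sample payloads (stand-ins for e.g. a Splashtop image).
GOOD_PAYLOAD = b"SPLASHTOP-PAYLOAD-v1" + bytes(range(64))
# Same image with a few bytes patched, modelling an infected NAND part.
INFECTED_PAYLOAD = GOOD_PAYLOAD[:24] + b"\x90" * 8 + GOOD_PAYLOAD[32:]

NOR_IMAGE = build_nor_image(GOOD_PAYLOAD)

if __name__ == "__main__":
    print("clean NAND:   ", boot(NOR_IMAGE, GOOD_PAYLOAD))
    print("infected NAND:", boot(NOR_IMAGE, INFECTED_PAYLOAD))
```

The check only helps if the reference digest itself lives in the part that userspace cannot rewrite, which in this model is NOR; if the updater instead trusted NAND for its own update logic, the thread's "execute the malware and hope" problem returns.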