Wow, top hit on google. But I'm confused.
http://www.infoworld.com/t/malware/dells-response-motherboard-malware-causes...
"The W32.Spybot worm was discovered in flash storage on the motherboard during Dell testing. The malware does not reside in the firmware."
Er, um, the firmware is in Flash I thought. OK, there's more than one Flash part I assume.
OK, what's that mean? In the Flash, as in the Flash file system used by EFI? Why is there flash storage on the motherboard? As you can guess, getting some information out of Dell or the journalists is essentially impossible.
I like this one: "Systems running non-Microsoft Windows operating systems cannot be affected." Which won't stop IT departments everywhere from continuing to mandate Windows :-) (yes, I realize I'm being unfair :-)
This one is even stranger: "Remaining systems can only be exposed if the customer chooses to run an update to either Unified Server Configurator (USC) or 32-bit Diagnostics."
Eh? Why would that expose remaining systems? And why would this worm be run anyway? In other words, why is a worm on a Flash part on the mainboard being run? What other software is in that part that is also being run that we don't know about? This is very curious.
ron
It sounds very much like it could be a system similar to HP's iLO. I don't know any details, but it seems this is another computer in the server which is always running as long as the server is connected to the mains. It has another network card and IP address and you can connect to it with a web browser and turn the power supply on/off, provide boot media over the network/internet, and use it a bit like VNC, remote screen keyboard and mouse for installing an operating system remotely. Some of these features are paid for extras where you have to enter a serial number to use them on your own server!
Something like this obviously has to have pretty good access to the main computer. Even if the Dell computer 'code on flash on the motherboard which we're not going to call firmware' isn't anything like iLO, this is another place for firmware based viruses to hide.
On 22.07.2010 08:29, ron minnich wrote:
> Wow, top hit on google. But I'm confused.
> http://www.infoworld.com/t/malware/dells-response-motherboard-malware-causes...
> "The W32.Spybot worm was discovered in flash storage on the motherboard during Dell testing. The malware does not reside in the firmware."
> Er, um, the firmware is in Flash I thought. OK, there's more than one Flash part I assume.
Yes. Admittedly the press doesn't know enough to get a clear picture across.
> OK, what's that mean? In the Flash, as in the Flash file system used by EFI? Why is there flash storage on the motherboard? As you can guess, getting some information out of Dell or the journalists is essentially impossible.
Board manufacturers noticed that NOR flash (for BIOS) is way too expensive and you can get 128 MB NAND flash for the price of 1 MB NOR flash (rough numbers). So they use small NOR flash which hosts the firmware and a small NAND controller driver. Once firmware has run, the NAND controller driver (which lives in NOR flash) is used to load a payload (e.g. Splashtop/whatever) from NAND. That NAND flash is essentially a USB flash drive soldered onboard, and it often is attached directly without USB.
Admittedly the explanation above is an educated guess. It could easily be worse.
> I like this one: "Systems running non-Microsoft Windows operating systems cannot be affected." Which won't stop IT departments everywhere from continuing to mandate Windows :-) (yes, I realize I'm being unfair :-)
> This one is even stranger: "Remaining systems can only be exposed if the customer chooses to run an update to either Unified Server Configurator (USC) or 32-bit Diagnostics."
> Eh? Why would that expose remaining systems? And why would this worm be run anyway? In other words, why is a worm on a Flash part on the mainboard being run? What other software is in that part that is also being run that we don't know about? This is very curious.
This is Dell. The company which blocks all attempts to reflash from userspace. You run a BIOS/whatever update by loading the image in memory, rebooting and waiting for the BIOS to use that image to reflash itself. Now if the in-BIOS (or in-NAND-flash) updater executes code in NAND flash which is infected with malware, you are royally screwed. Basically the only way to kill the malware (by updating the flash chip) is to execute the malware and hope for the best.
I'd like to summarize the situation with a soundbite for the press: "You're infected with HIV. Please take medication which will trigger a full AIDS outbreak because that medication has a chance to heal you."
Regards, Carl-Daniel
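As an added illustration (not code from this thread, from Dell, or from coreboot), here is a small Python model of the two-stage layout Carl-Daniel guesses at above, with the mitigation that the update story is missing: the stage in NOR measures the NAND payload and refuses to jump into it unless its digest is on an allowlist carried in NOR, and the reflash path accepts a RAM-staged image only after the same check, without ever executing code from the NAND it is replacing. The payload bytes, the allowlist and the `NorStage`/`flash_update` names are all constructed for this example; a real implementation would anchor the allowlist in a signed firmware image and record measurements in a TPM PCR rather than a Python string.

```python
"""Model of a NOR stage-1 that verifies a NAND-resident payload before running it.

Everything here is constructed for illustration: no real firmware images,
no real vendor formats. The point is the ordering: measure, record, verify,
and only then execute; and never run the old NAND contents to replace it.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# --- Constructed sample NAND contents (stand-ins, not real payloads) ---
GOOD_PAYLOAD = b"constructed NAND payload: pre-boot environment v1.0"
# A tampered copy: same payload with constructed extra bytes appended.
TAMPERED_PAYLOAD = GOOD_PAYLOAD + b" constructed foreign code appended"


def sha256_hex(data: bytes) -> str:
    """Digest used as the 'measurement' of a flash region."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class NorStage:
    """Stage-1 firmware living in the small NOR part.

    It carries the allowlist of payload digests it is willing to run. Changing
    that list requires reflashing NOR, so the list is the trust anchor for
    whatever sits in the larger, cheaper NAND part.
    """
    allowed_digests: FrozenSet[str]
    event_log: List[Tuple[str, str]] = field(default_factory=list)
    pcr: str = "0" * 64  # simulated measurement register, like a TPM PCR

    def extend(self, digest: str) -> None:
        """PCR-style extend: new = H(old || measured). One-way and order-dependent,
        so a tampered payload leaves a trace even if it is later allowed to run."""
        self.pcr = sha256_hex(bytes.fromhex(self.pcr) + bytes.fromhex(digest))

    def is_allowed(self, digest: str) -> bool:
        # Constant-time comparison against every pinned digest.
        return any(hmac.compare_digest(digest, d) for d in self.allowed_digests)

    def boot(self, nand: bytes) -> str:
        """Measure the NAND payload, record it, and run it only if allowlisted."""
        digest = sha256_hex(nand)
        self.event_log.append(("nand-payload-measured", digest))
        self.extend(digest)
        if not self.is_allowed(digest):
            self.event_log.append(("boot-halted", digest))
            return "halt: NAND payload not on allowlist"
        return self.run_payload(nand)

    @staticmethod
    def run_payload(nand: bytes) -> str:
        """Stand-in for jumping into the NAND-resident code."""
        return "running payload " + sha256_hex(nand)[:12]


def flash_update(nor: NorStage, staged_image: bytes) -> Optional[bytes]:
    """Updater path: the new image was staged in RAM before the reboot.

    The decision uses only the NOR-resident allowlist and the staged bytes.
    Nothing from the current NAND contents is executed, so an infected NAND
    cannot influence its own replacement. Returns the new NAND contents, or
    None if the staged image is rejected.
    """
    digest = sha256_hex(staged_image)
    if not nor.is_allowed(digest):
        nor.event_log.append(("update-rejected", digest))
        return None
    nor.event_log.append(("update-applied", digest))
    return staged_image


def simulate() -> dict:
    """Clean boot, tampered boot, then recovery by a verified RAM-staged reflash."""
    nor = NorStage(allowed_digests=frozenset({sha256_hex(GOOD_PAYLOAD)}))
    clean = nor.boot(GOOD_PAYLOAD)
    infected = nor.boot(TAMPERED_PAYLOAD)          # refused, but still recorded
    rejected = flash_update(nor, TAMPERED_PAYLOAD)  # a tampered update is refused
    new_nand = flash_update(nor, GOOD_PAYLOAD)      # a known-good image is accepted
    recovered = nor.boot(new_nand) if new_nand is not None else "no image"
    return {
        "clean": clean,
        "infected": infected,
        "update_rejected": rejected is None,
        "recovered": recovered,
        "log": nor.event_log,
        "pcr": nor.pcr,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The event log and the PCR value are the detection side: even when a payload is refused, its digest is recorded, so an administrator (or a remote attestation check reading the real PCR) can tell that the NAND held something unexpected rather than only seeing a machine that fails to boot.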