- OT: An attempt to learn from a malicious attack by an internet cracker.
- Posted by lavron@altavista.com on March 26th, 2006
Recently, an internet cracker managed to break through my computer
defenses and introduced into it a contamination which prevented the
operating system from booting. Furthermore, the intruder also altered
the CMOS storage in a manner which prevented me from reinstalling
either Windows-XP or Windows-98. Only after resetting the CMOS
storage could I successfully reinstall both operating systems.
I hope that someone here can answer the following questions:
1. Which fields in the CMOS storage are the Windows installers
referring to?
2. What is the raison d'être for the existence of these fields, i.e.,
what is their legitimate purpose?
3. What are the alternative settings in these fields, and what does
each setting mean?
Well, I managed to recover from this malicious attack, and, hopefully,
I will be able to learn something from it.
Thanks in advance.
- Posted by Alexei A. Frounze on March 26th, 2006
lavron@altavista.com wrote:
alt.os.development isn't the right group to ask. Anyway, I think the disk
types and CMOS checksum could be damaged and prevent your computer from
working correctly. I'm aware of a virus that exploited not only a security
hole in Windows 98 but also fdisk.exe logic in such a way that fdisk.exe
would not correct the disk's Master Boot Record if the latter had certain
information in it. The virus modified the MBR in such a way that fdisk.exe
would say everything's OK in the MBR while it wasn't, and the MBR was left in
an unbootable state. Zeroing out the MBR before another round of disk
partitioning and formatting helped.
Alex
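Alex's description (fdisk reporting a healthy MBR while the boot code had been altered, fixed only by zeroing the sector) is easier to reason about with a small structural check. The following is an added example, not code from this thread or from any poster: it parses a 512-byte MBR image, checks the 0x55AA signature and partition-table sanity (status bytes, zero-length entries, overlaps), and compares the 446-byte boot-code region against a SHA-256 baseline recorded while the disk was known good, which catches exactly the kind of boot-code edit a partition-table-only tool would miss. The sample MBR images, the two-byte boot stub, and the function names are all constructed for the example.

```python
"""Sanity-check a 512-byte Master Boot Record image.

Example code added for this thread; not from any poster. It works on a raw
MBR image (first sector of a disk dump); the images below are constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sectors


def parse_partitions(mbr: bytes) -> list[dict]:
    """Decode the four partition-table entries (CHS fields are left raw)."""
    entries = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def validate_mbr(mbr: bytes) -> list[str]:
    """Return human-readable problems; an empty list means the table looks sane."""
    if len(mbr) != MBR_SIZE:
        return [f"wrong size {len(mbr)}, expected {MBR_SIZE}"]
    problems = []
    if mbr[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    used, bootable = [], 0
    for idx, p in enumerate(parse_partitions(mbr)):
        if p["status"] not in (0x00, 0x80):
            problems.append(f"entry {idx}: invalid status byte 0x{p['status']:02x}")
        if p["status"] == 0x80:
            bootable += 1
        if p["type"] == 0:
            continue                       # empty slot
        if p["sectors"] == 0:
            problems.append(f"entry {idx}: type 0x{p['type']:02x} with zero length")
            continue
        used.append((idx, p["lba_start"], p["lba_start"] + p["sectors"]))
    if bootable > 1:
        problems.append(f"{bootable} partitions flagged bootable")
    for a, a_start, a_end in used:         # pairwise overlap check
        for b, b_start, b_end in used:
            if a < b and a_start < b_end and b_start < a_end:
                problems.append(f"entries {a} and {b} overlap")
    return problems


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; partition edits do not change it."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def audit(mbr: bytes, baseline: str) -> list[str]:
    """Structural checks plus a boot-code integrity check against a baseline."""
    findings = validate_mbr(mbr)
    if boot_code_hash(mbr) != baseline:
        findings.append("boot code differs from recorded baseline")
    return findings


def build_mbr(boot_code: bytes, parts: list[tuple]) -> bytes:
    """Assemble a constructed MBR from boot code and (status, type, lba, sectors)."""
    img = bytearray(MBR_SIZE)
    img[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, sectors) in enumerate(parts):
        struct.pack_into(ENTRY_FMT, img, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, sectors)
    img[510:512] = BOOT_SIGNATURE
    return bytes(img)


# Constructed "known-good" MBR: a two-byte jmp-to-self stub and two partitions.
GOOD_MBR = build_mbr(b"\xeb\xfe", [(0x80, 0x07, 63, 1000), (0x00, 0x83, 2048, 4096)])
BASELINE_HASH = boot_code_hash(GOOD_MBR)   # record this while the disk is clean

# Constructed tampered copy: boot stub patched, partition 2 moved to overlap 1.
_t = bytearray(GOOD_MBR)
_t[0] = 0x90
struct.pack_into("<I", _t, PART_TABLE_OFF + PART_ENTRY_LEN + 8, 500)
TAMPERED_MBR = bytes(_t)

if __name__ == "__main__":
    print("good:", audit(GOOD_MBR, BASELINE_HASH))
    print("tampered:", audit(TAMPERED_MBR, BASELINE_HASH))
```

Read the first sector of the disk image into `mbr` and call `audit(mbr, baseline)`; the baseline hash has to be taken from a copy you trust, since a freshly zeroed and re-partitioned MBR is the only clean reference once the sector has been tampered with.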
- Posted by Nicholas Sherlock on March 26th, 2006
lavron@altavista.com wrote:
How do you know that it was an external attack which caused this problem?
Cheers,
Nicholas Sherlock
--
http://www.sherlocksoftware.org
- Posted by CJ on March 26th, 2006
lavron@altavista.com wrote:
Sure it wasn't just a failed CMOS battery?
CJ
- Posted by lavron@altavista.com on March 26th, 2006
Alexei A. Frounze wrote:
Since I was concerned about this point I marked the posting OT.
I chose alt.os.development because of the high level of know-how in the
discussions posted in this newsgroup. Hoping for good information I am
happy with your response and your explanation below. Thank you very
much.
- Posted by lavron@altavista.com on March 26th, 2006
CJ wrote:
The same CMOS battery is still working now without any problems.
- Posted by lavron@altavista.com on March 26th, 2006
Nicholas Sherlock wrote:
What would you consider as alternative causes? I am willing to look
into any suggestion that you might have and consider it in light of my
experience with this situation.
I have already posted my response to a suggestion that it might be a
battery failure.
- Posted by Nicholas Sherlock on March 26th, 2006
lavron@altavista.com wrote:
In situations like these, if you're not too paranoid, it's best to go
with "Never attribute to malice that which can be adequately explained
by stupidity". How do you know that your computer didn't just.. break?
Power spike? Why would someone attack your computer like that? Do you
have a firewall? Antivirus?
Cheers,
Nicholas Sherlock
--
http://www.sherlocksoftware.org
- Posted by Jason on March 26th, 2006
* Jim Watt <jimwatt@aol.no_way>:
Jim, it's been nice and quiet here lately; we've actually had discussions
regarding computer security. Don't you go and jinx it now.
Jason
- Posted by lavron@altavista.com on March 26th, 2006
Nicholas Sherlock wrote:
Well, Nicholas, I was expecting stronger arguments than these. Anyway,
let me answer your points one by one:
1. "... if you're not too paranoid ..."
Nowadays, one does not need to be paranoid to be concerned about
crackers' attacks, not when the firewall reports a torrent of intrusion
attempts, many from the same URLs attempting time and again for 20, 30,
40 times and more to break through. Nevertheless, I spent plenty of
time studying and analyzing the situation with as much equanimity as I
could muster.
2. "How do you know that your computer didn't just.. break?"
The computer did not break down. It is running now and it was running
all along throughout the crisis while I was thoroughly testing,
analyzing and investigating the problem.
3. "Power spike?"
The power for the computer is provided by a UPS which also provides
clean power.
4. "Why would someone attack your computer like that?"
Trying to look into the mindset of a cracker is not easy, but I would
think that a person who is willing to invest an untold number of
person-hours in an effort to break into other people's computers would
derive a lot of satisfaction from each success. From the point of view
of the cracker, there is a good reason to be very proud of the
brilliant execution of such a powerful attack as the one discussed
here.
5. "Do you have a firewall? Antivirus?"
I have already answered this question in item 1 above. Anyway, this
very question of yours suggests the possibility of an attack by an
intruder.
Finally, I would like to point out that my original questions were
about the CMOS fields tested by the Windows' installers. I hope that
you have some information for me answering these questions.
- Posted by xpyttl on March 26th, 2006
"Jim Watt" <jimwatt@aol.no_way> wrote in message
news:0kgd22hb5glatts4a9vt7msp6dcjg6g7vg@4ax.com...
Not just "not unknown", but fairly common. Certainly more common than an
external attack changing CMOS.
If the battery is more than a year old, replace it anyway. To reasonably
measure the voltage on the battery you need a load -- just grabbing a
voltmeter won't do it.
It does happen that occasionally the CMOS memory will change without
explanation. Uncommon, but it does happen at a measurable rate. There are
just too many easier ways to cause trouble than messing with the CMOS, so
the script kiddies normally don't play with it.
Or even a cat. Still more likely than an external attack for the cat to
walk on the keyboard and change the settings.
But you do have a clue there ... if the checksum was wrong, the CMOS was
changed by a voltage excursion or other hardware misoperation rather than
programmatically.
So go back to square one. REPLACE THE BATTERY. Then wait. If it happens
again within a couple of years replace the mobo. If it happens after a
couple of years, it's time to upgrade the box anyway.
...
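xpyttl's argument (and Alex's earlier mention of the CMOS checksum) turns on one detail: a BIOS setup program, or any writer that knows the layout, rewrites the checksum after changing a field, whereas a voltage excursion or a flipped bit does not. The block below is an added example, not from the thread or any poster. It verifies the classic IBM PC/AT checksum over bytes 0x10..0x2D of a 64-byte CMOS image (stored big-endian at 0x2E..0x2F), lists which bytes changed between two snapshots, and classifies the change as "consistent" (fields and checksum updated together) or "corrupt" (checksum no longer matches). The 64-byte images, the disk-type values and the function names are constructed; the offsets are those of the original AT map, and vendor BIOSes extend and rearrange the map beyond it, so treat other offsets as opaque.

```python
"""Check the standard PC/AT CMOS checksum over a 64-byte CMOS image.

Example code added for this thread; not from any poster. Offsets follow the
original IBM PC/AT CMOS map (assumption: your BIOS keeps that part intact):
bytes 0x10..0x2D are covered by a 16-bit sum stored big-endian at 0x2E..0x2F.
The images below are constructed, not dumped from real hardware.
"""

CMOS_SIZE = 64
SUM_RANGE = range(0x10, 0x2E)        # 0x10..0x2D inclusive are summed
SUM_HI, SUM_LO = 0x2E, 0x2F          # stored checksum: high byte, then low byte
FLOPPY_TYPES = 0x12                  # high nibble drive A type, low nibble drive B
HDD_TYPE_C, HDD_TYPE_D = 0x19, 0x1A  # extended hard-disk type bytes


def compute_checksum(img: bytes) -> int:
    """16-bit arithmetic sum of the covered region, as the AT BIOS computes it."""
    return sum(img[i] for i in SUM_RANGE) & 0xFFFF


def stored_checksum(img: bytes) -> int:
    return (img[SUM_HI] << 8) | img[SUM_LO]


def checksum_ok(img: bytes) -> bool:
    return compute_checksum(img) == stored_checksum(img)


def seal(img: bytes) -> bytes:
    """Return a copy whose stored checksum matches its fields (what setup does)."""
    out = bytearray(img)
    cs = compute_checksum(out)
    out[SUM_HI], out[SUM_LO] = cs >> 8, cs & 0xFF
    return bytes(out)


def changed_bytes(before: bytes, after: bytes) -> list[tuple[int, int, int]]:
    """(offset, old, new) for every byte that differs between two snapshots."""
    return [(i, before[i], after[i]) for i in range(CMOS_SIZE) if before[i] != after[i]]


def classify_change(before: bytes, after: bytes) -> str:
    """Apply the thread's heuristic to a pair of snapshots.

    'consistent': fields and checksum were updated together, as BIOS setup or
    any checksum-aware writer does it. 'corrupt': bytes changed but the checksum
    did not follow, which is what a bit flip or voltage excursion leaves behind.
    Limit of the heuristic: software that knows the layout can also re-seal, so
    'consistent' only shows the writer knew about the checksum, not who it was.
    """
    if not changed_bytes(before, after):
        return "unchanged"
    return "consistent" if checksum_ok(after) else "corrupt"


# Constructed baseline: 1.44 MB drive A (type 4), user-defined (type 47) disk C.
_base = bytearray(CMOS_SIZE)
_base[FLOPPY_TYPES] = 0x40
_base[HDD_TYPE_C] = 0x2F
BASELINE = seal(bytes(_base))

# Scenario 1: setup clears the hard-disk type and re-seals the checksum.
_recfg = bytearray(BASELINE)
_recfg[HDD_TYPE_C] = 0x00
RECONFIGURED = seal(bytes(_recfg))

# Scenario 2: one bit flips in the same byte and nothing updates the checksum.
_flip = bytearray(BASELINE)
_flip[HDD_TYPE_C] ^= 0x08
FLIPPED = bytes(_flip)

if __name__ == "__main__":
    for name, snap in (("reconfigured", RECONFIGURED), ("flipped", FLIPPED)):
        print(name, classify_change(BASELINE, snap), changed_bytes(BASELINE, snap))
```

To use it on a real machine, take a 64-byte dump of the CMOS while the box is known good and keep it with the date; after an incident, dump again and feed both to `changed_bytes` and `classify_change`. Which bytes moved (disk types at 0x19/0x1A, floppy types at 0x12) is usually more informative than the verdict itself.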
- Posted by lavron@altavista.com on March 26th, 2006
Jim Watt wrote:
The problem with the CMOS storage was in effect for more than a week
until I finally did reset it. Could it be that the battery power would
drop for so long and then miraculously recover and maintain its
strength for even longer? Besides, it was not only the CMOS which had
the problem; the boot code in the hard drive too was also involved. How
could loss of power in the battery have an impact on the code on the
hard drive? Furthermore, the alteration of the boot code on the hard
drive was very precise - too precise to be caused by a random event.
Anyway, your suggestion to measure the voltage on the battery is a good
one. Thanks.
- Posted by Nicholas Sherlock on March 27th, 2006
lavron@altavista.com wrote:
While it is possible for programs to write to the CMOS, the problems
that you describe could just have come from a hardware fault.
Windows doesn't explicitly do anything with or to the CMOS (It couldn't
even if it wanted to, AFAICS there is no defined layout or format for
the CMOS), but as the CMOS affects settings for your computer in
general, it could affect the running of the installer.
How do you suppose that a cracker executed malicious code into your
computer when you are running a properly configured firewall? Are you
opening any servers to the internet?
Cheers,
Nicholas Sherlock
--
http://www.sherlocksoftware.org
- Posted by T933191278@terra.es on March 27th, 2006
It is not documented, but perhaps it's possible to install a boot program
(or a virus) in the CMOS. Did you try to restore the CMOS defaults before
resetting the CMOS?
- Posted by Nicholas Sherlock on March 27th, 2006
T933191278@terra.es wrote:
No. The CMOS is just storage space for settings. Code doesn't get
executed from there.
Cheers,
Nicholas Sherlock
--
http://www.sherlocksoftware.org
- Posted by lavron@altavista.com on March 27th, 2006
Nicholas Sherlock wrote:
On one hand, Nicholas, you agree that "it is possible for programs to
write to [and read from] the CMOS" and on the other hand you claim that
Windows could not do anything with the CMOS even if it wanted to. How
do these two statements of yours sit together?
Not formally published, but the book "The Undocumented PC" provides
plenty of detailed data and layouts.
The goal of any ideally absolute security system, computer or
otherwise, is to achieve zero restrictions on the legitimate user and
zero accessibility to the intruder. Such an ideal goal is not
achievable any more than attempts to reach the temperature of absolute
zero. Some restrictions on the legitimate user must be implemented
(e.g., the need for a password or any other access identity), and there
is no way to keep the intruder completely out. While the ideal goal is
not achievable, it can be approached asymptotically. The further down
the asymptote the better the security. But it still leaves small
accessibility to the intruder, and the determined ones explore it and
try to take advantage of it.
For some duration in my past I was employed as a data security officer
in a major bank, and reports about security violations from all over
the world were passing through my desk. The resourcefulness of the
perpetrators was amazing. You had better keep in mind that no matter
how smart you think you are, somebody out there is trying hard to
outsmart you; and no matter how good your security system is, someone
out there is trying to find its Achilles' heel.
- Posted by lavron@altavista.com on March 27th, 2006
Jim Watt wrote:
You are entitled to your opinion, but in my opinion the chance of
things happening along your line of thoughts is much smaller than the
chance of winning a big lottery jackpot.
But all this is irrelevant. My questions were about the CMOS fields
tested by the Windows' installers. If you have any information that
would provide answers to these questions I would be happy to continue
this discussion.
- Posted by Nicholas Sherlock on March 27th, 2006
lavron@altavista.com wrote:
Windows could read and write from the CMOS, no problem (I can't think of
a reason why it would want to. If Windows wanted to know anything, it'd
ask the BIOS). The problem is that the CMOS's contents are nonsense,
AFAIK there is no defined format for the CMOS. Perhaps I am wrong, but I
can't find anything definitive on the 'net.
And what would Windows gain by relying on these undocumented values??
They're just system settings. If system settings are screwed up, your
computer will run screwed up. No magic involved.
So are you opening servers to the Internet, or not?
Cheers,
Nicholas Sherlock
--
http://www.sherlocksoftware.org
- Posted by lavron@altavista.com on March 27th, 2006
Nicholas Sherlock wrote:
Windows, the operating system, apparently does not refer to the CMOS
storage - it worked well even during the problem. However, the Windows
installers apparently do refer to the CMOS storage - they refused to
install Windows during the problem but worked well after the CMOS
storage was reset.
Assuming that I correctly understand your question, my answer is: No.