Found, a new rootkit

Mike McCarty Mike.McCarty at sbcglobal.net
Wed Apr 12 19:22:48 UTC 2006


Tim wrote:
> 
> This is a "wake" as in turn on again, no matter what the system state
> was (e.g. could be sleep, or soft off).  And, in this case, it's a
> function of the motherboard.  You don't even need any system software,
> it's done by BIOS (you could remove the hard drive), and you'd get the
> turned off systemboard come to life if your modem (or any other IRQ you
> picked upon in your BIOS power management settings) triggered a wake up
> event.

Hmm. In that case Joanne's comment is apropos. It may or may not
have anything to do with interrupts.

> NB:  This is different from the ring indicator in the RS-232 line.
> That's yet another event that can be used.
> 
> You can wake up the motherboard through the BIOS, which will *then* boot
> up the system (if it can).  Or, you can have a halted OS that unhalts
> when a wake up event happens, so your OS handles it instead of the BIOS.

Sounds like a reasonably complicated I/F which is likely to conceal
defects. Too many fingers in the pie.

> All in all, that goes back to the idea that if your serial port has an
> IRQ associated with it, which they can (*) do.  Any activity on the port
> generates an IRQ (regardless of whether you've got software paying
> attention to the serial port).  Such IRQs are important events that the

Any enabled IRQ. Normally, the chipsets emulate the old 16550 chip,
which allows separate enables on Transmit Empty, Receive Full, and
Control Line Change (CTS, etc.).

> CPU pays attention to.  Now, if you haven't got software configured to
> do something with the event, it doesn't go and do anything.  But the CPU
> has been interrupted to check whether it should.

In any case, perhaps the BIOS can enable interrupts. I proposed that
we try an experiment. Since I'm more interested in Truth than in
Being Right, what do you say I build you a bootable floppy image with
an interrupt capture program I wrote several years ago, and we'll
try it out?

> Want some IRQ fun?  Give someone a PS/2 mouse with an intermittent break
> in the lead.  Nudging the cable sends a mass of IRQs thanks to the PS/2
> port, which can bring Win98 to its knees for no obvious reason
> (especially if the mouse still appears to work).  ;-)
> 
> * On boards like this, you *can* preset IRQs and addresses for a COM
> port to use, much the same as jumpers on ye olde systems.  You set them
> for plug and play, where the OS will configure them (or not).  Or you

I'm aware of this, but thanks for the info, anyway.

[snip]

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
More information about the fedora-list mailing list