As used herein a “threat” comprises malicious software, also known as “malware” or “pestware”, which comprises software that is included or inserted in a part of a processing system or processing systems for a harmful purpose. The term threat should be read to comprise possible, potential and actual threats. Types of malware can comprise, but are not limited to, malicious libraries, viruses, worms, Trojans, adware, malicious active content and denial of service attacks. In the case of invasion of privacy for the purposes of fraud or theft of identity, malicious software that passively observes the use of a computer is known as “spyware”.
An entity can comprise, but is not limited to, a file, an object, a class, a collection of grouped data, a library, a variable, a process, and/or a device.
Flash memory is a form of EEPROM (Electrically Erasable Programmable Read-Only Memory) that allows multiple locations of memory to be erased or written in one programming operation. Examples of components of a processing system which utilise Flash memory comprise the System BIOS, Video card firmware, and Optical storage firmware.
System BIOS (Basic Input/Output System) is a set of routines stored in read-only/flash memory that enable a computer to start the operating system and to communicate with the various devices in the system, such as disk drives, keyboard, monitor, printer, and communications ports.
Firmware is software that is embedded in a hardware device of the processing system. Hardware devices which comprise firmware are referred to throughout the specification as firmware devices. Firmware is often provided on Flash ROMs or as a binary image file that can be uploaded onto existing hardware. An example of firmware is the BIOS of a processing system.
A cryptographic hash function is a mathematical function that maps values from a large (or even very large) domain into a smaller range, and is a one-way function in that it is computationally infeasible to find any input which maps to any pre-specified output. Furthermore, the function is collision-free in that it is computationally infeasible to find any two distinct inputs which map to the same output.
A checksum is a digit representing the sum of the digits in an instance of digital data. The checksum can be used to check whether errors have occurred in transmission or storage.
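The practical difference between the two definitions above shows up when a firmware image is compared against a known-good copy. The following is an added example, not part of the original specification: the image is a constructed byte string, the 8-bit additive checksum is one assumed simple form, SHA-256 stands in for the cryptographic hash, and the block size and function names are illustrative.

```python
import hashlib

BLOCK = 4096  # assumed block size, used only to localise a change


def additive_checksum(data):
    """8-bit sum of all bytes (assumed simple checksum form)."""
    return sum(data) & 0xFF


def block_digests(image, block=BLOCK):
    """SHA-256 digest of each fixed-size block of the image."""
    return [hashlib.sha256(image[off:off + block]).hexdigest()
            for off in range(0, len(image), block)]


def changed_blocks(baseline, candidate, block=BLOCK):
    """Offsets of blocks whose digest differs from the baseline."""
    a = block_digests(baseline, block)
    b = block_digests(candidate, block)
    n = max(len(a), len(b))
    a += [None] * (n - len(a))  # pad so a length change is reported too
    b += [None] * (n - len(b))
    return [i * block for i in range(n) if a[i] != b[i]]


def sample_image():
    """Constructed 16 KiB stand-in for a firmware image (not a real dump)."""
    return bytes((i * 7 + 3) & 0xFF for i in range(4 * BLOCK))


def swap_bytes(image, i, j):
    """Copy of image with bytes i and j exchanged; the byte sum is unchanged."""
    buf = bytearray(image)
    buf[i], buf[j] = buf[j], buf[i]
    return bytes(buf)


if __name__ == "__main__":
    base = sample_image()
    altered = swap_bytes(base, 5000, 5001)
    # The additive checksum is identical although the content differs.
    print("checksum equal:", additive_checksum(base) == additive_checksum(altered))
    # The per-block digests expose the change and where it sits.
    print("changed block offsets:", changed_blocks(base, altered))
```

The checksum still serves its stated purpose of catching transmission or storage errors; the per-block digests are what distinguish a modified image from the baseline.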
Disassembly, in computer programming, is the result when machine code is translated back into assembly language. The term can also refer to the process of creating the disassembly, i.e. using and interacting with a disassembler.
A System Administrator is a person in charge of managing and maintaining a computer system.
In a networked information or data communications system, a user has access to one or more terminals which are capable of requesting and/or receiving information or data from local or remote information sources. In such a communications system, a terminal may be a type of processing system, computer or computerised device, personal computer (PC), mobile, cellular or satellite telephone, mobile data terminal, portable computer, Personal Digital Assistant (PDA), pager, thin client, or any other similar type of digital electronic device. The capability of such a terminal to request and/or receive information or data can be provided by software, hardware and/or firmware. A terminal may comprise or be associated with other devices, for example a local data storage device such as a hard disk drive or solid state drive. A terminal is broadly herein referred to as a processing system.
An information source can comprise a server, or any type of terminal, that may be associated with one or more storage devices that are able to store information or data, for example in one or more databases residing on a storage device. The exchange of information (i.e. the request and/or receipt of information or data) between a terminal and an information source, or other terminal(s), is facilitated by a communication means. The communication means can be realised by physical cables, for example a metallic cable such as a telephone line, semi-conducting cables, electromagnetic signals, for example radio-frequency signals or infra-red signals, optical fibre cables, satellite links or any other such medium or combination thereof connected to a network infrastructure.
Current malware scanning engines scan the file system of a processing system (i.e. the hard drive of the processing system) and input storage mediums (such as a Compact Disk or Floppy Disk) which can be read by input devices of the processing system (such as a Compact Disk Drive or a Floppy Disk Drive).
Due to current malware scanning practices, authors of malware have been seeking alternate methods to infect a processing system with malware which may not be easily detected. One such alternate method is to modify the firmware of one or more EEPROM devices of the processing system. As EEPROM devices are generally used prior to the processing system booting to an operating system, malware that modifies an EEPROM device can affect low-level functionality of the processing system.
Furthermore, if a user suspects that the firmware of an EEPROM device has been altered by malware, the user must delete the modified firmware from the EEPROM device and reinstall the correct firmware. The reinstallation process of an EEPROM device generally requires the user to have a detailed knowledge of the specific EEPROM device. If the user, for example, attempts to reinstall the incorrect firmware for a BIOS of a processing system, the BIOS chip or the motherboard can be rendered useless, thus requiring the user to purchase a new BIOS chip or motherboard for the processing system.
Therefore, there exists a need for a method, system, computer readable medium of instructions, and/or a computer program product to scan firmware of a processing system for malware which addresses or at least ameliorates problems inherent in the prior art.
There also exists a need for a method, system, computer readable medium of instructions, and/or a computer program product to repair firmware which has been damaged by malware which addresses or at least ameliorates problems inherent in the prior art.
The reference in this specification to any prior publication (or information derived from it), or to any matter which is known, is not, and should not be taken as an acknowledgment or admission or any form of suggestion that that prior publication (or information derived from it) or known matter forms part of the common general knowledge in the field of endeavour to which this specification relates.