Bios level malware

posted Mar 23rd 2009 11:10am by
filed under: security hacks


“Reformat it”. That’s pretty much our default answer when someone calls us complaining of malware and viruses. Though many can be removed, it can sometimes be quicker and less frustrating just to reformat. Some of us even have specific ways that we organize all of our files just to make the quarterly reformat go smoother. Unfortunately, reformatting may no longer be the absolute cure. Researchers have developed a piece of malware that infects the BIOS. It is unaffected by reformatting or flashing. This means that it is also OS independent. They tested it on Windows and OpenBSD as well as a machine running VMware Player. This is a grim sign for the future.

[via ZDNet.com]



83 Responses to Bios level malware

  • Sam Switzer says:

    so basically the good guys went “HAY BAD GUYS! LOOK WE GOT A NEW TOY FOR YOU!!!” Good going.

  • grizball says:

    @ sam switzer: yeah, wtf are they thinking?!!!

  • Jon Kelly says:

    @sam switzer
    Or, more likely, someone who would use this in an attack already has the skill to do so, or is working on it. This being brought to light means we can start working on a solution now, which I’m sure anyone here can agree, is better than later.

  • Kevin says:

    Intel has known since 2005, and the bug supposedly goes back to the 386. Networkworld had a few articles about it.

  • Stan Stevey says:

    I don’t understand why motherboards do not have a flash protect jumper; that would solve this problem completely. I suppose you could just cut the write pin to the flash chip.

  • BigD145 says:

    Cut the flash pin and install a manual switch.

  • TALR says:

    I’ve been expecting this day to come.

  • Sean says:

    Back to the days when you had to pry the EPROMS out of the sockets to do a BIOS upgrade.

  • TALR says:

    btw, what the heck is with the 403 when U click the link??

  • belthesar says:

    While BIOS systems are vulnerable, anything running an EFI should be fine, right? Or is this attack targeting EFI-based systems as well?

  • Zengar says:

    @stan stevey
    A flash protect jumper I could see, but not cutting the write pin. Motherboards get to the system integrators several BIOS revisions out of date, and there are situations where even after the computer has gone out to the end user one would want to do an update. Some on-board RAID controllers I’ve encountered, for example, can potentially get fouled up enough to need a BIOS update/reset to get back to functional. (Needless to say, we stopped using that board.)

    On topic: I’ve been worried about this for years, the only good point I see is that while it isn’t _OS_ specific, it _is_ hardware specific.

  • Sam Switzer says:

    just was looking over the notes, it sounds like the whole “is there after a BIOS flash” is only if you do the flash through windows or immediately reboot after the flash. The logical solution would be to disconnect the hard drive and flash using a floppy. Major security flaw? Sounds more like a way to get attention.

  • cptfalcon says:

    @sam, this may be a bit of the chicken or the egg problem. However, many times people are not concerned or even aware of a risk unless there is a big red flag waving in their face demonstrating it as a threat. Take for instance SCADA systems…

  • Heath Jones says:

    ‘in order to execute the attacks, you need either root privileges or physical access to the machine’

    Why do these ever-so-tiny caveats NEVER get mentioned in the blurb on this site ??

    What was hackaday is now ‘misrepresented and even slightly exaggerated a day’. If you’re reading this, guys, then PLEASE PLEASE PLEASE change the way the content is presented here. It used to be really good and worthwhile visiting this site, but the quality and facts are dwindling away!

    The last one i looked at was the SSL ‘vulnerability’ – that had NOTHING to do with ssl, but rather removing an ‘s’ from links in a plaintext page.

  • numa says:

    I guess everyone has forgotten about the Chernobyl virus (see http://en.wikipedia.org/wiki/CIH_virus)?

    Let me rename this article to “researchers discover 10 year old viral exploit which the dumbed down alleged tech media broadcasts as ‘news’”.

  • GD says:

    Hi Stan,
    some mobos have a BIOS protection jumper on them, although I recognize it’s not a very common feature, is sometimes mostly undocumented, and is seldom used by the user.
    Look here http://tinyurl.com/cub99v [ECS P6VXM2] and here http://tinyurl.com/d2xz5x [Gateway support].
    It seems to me that it will become one important feature to look for in a mobo from now on…
    Anyway, malicious BIOS corruption is not entirely new: I recall that back in the ’90s the CIH used to do that on specific pieces of hardware.

  • Mike says:

    ‘in order to execute the attacks, you need either root privileges or physical access to the machine’ Should add: OR be able to trick someone who has them into running it. Well secured machines with careful and knowledgeable admins should not have a problem, but the “other people” who click here to see the latest photo, or worry because the email said they might be at risk, the ones who connect to your machine after looking at the picture and installing the special viewer ARE.

  • misha says:

    I’m sure ms windows/symantec/mcafee will have a $40/yr “protection” to sell you for this so you can use the computer you already paid for.

  • Hackius says:

    I remember removing the CIH virus from a lot of systems some time ago. This isn’t new and it isn’t hard to remove it except on laptops. Laptops are screwed.

  • vec7or says:

    I don’t see any serious problems here – it’s not like you can access the flash THAT easily; on top of that, as far as I remember, motherboards halt at a prompt if any access to the flash is attempted, and if not, it’s not hard to make them behave that way.
    Plus it’s hard to make the exploit work on MOST machines, as there are a lot of BIOS versions and hardware. (Though it’s just an educated guess, I’m not a BIOS developer.)
    As a specific exploit for a specific machine, carefully planned and executed, it’s very dangerous, but it is mitigated by a hot air gun, programmer and soldering iron, although I must admit removing this for the average Joe will become rather hard.

  • Jonathan says:

    IIRC the CIH/Chernobyl virus did something similar to this over a decade ago, although it wasn’t platform independent (PE format on Windows 9x & NTx I believe).

    Of course, the obvious solutions are:

    • Use an EFI based machine
    • don’t grant suspicious applications root access.

  • Tatsh says:

    This could have been done years ago and I am sure it already has (the concept, not an actual out-in-the-wild virus).

    What is not necessarily easy is infecting EVERY PC. Every motherboard handles BIOS flashing differently. Call this a virus or trojan: I modify HP’s firmware file to have the correct header but garbage elsewhere. I package this into a self-extracting and self-running archive. It flashes upon extraction without question. User has no idea as the computer has not restarted and it was all done silently. All the while, the installer for the software the user was looking for runs and the user thinks everything is fine.

    To make it more fancy, have a script or app check the manufacturer of the motherboard or manufacturer of the PC and have each flasher ready and compressed well into the archive (RK or 7-zip would work good).

    Even though Vista has UAC, many ‘power users’ disable it and others have no idea and just click Continue and/or type in their password not knowing. On XP and lesser, there’s virtually no control after the program is launched. The computer will be bricked in probably less than 30 seconds.

    I guess antivirus scanners should check for ‘BIOS modification code’ too now. Lucky for me, I use Linux.

  • -hero says:

    solution:
    shut down machine
    lock self in closet
    communicate via morse encoder

    -hero

  • Mike says:

    The first thing I thought of when I read this was CIH. I remember encountering that a LONG time ago. It’s great that so many people already mentioned it, or I might have thought that I had remembered it wrong. (I had to reflash the bios to get the machine working again)

  • andre says:

    hmm.. combine the bios hack with compromised routers and this could be very bad news. In fact one could use the other to propagate.

    It’s also possible to read back the existing BIOS with settings and append the attack code (able to infect any removable drives/HDD/CDRW firmware/router/etc) and reflash. You might never know you were infected until you go to change the boot order and nothing changes upon a reboot…

  • nomad says:

    Agree with mike, numa and others…virus attacks on the BIOS are old. I found one back in the late 90s. This is one reason manufacturers have been trying to get rid of the BIOS, besides other performance related issues.

  • Journeyman says:

    @Tatsh

    >Lucky for me, I use Linux.

    Did you forget the part that said it infected openBSD as well? I am sure it would have no issues with linux.

  • Wwhat says:

    10 years ago? Try 20, BIOS viruses are the oldest ones around, that’s why all BIOS have a setting to protect them and a warning if it changes, and gigabyte has their double BIOS chip, because at one time half the computers in china were infected.

    Next someone is going to discover rootblock viruses, and a round thing called the wheel I expect.

    Well at least the guy in the picture looks like he’s in the 1970s :)

  • tr0nk says:

    > gigabyte has their double BIOS chip, because at one time half the computers in china were infected

    might also be because the writer of CIH works for them now http://en.wikipedia.org/wiki/Chen_Ing_Hau#cite_note-udn-0

  • tr0nk says:

    sorry for 2x post but:

    @sam switzer:
    > so basically the good guys went “HAY BAD GUYS! LOOK WE GOT A NEW TOY FOR YOU!!!” Good going.

    that’s a very proprietary attitude that seems very inappropriate for a /hacking/ website

  • Louis II says:

    I hate to be a party pooper to the main article, but we’ve already seen something like this back in 1998:
    Win23.CIH (chernobyl virus)
    Many people I knew (including myself) all got the virus on our desktops. It was also a self mutating and space filling variant at different points. Thankfully none of us had the BIOS vulnerable systems, but a local computer shop had said that about 1 in 10 of the computers that came in had overwritten BIOS which they were desperately trying to figure out how to fix without replacing the BIOS chip. They also mentioned that they had stopped accepting computers due to the CIH overfilling their repair queue (and they were a good fast shop, too.)

    Anyway… more info:
    http://www.sss.ca/sensible/home.nsf/0/b38ce400451b727a8525689300571e5b?OpenDocument
    Or just search the intarwebs!

  • Louis II says:

    Also:
    The CIH virus only affects FAT file systems.
    This could mean that any machine running XP on FAT32, rather than NTFS, might be at risk to CIH.

  • Tatsh says:

    @Journeyman
    >Did you forget the part that said it infected openBSD as well? I am sure it would have no issues with linux.

    BSD and Linux and all other Unix-like OS’s are secure as in, you need root privileges to do anything directly with the kernel or special groups, runlevels, etc. By default, you are not given root privileges, unlike Windows (even Vista). I’d have to be dumb enough to want to run some random binary as root in order for any scheme like this to work. Beyond that, how many BIOS flashers use Linux? Personally I have found none and many are still using DOS, with the manufacturers asking their users to make DOS-bootable flash drives or FreeDOS live CD or something similar. HP and others have Windows-based flashers only.

    BIOS and how it works is pretty proprietary between manufacturers, especially when you compare Intel vs others. Foxconn is a good example. Some of their motherboards were found to have a hard time booting Linux because the ACPI implementation is proprietary.

  • Tachikoma says:

    Anyone else want to mention cih again? You know… just in case we missed the last 20 posts about it.

  • Wwhat says:

    I think that double BIOS chip of gigabyte might actually pre-date CIH, if not it most certainly pre-dates them hiring the guy.

  • Splynn says:

    At least with Intel machines, the flash part will be locked and can only be unlocked in SMM. In some cases, the first 64K will remain write protected even after this and you can enter a recovery mode to reflash the rest of the chip. Backup BIOS banks are another system I have seen employed too.

    I’m not sure how much stock to put into the SMM attacks as there are a few caveats with them, so they may not be enough to get through to flash the chip. But even if they did, assembly BIOS is not terribly easy to patch because of its single linked nature. A little change here or there could potentially leave it nonfunctional.

    UEFI solutions may be a bit more vulnerable as it is more like modern software, but there are provisions for code signing, delivery of limited updates to the firmware (that must also be signed), TPM flash verification, and other security that should help to protect systems.

    But this particular hack does NOT use the mainboard BIOS. It sounds like they are using PCI expansion ROMs.
    The question I have is if the card is still functional after the flash? Not all PCI cards have expansion ROMs, and not all those that do have writeable flash. So what card are they using? How are they getting their code invoked? They say it’s 32 bit code but the option ROMs that run in POST are 16 bit. Is this instead a combination of an OS driver and the compromised PCI card? In this case, does the driver invoke the code on the PCI card?

    There has been a fair amount of “OMG, the BIOS is vulnerable” hyperbole lately. Yes, there is a lot of potential power there, but the way the code is put together now makes it difficult to attack. The new stuff is well aware that there are people who have been trying to attack BIOS for a while and new firmware may be vulnerable, but that this is also an opportunity to build security down at that level.

  • John Sokol says:

    Hey I did that back in 1986 to a version of AMI bios for the 286. It would install the TSR portion of the Jerusalem B virus, also known as the Friday the 13th virus, every time the BIOS call to format a floppy disk was done. This couldn’t propagate itself but was manually burned into the EPROMs of the victims’ machines and physically installed. The virus was defanged but was very easy to detect and clean. But upon formatting a disk it would reinfect! The victim was dumb enough to ask a friend to get a copy of this 2 EPROM BIOS from me, after he had screwed me over some time earlier. So he installed the infected chips himself! He was a big warz guy, but after the BIOS upgrade no one wanted to take software from him for some reason. I delight in the thought of him losing his mind, disinfecting all his disks only to get reinfected every time he formatted a disk…

  • Spork says:

    So I was browsing ‘misrepresented and even slightly exaggerated a day’ when I came across “researchers discover 10 year old viral exploit which the alleged tech media broadcasts as ‘news’”…. Seriously, if you got this ‘virus’ you could just flash the bios with a CD. No way a virus is gonna be able to re-write that CD to include itself. Furthermore, many motherboard manufacturers still include a removable bios chip which can be flashed outside of a computer or in another computer. I don’t see how you could fit malware on my bios chip with the limited amount of space that is free on it anyway.

  • nitori says:

    The fix: lift the flash pin and add a jumper; all flashable BIOSes should have this.
    If someone is too dumb or lazy to move a jumper then they should not be updating their own firmware.
    As for UEFI systems, they’ll be even more vulnerable to this, and code signing by itself is only a false sense of security as that can be easily dealt with.

    As for what card they are using, I suspect a network or RAID card since these do patch the boot BIOS for obvious reasons.

    Though to do this they need to run the app as root you don’t normally do this in linux or BSD.

    Drivers also can be distributed with MD5 sums so compromised files can be spotted and not installed.

  • ArtemisGoldfish says:

    Hmm, will this affect my motherboard with dual BIOS, one which is read-only? If I got it, I think I should be able to just reset the original one from the second BIOS to recover.

  • Marcus says:

    This is really really the oldest old news ever posted on hackaday.
    Sorry, but boot sector viruses that aren’t cleanable by reformatting, some not even removable by repartitioning, have been around for at least 30 years.
    Bioses on my 386 had a function to trigger a system halt when a) writing to the master boot record b) trying to write to the memory mapped eeprom content without having called a particular sequence of other calls.

    PXE exploits must have been around for about eternity nowadays, too.

    I’m a little disappointed. Quality of research really varies on hackaday.

  • skedone says:

    even older as this type of thing has been about since day one; there was code for this in the amiga days lol

  • superguy9000 says:

    So, we’re screwed.

  • tsurugi says:

    Not enough details on how it reinfects the bios after it’s been reflashed, for the sensationalist claim made here that it is “unaffected by flashing and reformatting”. The origin article never claims that. They say they can reinfect the bios after a reboot, good for them, but that also inevitably leads to a clean bios state before a reboot. In which case there’s another component that does the reinfection, that’s in higher level software, in which case a reformat AND a reflash will probably work just fine, not to mention that an external reflash would always work unless malware uses magic now :) Reporting on off-topic things would work much better if not done in tabloid style.

  • nubie says:

    I am going to guess that if I boot from a CD and perform a full flash that it will go away.

    I am also going to guess that if I pull the rom chip and re-flash it with a prom burner that it will also work.

    I see no reason why this shouldn’t work, except for the very different hardware out there.

    At minimum it could work on a series of processors by replacing the microcode with some generic microcode that will work across all Intel 775 processors for example.

    You would need to find the lowest common denominator in the bios and attach to that to get a large attack base (or just attack a certain system, or have a repository of attacks that the virus downloads).

    I think that it will become more common to keep an MD5 of your bios around so that you can double check if it is infected. (Maybe even Anti-virus software for bios, or on a bootable flash, even a quick check-sum on boot would let you know something is up and halt the boot process.)

    Write disable jumpers have been around for a very long time (there is no technical reason that the bios couldn’t be flashed by virus from the OS, and the board designers knew this.)

  • ivelissesantana says:

    I’m not good at all this about virus. But virus have existed since I can remember. Some people get frustrated. Some rush in doing something when a PC gets a virus. I think that taking good precautions at the problem solves it. I mean, we’re not screwed.
    This, guys, is also an opportunity to build security down at that level. I’m sure that some anti-virus system is going to be created. This whole matter is not new, it’s been going around for 30 yrs or more.
    Do the right thing and your PC will be safe.

  • Sean says:

    ‘persistent code that will survive reboots and reflashing attempts’

    ^I think that is what the news is.
    F’cking up ppls BIOS isn’t new. Making it persistent is.

  • Wharf says:

    my g1 is infected w. a root virus that’s been on my G4mac running os9… the mac stays off the net…

    guess it really doesn’t matter, as the virus has made its way onto my phone after charging it w. a usb cable.

    I can identify certain (poorly) encrypted files on my g1, which have a creation date of 1969.

    Wharf

  • Bryan says:

    I am glad I have dual bios now, If they add stupid things like malware to my bios, by next restart its cleared, thanks gigabyte.

  • bosz says:

    if this propagates then you can just turn off your motherboard’s flashing capability (maybe through a jumper or in the bios)

  • Bryan says:

    To the person that said “Glad I have linux”: If you click on the link the post clearly says this affects users with freeBSD… So.. yeah unless you have dual bios like I do, (Thank you again Gigabyte) you’re S.O.L. unless you wish to flash your bios all the time.

  • threepointone says:

    idiot researchers don’t have enough details. my guess is that whatever patching code it is, it’s not even close to working on all computers. the code isn’t OS dependent, but it almost certainly is motherboard/hardware dependent. If you’ve ever had experience flashing mobo BIOSes (and failing) you’ll realize that more likely than not such a “BIOS rootkit” will brick your MOBO (or at least require a new EEPROM) than infect your computer. And that is, if the rootkit author happens to find some code that’ll work on every motherboard on earth, without the user noticing that suddenly his/her highly proprietary onboard secondary ATA controller/sound card or something like that stopped working. And then there’s the lovely dual EEPROM configurations, protected BIOS (on DRM’d systems, I’d imagine?), etc. At best one of these guys probably couldn’t get more than 2% of the computers if they weren’t already protected in the first place.

    Anyway, getting this level of hardware access clearly requires relatively high level access on a computer (administrator in windows, root in linux, etc). I’d imagine that macs are also vulnerable–in fact, I’m pretty sure that this is one of the few things where macs are MORE vulnerable than any other systems simply because they have very consistent BIOSes.

    And of course, any good hardcore hacker is probably looking at this and laughing at how easy it is to fix. ya know that nice little write protect/write enable pin that’s on almost every motherboard? well desolder it, and put a switch in series (with appropriate pullups, whatever, you know the drill)! voila! =) This is why working with hardware is infinitely cooler than working with software =D

    BTW, I don’t know how dual bios works, but unless it requires physical access to switch the BIOS, it is still vulnerable to some form of attack (provided, of course, whatever you run has root/admin privileges)

    I’m fairly certain persistence is not new. The old DOS viruses did it all the time–it’s just with all the high level crap people have these days, most computer hackers don’t know enough shit anymore to play around with hardware level stuff and know how the good ol’ BIOS works.

    If you have control over BIOS, of course, presumably you could also have control over people trying to check its checksum (though i doubt there’s ever actually enough memory in the EEPROM to store that much data)

  • threepointone says:

    ^i meant every EEPROM chip, not motherboard =)

  • nick says:

    hell why even bother to write a virus that would infect/brick a mobo that could easily be fixed, why not turn off all the fans, or just screw with the voltages, it would cause more harm and be more fun.

  • xyr says:

    Yeah… fans, voltages, fire!

    Viruses don’t get enough attention nowadays -it’s all spyware, malware and wii party games.

    But if some hundred thousand computers around the world would burst in flames on Michelangelo’s birthday that would really be something.

    OMG the virus is coming! save your babies!

  • MyManSplint says:

    Ahhhh….Virtualization. The bane of Microsoft.

  • Pard says:

    WAY OLD! I recall the CIH virus… Someone said that one. Then back in the day when this was enough of a problem that BIOS vendors ended up coming out with their own protection and such, someone mentioned that too. But I bet you guys don’t recall the mythic “Fall of Apple”. It used to be that Apple touted their “Virus Free” OS so confidently that they would have hackers try and write viruses for the Mac once a year and if anyone ever did it they would receive a big old sum of money. Needless to say people won, and they became whistle blowers; Apple just went right on and fixed the exploits people used. So what did the NSA team do, who I might add won the competition five years in a row? They made a BIOS hack that runs on a backdoor function Macs have to allow OSX to modify BIOS commands on shut-down, just another reason I do not like Macs. Well after that Apple never ever held the competition again, to my knowledge, and they did a good job at keeping it mum.

    Anyways BIOS viruses are as old as they come really…

  • TJHooker says:

    It was a grim sign decades ago too, but it’s not high priority for the same reason an anti-rootkit isn’t currently needed on 64bit NT platforms; inconvenience.

    Non-vista/7 NT and earlier systems even with driver signing can all get ring0 and up rootkits. On SP2C 64bit XP with the latest updates you can even disable driver signing with a batch file. This can only be blocked with the native policy system blocking access to file system functionality and shell access, and running dep.

    writing malicious firmware for the typical BIOS is primitive. You don’t have much space to write code to handle high level protocol layers, and BUS interfaces are also different, and that means more on that layer because there is no abstraction. You also have to keep vendor code in to keep everything operational.

    You’ll notice they mention root privileges and a dropper. No mention of what the BIOS code actually does other than that it can survive a re-flash; probably because the internal storage is segmented into partitions, and bios updates just update certain blocks. They put their code in the other part that isn’t touched.

    My guess is their rootkit solution will be a driver/userland combo that doesn’t use BIOS code to launch itself somehow, to avoid too much hooking and table swapping.

    If I

  • etsitua says:

    looks like there’s absolutely nothing new since scythale’s article in phrack64.

  • GD says:

    Tatsh: no linux based BIOS flashers?
    All the HP DL server (and I suppose, also the rest of the line) BIOS flashers and BIOS update disks are linux based [http://tinyurl.com/2gurxk dl380 g5], even if they provide a Windows “online” version too.
    Now I suppose you’ve found plenty of them :D

  • hackineer says:

    i have an eeprom programmer. bring it on.

  • iampete3 says:

    Virtualization is starting to look like a better option for anything internet/mail related. OMG some nice security guy is probably looking for an exploit in that already, thanks security guy when will you release details onto the net? Probably 2 weeks before patches are going out like always. Good thing they are looking out for everyone.

  • Kusuriya says:

    @belthesar:
    EFI could be infected a bit easier, but EFI has a few parts, so someone would have to look at what parts are persistent through reinstalls and infect those, since EFI works differently.

  • TJHooker says:

    @iampete3: Virtualization research is referred to as ring -0 or ring -1 layer if I remember correctly. Unless you’re talking about abstracting in software in which case it’s already done.

    running servers in a software VM has the same problems as it would on top of the native layers as far as data obscurity and software vulnerabilities go it just doesn’t affect the native system integrity function wise.

    regarding linux: Linux is mostly protected by its permissions abstractions that are in place by default.

    Configure DEP and group policies on any NT system then try to run a dropper on it or do stack overflows. The stack protections for Linux are actually weaker than the one in NT, but none of them protect against remote heap corruption, and other memory corruptions that don’t happen on the stack segment pages.

  • Death_and_Destruction says:

    We are not screwed. The marketplace will adapt to accommodate this renewed threat.

  • spacecoyote says:

    //Seriously, if you got this ‘virus’ you could just flash the bios with a CD.//

    yeah just boot off a CD…oh wait doorstops don’t boot. i laugh at you.

  • Hey, has anyone else noticed that Apr 26, 2009 is rapidly approaching? This research team has known about these malware exploits for quite some time, and they’re just releasing it this month? this year? If anyone doesn’t know, Apr 26, 09 will be the exact tenth year anniversary of some major dumping of the cih viri. Which coincided with the date of the chernobyl meltdown, and also coincided with the birthday of the chinese writer of the original virus, as pointed out by the wiki file linked by 2 or 3 others already.

    http://en.wikipedia.org/wiki/CIH_virus
    Is this some kind of warning? is there something theyre not telling us?
    never did like anniversaries…

  • 300ohm says:

    One option nobody’s mentioned is to simply have a second bios chip on hand. “Its a good thing” for a variety of reasons. You can order one from most mobo manufacturers for a very inexpensive price. If the bios in the first chip gets infected, replace it with the good second chip and hot flash the first one (all off-line of course).

  • alfred says:

    terraterrestris, yes there is something that we are not telling you. In a few months it will be revealed.
    It has nothing to do with that stupid imaginary cih virus attack.

  • Przemek Klosowski says:

    @sam switzer, the bad guys have known about BIOS hacking already.

    In general, one could take a checksum of the BIOS image on a known-good system (e.g. when you get it from the factory, assuming the factory wasn’t hacked :), and check it periodically for tampering.

    Unfortunately this doesn’t work. We tried that for DELL laptops and discovered that Dell BIOS is being written to. I suspect it’s things like battery calibration. This means that checksums and preventing write access cannot mitigate this vulnerability.

    Other people (Joanna Rutkowska) pointed out that even TPM module doesn’t solve the problem because SMM runs before TPM, and can be exploited to run untrusted code.
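nubie’s suggestion above (keep a hash of your BIOS and compare it) and Przemek Klosowski’s objection (a whole-image checksum drifts because the firmware itself writes to part of the flash, and TJHooker’s point that updates only touch certain blocks) can be reconciled by hashing per region instead of per image. The following is an added example, not code from the page, the researchers, or any commenter: the 64 KiB layout, the region offsets, the “known-good” image and the patches are all constructed for illustration. A real layout has to come from the vendor’s documentation or flash descriptor, and volatile regions have to be identified per board.

```python
"""Region-aware firmware baseline check (added example; layout and images are constructed)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Region:
    """One contiguous slice of the flash image."""
    name: str
    start: int              # inclusive byte offset
    end: int                # exclusive byte offset
    volatile: bool = False  # True if the firmware itself legitimately writes here


# Hypothetical 64 KiB layout. Offsets are invented for the example; a real one
# comes from the vendor. Regions must be contiguous and in ascending order.
IMAGE_SIZE = 0x10000
LAYOUT: Tuple[Region, ...] = (
    Region("boot_block", 0x0000, 0x4000),
    Region("nvram", 0x4000, 0x5000, volatile=True),  # settings, calibration data, etc.
    Region("main_code", 0x5000, 0x10000),
)


def make_baseline_image() -> bytes:
    """Constructed, deterministic 'known-good' dump; not a real vendor BIOS image."""
    return bytes((i * 31 + 7) & 0xFF for i in range(IMAGE_SIZE))


def with_patch(image: bytes, offset: int, patch: bytes) -> bytes:
    """Return a copy of image with patch written at offset (simulates a flash write)."""
    if offset < 0 or offset + len(patch) > len(image):
        raise ValueError("patch outside image")
    return image[:offset] + patch + image[offset + len(patch):]


def whole_image_digest(image: bytes) -> str:
    """The naive 'keep one hash of the whole BIOS' check."""
    return hashlib.sha256(image).hexdigest()


def region_hashes(image: bytes, layout: Tuple[Region, ...] = LAYOUT) -> Dict[str, str]:
    """Per-region SHA-256 digests; record these from a dump you trust."""
    if len(image) != layout[-1].end:
        raise ValueError("image size %d does not match layout" % len(image))
    return {r.name: hashlib.sha256(image[r.start:r.end]).hexdigest() for r in layout}


def check_image(image: bytes, baseline: Dict[str, str],
                layout: Tuple[Region, ...] = LAYOUT) -> Dict[str, str]:
    """Compare a fresh dump against recorded per-region hashes, region by region."""
    current = region_hashes(image, layout)
    verdicts: Dict[str, str] = {}
    for r in layout:
        if current[r.name] == baseline[r.name]:
            verdicts[r.name] = "unchanged"
        elif r.volatile:
            verdicts[r.name] = "changed (volatile region, expected)"
        else:
            verdicts[r.name] = "CHANGED (non-volatile region, investigate)"
    return verdicts


def is_tampered(verdicts: Dict[str, str]) -> bool:
    """True when a region that should never change did change."""
    return any(v.startswith("CHANGED") for v in verdicts.values())


if __name__ == "__main__":
    base = make_baseline_image()
    baseline = region_hashes(base)
    # Benign drift: the firmware rewrote a few NVRAM bytes (the Dell-style false positive).
    drifted = with_patch(base, 0x4010, b"\x00\x01\x02\x03")
    # Unexpected: bytes inside the code region differ from the baseline.
    tampered = with_patch(base, 0x5100, b"\xde\xad\xbe\xef")
    for label, img in (("drifted", drifted), ("tampered", tampered)):
        print(label, "whole-image hash matches:", whole_image_digest(img) == whole_image_digest(base))
        verdicts = check_image(img, baseline)
        print(label, "regional verdict:", "TAMPERED" if is_tampered(verdicts) else "clean", verdicts)
```

The whole-image hash flags both the drifted and the tampered dump, which is exactly the problem Przemek describes; the regional check reports the NVRAM change as expected and only raises on the code region. The check is only as good as the dump it is given: read the chip with an external programmer or at least from a clean boot medium, since, as threepointone notes further up, firmware that already controls the machine can also control what a checksum tool is shown.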

  • NetSec Grad says:

    Ya, or you could just simply disable flashing in your Bios Settings. No wire cutting, switch installing, or shitting your pants about it…

  • Jon Titor says:

    I think there is one or two flashable BIOS ROMs that everyone is forgetting about….

    1) AC’97 Audio Embedded
    2) NVIDIA GeForce Graphics has an easily flashable bios
    3) RAID Controllers
    4) NICs
    5) Routers
    6) Modems
    Also, yes, it is impossible for a remote attacker to enter your machine and flash you the bad news. But it’s not impossible for you to download undetectable bios flash software in the form of “crackz” and “keygens.” I’m pretty positive my NVIDIA GeForce is infected, and since NVIDIA doesn’t provide any end-user BIOS flashing software, you are left at the mercy of 3rd party hackjobs to fix the problem…

    Basically anything that is made by a company that has people working for it is vulnerable. Either build your own hardware, or welcome to the phucking future… nukes are starting to sound like less of a hassle to me…. I know that’s not funny, but this crap is really that annoying to me.
    Signs of infected hardware…
    1)Errors when flashing installing drivers
    2)Errors right after a fresh install of windows with the latest updates (even virus’s get out of date, fortunately)
    3)Freezing/Lockups during CPU/GPU intensive use
    4)Modem or router light indicating web access when computer is sitting idle.

    You can take it or leave it but I know what I’m talking about.. I honestly don’t care if you believe me. Machine code really isn’t that difficult to write if you are a total loser and bored out of your mind….not to mention you just got fired from a job where you were working with proprietary hardware…

    Remember-> All hardware is programmable. That is how we are able to run software on it….

  • mrl says:

    Big brother is in my computer(s). In fact he’s in three of them. One can no longer be partitioned. It’s a doorstop.

    They’ve over flashed my computer’s BIOS chip, so reflashing will not work. I know it’s government because of the research I do in law. They don’t like what I know and implement.

    I go through a proxy and I can’t get them out. They’re in the ATI graphics card flash. My motherboard is an older one whose BIOS isn’t protected. No jumpers. They got into Linux as easily as they did with my last XP machine. Same attack pattern.

    The common denominator between my last XP machine and this one is FIREFOX. I think Firefox may be a spook funded browser that was designed to attract people so government could easily get inside people’s machines. Think about it. Why would someone spend all those resources to make a nice browser and email client? What’s in it for them?

    I never ran as root. I did not run weird software. Just stuff off the repositories. They found me again.

    What I think they do is tag your computer through the browser. You see, I visit a forum and on that forum you can send people a private message. So, here’s what I would do to get into people’s machines using a spook browser. I would put some code in the browser that would sniff for a character sequence in the html data stream and when it found it, it would wake up its malware program and tag the system, which in turn would report back to a server. The IP address of the server would be embedded in the html tagging sequence. Once that is done you then start to load more code through the browser.

    I did notice that Firefox crashed the system at the beginning when the attacks started, forcing me to press the reset button. It did this in both XP and Linux. Also, it fucked up the tab saving feature on the browser, in that when the browser was restarted all its tabs were not saved and I had to go back into the Firefox setup and restore the tab save feature. So, I’ve decided that Firefox is the point of entry. Otherwise, how could they get into both XP and Linux in the same manner?

    If big brother doesn’t like what you’re saying or doing then he will get inside your computer. They hang out on the forums and tag people who are not toeing the party line. I think they also get in through Thunderbird email by sending a wakeup sequence by email. The email would look like junk mail. The sequence could be in the subject line, and would be filtered out by the email program so the user would not see it.

    They’re trying to make my life a living hell. They already trashed two hard disks.

  • Sweatermeat says:

    Speaking of Bios; did you ever fart so hard you ended up in another zip code?

  • juevamann says:

    This will never take off.
    The money’s in getting idiots to install adware, no money in writing a virus that bombs your hdd.

    who would write a virus that fails to propagate, has no monetary gain for the creator, and does nothing but turn off the machine?
    only people who are ever gonna use it are the Steam kiddies.

  • Shmekeru says:

    So, now when I purchase my MoBo I will need to get 2. LoL. Screw computers. I am going mobile with symbian or meego
