Bios level malware

“Reformat it.” That’s pretty much our default answer when someone calls us complaining of malware and viruses. Though many infections can be removed, it is often quicker and less frustrating just to reformat. Some of us even organize our files specifically so the quarterly reformat goes smoother. Unfortunately, reformatting may no longer be the absolute cure. Researchers have developed a piece of malware that infects the BIOS. It is unaffected by reformatting or flashing, which also makes it OS independent: they tested it on Windows and OpenBSD, as well as on a machine running VMware Player. This is a grim sign for the future.

[via ZDNet.com]

Comments

  1. Emerica says:

    Domain is dead here. 403

  2. Sam Switzer says:

    so basically the good guys went “HAY BAD GUYS! LOOK WE GOT A NEW TOY FOR YOU!!!” Good going.

  3. grizball says:

    @ sam switzer: yeah, wtf are they thinking?!!!

  4. Jon Kelly says:

    @sam switzer
    Or, more likely, someone who would use this in an attack already has the skill to do so, or is working on it. This being brought to light means we can start working on a solution now, which I’m sure anyone here can agree, is better than later.

  5. Kevin says:

    Intel has known since 2005, and the bug supposedly goes back to the 386. Network World had a few articles about it.

  6. Stan Stevey says:

    I don’t understand why motherboards do not have a flash protect jumper; that would solve this problem completely. I suppose you could just cut the write pin to the flash chip.

  7. BigD145 says:

    Cut the flash pin and install a manual switch.

  8. TALR says:

    I’ve been expecting this day to come.

  9. memee says:

    fuck :(

  10. Sean says:

    Back to the days when you had to pry the EPROMS out of the sockets to do a BIOS upgrade.

  11. TALR says:

    btw, what the heck is with the 403 when U click the link??

  12. belthesar says:

    While BIOS systems are vulnerable, anything running an EFI should be fine, right? Or is this attack targeting EFI-based systems as well?

  13. Zengar says:

    @stan stevey
    A flash protect jumper I could see, but not cutting the write pin. Motherboards get to the system integrators several BIOS revisions out of date, and there are situations where even after the computer has gone out to the end user one would want to do an update. Some on-board RAID controllers I’ve encountered, for example, can potentially get fouled up enough to need a BIOS update/reset to get back to functional. (Needless to say, we stopped using that board.)

    On topic: I’ve been worried about this for years; the only good point I see is that while it isn’t _OS_ specific, it _is_ hardware specific.

  14. Sam Switzer says:

    Just was looking over the notes; it sounds like the whole “is there after a BIOS flash” is only if you do the flash through Windows or immediately reboot after the flash. The logical solution would be to disconnect the hard drive and flash using a floppy. Major security flaw? Sounds more like a way to get attention.

  15. cptfalcon says:

    @sam, this may be a bit of the chicken or the egg problem. However, many times people are not concerned or even aware of a risk unless there is a big red flag waving in their face demonstrating it as a threat. Take for instance SCADA systems…

  16. Heath Jones says:

    ‘in order to execute the attacks, you need either root privileges or physical access to the machine’

    Why do these ever-so-tiny caveats NEVER get mentioned in the blurb on this site ??

    What was hackaday is now ‘misrepresented and even slightly exaggerated a day’. If you’re reading this, guys, then PLEASE PLEASE PLEASE change the way the content is presented here. It used to be really good and worthwhile visiting this site, but the quality and facts are dwindling away!

    The last one I looked at was the SSL ‘vulnerability’ – that had NOTHING to do with SSL, but rather removing an ‘s’ from links in a plaintext page.

  17. numa says:

    I guess everyone has forgotten about the Chernobyl virus (see http://en.wikipedia.org/wiki/CIH_virus)?

    Let me rename this article to “researchers discover 10 year old viral exploit which the dumbed down alleged tech media broadcasts as ‘news'”.

  18. numa says:
  19. GD says:

    Hi Stan,
    Some mobos have a BIOS protection jumper on them, although I recognize it’s not a very common feature, is sometimes undocumented, and seldom used by the user.
    Look here http://tinyurl.com/cub99v [ECS P6VXM2] and here http://tinyurl.com/d2xz5x [Gateway support].
    It seems to me that it will become one important feature to look for in a mobo from now on…
    Anyway, malicious BIOS corruption is not entirely new: I recall that back in the ’90s the CIH used to do that on specific pieces of hardware.

  20. joe57005 says:
  21. Mike says:

    ‘in order to execute the attacks, you need either root privileges or physical access to the machine’ should add OR be able to trick someone who has them into running it. Well secured machines with careful and knowledgeable admins should not have a problem, but the “other people” who click here to see the latest photo, or worry because the email said they might be at risk, the ones who connect to your machine after looking at the picture and installing the special viewer ARE.

  22. misha says:

    I’m sure ms windows/symantec/mcafee will have a $40/yr “protection” to sell you for this so you can use the computer you already paid for.

  23. Hackius says:

    I remember removing the CIH virus from a lot of systems some time ago. This isn’t new and it isn’t hard to remove it except on laptops. Laptops are screwed.

  24. vec7or says:

    I don’t see any serious problems here – it’s not like you can access the flash THAT easily; on top of that, as far as I remember, motherboards halt in a prompt if any access to flash is attempted, and if not, it’s not hard to make them behave that way.
    Plus it’s hard to make the exploit work on MOST machines, as there are a lot of BIOS versions and hardware. (Though it’s just an educated guess, I’m not a BIOS developer.)
    As a specific exploit for a specific machine, carefully planned and executed, it’s very dangerous, but it is mitigated by a hot air gun, programmer and soldering iron, although I must admit removing this for the average Joe will become rather hard.

  25. Jonathan says:

    IIRC the CIH/Chernobyl virus did something similar to this over a decade ago, although it wasn’t platform independent (PE format on Windows 9x & NTx I believe).

    Of course, the obvious solutions are:

    - Use an EFI based machine
    - don’t grant suspicious applications root access.

  26. Tatsh says:

    This could have been done years ago and I am sure it already has (the concept, not an actual out-in-the-wild virus).

    What is not necessarily easy is infecting EVERY PC. Every motherboard handles BIOS flashing differently. Call this a virus or trojan: I modify HP’s firmware file to have the correct header but garbage elsewhere. I package this into a self-extracting and self-running archive. It flashes upon extraction without question. User has no idea as the computer has not restarted and it was all done silently. All the while, the installer for the software the user was looking for runs and the user thinks everything is fine.

    To make it more fancy, have a script or app check the manufacturer of the motherboard or manufacturer of the PC and have each flasher ready and compressed well into the archive (RK or 7-zip would work well).

    Even though Vista has UAC, many ‘power users’ disable it and others have no idea and just click Continue and/or type in their password not knowing. On XP and lesser, there’s virtually no control after the program is launched. The computer will be bricked in probably less than 30 seconds.

    I guess antivirus scanners should check for ‘BIOS modification code’ too now. Lucky for me, I use Linux.

  27. -hero says:

    solution:
    shut down machine
    lock self in closet
    communicate via morse encoder

    -hero

  28. Mike says:

    The first thing I thought of when I read this was CIH. I remember encountering that a LONG time ago. It’s great that so many people already mentioned it, or I might have thought that I had remembered it wrong. (I had to reflash the bios to get the machine working again)

  29. andre says:

    hmm.. combine the bios hack with compromised routers and this could be very bad news. In fact one could use the other to propagate.

    It’s also possible to read back the existing BIOS with settings and append the attack code (able to infect any removable drives/HDD/CDRW firmware/router/etc) and reflash. You might never know you were infected until you go to change the boot order and nothing changes upon a reboot…

  30. nomad says:

    Agree with mike, numa and others… virus attacks on BIOS are old. I found one back in the late 90s. This is one reason manufacturers have been trying to get rid of BIOS, besides other performance related issues.

  31. Journeyman says:

    @Tatsh

    >Lucky for me, I use Linux.

    Did you forget the part that said it infected openBSD as well? I am sure it would have no issues with linux.

  32. Wwhat says:

    10 years ago? Try 20, BIOS viruses are the oldest ones around, that’s why all BIOS have a setting to protect them and a warning if it changes, and gigabyte has their double BIOS chip, because at one time half the computers in china were infected.

    Next someone is going to discover rootblock viruses, and a round thing called the wheel I expect.

    Well at least the guy on the picture looks like he’s in the 1970’s :)

  33. tr0nk says:

    > gigabyte has their double BIOS chip, because at one time half the computers in china were infected

    might also be because the writer of CIH works for them now http://en.wikipedia.org/wiki/Chen_Ing_Hau#cite_note-udn-0

  34. tr0nk says:

    sorry for 2x post but:

    @sam switzer:
    > so basically the good guys went “HAY BAD GUYS! LOOK WE GOT A NEW TOY FOR YOU!!!” Good going.

    that’s a very proprietary attitude that seems very inappropriate for a /hacking/ website

  35. Louis II says:

    I hate to be a party pooper to the main article, but we’ve already seen something like this back in 1998:
    Win23.CIH (chernobyl virus)
    Many people I knew (including myself) all got the virus on our desktops. It was also a self mutating and space filling variant at different points. Thankfully none of us had the BIOS vulnerable systems, but a local computer shop had said that about 1 in 10 of the computers that came in had an overwritten BIOS which they were desperately trying to figure out how to fix without replacing the BIOS chip. They also mentioned that they had stopped accepting computers due to the CIH overfilling their repair queue (and they were a good fast shop, too.)

    Anyway… more info:

    http://www.sss.ca/sensible/home.nsf/0/b38ce400451b727a8525689300571e5b?OpenDocument

    Or just search the intarwebs!

  36. Louis II says:

    Also:
    The CIH virus only affects FAT file systems.
    This could mean that any machine running XP on FAT32, rather than NTFS, might be at risk to CIH.

  37. Tatsh says:

    @Journeyman
    >Did you forget the part that said it infected openBSD as well? I am sure it would have no issues with linux.

    BSD and Linux and all other Unix-like OS’s are secure as in, you need root privileges to do anything directly with the kernel or special groups, runlevels, etc. By default, you are not given root privileges, unlike Windows (even Vista). I’d have to be dumb enough to want to run some random binary as root in order for any scheme like this to work. Beyond that, how many BIOS flashers use Linux? Personally I have found none and many are still using DOS, with the manufacturers asking their users to make DOS-bootable flash drives or FreeDOS live CD or something similar. HP and others have Windows-based flashers only.

    BIOS and how it works is pretty proprietary between manufacturers, especially when you compare Intel vs others. Foxconn is a good example. Some of their motherboards were found to have a hard time booting Linux because the ACPI implementation is proprietary.

  38. Tachikoma says:

    Anyone else want to mention cih again? You know… just in case we missed the last 20 posts about it.

  39. Wwhat says:

    I think that double BIOS chip of gigabyte might actually pre-date CIH, if not it most certainly pre-dates them hiring the guy.

  40. Splynn says:

    At least with Intel machines, the flash part will be locked and can only be unlocked in SMM. In some cases, the first 64K will remain write protected even after this and you can enter a recovery mode to reflash the rest of the chip. Backup BIOS banks are another system I have seen employed too.

    I’m not sure how much stock to put into the SMM attacks as there are a few caveats with them, so they may not be enough to get through to flash the chip. But even if they did, assembly BIOS is not terribly easy to patch because of its single linked nature. A little change here or there could potentially leave it nonfunctional.

    UEFI solutions may be a bit more vulnerable as it is more like modern software, but there are provisions for code signing, delivery of limited updates to the firmware (that must also be signed), TPM flash verification, and other security that should help to protect systems.

    But this particular hack does NOT use the mainboard BIOS. It sounds like they are using PCI expansion ROMs.
    The question I have is if the card is still functional after the flash? Not all PCI cards have expansion ROMs, and not all those that do have writeable flash. So what card are they using? How are they getting their code invoked? They say it’s 32 bit code but the option ROMs that run in POST are 16 bit. Is this instead a combination of an OS driver and the compromised PCI card? In this case, does the driver invoke the code on the PCI card?

    There has been a fair amount of “OMG, the BIOS is vulnerable” hyperbole lately. Yes, there is a lot of potential power there, but the way the code is put together now makes it difficult to attack. The new stuff is well aware that there are people who have been trying to attack BIOS for a while and new firmware may be vulnerable, but that this is also an opportunity to build security down at that level.

  41. John Sokol says:

    Hey, I did that back in 1986 to a version of AMI BIOS for the 286. It would install the TSR portion of the Jerusalem B virus, also known as the Friday the 13th virus, every time the BIOS call to format a floppy disk was done. This couldn’t propagate itself but was manually burned into the EPROMs of the victim’s machine and physically installed. The virus was defanged and was very easy to detect and clean. But formatting a disk would reinfect! The victim was dumb enough to ask a friend to get a copy of this 2 EPROM BIOS from me, after he had screwed me over some time earlier. So he installed the infected chips himself! He was a big warez guy, but after the BIOS upgrade no one wanted to take software from him for some reason. I delight in the thought of him losing his mind, disinfecting all his disks only to get reinfected every time he formatted a disk…

  42. Spork says:

    So I was browsing ‘misrepresented and even slightly exaggerated a day’ when I came across “researchers discover 10 year old viral exploit which the alleged tech media broadcasts as ‘news'”…. Seriously, if you got this ‘virus’ you could just flash the bios with a CD. No way a virus is gonna be able to re-write that CD to include itself. Furthermore, many motherboard manufacturers still include a removable bios chip which can be flashed outside of a computer or in another computer. I don’t see how you could fit malware on my bios chip with the limited amount of space that is free on it anyway.

  43. nitori says:

    The fix: lift the flash pin and add a jumper. All flashable BIOSes should have this.
    If someone is too dumb or lazy to move a jumper then they should not be updating their own firmware.
    As for UEFI systems, they’ll be even more vulnerable to this, and code signing by itself is only a false sense of security as that can be easily dealt with.

    As for what card they are using, I suspect a network or RAID card since these do patch the boot BIOS for obvious reasons.

    Though to do this they need to run the app as root; you don’t normally do this in Linux or BSD.

    Drivers also can be distributed with MD5 sums so compromised files can be spotted and not installed.

  44. ArtemisGoldfish says:

    Hmm, will this affect my motherboard with dual BIOS, one which is read-only? If I got it, I think I should be able to just reset the original one from the second BIOS to recover.

  45. Marcus says:

    This is really really the oldest old news ever posted on hackaday.
    Sorry, but boot sector viruses that aren’t cleanable by reformatting, some not even removable by repartitioning, have been around for at least 30 years.
    Bioses on my 386 had a function to trigger a system halt when a) writing to the master boot record b) trying to write to the memory mapped eeprom content without having called a particular sequence of other calls.

    PXE exploits must have been around for about eternity nowadays, too.

    I’m a little disappointed. Quality of research really varies on hackaday.

  46. skedone says:

    Even older, as this type of thing has been about since day one; there was code for this in the Amiga days lol

  47. superguy9000 says:

    So, we’re screwed.

  48. tsurugi says:

    Not enough details on how it reinfects the bios after it’s been reflashed, for the sensationalist claim made here that it is “unaffected by flashing and reformatting”. The origin article never claims that. They say they can reinfect the bios after a reboot, good for them, but that also inevitably leads to a clean bios state before a reboot. In which case there’s another component that does the reinfection, that’s in higher level software, in which case a reformat AND a reflash will probably work just fine, not to mention that an external reflash would always work unless malware uses magic now :) Reporting on off-topic things would work much better if not done in tabloid style.

  49. nubie says:

    I am going to guess that if I boot from a CD and perform a full flash that it will go away.

    I am also going to guess that if I pull the rom chip and re-flash it with a prom burner that it will also work.

    I see no reason why this shouldn’t work, except for the very different hardware out there.

    At minimum it could work on a series of processors by replacing the microcode with some generic microcode that will work across all Intel 775 processors for example.

    You would need to find the lowest common denominator in the bios and attach to that to get a large attack base (or just attack a certain system, or have a repository of attacks that the virus downloads).

    I think that it will become more common to keep an MD5 of your bios around so that you can double check if it is infected. (Maybe even Anti-virus software for bios, or on a bootable flash, even a quick check-sum on boot would let you know something is up and halt the boot process.)

    Write disable jumpers have been around for a very long time (there is no technical reason that the bios couldn’t be flashed by virus from the OS, and the board designers knew this.)
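Splynn’s questions about the PCI expansion ROM route and nubie’s suggestion of keeping a hash of the firmware to check against are combined in the following added example, which is not code from the article or from any commenter. It parses a constructed legacy option ROM image (the 55AA header and "PCIR" data structure that POST walks), then shows why the POST checksum alone is not a defence: a modified image with a rebalanced checksum still passes, while a SHA-256 baseline recorded when the card was known-good catches it. The sample image, the vendor/device IDs and the "code" bytes are constructed placeholders.

```python
import hashlib
import struct

ROM_SIG = b"\x55\xaa"
# "code type" values from the PCI Data Structure (PCI Firmware Specification)
CODE_TYPES = {0: "x86 legacy (16-bit, runs at POST)", 1: "Open Firmware",
              2: "HP PA-RISC", 3: "EFI"}


def build_sample_option_rom() -> bytes:
    """Constructed one-block (512-byte) legacy x86 option ROM; not any real card's image."""
    rom = bytearray(512)
    rom[0:2] = ROM_SIG
    rom[2] = 1                                   # image size in 512-byte units
    pcir = 0x1c
    struct.pack_into("<H", rom, 0x18, pcir)      # pointer to the PCI Data Structure
    # "PCIR", vendor, device (placeholder IDs), VPD ptr, struct length, revision,
    # class code, image length (512-byte units), code rev, code type (0 = x86), indicator (bit 7 = last image)
    struct.pack_into("<4sHHHHB3sHHBB", rom, pcir, b"PCIR", 0x1234, 0x5678, 0,
                     0x18, 0, b"\x00\x00\x02", 1, 0x0100, 0, 0x80)
    rom[0x40:0x43] = b"\xcb\x90\x90"             # placeholder init "code": retf, nop, nop
    rom[511] = (-sum(rom[:511])) & 0xff          # legacy images must sum to 0 mod 256
    return bytes(rom)


def parse_option_rom(rom: bytes) -> dict:
    """Walk the expansion ROM header and PCI Data Structure; report what POST would see."""
    if rom[:2] != ROM_SIG:
        raise ValueError("no 55AA expansion ROM signature")
    size = rom[2] * 512
    pcir = struct.unpack_from("<H", rom, 0x18)[0]
    if rom[pcir:pcir + 4] != b"PCIR":
        raise ValueError("PCI Data Structure signature missing")
    vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
    code_type = rom[pcir + 0x14]
    return {
        "vendor_id": vendor,
        "device_id": device,
        "image_bytes": size,
        "code_type": CODE_TYPES.get(code_type, f"unknown ({code_type})"),
        "last_image": bool(rom[pcir + 0x15] & 0x80),
        # the only integrity check POST applies; it catches corruption, not modification
        "checksum_ok": sum(rom[:size]) % 256 == 0,
    }


def baseline_hash(rom: bytes) -> str:
    """Hash to record while the card is known-good (the 'MD5 of your BIOS' idea, with SHA-256)."""
    return hashlib.sha256(rom).hexdigest()


def verify_against_baseline(rom: bytes, baseline_sha256: str) -> dict:
    """Parse a freshly dumped ROM and compare it with the recorded known-good hash."""
    info = parse_option_rom(rom)
    info["matches_baseline"] = baseline_hash(rom) == baseline_sha256
    return info


def tamper_and_refix_checksum(rom: bytes) -> bytes:
    """Simulate a modified image whose checksum byte was rebalanced so POST still accepts it."""
    mod = bytearray(rom)
    mod[0x41] ^= 0xff                            # change one byte of the init code
    mod[511] = (-sum(mod[:511])) & 0xff          # rebalance the checksum
    return bytes(mod)
```

A dump that parses cleanly and passes the checksum but fails `matches_baseline` is exactly the case the comments worry about; the baseline only has value if it was recorded from a dump taken while the system was trusted and stored off the machine.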

  50. ivelissesantana says:

    I’m not good at all this about virus. But virus have existed since I can remember. Some people get frustrated. Some rush in doing something when a PC gets a virus. I think that taking good precautions at the problem solves it. I mean, we’re not screwed.
    This, guys, is also an opportunity to build security down at that level. I’m sure that some anti-virus system is going to be created. This whole matter is not new; it’s been going around for 30 yrs or more.
    Do the right thing and your PC will be safe.
