Bios Level Malware

bios

“Reformat it”. That’s pretty much our default answer when someone calls us complaining of malware and viruses. Though many can be removed, it can sometimes be quicker and less frustrating just to reformat it. Some of us even have specific ways that we organize all of our files just to make the quarterly reformat go smoother.  Unfortunately, reformatting may no longer be the absolute cure. Researchers have developed a piece of malware that infects the BIOS.  It is un affected by reformating or flashing. This means that it is also OS independent. They tested it on Windows and OpenBSD as well as a machine running VMware Player. This is a grim sign for the future.

[via ZDNet.com]

83 thoughts on “Bios Level Malware

  1. my g1 is infected w. a root virus that’s been on my G4mac running os9… the mac stays off the net…

    guess it really doesn’t mastter, as the viruas has made its way onto my phone after charging it w. a usb cable.

    I can identify certain (poorly) encrypted files on my g1, which have a creation date of 1969.

    Wharf

  2. To the person that said “Glad I have linux” If you click on the link the post clearly says this effects users with freeBSD… So.. yeah unless you have dual bios like I do, (Thank you again Gigabyte) your S.O.L. unless you wish to flash your bios all the time.

  3. idiot researchers don’t have enough details. my guess is that whatever patching code it is, it’s not even close to working on all computers. the code isn’t OS dependent, but it almost certainly is motherboard/hardware dependent. If you’ve ever had experience flashing mobo BIOSes (and failing) you’ll realize that more likely than not such a “BIOS rootkit” will brick your MOBO (or at least require a new EEPROM) than infect your computer. And that is, if the rootkit author happens to find some code that’ll work on every motherboard on earth, without the user noticing that suddenly his/her highly proprietary onboard secondary ATA controller/sound card or something like that stopped working. And then there’s the lovely dual EEPROM configurations, protected BIOS (on DRM’d systems, I’d imagine?), etc. At best one of these guys probably couldn’t get more than 2% of the computers if they weren’t already protected in the first place.

    Anyway, getting this level of hardware access clearly requires relatively high level access on a computer (administrator in windows, root in linux, etc). I’d imagine that macs are also vulnerable–in fact, I’m pretty sure that this is one of the few things where macs are MORE vulnerable than any other systems simply because they have very consistent BIOSes.

    And of course, any good hardcore hacker is probably looking at this and laughing at how easy it is to fix. ya know that nice little write protect/write enable pin that’s on almost every motherboard? well desolder it, and put a switch in series (with appropriate pullups, whatever, you know the drill)! voila! =) This is why working with hardware is infinitely cooler than working with software =D

    BTW, I don’t know how dual bios works, but unless it requires physical access to switch the BIOS, it is still vulnerable to some form of attack (provided, of course, whatever you run has root/admin privileges)

    I’m fairly certain persistence is not new. The old DOS viruses did it all the time–it’s just with all the high level crap people have these days, most computer hackers don’t know enough shit anymore to play around with hardware level stuff and know how the good ol’ BIOS works.

    If you have control over BIOS, of course, presumably you could also have control over people trying to check its checksum (though i doubt there’s ever actually enough memory in the EEPROM to store that much data)

  4. hell why even bother to write a virus that would infect/brick a mobo that could easily be fixed, why not turn off all the fans, or just screw with the voltages, it would cause more harm and be more fun.

  5. Yeah… fans, voltages, fire!

    Viruses don’t get enough attention nowadays -it’s all spyware, malware and wii party games.

    But if some hundred thousand computers around the world would burst in flames on Michelangelo’s birthday that would really be something.

    OMG the virus is comming! save your babies!

  6. WAY OLD! I recall the CIH virus… Someone said that one. Than back in the day when this was enough of a problem that BIOS ended to come out with its own protection and such, someone mentioned that too. But I bet you guys don’t recall the mythic “Fall of Apple”. It used to be that Apple touted their “Virus Free” OS to confidently that they would have hackers try and write viruses for the Mac once a year and if anyone ever did it they would receive a big old sum of money. Needless to say people won, and they became whistle blowers, Apple just went right on and fixed the exploits people used. So what did the NSA team do, who I might add won the competition five years in a row. They made a BIOS hack that runs on a backdoor function Macs have to allow OSX to modify BIOS commands on shut-down, just another reason I do not like Macs. Well after that Apple never ever held the competition again, to my knowledge, and they did a good job at keeping it mum.

    Anyways BIOS viruses are as old as they come really…

  7. It was a grim sign decades ago too, but it’s not high priority for the same reason an anti-rootkit isn’t currently needed on 64bit NT platforms; inconvenience.

    Non-vista/7 NT and earlier systems even with driver signing can all get ring0 and up rootkits. On SP2C 64bit XP with the latest updates you can even disable driver signing with a batch file. This can only be blocked with the native policy system blocking access to file system functionality and shell access, and running dep.

    writing malicious firmware for the typical BIOS is primitive. You don’t have much space to write code to handle high level protocol layers, and BUS interfaces are also different, and that means more on that layer because there is no abstraction. You also have to keep vendor code in to keep everything operational.

    You’ll notice they mention root privileges and a dropper. No mention of what the BIOS code actually does other than that it can survive a re-flash; probably because the internal storage is segmented into partitions, and bios updates just update certain blocks. They put their code in the other part that isn’t touched.

    My guess is their rootkit solution will be a driver/userland combo that doesn’t uses bios code to launch itself somehow to avoid too much hooking and table swapping.

    If I

  8. Tatsh: no linux based BIOS flashers?
    All the HP DL server (and I suppose, also the rest of the line) BIOS flashers and BIOS update disks are linux based [http://tinyurl.com/2gurxk dl380 g5], even if the provide a Windows “online”version too.
    Now I suppose you’ve found plenty of them :D

  9. Virtualization is starting to look like a better option for anything internet/mail related. OMG some nice security guy is probably looking for an exploit in that already, thanks security guy when will you release details onto the net? Probably 2 weeks before patches are going out like always. Good thing they are looking out for everyone.

  10. @belthesar:
    EFI could be infected a bit easier, but EFI has a few parts soo some one would have to look at what parts are presistant though reinstalls and infect that since EFI works differently.

  11. @iampete3: Virtualization research is referred to as ring -0 or ring -1 layer if I remember correctly. Unless you’re talking about abstracting in software in which case it’s already done.

    running servers in a software VM has the same problems as it would on top of the native layers as far as data obscurity and software vulnerabilities go it just doesn’t affect the native system integrity function wise.

    regarding linux: Linux is mostly protected by it’s permissions abstractions that are in place by default.

    Configure DEP and group policies on any NT system then try to run a dropper on it or do stack overflows. The stack protections for Linux are actually weaker than the one in NT, but none of them protect against remote heap corruption, and other memory corruptions that don’t happen on the stack segment pages.

  12. Hey, has anyone else noticed that Apr 26, 2009 is rapidly approaching? This research team has known about these malware exploits for quite some time, and theyre just releasing it this month? this year? If anyone dosent know Apr 26, 09 will be the exact tenth year anniversary of some major dumping of the cih viri. Which coincided with the date of the chernobyl meltdown, and also coincided with the birthday of the chinese writer of original virus. as pointed out by the wiki file linked by 2 or 3 others already.

    http://en.wikipedia.org/wiki/CIH_virus
    Is this some kind of warning? is there something theyre not telling us?
    never did like aniversaries…

  13. One option nobody’s mentioned is to simply have a second bios chip on hand. “Its a good thing” for a variety of reasons. You can order one from most mobo manufacturers for a very inexpensive price. If the bios in the first chip gets infected, replace it with the good second chip and hot flash the first one (all off-line of course).

  14. terraterrestris, yes there is something that we are not telling you. In a few months will be revealed.
    It have nothing to do with that stupid imaginary cih virus attack.

  15. @sam switzer, the bad guys have known about BIOS hacking already.

    In general, one could take a checksum of the BIOS image on a known-good system (e.g. when you get it from the factory, assuming the factory wasn’t hacked :), and check it periodically for tampering.

    Unfortunately this doesn’t work. We tried that for DELL laptops and discovered that Dell BIOS is being written to. I suspect it’s things like battery calibration. This means that checksums and preventing write access cannot mitigate this vulnerability.

    Other people (Joanna Rutkowska) pointed out that even TPM module doesn’t solve the problem because SMM runs before TPM, and can be exploited to run untrusted code.

  16. I think there is one or two flashable BIOS ROMs that everyone is forgetting about….

    1) AC’97 Audio Embedded
    2) NVIDIA GeForce Graphics has an easily flashable bios
    3) RAID Controllers
    4) NICs
    5) Routers
    6) Modems
    Also, yes, it is impossible for a remote attacker to enter your machine and flash you the bad news. But its not impossible for you to download undetectable bios flash software in the form of “crackz” and “keygens.” I’m pretty positive my NVIDIA GeForce is infected, and since NVIDIA doesn’t provide any end-user BIOS flashing softwar, you are left at the mercy of 3rd party hackjobs to fix the problem…

    Basically anything that is made by a company that has people working for it is vulnerable. Either build your own hardware, or welcome to the phucking future… nukes are starting to sound like less of a hassle to me…. I know thats not funny, but this crap is really that annoying to me.
    Signs of infected hardware…
    1)Errors when flashing installing drivers
    2)Errors right after a fresh install of windows with the latest updates (even virus’s get out of date, fortunately)
    3)Freezing/Lockups during CPU/GPU intensive use
    4)Modem or router light indicating web access when computer is sitting idle.

    You can take it or leave it but I know what I’m talking about.. I honestly don’t care if you believe me. Machine code really isn’t that difficuly to write if you are a total loser and bored out of your mind….not to mention you just got fired from a job where you were working with proprietary hardware…

    Remember-> All hardware is programmable. That is how we are able to run software on it….

  17. Big brother is in my computer(s). In fact he’s in three of them. One can no longer be partitioned. It’s a doorstop.

    They’ve over flashed my computer’s BIOS chip, so reflashing will not work. I know it’s government because of the research I do in law. They don’t like what I know and implement.

    I go through a proxy and I can’t get them out. They’re in the ATI graphics card flash. My motherboard is an older one who BIOS isn’t protect. No jumpers. They got into Linux as easily as they did with my last XP machine. Same attack pattern.

    The common denominator between my last XP machine and this one is FIREFOX. I think Firefox may be a spook funded browser that was designed to attract people so government could easily get inside people’s machines. Think about it. Why would someone spend all those resources to make a nice browser and email client? What’s in it for them?

    I never ran as root. I did not run weird software. Just stuff off the repositories. They found me again.

    What I think they do is tag your computer through the browser. You see, I visit a forum and on that forum you can send people a private message. So, here’s what I would do to get into people machines using a spook browser. I would put some code in the browser that would sniff for a character sequence in the html data stream and when it found it is would wake up its malware program and tag the system, which in turn would report back to a server. The IP address of the server would be embedded in the html tagging sequence. Once that is done you then start to load more code through the browser.

    I did notice that Firefox crashed the system at the beginning when the attacks started, forcing em to press the reset button. It did this in both XP and Linux. Also, it fucked up the tab saving feature on the browser, in that when the browser was restarted all its tabs we not save and I had to go back into the Firefox setup and restore the tap save feature. So, I’ve decided that Firefox is the point of entry. Otherwise, how could they get into both XP and Linux in the same manner?

    If big brother doesn’t like what you saying or doing then he will get inside your computer. The hang out on the forums and tag people who are not towing the part line. I think they also get in through Thunderbird email by sending a wakeup sequence by email. The email would look like junk mail. The sequence could be in the subject line, and would be filtered out by the email program so the user would not see it.

    They’re trying to make my life a living hell. They already trashed two hard disks.

  18. This will never take off.
    The money’s in getting idiots to install adware, no money in writing a virus that bombs your hdd.

    who would write a virus that fails to propogate, has no monetary gain for the creator, and does nothing but turn off the machine?
    only people who are ever gonna use it are the Steam kiddies.

Leave a Reply to TJHookerCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.