Slashdot Mirror

← Back to Stories (view on slashdot.org)

Rootkits Head for Your BIOS

Posted by Zonk on from the get-me-off-of-the-internet-please dept.

Artem Tashkinov wrote to mention a SecurityFocus article which discusses a disturbing new threat to computer security: Rootkits that target a computer's BIOS. From the article: "One rootkit expert at the conference predicted that the technology will become a fundamental part of rootkits in the near future. 'It is going to be about one month before malware comes out to take advantage of this,' said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. 'This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in.'" Update: 01/27 14:28 GMT by Z : John Heasman wrote with a link to the slide presentation on this topic given at the Black Hat Conference (pdf).

14 of 287 comments (clear)

  1. What about EFI? by Aqua+OS+X · · Score: 2, Insightful

    What about EFI?

    --
    "Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
    1. Re:What about EFI? by Burz · · Score: 5, Insightful

      A new EFI system is what you're supposed to buy in response to BIOS-scare stories.

      That's what about EFI.

  2. write protect swith by Anonymous Coward · · Score: 2, Insightful

    it worked for floppy disk.. I want a little hardware switch that cuts the write lines @ the bios

  3. Re:Solution by Benanov · · Score: 4, Insightful

    The problem is, think of Joe Sixpack updating his own...

    Wait. Never mind. Joe Sixpack almost would never flashes a BIOS, because he still calls the tower "my hard drive."

  4. one-button functionality is to blame by AndyST · · Score: 4, Insightful

    There are two contradicting principles here.

    1. a hardware jumper on the motherboard, the BIOS flashing procedure with a floppy disk, done by some tech-savvy user.
    2. the average non-technical home user wants one-button simplicity

    Many home users want that second kind of functionality. Partly because they don't want to bother with the details, partly because they are mentally challenged. They really like to be able to update the Computer's BIOS as easy as visiting a web site or running any kind of program. Unfortunately, this is what they get. And so do we.

  5. Re:Solution by CastrTroy · · Score: 5, Insightful

    No, on the inside would stop it from being tripped by accident, or by users who have no idea what it does and decide to start playing with it. Also, all updates to the BIOS should just be stored on a secondary chip, and have to be confirmed when the user boots up the next time before it is copied to the actual bios. And there should be a third read only chip containing the original bios, which could somehow be loaded in the case of an emergency/mistake. BIOS chips can't really be that expensive, so putting extra security measures in place to not get your system hosed are important.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  6. You Young Whippersnappers! by Anonymous Coward · · Score: 5, Insightful

    Way way back in the summer of 1994 we use to have viruses that would write themselves to the boot sector of our hard drives and some of them would even overwrite our Bios. I wouldn't expect you to know about it, since it happened so long ago but, those were tough times. Some PC manufacturers would even put antivirus detection software in their Bios to detect and prevent these Bios viruses. Sometimes it worked. Other times your system was hosed!

    Grandad Admin.

    In all seriousness, I am surprised at the lack of malicious viruses today. In yesteryears, viruses wiped out data, wiped out file allocation tables, wiped out Bioses, wiped out PCs. In comparison, todays "malware" seems rather tame or even benign.

    1. Re:You Young Whippersnappers! by lintux · · Score: 3, Insightful

      Problem with today's malware is that the authors don't want their stuff to be noticed. Not by the owner of the infected machine, at least. They want to continue spreading spam, viruses and credit card numbers for as long as they can. Breaking things on purpose is not the way to go then.

      Computer viruses today are hardly an annoyance to their "victims", only to the rest of the world. :-(

    2. Re:You Young Whippersnappers! by jmorris42 · · Score: 4, Insightful

      > In comparison, todays "malware" seems rather tame or even benign.

      No, today's malware got serious. Used to be it was kids proving how 133t they were, now it is professionals implanting spyware and rootkits to make spam zombies, both of which are highly profitable. Destroying a machine earns you zero dollars, owning it makes the cash register go DING!

      What scares the shit outta me, and should scare everyone else with a clue, is the thought of terrorism via the Internet. Imagine the damage a well heeled outfit could inflict.

      Follow me here for a minute. Source code for Windows is out there. Obviously source for Linux, BSD and now Solaris is out there. It isn't just motherboards that have a flash chip. Almost every DVD/CD drive has one and many hard drives even load firmware from flash. Now lets imagine a well funded effort to locate a day zero exploit in two or more popular platforms. And remember, Windows and PC Linux aren't the only ones. Add in Linksys access points, Cisco IOS, etc. While one team works the exploit problem others work on a propagation engine that won't suffer from the crippling flaws seen in previous attempts and a deadly payload. Plant a kaboom in the BIOS instantly, so if the machine is rebooted it, along with the drives, goes bye bye. Then attempt to infect other hosts for 24-48 hours before triggering a reboot into death.

      If done correctly it could destroy outright 10-25% (or even more) of the client's on the Internet and a good percentage of the servers, access points and other infrastructure. This alone would probably be enough to tank the world economy, but the real effect would be a widespread FEAR of reconnecting to the Internet. Kiss Google, Amazon, Dell, etc goodbye if that happened.

      --
      Democrat delenda est
    3. Re:You Young Whippersnappers! by duh_lime · · Score: 3, Insightful

      Why is that surprising?

      An owned PC is worth more to an attacker than a destroyed machine. (I'm talking about "large numbers" here, not pointed efforts to take a site/machine down.)

      I'm surprised there are *any* large-scale malicious viruses anymore... Only because "ownership" means cash to the person who can deliver the botnets. And, for identity thieves, a crashed machine doesn't serve up personal information.

      Follow the money.

  7. Watch Out!! by mslinux · · Score: 2, Insightful

    I can't wait until one of these is widespread AND badly written. Once several thousand computers stop booting and are potential ruined (umm... you need a new motherboard... this is not covered under warranty). God help whoever wrote and distributed it. He will hang.

  8. Re:Hoglund? by IamTheRealMike · · Score: 4, Insightful
    The Warden doesn't "spy" on you, that's a ridiculous assertion ... what it did/does do is hash various bits of data including open window titles then send the hashes to Blizzard for checking against a database of known bad signatures (ie cheating apps). Hashes are one-way, there's no method Blizzard has for finding out what porn you're surfing, and they're unlikely to care even if they could.

    In other words, at no point is the actual title of any windows transmitted.

    Let's review this situation:

    • Hoglund makes money off letting people cheat in WoW. This damages the enjoyability of the game for many people, making him in my mind what is commonly called an "asshat".

    • Blizzard hand his backside to him on a plate when the Warden becomes a polymorphic, encrypted maze of interlocking checks and scans.

    • He writes some bullshit article comparing the Warden to spyware, despite it sharing no characteristics with spyware at all. It doesn't try and prevent itself being uninstalled, users are perfectly aware it is there and comes with WoW - many like it, as it helps make the game fairer - and it does not send personally identifiable information back to Blizzard. In fact the hashing seems to have been put in specifically in order to preserve privacy.

    It amazes me that such a transparent piece of bullshittery could have got as much press as it did, given that it's clearly a case of him trying to spite Blizzard after they shut down the money-making business of Wow!Sharp (it only went open source after they felt it had become useless). Ever since this sordid incident, Hoglund has been a dirty name to me and many others familiar with it, and I don't trust him at all.

    Like I said, it wouldn't surprise me a bit if he released code showing how to hack the BIOS, just like he teaches people how to write rootkits despite them having (as far as I'm aware) no legitimate uses.

  9. Re:move along. by psmears · · Score: 2, Insightful

    And what, exactly, would a rootkit or virus want with the BIOS?

    A very insightful question—and one with a scary answer. Currently, if I have a machine that's infected with a rootkit/virus/other malware, I can boot Knoppix or other favourite live CD of choice, and be sure that the malware isn't running (and thus can't prevent me detecting/removing it, log my keystrokes, wipe my HD, or any other things I'd rather it didn't do). Once malware starts overwriting the BIOS, I can't even be sure of that: as soon as I apply power to the machine, it's already compromised...

    --
    Need to type accents and special characters in Windows? Use FrKeys
  10. Re:In the Good Old Days by fbjon · · Score: 2, Insightful

    Actually, I think it's more because no-one has bothered yet. Users who are incompatible with moving jumpers around are likely also incompatible with BIOS updates.

    --
    True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.