Slashdot Mirror
Rootkits Head for Your BIOS
Artem Tashkinov wrote to mention a SecurityFocus article which discusses a disturbing new threat to computer security: Rootkits that target a computer's BIOS. From the article: "One rootkit expert at the conference predicted that the technology will become a fundamental part of rootkits in the near future. 'It is going to be about one month before malware comes out to take advantage of this,' said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. 'This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in.'" Update: 01/27 14:28 GMT by Z : John Heasman wrote with a link to the slide presentation on this topic given at the Black Hat Conference (pdf).
They should just make the motherboard have a physical switch on it that stops your bios from getting written to. For the number of times i've had to flash my bios, it'd be a small price to pay to have to open my computer , just to have the piece of mind that some virus wasn't overwriting my bios. If it was a software setting, then there would be a way around it, but if there was a physical switch, that disconnected the write lines, then it would probably be pretty hard for a hacker to get around that.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
In other words, anything this guy says or does is in my mind suspect .... he writes rootkits and other forms of "attacking software", so for all we know this asshole is getting ready to post example code to the net. It wouldn't be the first time.
I'm wondering at the possibility this has been done before and not detected because no one looks there?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
I'm glad people in the mainstream are beginning to notice this. I saw proof of concept BIOS trojan code as early as '99. It honestly changed my view of the internet, law enforcement, and all of society. While everyone else is busy labelling each other,"Paranoid conspiracy theorist" I've been sitting back thinking,"You dumbass. He's probably right." In all reality the NSA doesn't need wiretaps. If they really wanted you they'd have MS serve up a specially crafted banner ad when you check your Hotmail.
Real malware doesn't let itself be known. It sits in the background to aid the people watching you.
fast as fast can be. you'll never catch me.
All this talk of rootkits, but little about BIOS viruses.
I have a scary scenario for y'all.
A virus that spreads over networks, stays quiet until a certain date/time GMT and then BOOM wipes the BIOS of hundreds of thousands of Windows boxes around the world in one fell swoop.
Can you spell "Black Screen of Death"?
Does anyone remember the Chernobyl virus? It worked on a good number of BIOSes, even though it was poorly written. Imagine if someone took the time to do it right.
"Love of fame is the last thing even the wise give up." - Tacitus (55 - 120 AD)
Early computers came with "Mask ROM", which couldn't be reprogrammed, and were only inexpensive if manufactured in large quantities, but they were ABSOLUTEY proof against software manipulation. As a compromise, I'd like to get a "simple" PROM technolgy into the BIOS socket. These are programmable ONCE (like a CD-R), and COULD be made such that after being burned that once, never can they have anything added to it (the way a CD-R can be blocked for further recording into blank areas). Maybe I should be a little more specific. Suppose a new empty PROM has every bit set to '1'. Burning the PROM constitutes permanently changing certain bits to '0'. If not "closed", then malware could do an additional burn and change some of the '1's that you wanted to keep into more '0's, thereby trashing the BIOS. Yes, I know that this overall notion is inconvenient when you want to update the BIOS (you need a brand new blank PROM, every time). I'll accept that as the price to keep malware out of my BIOS, thank you!
In general, flash BIOS issues are poorly addressed in mainboards. They SHOULD have a write enable jumper, but they don't. Instead, there's usually some undocumented GPIO line that must be set high and a poorly documented southbridge register bit to set. In a single move they deftly prevent many from doing what they want with their own hardware and fail to protect everyone else.
Several chipsets have features to aid in recovery by swapping the top and secodn block in the address space when a jumper is set. The idea is that you never update the emergency block at all, and if an update goes wrong, you can recover with a jumper. I have yet to see a board that doesn't leave those pins disconnected.
They COULD place the emergency recovery sector in ROM, but they never do.
To make matters worse, the current trend is to solder the flash directly to the board. I suppose they save that all important penny by not using a socket.
They could have 2 flash chips and a jumper to toggle which one is enabled, but I've only seen a few blade servers that do that. (that sure would have helped those unbootable iMacs
Many newer flash chips have lock registers that once set write protect the corresponding sector, and a lock down bit that disables unlocking until power cycled. The BIOS COULD have an option (defaults to yes) for locking down the BIOS before calling the bootloader, but they don't.
There's absolutely no good reasons not to protect flash from unwanted updates AND provide absolute safety when you DO want to update.