Slashdot Mirror
Rootkits Head for Your BIOS
Artem Tashkinov wrote to mention a SecurityFocus article which discusses a disturbing new threat to computer security: Rootkits that target a computer's BIOS. From the article: "One rootkit expert at the conference predicted that the technology will become a fundamental part of rootkits in the near future. 'It is going to be about one month before malware comes out to take advantage of this,' said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. 'This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in.'" Update: 01/27 14:28 GMT by Z : John Heasman wrote with a link to the slide presentation on this topic given at the Black Hat Conference (pdf).
Where are such tools? If I knew such things existed, I would have experimented in "bricking" some of my machines YEARS ago
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
What about EFI?
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
They should just make the motherboard have a physical switch on it that stops your bios from getting written to. For the number of times i've had to flash my bios, it'd be a small price to pay to have to open my computer , just to have the piece of mind that some virus wasn't overwriting my bios. If it was a software setting, then there would be a way around it, but if there was a physical switch, that disconnected the write lines, then it would probably be pretty hard for a hacker to get around that.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
it worked for floppy disk.. I want a little hardware switch that cuts the write lines @ the bios
In other words, anything this guy says or does is in my mind suspect .... he writes rootkits and other forms of "attacking software", so for all we know this asshole is getting ready to post example code to the net. It wouldn't be the first time.
I've just switched to Macs after 17 years of PC ownership* (Dos, then Windows, then Linux). Boy, am I feeling smug right at this moment.
* I first typed 'ownershit' by mistake - Thinking about it, this might actually be a more accurate word to describe the joys of being a PC user.
"It is going to be about one month before malware comes out to take advantage of this," said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. "This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in."
Maybe add a physical unit that you need to move by hand in order to change the BIOS or Flash memory.
Or, if you suspect your computer has already been compromised, use an online/flash drive/external detection tool (independent from the O/S and all software) can be run to find out if you computer has been infected. (It works for the Microsoft Security guys)
The tool would have to check the computer's flash, BIOS, and currently running programs and notify you if it is being blocked/disabled/changed...and then fix the problem or tell you what to do to fix it.
He who knows best knows how little he knows. - Thomas Jefferson
I'm wondering at the possibility this has been done before and not detected because no one looks there?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
It is going to be about one month before malware comes out to take advantage of this.
That's an extremely specific prediction. I think we know who they should look at first when these rootkits show up...
Developers: We can use your help.
There are two contradicting principles here.
Many home users want that second kind of functionality. Partly because they don't want to bother with the details, partly because they are mentally challenged. They really like to be able to update the Computer's BIOS as easy as visiting a web site or running any kind of program. Unfortunately, this is what they get. And so do we.
I'm glad people in the mainstream are beginning to notice this. I saw proof of concept BIOS trojan code as early as '99. It honestly changed my view of the internet, law enforcement, and all of society. While everyone else is busy labelling each other,"Paranoid conspiracy theorist" I've been sitting back thinking,"You dumbass. He's probably right." In all reality the NSA doesn't need wiretaps. If they really wanted you they'd have MS serve up a specially crafted banner ad when you check your Hotmail.
Real malware doesn't let itself be known. It sits in the background to aid the people watching you.
fast as fast can be. you'll never catch me.
Way way back in the summer of 1994 we use to have viruses that would write themselves to the boot sector of our hard drives and some of them would even overwrite our Bios. I wouldn't expect you to know about it, since it happened so long ago but, those were tough times. Some PC manufacturers would even put antivirus detection software in their Bios to detect and prevent these Bios viruses. Sometimes it worked. Other times your system was hosed!
Grandad Admin.
In all seriousness, I am surprised at the lack of malicious viruses today. In yesteryears, viruses wiped out data, wiped out file allocation tables, wiped out Bioses, wiped out PCs. In comparison, todays "malware" seems rather tame or even benign.
One of the reasons why BIOS is flashable is to help the manufacturers. Oftentimes they have the hardware but they don't have the code written yet. Take the Dell D800 laptops for example. When they first shipped the external audio and S-video ports were nonfunctional because they hadn't written the software to put the wires together internally yet. It wasn't until rev. A13, maybe A14, of their BIOS that these ports were enabled. The D800 that I was privy to shipped with BIOS rev. A11.
fast as fast can be. you'll never catch me.
If the board uses one of the larger DIP style EEPROM BIOS chips, wouldn't it be simple to identify the write lines (from the manufacturer's data sheet)? You could then pull the chip, and 'flag' the associated pins (bend them out, so they no longer enter the socket) and re-insert the chip.
A little tricky maybe, but better than nothing for now..
There's a Starman, waiting in the sky / He'd like to come and meet us, but he hasn't got the time.
I can't wait until one of these is widespread AND badly written. Once several thousand computers stop booting and are potential ruined (umm... you need a new motherboard... this is not covered under warranty). God help whoever wrote and distributed it. He will hang.
This posting is clearly spreading it. This is part of a calculated attempt to fear computer users into accepting Trusted Platform Modules which currently exist as UFOs on the new Intel iMacs. When I say UFOs I mean Undocumented Functioning Object. It's installed on my motherboard. It's true that the TCG has made much of the documentation about their modus operandi and even Apple has some OLD documentation about this, the real agenda here is spreading Fear, Uncertainty, and Doubt about their platforms in their current implementations and ease our transition into the TPM future.
It's not difficult to see that these mechanisms could potentially be part of an much larger agenda. You see it happening all around you, RFID, Ubiquitous Surveillance, Presidentially Endorsed Wiretapping, etc. The controls on your movements are getting tighter and tighter. It's not paranoia, it's paying attention. Connect the dots is an easy game, even children can do it.
The most damning aspect of this technology is the lack of transparency required by the implementor, in that they can (at their discretion) use closed source to track users, enforce DRM restrictions where previous 'fair use' and other uses were traditionally allowed. The real question is, even for shareholders, how much is too much? Is the quest for maximizing profit hobbling our society?
Don't look to the skies for UFOs, look on your motherboard, and demand answers for undocumented ICs
if I claimed I was emperor just because some watery tart lobbed a scimitar at me they'd put me away!
On the bright side, Sony Vio owners don't need to worry. Their BIOS comes pre-hacked, so there's no room for more malware!
"Live Free or Die." Don't like it? Then keep out of the USA
The BIOS or Basic Input Output System is a series of low level instructions to help set up the basic functionality of hardware and initialize the bootstrap process. As this device is typically created in hardware in a CMOS (Complimentary Metal Oxide Semiconductor) based firmware usually called EEPROM (Electrically Eraseable Programmable Read Only Memory) you need a low level EEPROM programming utility to access and write to this firmware. As BIOS is after POST (Power On Self Test) the first device initialized during the boot process and is used to identify local and external devices and provide for their initialization and map their resource entries for later use by the operating system. Motherboard manufacturers have been aware of this vulnerability for years, and have taken appropriate steps including but not limited to jumpers (can't flash BIOS unless jumped) and other protections. This is why you'll not find a software writable BIOS implementation receive C2 certification.
EFI is equally 'hackable' and potentially even more so. By increasing complexity, you increase the exposure to compromise. It is not true that security by obscurity works for all cases, so in truth you're not going to be secure any way you slice it. IBM proved in the 1960s and early 1970s that physical access to the equipment and the appropriate knowledge can render any security system including the attempts at secure kernels useless ( a project starting with 'M' comes to mind here.)
It very true that there are inherent dangers in the use of computers, esp. with respect to sensitive data. It is equally true that any lock created is already insecure by the nature of the fact that a key must exist. The FUD is getting spread a little thick here, that's why it's important to understand that TPM is just a Dongle you can't see, touch, or remove.
if I claimed I was emperor just because some watery tart lobbed a scimitar at me they'd put me away!
You want to talk about broken hardware? I have an FIC PA-2013 mobo which has LM75 sensors under the CPU. They're labelled on the mobo. The sensor is there. But there never was a BIOS released which puts the wires together and makes them accessible to the rest of the system.
If you look in the user's manual there are screenshots of the BIOS configuration page showing the temperatures... that must've been a development screenshot because it was never made available to consumers.
fast as fast can be. you'll never catch me.
All this talk of rootkits, but little about BIOS viruses.
I have a scary scenario for y'all.
A virus that spreads over networks, stays quiet until a certain date/time GMT and then BOOM wipes the BIOS of hundreds of thousands of Windows boxes around the world in one fell swoop.
Can you spell "Black Screen of Death"?
Does anyone remember the Chernobyl virus? It worked on a good number of BIOSes, even though it was poorly written. Imagine if someone took the time to do it right.
"Love of fame is the last thing even the wise give up." - Tacitus (55 - 120 AD)
This is just a bunch of worthless FUD. Programs have been able to write to the BIOS flash ROM for years now. It's not by any means a new concept. What suddenly makes next month the date that all of these thousands of BIOS-infecting rootkits are going to be released?
And what, exactly, would a rootkit or virus want with the BIOS? Does a BIOS even have enough "extra room" to accomodate either? How about platform-independent versions? That's just an idiotic claim if I've ever seen one.
Just sounds to me like this John Heasman is your average "computer security expert" trying to stir up issues and catch some rays in the media spotlight thanks to some worthless but impressive-sounding (to idiots) premise. He needs to go back and finish his MSCE so he can do something useful with his life.
Early computers came with "Mask ROM", which couldn't be reprogrammed, and were only inexpensive if manufactured in large quantities, but they were ABSOLUTEY proof against software manipulation. As a compromise, I'd like to get a "simple" PROM technolgy into the BIOS socket. These are programmable ONCE (like a CD-R), and COULD be made such that after being burned that once, never can they have anything added to it (the way a CD-R can be blocked for further recording into blank areas). Maybe I should be a little more specific. Suppose a new empty PROM has every bit set to '1'. Burning the PROM constitutes permanently changing certain bits to '0'. If not "closed", then malware could do an additional burn and change some of the '1's that you wanted to keep into more '0's, thereby trashing the BIOS. Yes, I know that this overall notion is inconvenient when you want to update the BIOS (you need a brand new blank PROM, every time). I'll accept that as the price to keep malware out of my BIOS, thank you!
In general, flash BIOS issues are poorly addressed in mainboards. They SHOULD have a write enable jumper, but they don't. Instead, there's usually some undocumented GPIO line that must be set high and a poorly documented southbridge register bit to set. In a single move they deftly prevent many from doing what they want with their own hardware and fail to protect everyone else.
Several chipsets have features to aid in recovery by swapping the top and secodn block in the address space when a jumper is set. The idea is that you never update the emergency block at all, and if an update goes wrong, you can recover with a jumper. I have yet to see a board that doesn't leave those pins disconnected.
They COULD place the emergency recovery sector in ROM, but they never do.
To make matters worse, the current trend is to solder the flash directly to the board. I suppose they save that all important penny by not using a socket.
They could have 2 flash chips and a jumper to toggle which one is enabled, but I've only seen a few blade servers that do that. (that sure would have helped those unbootable iMacs
Many newer flash chips have lock registers that once set write protect the corresponding sector, and a lock down bit that disables unlocking until power cycled. The BIOS COULD have an option (defaults to yes) for locking down the BIOS before calling the bootloader, but they don't.
There's absolutely no good reasons not to protect flash from unwanted updates AND provide absolute safety when you DO want to update.
Joe Fourpack would flash the bios. All he would need is an e-mail instructing him that if he updates his computer by flipping this bios switch thingy and then clicking OK, he will be able to play the attached new pr0n file.
Note that Joe Fourpack is two short of a sixpack.
The price of freedom is eternal litigation.