Slashdot Mirror

← Back to Stories (view on slashdot.org)

Rootkits Head for Your BIOS

Posted by Zonk on from the get-me-off-of-the-internet-please dept.

Artem Tashkinov wrote to mention a SecurityFocus article which discusses a disturbing new threat to computer security: Rootkits that target a computer's BIOS. From the article: "One rootkit expert at the conference predicted that the technology will become a fundamental part of rootkits in the near future. 'It is going to be about one month before malware comes out to take advantage of this,' said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. 'This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in.'" Update: 01/27 14:28 GMT by Z : John Heasman wrote with a link to the slide presentation on this topic given at the Black Hat Conference (pdf).

21 of 287 comments (clear)

  1. Solution by CastrTroy · · Score: 5, Interesting

    They should just make the motherboard have a physical switch on it that stops your bios from getting written to. For the number of times i've had to flash my bios, it'd be a small price to pay to have to open my computer , just to have the piece of mind that some virus wasn't overwriting my bios. If it was a software setting, then there would be a way around it, but if there was a physical switch, that disconnected the write lines, then it would probably be pretty hard for a hacker to get around that.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:Solution by Benanov · · Score: 4, Insightful

      The problem is, think of Joe Sixpack updating his own...

      Wait. Never mind. Joe Sixpack almost would never flashes a BIOS, because he still calls the tower "my hard drive."

    2. Re:Solution by CastrTroy · · Score: 5, Insightful

      No, on the inside would stop it from being tripped by accident, or by users who have no idea what it does and decide to start playing with it. Also, all updates to the BIOS should just be stored on a secondary chip, and have to be confirmed when the user boots up the next time before it is copied to the actual bios. And there should be a third read only chip containing the original bios, which could somehow be loaded in the case of an emergency/mistake. BIOS chips can't really be that expensive, so putting extra security measures in place to not get your system hosed are important.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    3. Re:Solution by cogg · · Score: 5, Funny
      I still have to explain to my parents that the box beside the monitor is actually the computer. They think it's built into the monitor.
      You can blame apple on that.
      *ducks*
      --
      "Never 'clear the air'. Instead, investigate all the subtle nuances of the word 'fester'." - R. Candappa
  2. Hoglund? by IamTheRealMike · · Score: 5, Interesting
    Though this does not and should not reflect upon his findings or the articles, it should be noted that Hoglund is not only a rootkit "expert" but also a blackhat who enjoys developing cheats for World of Warcraft. When the Warden came out and put a stop to this little business his Wow!Sharp software got nailed and (presumably) he began losing money.

    In other words, anything this guy says or does is in my mind suspect .... he writes rootkits and other forms of "attacking software", so for all we know this asshole is getting ready to post example code to the net. It wouldn't be the first time.

    1. Re:Hoglund? by SilverspurG · · Score: 5, Informative

      He's also the author of a well-known book on rootkits. It's a pretty good read. Maybe you should revise your ill-informed personal opinion.

      He doesn't just write rootkits. He teaches seminars on how to write them. He's not a blackhat any more than the this guy. I guess that puts you on par with Oracle.

      --
      fast as fast can be. you'll never catch me.
    2. Re:Hoglund? by IamTheRealMike · · Score: 4, Insightful
      The Warden doesn't "spy" on you, that's a ridiculous assertion ... what it did/does do is hash various bits of data including open window titles then send the hashes to Blizzard for checking against a database of known bad signatures (ie cheating apps). Hashes are one-way, there's no method Blizzard has for finding out what porn you're surfing, and they're unlikely to care even if they could.

      In other words, at no point is the actual title of any windows transmitted.

      Let's review this situation:

      • Hoglund makes money off letting people cheat in WoW. This damages the enjoyability of the game for many people, making him in my mind what is commonly called an "asshat".

      • Blizzard hand his backside to him on a plate when the Warden becomes a polymorphic, encrypted maze of interlocking checks and scans.

      • He writes some bullshit article comparing the Warden to spyware, despite it sharing no characteristics with spyware at all. It doesn't try and prevent itself being uninstalled, users are perfectly aware it is there and comes with WoW - many like it, as it helps make the game fairer - and it does not send personally identifiable information back to Blizzard. In fact the hashing seems to have been put in specifically in order to preserve privacy.

      It amazes me that such a transparent piece of bullshittery could have got as much press as it did, given that it's clearly a case of him trying to spite Blizzard after they shut down the money-making business of Wow!Sharp (it only went open source after they felt it had become useless). Ever since this sordid incident, Hoglund has been a dirty name to me and many others familiar with it, and I don't trust him at all.

      Like I said, it wouldn't surprise me a bit if he released code showing how to hack the BIOS, just like he teaches people how to write rootkits despite them having (as far as I'm aware) no legitimate uses.

  3. What will be interesting by HangingChad · · Score: 5, Interesting
    Is when security companies start checking for BIOS rootkits is if they find something there already staring back at them.

    I'm wondering at the possibility this has been done before and not detected because no one looks there?

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  4. Awfully specific by truthsearch · · Score: 5, Funny

    It is going to be about one month before malware comes out to take advantage of this.

    That's an extremely specific prediction. I think we know who they should look at first when these rootkits show up...

    --
    Developers: We can use your help.
  5. Re:Really? by Shanep · · Score: 5, Informative

    Where are such tools? If I knew such things existed, I would have experimented in "bricking" some of my machines YEARS ago

    Well there is UNIFLASH with source code. Then there are the likes of CBROM and AMIBCP to modify BIOS images and remove and add/enable drivers, functionality and boot screen graphics. Here and here are good places for info and tools.

    --
    War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  6. one-button functionality is to blame by AndyST · · Score: 4, Insightful

    There are two contradicting principles here.

    1. a hardware jumper on the motherboard, the BIOS flashing procedure with a floppy disk, done by some tech-savvy user.
    2. the average non-technical home user wants one-button simplicity

    Many home users want that second kind of functionality. Partly because they don't want to bother with the details, partly because they are mentally challenged. They really like to be able to update the Computer's BIOS as easy as visiting a web site or running any kind of program. Unfortunately, this is what they get. And so do we.

  7. Took long enough by SilverspurG · · Score: 4, Interesting

    I'm glad people in the mainstream are beginning to notice this. I saw proof of concept BIOS trojan code as early as '99. It honestly changed my view of the internet, law enforcement, and all of society. While everyone else is busy labelling each other,"Paranoid conspiracy theorist" I've been sitting back thinking,"You dumbass. He's probably right." In all reality the NSA doesn't need wiretaps. If they really wanted you they'd have MS serve up a specially crafted banner ad when you check your Hotmail.

    Real malware doesn't let itself be known. It sits in the background to aid the people watching you.

    --
    fast as fast can be. you'll never catch me.
  8. You Young Whippersnappers! by Anonymous Coward · · Score: 5, Insightful

    Way way back in the summer of 1994 we use to have viruses that would write themselves to the boot sector of our hard drives and some of them would even overwrite our Bios. I wouldn't expect you to know about it, since it happened so long ago but, those were tough times. Some PC manufacturers would even put antivirus detection software in their Bios to detect and prevent these Bios viruses. Sometimes it worked. Other times your system was hosed!

    Grandad Admin.

    In all seriousness, I am surprised at the lack of malicious viruses today. In yesteryears, viruses wiped out data, wiped out file allocation tables, wiped out Bioses, wiped out PCs. In comparison, todays "malware" seems rather tame or even benign.

    1. Re:You Young Whippersnappers! by jmorris42 · · Score: 4, Insightful

      > In comparison, todays "malware" seems rather tame or even benign.

      No, today's malware got serious. Used to be it was kids proving how 133t they were, now it is professionals implanting spyware and rootkits to make spam zombies, both of which are highly profitable. Destroying a machine earns you zero dollars, owning it makes the cash register go DING!

      What scares the shit outta me, and should scare everyone else with a clue, is the thought of terrorism via the Internet. Imagine the damage a well heeled outfit could inflict.

      Follow me here for a minute. Source code for Windows is out there. Obviously source for Linux, BSD and now Solaris is out there. It isn't just motherboards that have a flash chip. Almost every DVD/CD drive has one and many hard drives even load firmware from flash. Now lets imagine a well funded effort to locate a day zero exploit in two or more popular platforms. And remember, Windows and PC Linux aren't the only ones. Add in Linksys access points, Cisco IOS, etc. While one team works the exploit problem others work on a propagation engine that won't suffer from the crippling flaws seen in previous attempts and a deadly payload. Plant a kaboom in the BIOS instantly, so if the machine is rebooted it, along with the drives, goes bye bye. Then attempt to infect other hosts for 24-48 hours before triggering a reboot into death.

      If done correctly it could destroy outright 10-25% (or even more) of the client's on the Internet and a good percentage of the servers, access points and other infrastructure. This alone would probably be enough to tank the world economy, but the real effect would be a widespread FEAR of reconnecting to the Internet. Kiss Google, Amazon, Dell, etc goodbye if that happened.

      --
      Democrat delenda est
  9. Re:Simple Solution by SilverspurG · · Score: 4, Informative

    One of the reasons why BIOS is flashable is to help the manufacturers. Oftentimes they have the hardware but they don't have the code written yet. Take the Dell D800 laptops for example. When they first shipped the external audio and S-video ports were nonfunctional because they hadn't written the software to put the wires together internally yet. It wasn't until rev. A13, maybe A14, of their BIOS that these ports were enabled. The D800 that I was privy to shipped with BIOS rev. A11.

    --
    fast as fast can be. you'll never catch me.
  10. Re:Really? by MadTinfoilHatter · · Score: 4, Funny

    I hear Sony is working on a version of their own, as well...

  11. Re:What about EFI? by Burz · · Score: 5, Insightful

    A new EFI system is what you're supposed to buy in response to BIOS-scare stories.

    That's what about EFI.

  12. BIOS viruses and Chernobyl revisited by Daruka+Krishna+Das · · Score: 4, Interesting

    All this talk of rootkits, but little about BIOS viruses.

    I have a scary scenario for y'all.

    A virus that spreads over networks, stays quiet until a certain date/time GMT and then BOOM wipes the BIOS of hundreds of thousands of Windows boxes around the world in one fell swoop.

    Can you spell "Black Screen of Death"?

    Does anyone remember the Chernobyl virus? It worked on a good number of BIOSes, even though it was poorly written. Imagine if someone took the time to do it right.

    --
    "Love of fame is the last thing even the wise give up." - Tacitus (55 - 120 AD)
  13. Re:What about EFI? by Anonymous Coward · · Score: 4, Funny

    Now they are sending rootkits after my Electronic Fuel Injection too?

  14. In the Good Old Days by VernonNemitz · · Score: 4, Interesting

    Early computers came with "Mask ROM", which couldn't be reprogrammed, and were only inexpensive if manufactured in large quantities, but they were ABSOLUTEY proof against software manipulation. As a compromise, I'd like to get a "simple" PROM technolgy into the BIOS socket. These are programmable ONCE (like a CD-R), and COULD be made such that after being burned that once, never can they have anything added to it (the way a CD-R can be blocked for further recording into blank areas). Maybe I should be a little more specific. Suppose a new empty PROM has every bit set to '1'. Burning the PROM constitutes permanently changing certain bits to '0'. If not "closed", then malware could do an additional burn and change some of the '1's that you wanted to keep into more '0's, thereby trashing the BIOS. Yes, I know that this overall notion is inconvenient when you want to update the BIOS (you need a brand new blank PROM, every time). I'll accept that as the price to keep malware out of my BIOS, thank you!

  15. Re:Simple Solution by sjames · · Score: 4, Interesting

    In general, flash BIOS issues are poorly addressed in mainboards. They SHOULD have a write enable jumper, but they don't. Instead, there's usually some undocumented GPIO line that must be set high and a poorly documented southbridge register bit to set. In a single move they deftly prevent many from doing what they want with their own hardware and fail to protect everyone else.

    Several chipsets have features to aid in recovery by swapping the top and secodn block in the address space when a jumper is set. The idea is that you never update the emergency block at all, and if an update goes wrong, you can recover with a jumper. I have yet to see a board that doesn't leave those pins disconnected.

    They COULD place the emergency recovery sector in ROM, but they never do.

    To make matters worse, the current trend is to solder the flash directly to the board. I suppose they save that all important penny by not using a socket.

    They could have 2 flash chips and a jumper to toggle which one is enabled, but I've only seen a few blade servers that do that. (that sure would have helped those unbootable iMacs

    Many newer flash chips have lock registers that once set write protect the corresponding sector, and a lock down bit that disables unlocking until power cycled. The BIOS COULD have an option (defaults to yes) for locking down the BIOS before calling the bootloader, but they don't.

    There's absolutely no good reasons not to protect flash from unwanted updates AND provide absolute safety when you DO want to update.