Researchers Demo BIOS Attack That Survives Disk Wipes

suraj.sun writes "A pair of Argentinian researchers have found a way to perform a BIOS level malware attack capable of surviving even a hard-disk wipe. Alfredo Ortega and Anibal Sacco from Core Security Technologies — used the stage at last week's CanSecWest conference to demonstrate methods (PDF) for infecting the BIOS with persistent code that will survive reboots and re-flashing attempts. The technique includes patching the BIOS with a small bit of code that gave them complete control of the machine. The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player."

Fatal flaw: No BIOS reset

[davidwr]

If BIOSes, CPUs, and other low-level software had factory-reset pins that could not be bypassed through patching, we wouldn't have these problems.

If the pin is set during POST, the CPU, BIOS, or whatever would reset itself to factory conditions. The device would be configured so the factory-reset sequence could not be tampered with through software updates alone.

Re:Fatal flaw: No BIOS reset

[wastedlife]

This is why there should always be 2 copies of the BIOS. One that is physically read-only and contains the BIOS as shipped. And another writable one that can be disabled with a jumper. If your BIOS is corrupted or hijacked, you could always go back to the backup BIOS and restore.

An alternative would be replaceable BIOS chips like the ones from the days before writable BIOS. If a customer gets a BIOS corruption or virus, they could call and order a replacement and not have to buy a whole new mobo. That would also be a good way to distribute BIOS updates to people afraid of bricking their system.

Re:Fatal flaw: No BIOS reset

[wastedlife]

Probably most customers didn't care about the feature compared to what it cost to implement. I do wish this was standard though.

Re:I guess it's official.

We've had evil viruses around for a while. Anyone remember

W95.CIH? Back in the Windows 95 days, this mean son of a bitch could nuke your BIOS from orbit. And we're talking over a decade ago.

Computers are still chugging along fine. This will probably end up breaking more computers than it ends up hijacking. A broken computer is one that gets flagged and fixed or throw away.

Re:No surprise

[jellomizer]

Them Old Time Viruses ran with a lot less then what modern BIOS have, so I wouldn't focus to much on size to save us.
When the Virus initially runs it is probably in the Hard Drive to the RAM which can can fit a LOT of configurations to break into a lot of BIOS manufactures.

Re:Requires root privileges or physical access

[wvmarle]

Getting root (administrator) privileges in Windows appears trivial for most current malware, so getting to the BIOS is not that hard from there.

It makes me more wonder why doesn't a motherboard have a jumper that disables BIOS updates? That would be quite a strong safety measure. Anyone capable of knowing why to, and how to execute a BIOS update is certainly capable of opening/closing that jumper for the procedure.

Re:Requires root privileges or physical access

[kinnell]

(although I couldn't see how it can survive a re-flashing.)

Presumably reflashing the BIOS is normally performed by code within the BIOS. If you can corrupt the code in the BIOS you would have control over the flash programming, so could prevent the user from overwriting the infected blocks. I doubt this refers to physically removing the PROM and reflashing with an external programmer.

Re:Intel only?

[Zebedeu]

Better question is what typeof BIOS?

Your many hours of programming C/C++ betray you :-)