Researchers Demo BIOS Attack That Survives Disk Wipes

← Back to Stories (view on slashdot.org)

Researchers Demo BIOS Attack That Survives Disk Wipes

Posted by CmdrTaco on Monday March 23, 2009 @01:37AM from the can't-believe-it-took-this-long dept.

suraj.sun writes "A pair of Argentinian researchers have found a way to perform a BIOS level malware attack capable of surviving even a hard-disk wipe. Alfredo Ortega and Anibal Sacco from Core Security Technologies — used the stage at last week's CanSecWest conference to demonstrate methods (PDF) for infecting the BIOS with persistent code that will survive reboots and re-flashing attempts. The technique includes patching the BIOS with a small bit of code that gave them complete control of the machine. The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player."

5 of 396 comments (clear)

Min score:

Reason:

Sort:

Fatal flaw: No BIOS reset by davidwr · 2009-03-23 01:45 · Score: 5, Insightful

If BIOSes, CPUs, and other low-level software had factory-reset pins that could not be bypassed through patching, we wouldn't have these problems.
If the pin is set during POST, the CPU, BIOS, or whatever would reset itself to factory conditions. The device would be configured so the factory-reset sequence could not be tampered with through software updates alone.

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
1. Re:Fatal flaw: No BIOS reset by wastedlife · 2009-03-23 02:10 · Score: 5, Insightful
  
  This is why there should always be 2 copies of the BIOS. One that is physically read-only and contains the BIOS as shipped. And another writable one that can be disabled with a jumper. If your BIOS is corrupted or hijacked, you could always go back to the backup BIOS and restore.
  An alternative would be replaceable BIOS chips like the ones from the days before writable BIOS. If a customer gets a BIOS corruption or virus, they could call and order a replacement and not have to buy a whole new mobo. That would also be a good way to distribute BIOS updates to people afraid of bricking their system.
  
  --
  Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
Re:I guess it's official. by Anonymous Coward · 2009-03-23 01:53 · Score: 5, Insightful

We've had evil viruses around for a while. Anyone remember
W95.CIH? Back in the Windows 95 days, this mean son of a bitch could nuke your BIOS from orbit. And we're talking over a decade ago.
Computers are still chugging along fine. This will probably end up breaking more computers than it ends up hijacking. A broken computer is one that gets flagged and fixed or throw away.
Re:Requires root privileges or physical access by wvmarle · 2009-03-23 02:03 · Score: 5, Insightful

Getting root (administrator) privileges in Windows appears trivial for most current malware, so getting to the BIOS is not that hard from there.
It makes me more wonder why doesn't a motherboard have a jumper that disables BIOS updates? That would be quite a strong safety measure. Anyone capable of knowing why to, and how to execute a BIOS update is certainly capable of opening/closing that jumper for the procedure.
Re:Requires root privileges or physical access by kinnell · 2009-03-23 02:45 · Score: 4, Insightful

(although I couldn't see how it can survive a re-flashing.)
Presumably reflashing the BIOS is normally performed by code within the BIOS. If you can corrupt the code in the BIOS you would have control over the flash programming, so could prevent the user from overwriting the infected blocks. I doubt this refers to physically removing the PROM and reflashing with an external programmer.

--
If I seem short sighted, it is because I stand on the shoulders of midgets