Researchers Demo BIOS Attack That Survives Disk Wipes
suraj.sun writes "A pair of Argentinian researchers have found a way to perform a BIOS level malware attack capable of surviving even a hard-disk wipe.
Alfredo Ortega and Anibal Sacco from Core Security Technologies used the stage at last week's CanSecWest conference to demonstrate methods (PDF) for infecting the BIOS with persistent code that will survive reboots and re-flashing attempts. The technique includes patching the BIOS with a small bit of code that gave them complete control of the machine. The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player."
"Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope."
Hmm, I'd say you are pretty much pwned in that case even before the attacker infects the BIOS.
Of course you can infect a BIOS. It has drawbacks, however. One is very limited space. A second one is that BIOSes flash differently on different mainboards. Maybe not too differently, which would be a real problem. Hopefully, there is not enough space in the average BIOS for self-replication (which would need exploit code and flasher code at least).
The fact that this is possible is mildly entertaining, nothing revolutionary. It would have been possible (and obviously possible) with the first Flash BIOSes around.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
What were the editors thinking of when they wrote "perform unveil"?
Better question is what type of BIOS? Is EFI vulnerable? How about Open Firmware? Or is this limited to just plain ole BIOS that should have been killed a decade ago but remains as msft doesn't support anything else for most versions of its OS?
I thought once I was found, but it was only a dream.
Not only do you need root or physical access, you also need the victim to be using a particular type of BIOS. While you could abstract this up to a module, so that it nailed all Phoenix BIOSes, or all Award BIOSes, you'd still need semi-specific payloads for each BIOS OEM. Also, you'd need the target to be using a mainstream commercial BIOS, not UEFI, OpenFirmware, or anything similar.
UEFI will be here and widespread very soon (it's in some machines already, and more every day), and the only real power this 'new' malware has is the persistence/difficulty in removal.
Not impressed.
The preceding comment is my own, and in no way construes an opinion of the Emperor of Mankind.
And here I thought that all the virus writers were just wimps using XSS and Word macros to run generic malware. I wondered where the old school BIOS viruses had gone.
Check out my sysadmin blog!
On April 26, 1999, I turned on my computer, and it met me with a black screen. Turned out that my BIOS was flashed because of this virus: http://en.wikipedia.org/wiki/Chernobyl_virus . Had to re-flash the BIOS. Obviously the BIOS could have been loaded with something else other than simply erased.
LiFe iS bEAuTiFul
Let me get this straight:
It pretty much requires physical access and root. If a malicious person gets that sort of access, I'm screwed anyway.
Ok, so I'm not too worried about anyone installing this on my computer without my knowledge.
What I am interested in is the sort of equipment-tracking possibilities this creates. If I could install a tracking rootkit on a laptop which could silently persist and survive disk wipes and ROM flashes, automatically reporting in whenever it gets net access, it would be a huge advantage if the machine were ever stolen. An OS reinstall is likely, because it's a simple way to circumvent the user account password, but this would even protect against a BIOS flash (which is less likely, but still not out of the question).
Eventually, somebody somewhere would hook the laptop up to the web, probably with a completely fresh OS install, and a subpoena on the IP would reveal their location.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Sounds like they've somehow written a BIOS that detects code that would overwrite it and either kills the code, causes it to silently fail, or silently infects the new BIOS.
Obviously a failed BIOS flash would be suspicious; a silent fail would be slightly harder to notice. If they could somehow infect the new BIOS, it'd be truly devious and almost impossible to detect.
Perhaps you haven't seen Pontypool, a Canadian horror film about a virus that adapts to transmit itself through language. The film itself treats the premise as improbable but the best fit for the observed circumstances.
I liked the film most because of how much imagery they convey through the lack of film footage; the story centers around a small-town morning radio team and what they hear and broadcast. Almost everything is left to the imagination. As I was watching it, all I could do was think back to Cloverfield and how Pontypool was the same thing, but better, because shaky-cam was replaced with no-cam.
It doesn't hurt to be nice.
ISTR firmware viruses infecting C64 floppy disk drives......
After reading the article, I don't think this is novel or new, rather a friendly reminder that firmware viruses are still a potential threat.
LedgerSMB: Open source Accounting/ERP
Heh this did happen to me a few times, very cool virus. From then on I pulled my BIOSes and cut the write-enable pin off the chips, no problems then.
Tsunami -- You can't bring a good wave down!
There's a serious difference between nuking a BIOS and infecting it. A disease doesn't survive long if it instantly kills whoever it infects. Same thing with a computer virus. The news is that this isn't like the W95.CIH bug, it doesn't kill the host, it just embeds itself so deeply that it is near impossible to remove and just keeps spreading, like the Herpes virus in humans.
My blog. Good stuff (when I remember to update it). Read it.
Ever since they've made computers with flashable BIOSes, this became possible.
Ever since they've removed the physical jumper to prevent unintentional flashing of the BIOS it's become probable.
The scum that make most viruses and other malware wouldn't be able to do this, and even believed it impossible. Now that a researcher has done it and made that knowledge public, it's only a matter of time before we see real ones in the wild.
It doesn't matter which BIOS you have if it is flashable without a physical restriction active (like a jumper that has to be moved). It's easy to give your software the access codes for multiple BIOSes. All you need to do is a little research, especially since most BIOS manufacturers have already given you the tools to do it with.
I almost find it hard to believe those idiots did this. It's been an unwritten research area for decades because of the known risk.
(Or more accurately, what the unintended effect would be, the eventual creation of a BIOS infector.)
Well, when the inevitable happens, the only way to fix it will be to get a fresh BIOS chip, or a new motherboard, or a new computer. Hmmm... Maybe a side effect will be a rise in home-brewed BIOS and chip burners.
Then again, 99% of the users out there wouldn't open their case for anything, they're afraid the magic pixies will escape...
Some BIOSes have an option for flash protection; would that be an effective countermeasure?
Want to hear the voice of GOD? cat
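The comments above raise two practical questions: how you would notice that a "re-flash" silently left the old firmware in place or infected the new image, and whether a protection setting actually held. The defender's answer to both is the same: take an independent dump of the flash after the flash and compare it, block by block, with the vendor's image. The following is an added example written for this page, not code from the CanSecWest talk, from Core Security, or from anyone in this thread; it assumes you already have both images as byte strings (for instance the vendor's update file and a dump read with an external programmer, both hypothetical here) and substitutes constructed random data for real firmware.

```python
import hashlib
import random

# Report differences at this granularity (assumption: a typical flash sector size).
BLOCK_SIZE = 4096


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a whole image, suitable for comparing with a vendor-published hash."""
    return hashlib.sha256(data).hexdigest()


def modified_blocks(reference: bytes, current: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Return (offset, length) for every block of `current` that differs from `reference`.

    A size mismatch is reported as an error rather than silently truncated, since a
    dump that is the wrong size is itself a finding worth investigating.
    """
    if len(reference) != len(current):
        raise ValueError(f"image sizes differ: {len(reference)} vs {len(current)}")
    diffs = []
    for off in range(0, len(reference), block_size):
        ref_blk = reference[off:off + block_size]
        cur_blk = current[off:off + block_size]
        if ref_blk != cur_blk:
            diffs.append((off, len(ref_blk)))
    return diffs


def verify_image(reference: bytes, current: bytes) -> dict:
    """Compare a freshly dumped image against a known-good one.

    Firmware-resident code that survives a re-flash still has to occupy flash, so a
    post-flash dump that does not hash-match the vendor image is the signal to look
    for; the block list narrows down where to look.
    """
    ref_hash = sha256_hex(reference)
    cur_hash = sha256_hex(current)
    matched = ref_hash == cur_hash
    return {
        "match": matched,
        "reference_sha256": ref_hash,
        "current_sha256": cur_hash,
        "modified_blocks": [] if matched else modified_blocks(reference, current),
    }


# --- constructed sample data (not real firmware) ---
def _constructed_image(size: int, seed: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for a 64 KiB BIOS image."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


REFERENCE_IMAGE = _constructed_image(64 * 1024, seed=1)

# Tampered copy: 0x200 bytes overwritten so that the change straddles the
# 0x3000/0x4000 block boundary (constructed filler, stands in for a modification).
_patch = b"\xaa" * 0x200
TAMPERED_IMAGE = REFERENCE_IMAGE[:0x3F00] + _patch + REFERENCE_IMAGE[0x3F00 + len(_patch):]

if __name__ == "__main__":
    for name, img in (("pristine dump", REFERENCE_IMAGE), ("tampered dump", TAMPERED_IMAGE)):
        result = verify_image(REFERENCE_IMAGE, img)
        blocks = [hex(off) for off, _ in result["modified_blocks"]]
        print(f"{name}: match={result['match']} modified_blocks={blocks}")
```

Two caveats on using this for real hardware. First, the dump must come from something the suspect firmware cannot influence, such as an external SPI programmer, since a dump produced by software running on the possibly compromised machine can be faked. Second, real images contain regions that legitimately change (NVRAM settings, logs, boot counters), so a production check would mask those regions before comparing, or a clean machine would show spurious differences there.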
Now that a researcher has done it and made that knowledge public, it's only a matter of time before we see real ones in the wild.
I almost find it hard to believe those idiots did this. It's been an unwritten research area for decades because of the known risk.
(Or more accurately, what the unintended effect would be, the eventual creation of a BIOS infector.)
Sounds like you're advocating security through obscurity? I'm not a computer security expert but it seems to me that keeping a research area unstudied for this reason is not the best approach to any kind of intellectual endeavor.