Researchers Demo BIOS Attack That Survives Disk Wipes

suraj.sun writes "A pair of Argentinian researchers have found a way to perform a BIOS level malware attack capable of surviving even a hard-disk wipe. Alfredo Ortega and Anibal Sacco from Core Security Technologies — used the stage at last week's CanSecWest conference to demonstrate methods (PDF) for infecting the BIOS with persistent code that will survive reboots and re-flashing attempts. The technique includes patching the BIOS with a small bit of code that gave them complete control of the machine. The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player."

Requires root privileges or physical access

[amazeofdeath]

"Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope."

Hmm, I'd say you are pretty much pwned in that case even before the attacker infecting the BIOS.

Re:Requires root privileges or physical access

[cowbutt]

It makes me more wonder why doesn't a motherboard have a jumper that disables BIOS updates? That would be quite a strong safety measure. Anyone capable of knowing why to, and how to execute a BIOS update is certainly capable of opening/closing that jumper for the procedure.

I've been thinking that this is necessary ever since I lost a nearly-new DVD Rom drive to a rogue piece of software that managed to wipe out one bit in sixteen of the drive's firmware.

Re:Requires root privileges or physical access

[Nick+Ives]

I've been using Windows based BIOS flashers for a decade. It was originally a feature limited to enthusiast boards but now it's standard. You can even sometimes flash from within Linux for boards that support it via /dev/nvram.

No surprise

[gweihir]

Of course you can infect a BIOS. It has drawbacks, however. One is very limited space. A second one is that BIOSes flash differently on different mainboards. Maybe not too differently, which would be a real problem. Hoperfully, there is not enough space in the average BIOS for self-relication (which would need exploit code and flasher code at least).

The fact that this is possible is mildly entertaining, nothing revolutionary. Would have been possible (and obviously possible) with the first Flash BIOSES around.

Re:Intel only?

[peragrin]

Better question is what typeof BIOS? Is EFI vulnerable? How about open firmware? Or is this limited to just plain ole BIOS that should have been killed a decade ago but remains as msft doesn't support anything else for most versions of it's OS?

Re:PDF

[SydShamino]

Perhaps you haven't seen Pontypool, a Canadian horror film about a virus that adapts to transmit itself through language. The film itself treats the premise as improbable but the best fit for the observed circumstances.

I liked the film most because of how much imagery they convey through the lack of film footage; the story centers around a small-town morning radio team and what they hear and broadcast. Almost everything is left to the imagination. As I was watching it, all I could do was think back to Cloverleaf and how Pontypool was the same thing, but better, because shakey-cam was replaced with no-cam.

Re:I guess it's official.

[markov_chain]

Heh this did happen to me a few times, very cool virus. From then on I pulled my BIOSes and cut the write-enable pin off the chips, no problems then.