Slashdot Mirror
Researchers Demo BIOS Attack That Survives Disk Wipes
suraj.sun writes "A pair of Argentinian researchers have found a way to perform a BIOS level malware attack capable of surviving even a hard-disk wipe.
Alfredo Ortega and Anibal Sacco from Core Security Technologies — used the stage at last week's CanSecWest conference to demonstrate methods (PDF) for infecting the BIOS with persistent code that will survive reboots and re-flashing attempts. The technique includes patching the BIOS with a small bit of code that gave them complete control of the machine. The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player."
used the stage at last week's CanSecWest conference to demonstrate methods for infecting the BIOS with persistent code that will survive reboots and re-flashing attempts.
The fact that the BIOS is in a chip is not news. News is they've infected it.
Any life is made up of a single moment, the moment in which a man finds out, once and for all, who he is.
preinstalled, on ASUS boards: it was the BIOS itself. It too survived hard disk wipes, but it didn't survive my sledgehammer.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
"Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope."
Hmm, I'd say you are pretty much pwned in that case even before the attacker infecting the BIOS.
U+F8FF
It's official - we're screwed.
Happy news for most of the nerds on this site who sigh and collectively whisper "Finally!"
Seven puppies were harmed during the making of this post.
If BIOSes, CPUs, and other low-level software had factory-reset pins that could not be bypassed through patching, we wouldn't have these problems.
If the pin is set during POST, the CPU, BIOS, or whatever would reset itself to factory conditions. The device would be configured so the factory-reset sequence could not be tampered with through software updates alone.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Of course you can infect a BIOS. It has drawbacks, however. One is very limited space. A second one is that BIOSes flash differently on different mainboards. Maybe not too differently, which would be a real problem. Hoperfully, there is not enough space in the average BIOS for self-relication (which would need exploit code and flasher code at least).
The fact that this is possible is mildly entertaining, nothing revolutionary. Would have been possible (and obviously possible) with the first Flash BIOSES around.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Wait, you want me to open a PDF from folks who know how to create such a supervirus? Hmm.
Is this a news report or a trailer for a motion picture?
We've had evil viruses around for a while. Anyone remember
W95.CIH? Back in the Windows 95 days, this mean son of a bitch could nuke your BIOS from orbit. And we're talking over a decade ago.
Computers are still chugging along fine. This will probably end up breaking more computers than it ends up hijacking. A broken computer is one that gets flagged and fixed or throw away.
OK, that bolded part is pretty cool and suggests a serious flaw.
Because without direct access to the physical computer, it requires (as any other malware or virus does) an entryway from the internet and cooperation from the operating system. Anyone can destroy my laptop with the keys to my appartment and a sledgehammer, but doing it from a distance requires a windows flaw to exploit.
Motherboard vendors typically use some form of protection, to prevent the 'normal' user from hacking into the BIOS Memory. In the old days, BIOS was in the 512K range, however many BIOS chips now sport 1 or 2 MB of space. This additional space is usually reserved for the nice big splash-screen image re-sellers throw up instead of having the PC sit and display the DOS boot messages (Memory test, speed, processor, Hard Drives, CD Drives, ect).
So, there is 'plenty' of memory space that is non-violatile, that lives on your motherboard that could be used to hide either multiple compressed malware programs, or a host of viri. The only way you would know if you were infected would be the obvious crash, or if you were wise enough to compare the sum-check of the BIOS that you loaded against the sum-check of what is in your BIOS memory chip.
But, the part they didn't tell you is that the BIOS memory chip may live in a variety of different places, it could be on the root PCI bus, or off the SPI bus, or hanging off the SMA bus. The virus loader would need to be smart enough to know 'where to look' and also have both Phoenix and Award BIOS passcodes/proceedures for this to be effective.
Once hit, the only way to get rid of it would be to re-flash your BIOS (assuming the new BIOS doesn't have a self-preservation routine built-in - Like disabline the ability to write the BIOS again).
Not totally,
In one hand:
Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope.
Which makes the attack more difficult in operating systems which do not allow users to run with Administrative rights all the time.
But the methods are deadly effective and the pair are currently working on a BIOS rootkit to implement the attack.
I can imagine that, everything you need is ONE time root access to "install" the BIOS instructions and fsck the machine. After that, you are pretty much in control of what comes next.
In some way, I find this similar to the viruses that infected the Master Bood Record, just a bit more interesting...
On the other hand, this will just trigger a bios-patch / virus-release cat and mouse game similar to the standard viruses.
Ubuntu is an African word meaning 'I can't configure Debian'
I was with the summary until that last part... A windows machine, I can accept that. An OpenBSD machine, I can accept that too. But another machine running VMware Player? Thats not an OS, so I don't even know what they were trying to say.
Overclockers
Not technically... some motherboards with dual bios chips can be set to fail over to the secondary bios, and from there you could re-flash the primary off of the secondary.
Better question is what typeof BIOS? Is EFI vulnerable? How about open firmware? Or is this limited to just plain ole BIOS that should have been killed a decade ago but remains as msft doesn't support anything else for most versions of it's OS?
i thought once I was found, but it was only a dream.
I've found Intel's EFI strategy to be annoying and fragmented. The EFI shell is very dos like, has very poor performance for the frame-buffer devices and leaves a lot to be desired. However, it is likely to become de facto.
I did enjoy most the ALPHA systems SRM. Alpha-SRM had quite a bit of features for a "BIOS" of sorts.
The Sun and Apple OpenFirmware (OpenBoot) systems was probably the closest the world got to a sane pre-boot environment. Openfirmware also has the distinction of being an actual standard IEEE 1275-1994. Unfortunately, they (Sun, Apple mainly) did not help the "linux guys" or the open community until it was too late and protected nearly worthless intellectual property for no good reason. (worthless in the sense its not monetize-able) .
Now I found from long ago the concept of PC BIOS annoying. The BIOS vendors, like Phoenix, American Magatrends, Award, have a lot of collusions with the motherboard vendors in terms of getting all the secret register-poking needed to get things going. There is a lot of black magic, legacy code and the like, but it works.
It will be very hard for a non-Pheonx-AMI-Intel vendor to come up with a new BIOS for the ages. The LinuxBIOS (coreboot) project, last I checked, and very poor support and no major vendor (e.g. Dell or HP) has looked into it seriously.
The world lost when EFI eclipsed OpenFirmware's chances of spreading. Now we are stuck with a half-assed DOS-like shell, a still-extant BIOS like menu screen that the Intel motherboards provide, and judging from the number of revisions and the release notes on the various Intel EFI boards, we may have been better off with AMI/Phoenix's secret sauce and black magic than this EFI cruft.
In the age of 2TB+ volumes it is probably inevitable that we are going to all be using EFI very soon (along with GPT).
I do not foresee Coreboot or OpenBIOS or OpenFirmware making any real progress in pushing out EFI unless Asus or Lenovo sees the utility in having a real pre-boot environment.
Not only do you need root or physical access, you also need the victim to be using a particular type of BIOS. While you could abstract this up to a module, so that it nailed all Phoenix BIOSes, or all Award BIOSes, you'd still need semi-specific payloads for each BIOS OEM. Also, you'd need the target to be using a mainstream commercial BIOS, not UEFI, OpenFirmware, or anything similar.
UEFI will be here and widespread very soon (it's in some machines already, and more every day), and the only real power this 'new' malware has is the persistence/difficulty in removal.
Not impressed.
The preceding comment is my own, and in no way construes an opinon of the Emperor of Mankind.
And here I thought that all the virus writers were just wimps using XSS and Word macros to run generic malware. I wondered where the old school BIOS viruses had gone.
Check out my sysadmin blog!
From what I get from the summary, what is new is that it only replaces part of the BIOS instead of installing a whole new one. If it can somehow tell which part it needs to replace on different model motherboards, then it may be able to spread further than older BIOS malware which is normally motherboard-specific.
Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
In April 26, 1999, I turned on my computer, and it met me with a black screen. Turned out that my BIOS was flashed because of this virus: http://en.wikipedia.org/wiki/Chernobyl_virus . Had to re-flash the BIOS. Obviously BIOS could have been loaded with something else other than simply erased.
LiFe iS bEAuTiFul
Let me get this straight:
It pretty much requires physical access and root. If a malicious person gets that sort of access, I'm screwed anyway.
Ok, so I'm not too worried about anyone installing this on my computer without my knowledge.
What I am interested in is the sort of equipment-tracking possibilities this creates. If I could install a tracking rootkit on a laptop which could silently persist and survive disk wipes and ROM flashes, automatically reporting in whenever it gets net access, it would be a huge advantage if the machine were ever stolen. An OS reinstall is likely, because it's a simple way to circumvent the user account password, but this would even protect against a BIOS flash (which is less likely, but still not out of the question).
Eventually, somebody somewhere would hook the laptop up to the web, probably with a completely fresh OS install, and a subpoena on the IP would reveal their location.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Sounds like they've somehow written a BIOS that detects code that would overwrite it and either kills the code, causes it to silently fail, or silently infects the new BIOS.
Obviously a failed BIOS flash would be suspicious; a silent fail would be slightly harder to notice. If they could somehow infect the new BIOS, it'd be truly devious and almost impossible to detect.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
I boot without a bios - by toggling in raw machine code from the front panel switches!
This issue is a bit more complicated than you think.
Does anyone use EFI outside of Apple and IA64 based machines?
Microsoft don't support EFI, even tho Vista promised support for it... EFI is really only of benefit to run OSX or possibly Linux.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
You're being watched . . .
This is a brilliant idea. To make it better, we will eventually want to allow this program on the motherboard to take updates. Of course at this point we will need another program to monitor the updates to our program that monitors the updates to the bios. To make that better, it will also have to take updates...
ISTR firmware viruses infecting C64 floppy disk drives......
After reading the article, I don't think this is novel or new, rather a friendly reminder that firmware viruses are still a potential threat.
LedgerSMB: Open source Accounting/ERP
If you read the article, it is vulnerable to a bios you can flash, and access to that process (except on VM's where you are patching the emulator).
It seems to me that the hardware demo seems to rely on physical access to the machine. The VMWare demo would require access to the host OS.
LedgerSMB: Open source Accounting/ERP
Heh this did happen to me a few times, very cool virus. From then on I pulled my BIOSes and cut the write-enable pin off the chips, no problems then.
Tsunami -- You can't bring a good wave down!
The fact that this was allowed to happen is clearly a defect in design, materials, or workmanship.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
ISTR firmware viruses infecting C64 floppy disk drives......
Nothing that would survive a power-cycle, though. That was before we had flash memory - it was either true ROMs or UV-erasable EPROMs.
Flash that can be re-programmed by "in-band" communication (vs. a dedicated maintenance channel like JTAG) is convenient but it is also very risky. I'm glad to see that this issue is getting more publicity. Maybe now we'll see a shift back to hardware write-protection, like a physical jumper inside the PC that has to be connected before you can re-flash the BIOS.
It's not just BIOS either. Your hard drive has reprogrammable firmware (see the recent Seagate bugs). Your wireless adapters (including bluetooth) may have reprogrammable firmware. There's plenty of opportunity for someone with the right knowledge to compromise your system.
There's a serious difference between nuking a BIOS and infecting it. A disease doesn't survive long if it instantly kills whoever it infects. Same thing with a computer virus. The news is that this isn't like the W95.CIH bug, it doesn't kill the host, it just embeds itself so deeply that it is near impossible to remove and just keeps spreading, like the Herpes virus in humans.
My blog. Good stuff (when I remember to update it). Read it.
Ever since they've made computers with flashable BIOSs, this became possible.
Ever since they've removed the physical jumper to prevent unintentional flashing of the BIOS it's become probable.
The scum that make most viruses and other malware wouldn't be able to do this, and even believed it impossible. Now that a researcher has done it, and made that knowledge public means it's only a matter of time before we see real ones in the wild.
It doesn't matter which BIOS you have if it is flashable without a physical restriction active (like a jumper that has to be moved). It's easy to give your software the access codes for multiple BIOSs. All you need to do is a little research, especially since most BIOS manufacturers have already given you the tools to do it with.
I almost find it hard to believe those idiots did this. It's been an unwritten research area for decades because of the known risk.
(Or more accurately, what the unintended effect would be, the eventual creation of a BIOS infector.)
Well, when the inevitable happens, the only way to fix it will to be getting a fresh BIOS chip, or New Motherboard, or New Computer. Hmmm... Maybe a side effect will be a rise in home brewed BIOS and chip burners.
Then again, 99% of the users out there wouldn't open their case for anything, they're afraid the magic pixies will escape...
Better question is what typeof BIOS?
Your many hours of programming C/C++ betray you :-)
Some BIOSes have an option for flash protection; would that be an effective countermeasure?
Want to hear the voice of GOD? cat
Now that a researcher has done it, and made that knowledge public means it's only a matter of time before we see real ones in the wild.
I almost find it hard to believe those idiots did this. It's been an unwritten research area for decades because of the known risk.
(Or more accurately, what the unintended effect would be, the eventual creation of a BIOS infector.)
Sounds like you're advocating security through obscurity? I'm not a computer security expert but it seems to me that keeping a research area unstudied for this reason is not the best approach to any kind of intellectual endeavor.
Then again, 99% of the users out there wouldn't open their case for anything, they're afraid the magic pixies will escape...
No magic pixies in my case... It's fighting Uraki that live in my case...
Uraki are much k00ler than magic pixies...{rolling eyes}
Cheers,
Xyst
I wonder how many mainboards are out there which have their Flash write protect disabled straight from the factory. Many people probably don't even know their system has one ("Jumper, whaddoyoumean jumper. I know that movie, but that's probably not it."). Shudder...
The Hacker's Guide To The Kernel: Don't panic()!
Every motherboard I've ever worked with either had a BIOS reset jumper or the CMOS battery was removable.
You've never worked on a laptop.
Request a Linux Shockwave player here: http://www.macromedia.com/support/email/wishform/