Researchers Demo BIOS Attack That Survives Disk Wipes

← Back to Stories (view on slashdot.org)

Researchers Demo BIOS Attack That Survives Disk Wipes

Posted by CmdrTaco on Monday March 23, 2009 @01:37AM from the can't-believe-it-took-this-long dept.

suraj.sun writes "A pair of Argentinian researchers have found a way to perform a BIOS level malware attack capable of surviving even a hard-disk wipe. Alfredo Ortega and Anibal Sacco from Core Security Technologies — used the stage at last week's CanSecWest conference to demonstrate methods (PDF) for infecting the BIOS with persistent code that will survive reboots and re-flashing attempts. The technique includes patching the BIOS with a small bit of code that gave them complete control of the machine. The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player."

31 of 396 comments (clear)

Min score:

Reason:

Sort:

Re:Of course. by Andr+T. · 2009-03-23 01:43 · Score: 3, Informative

used the stage at last week's CanSecWest conference to demonstrate methods for infecting the BIOS with persistent code that will survive reboots and re-flashing attempts.
The fact that the BIOS is in a chip is not news. News is they've infected it.

--
Any life is made up of a single moment, the moment in which a man finds out, once and for all, who he is.
I've already had BIOS malware by Rosco+P.+Coltrane · 2009-03-23 01:43 · Score: 3, Funny

preinstalled, on ASUS boards: it was the BIOS itself. It too survived hard disk wipes, but it didn't survive my sledgehammer.

--
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Requires root privileges or physical access by amazeofdeath · 2009-03-23 01:44 · Score: 5, Interesting

"Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope."
Hmm, I'd say you are pretty much pwned in that case even before the attacker infecting the BIOS.

--
U+F8FF
1. Re:Requires root privileges or physical access by Leafheart · 2009-03-23 01:58 · Score: 4, Informative
  
  Needing root privileges means that an attacker could put this code on another malware he writes, get an user infected and upload this to the bios. From that point onwards, if they can really disable the AV (both article and presentation are light on details), they can ensure that the box will remain infected, by injecting more code.
  Think of it as a sure fire way to get people infect for a botnet without any recourse to stop it. Except updating the EEPROM of the bios (although I couldn't see how it can survive a re-flashing.)
  
  --
  --- "When you gotta do something wrong. You gotta do it right. (Fighter)"
2. Re:Requires root privileges or physical access by wvmarle · 2009-03-23 02:03 · Score: 5, Insightful
  
  Getting root (administrator) privileges in Windows appears trivial for most current malware, so getting to the BIOS is not that hard from there.
  It makes me more wonder why doesn't a motherboard have a jumper that disables BIOS updates? That would be quite a strong safety measure. Anyone capable of knowing why to, and how to execute a BIOS update is certainly capable of opening/closing that jumper for the procedure.
3. Re:Requires root privileges or physical access by cowbutt · 2009-03-23 02:10 · Score: 4, Interesting
  
  It makes me more wonder why doesn't a motherboard have a jumper that disables BIOS updates? That would be quite a strong safety measure. Anyone capable of knowing why to, and how to execute a BIOS update is certainly capable of opening/closing that jumper for the procedure.
  I've been thinking that this is necessary ever since I lost a nearly-new DVD Rom drive to a rogue piece of software that managed to wipe out one bit in sixteen of the drive's firmware.
4. Re:Requires root privileges or physical access by bev_tech_rob · 2009-03-23 02:45 · Score: 4, Funny
  
  The nice thing about this exploit requiring physical access is that you may have a fairly decent chance to catching the perp and applying a size 13 (my shoe size) patch upside their head or backside. Then make them pay for a new systemboard after they trashed your current one with this nasty bit of code....
  
  --
  You're messin' with my Zen Thing, man.....
5. Re:Requires root privileges or physical access by kinnell · 2009-03-23 02:45 · Score: 4, Insightful
  
  (although I couldn't see how it can survive a re-flashing.)
  Presumably reflashing the BIOS is normally performed by code within the BIOS. If you can corrupt the code in the BIOS you would have control over the flash programming, so could prevent the user from overwriting the infected blocks. I doubt this refers to physically removing the PROM and reflashing with an external programmer.
  
  --
  If I seem short sighted, it is because I stand on the shoulders of midgets
6. Re:Requires root privileges or physical access by TheRaven64 · 2009-03-23 03:40 · Score: 4, Informative
  
  On a lot of systems, reflashing the BIOS is performed by code in ROM, precisely to prevent it from being overwritten. That said, this code is executed via an interrupt, and it may be possible to replace the interrupt vector in the flash part of the BIOS.
  
  --
  I am TheRaven on Soylent News
7. Re:Requires root privileges or physical access by Nick+Ives · 2009-03-23 03:50 · Score: 4, Interesting
  
  I've been using Windows based BIOS flashers for a decade. It was originally a feature limited to enthusiast boards but now it's standard. You can even sometimes flash from within Linux for boards that support it via /dev/nvram.
  
  --
  Nick
Re:I guess it's official. by Dunbal · 2009-03-23 01:45 · Score: 5, Funny

It's official - we're screwed.
Happy news for most of the nerds on this site who sigh and collectively whisper "Finally!"

--
Seven puppies were harmed during the making of this post.
Fatal flaw: No BIOS reset by davidwr · 2009-03-23 01:45 · Score: 5, Insightful

If BIOSes, CPUs, and other low-level software had factory-reset pins that could not be bypassed through patching, we wouldn't have these problems.
If the pin is set during POST, the CPU, BIOS, or whatever would reset itself to factory conditions. The device would be configured so the factory-reset sequence could not be tampered with through software updates alone.

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
1. Re:Fatal flaw: No BIOS reset by wastedlife · 2009-03-23 02:10 · Score: 5, Insightful
  
  This is why there should always be 2 copies of the BIOS. One that is physically read-only and contains the BIOS as shipped. And another writable one that can be disabled with a jumper. If your BIOS is corrupted or hijacked, you could always go back to the backup BIOS and restore.
  An alternative would be replaceable BIOS chips like the ones from the days before writable BIOS. If a customer gets a BIOS corruption or virus, they could call and order a replacement and not have to buy a whole new mobo. That would also be a good way to distribute BIOS updates to people afraid of bricking their system.
  
  --
  Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
2. Re:Fatal flaw: No BIOS reset by wastedlife · 2009-03-23 03:02 · Score: 3, Insightful
  
  Probably most customers didn't care about the feature compared to what it cost to implement. I do wish this was standard though.
  
  --
  Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
No surprise by gweihir · 2009-03-23 01:47 · Score: 4, Interesting

Of course you can infect a BIOS. It has drawbacks, however. One is very limited space. A second one is that BIOSes flash differently on different mainboards. Maybe not too differently, which would be a real problem. Hoperfully, there is not enough space in the average BIOS for self-relication (which would need exploit code and flasher code at least).
The fact that this is possible is mildly entertaining, nothing revolutionary. Would have been possible (and obviously possible) with the first Flash BIOSES around.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
1. Re:No surprise by jellomizer · 2009-03-23 01:58 · Score: 3, Insightful
  
  Them Old Time Viruses ran with a lot less then what modern BIOS have, so I wouldn't focus to much on size to save us.
  When the Virus initially runs it is probably in the Hard Drive to the RAM which can can fit a LOT of configurations to break into a lot of BIOS manufactures.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
PDF by JewGold · 2009-03-23 01:51 · Score: 5, Funny

Wait, you want me to open a PDF from folks who know how to create such a supervirus? Hmm.

--
Is this a news report or a trailer for a motion picture?
1. Re:PDF by L4t3r4lu5 · 2009-03-23 02:31 · Score: 5, Funny
  
  It's already too late for you, I'm afraid. You've already read the stub of the article which was copied from the original website by another person. The virus jumped through their monitor (writing directly onto their retina using a zero-day exploit) which was then transcoded into nerve pulses. These were transfered to the poster's fingers which caused very small, but significant, induced current in their keyboard. The virus travelled through the USB port and into the PC, and got posted to slashdot. It now resides in your brain, and mine, ready to be exploited at the author's whim.
  
  Or, you really need to take off the tinfoil hat.
  
  --
  Finally had enough. Come see us over at https://soylentnews.org/
2. Re:PDF by MadKeithV · 2009-03-23 03:06 · Score: 4, Funny
  
  There is some irony in the fact that most botnet zombies are indeed caused by lack of brains.
3. Re:PDF by SydShamino · 2009-03-23 03:18 · Score: 3, Interesting
  
  Perhaps you haven't seen Pontypool, a Canadian horror film about a virus that adapts to transmit itself through language. The film itself treats the premise as improbable but the best fit for the observed circumstances.
  I liked the film most because of how much imagery they convey through the lack of film footage; the story centers around a small-town morning radio team and what they hear and broadcast. Almost everything is left to the imagination. As I was watching it, all I could do was think back to Cloverleaf and how Pontypool was the same thing, but better, because shakey-cam was replaced with no-cam.
  
  --
  It doesn't hurt to be nice.
Re:I guess it's official. by Anonymous Coward · 2009-03-23 01:53 · Score: 5, Insightful

We've had evil viruses around for a while. Anyone remember
W95.CIH? Back in the Windows 95 days, this mean son of a bitch could nuke your BIOS from orbit. And we're talking over a decade ago.
Computers are still chugging along fine. This will probably end up breaking more computers than it ends up hijacking. A broken computer is one that gets flagged and fixed or throw away.
Re:why is it OS dependant by Drakkenmensch · 2009-03-23 02:05 · Score: 4, Funny

Because without direct access to the physical computer, it requires (as any other malware or virus does) an entryway from the internet and cooperation from the operating system. Anyone can destroy my laptop with the keys to my appartment and a sledgehammer, but doing it from a distance requires a windows flaw to exploit.
Re:I guess it's official. by xtracto · 2009-03-23 02:09 · Score: 4, Informative

Not totally,
In one hand:

Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope.
Which makes the attack more difficult in operating systems which do not allow users to run with Administrative rights all the time.

But the methods are deadly effective and the pair are currently working on a BIOS rootkit to implement the attack.
I can imagine that, everything you need is ONE time root access to "install" the BIOS instructions and fsck the machine. After that, you are pretty much in control of what comes next.
In some way, I find this similar to the viruses that infected the Master Bood Record, just a bit more interesting...
On the other hand, this will just trigger a bios-patch / virus-release cat and mouse game similar to the standard viruses.

--
Ubuntu is an African word meaning 'I can't configure Debian'
Re:Intel only? by peragrin · 2009-03-23 02:13 · Score: 5, Interesting

Better question is what typeof BIOS? Is EFI vulnerable? How about open firmware? Or is this limited to just plain ole BIOS that should have been killed a decade ago but remains as msft doesn't support anything else for most versions of it's OS?

--
i thought once I was found, but it was only a dream.
Re:Tsarkon Reports Obama bent on bankrupting USA by Anonymous Coward · 2009-03-23 02:15 · Score: 5, Informative

I've found Intel's EFI strategy to be annoying and fragmented. The EFI shell is very dos like, has very poor performance for the frame-buffer devices and leaves a lot to be desired. However, it is likely to become de facto.
I did enjoy most the ALPHA systems SRM. Alpha-SRM had quite a bit of features for a "BIOS" of sorts.
The Sun and Apple OpenFirmware (OpenBoot) systems was probably the closest the world got to a sane pre-boot environment. Openfirmware also has the distinction of being an actual standard IEEE 1275-1994. Unfortunately, they (Sun, Apple mainly) did not help the "linux guys" or the open community until it was too late and protected nearly worthless intellectual property for no good reason. (worthless in the sense its not monetize-able) .
Now I found from long ago the concept of PC BIOS annoying. The BIOS vendors, like Phoenix, American Magatrends, Award, have a lot of collusions with the motherboard vendors in terms of getting all the secret register-poking needed to get things going. There is a lot of black magic, legacy code and the like, but it works.
It will be very hard for a non-Pheonx-AMI-Intel vendor to come up with a new BIOS for the ages. The LinuxBIOS (coreboot) project, last I checked, and very poor support and no major vendor (e.g. Dell or HP) has looked into it seriously.
The world lost when EFI eclipsed OpenFirmware's chances of spreading. Now we are stuck with a half-assed DOS-like shell, a still-extant BIOS like menu screen that the Intel motherboards provide, and judging from the number of revisions and the release notes on the various Intel EFI boards, we may have been better off with AMI/Phoenix's secret sauce and black magic than this EFI cruft.
In the age of 2TB+ volumes it is probably inevitable that we are going to all be using EFI very soon (along with GPT).
I do not foresee Coreboot or OpenBIOS or OpenFirmware making any real progress in pushing out EFI unless Asus or Lenovo sees the utility in having a real pre-boot environment.
Re:Been around for some time... by wastedlife · 2009-03-23 02:31 · Score: 3, Informative

From what I get from the summary, what is new is that it only replaces part of the BIOS instead of installing a whole new one. If it can somehow tell which part it needs to replace on different model motherboards, then it may be able to spread further than older BIOS malware which is normally motherboard-specific.

--
Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
Doesn't affect me by NotQuiteReal · 2009-03-23 03:19 · Score: 4, Funny

I boot without a bios - by toggling in raw machine code from the front panel switches!

--
This issue is a bit more complicated than you think.
Re:Intel only? by einhverfr · 2009-03-23 03:46 · Score: 3, Informative

If you read the article, it is vulnerable to a bios you can flash, and access to that process (except on VM's where you are patching the emulator).
It seems to me that the hardware demo seems to rely on physical access to the machine. The VMWare demo would require access to the host OS.

--

LedgerSMB: Open source Accounting/ERP
Re:I guess it's official. by markov_chain · 2009-03-23 03:53 · Score: 5, Interesting

Heh this did happen to me a few times, very cool virus. From then on I pulled my BIOSes and cut the write-enable pin off the chips, no problems then.

--
Tsunami -- You can't bring a good wave down!
Re:Of course. by mmontour · 2009-03-23 04:35 · Score: 4, Informative

ISTR firmware viruses infecting C64 floppy disk drives......
Nothing that would survive a power-cycle, though. That was before we had flash memory - it was either true ROMs or UV-erasable EPROMs.
Flash that can be re-programmed by "in-band" communication (vs. a dedicated maintenance channel like JTAG) is convenient but it is also very risky. I'm glad to see that this issue is getting more publicity. Maybe now we'll see a shift back to hardware write-protection, like a physical jumper inside the PC that has to be connected before you can re-flash the BIOS.
It's not just BIOS either. Your hard drive has reprogrammable firmware (see the recent Seagate bugs). Your wireless adapters (including bluetooth) may have reprogrammable firmware. There's plenty of opportunity for someone with the right knowledge to compromise your system.
Re:Intel only? by Zebedeu · 2009-03-23 05:16 · Score: 3, Insightful

Better question is what typeof BIOS?
Your many hours of programming C/C++ betray you :-)