Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Demo BIOS Attack That Survives Disk Wipes

Posted by CmdrTaco on from the can't-believe-it-took-this-long dept.

suraj.sun writes "A pair of Argentinian researchers have found a way to perform a BIOS level malware attack capable of surviving even a hard-disk wipe. Alfredo Ortega and Anibal Sacco from Core Security Technologies — used the stage at last week's CanSecWest conference to demonstrate methods (PDF) for infecting the BIOS with persistent code that will survive reboots and re-flashing attempts. The technique includes patching the BIOS with a small bit of code that gave them complete control of the machine. The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player."

11 of 396 comments (clear)

  1. Requires root privileges or physical access by amazeofdeath · · Score: 5, Interesting

    "Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope."

    Hmm, I'd say you are pretty much pwned in that case even before the attacker infecting the BIOS.

    --
    U+F8FF
    1. Re:Requires root privileges or physical access by wvmarle · · Score: 5, Insightful

      Getting root (administrator) privileges in Windows appears trivial for most current malware, so getting to the BIOS is not that hard from there.

      It makes me more wonder why doesn't a motherboard have a jumper that disables BIOS updates? That would be quite a strong safety measure. Anyone capable of knowing why to, and how to execute a BIOS update is certainly capable of opening/closing that jumper for the procedure.

  2. Re:I guess it's official. by Dunbal · · Score: 5, Funny

    It's official - we're screwed.

          Happy news for most of the nerds on this site who sigh and collectively whisper "Finally!"

    --
    Seven puppies were harmed during the making of this post.
  3. Fatal flaw: No BIOS reset by davidwr · · Score: 5, Insightful

    If BIOSes, CPUs, and other low-level software had factory-reset pins that could not be bypassed through patching, we wouldn't have these problems.

    If the pin is set during POST, the CPU, BIOS, or whatever would reset itself to factory conditions. The device would be configured so the factory-reset sequence could not be tampered with through software updates alone.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Fatal flaw: No BIOS reset by wastedlife · · Score: 5, Insightful

      This is why there should always be 2 copies of the BIOS. One that is physically read-only and contains the BIOS as shipped. And another writable one that can be disabled with a jumper. If your BIOS is corrupted or hijacked, you could always go back to the backup BIOS and restore.

      An alternative would be replaceable BIOS chips like the ones from the days before writable BIOS. If a customer gets a BIOS corruption or virus, they could call and order a replacement and not have to buy a whole new mobo. That would also be a good way to distribute BIOS updates to people afraid of bricking their system.

      --
      Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
  4. PDF by JewGold · · Score: 5, Funny

    Wait, you want me to open a PDF from folks who know how to create such a supervirus? Hmm.

    --
    Is this a news report or a trailer for a motion picture?
    1. Re:PDF by L4t3r4lu5 · · Score: 5, Funny

      It's already too late for you, I'm afraid. You've already read the stub of the article which was copied from the original website by another person. The virus jumped through their monitor (writing directly onto their retina using a zero-day exploit) which was then transcoded into nerve pulses. These were transfered to the poster's fingers which caused very small, but significant, induced current in their keyboard. The virus travelled through the USB port and into the PC, and got posted to slashdot. It now resides in your brain, and mine, ready to be exploited at the author's whim.

      Or, you really need to take off the tinfoil hat.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  5. Re:I guess it's official. by Anonymous Coward · · Score: 5, Insightful

    We've had evil viruses around for a while. Anyone remember

    W95.CIH? Back in the Windows 95 days, this mean son of a bitch could nuke your BIOS from orbit. And we're talking over a decade ago.

    Computers are still chugging along fine. This will probably end up breaking more computers than it ends up hijacking. A broken computer is one that gets flagged and fixed or throw away.

  6. Re:Intel only? by peragrin · · Score: 5, Interesting

    Better question is what typeof BIOS? Is EFI vulnerable? How about open firmware? Or is this limited to just plain ole BIOS that should have been killed a decade ago but remains as msft doesn't support anything else for most versions of it's OS?

    --
    i thought once I was found, but it was only a dream.
  7. Re:Tsarkon Reports Obama bent on bankrupting USA by Anonymous Coward · · Score: 5, Informative

    I've found Intel's EFI strategy to be annoying and fragmented. The EFI shell is very dos like, has very poor performance for the frame-buffer devices and leaves a lot to be desired. However, it is likely to become de facto.

    I did enjoy most the ALPHA systems SRM. Alpha-SRM had quite a bit of features for a "BIOS" of sorts.

    The Sun and Apple OpenFirmware (OpenBoot) systems was probably the closest the world got to a sane pre-boot environment. Openfirmware also has the distinction of being an actual standard IEEE 1275-1994. Unfortunately, they (Sun, Apple mainly) did not help the "linux guys" or the open community until it was too late and protected nearly worthless intellectual property for no good reason. (worthless in the sense its not monetize-able) .

    Now I found from long ago the concept of PC BIOS annoying. The BIOS vendors, like Phoenix, American Magatrends, Award, have a lot of collusions with the motherboard vendors in terms of getting all the secret register-poking needed to get things going. There is a lot of black magic, legacy code and the like, but it works.

    It will be very hard for a non-Pheonx-AMI-Intel vendor to come up with a new BIOS for the ages. The LinuxBIOS (coreboot) project, last I checked, and very poor support and no major vendor (e.g. Dell or HP) has looked into it seriously.

    The world lost when EFI eclipsed OpenFirmware's chances of spreading. Now we are stuck with a half-assed DOS-like shell, a still-extant BIOS like menu screen that the Intel motherboards provide, and judging from the number of revisions and the release notes on the various Intel EFI boards, we may have been better off with AMI/Phoenix's secret sauce and black magic than this EFI cruft.

    In the age of 2TB+ volumes it is probably inevitable that we are going to all be using EFI very soon (along with GPT).

    I do not foresee Coreboot or OpenBIOS or OpenFirmware making any real progress in pushing out EFI unless Asus or Lenovo sees the utility in having a real pre-boot environment.

  8. Re:I guess it's official. by markov_chain · · Score: 5, Interesting

    Heh this did happen to me a few times, very cool virus. From then on I pulled my BIOSes and cut the write-enable pin off the chips, no problems then.

    --
    Tsunami -- You can't bring a good wave down!