Slashdot Mirror


New BIOS Exploiting Rootkit Discovered

First time accepted submitter mtemar writes with a Symantec analysis of an interesting new trojan/virus. From the article: "There are more and more known viruses that infect the MBR. Symantec Security Response published a blog to demonstrate this trend last month. However, we seldom confront one that infects the BIOS. One of them, the notorious CIH, appeared in 1999, which infected the computer BIOS and thus harmed a huge number of computers at that time. Recently, we met a new threat named Trojan.Mebromi that can add malicious components into Award BIOS, which allows the threat to take control of the system even before the MBR."

205 comments

  1. This is some serious business by Reverand+Dave · · Score: 1

    Is it really a total surprise that it was discovered initially by a Chinese security firm? Their reaction should have been, "Look at this virus we just found that we just made!"

    --
    I got here through a series of tubes
    1. Re:This is some serious business by dintech · · Score: 1

      Irrespective of where it came from or it's maliciousness, you've got to admire it for how cool and sophisticated it is. Hmm, sounds French.

    2. Re:This is some serious business by Anonymous Coward · · Score: 0

      "Irrespective of where it came from or it's maliciousness, you've got to admire it for how cool and sophisticated it is."

      One thing that isn't cool or sophisticated, is not knowing the difference between it's and its.

    3. Re:This is some serious business by Anonymous Coward · · Score: 0

      Well, the fix is relatively simple: make the BIOS write-protected by a mechanical switch, and make it so the system cannot boot from the HDD or USB with the BIOS in write mode. Maybe hard drives should have a read-only section to put the MBR on as well.

    4. Re:This is some serious business by fuzzyfuzzyfungus · · Score: 4, Insightful

      Last week, I updated, and then applied desired settings to, several hundred systems across multiple sites without getting up from my desk, much less getting up from my desk, visiting each site, unlocking each chassis, toggling a jumper, completing the update, toggling the jumper back, relocking the chassis, and moving on to the next... Build update package, shove update package over network. Go, settings take effect on next boot (for newly purchased systems, just plug 'em in, PXE boot, and you get your system image and BIOS config automatically).

      The option to hard-switch the BIOS into read-only would be handy; but I'm not seeing it become a default any time soon...

    5. Re:This is some serious business by lpp · · Score: 3, Informative

      It's not just that it was first discovered by a Chinese security firm. It also appears to be targeted at Chinese PCs. From the original post:

      The infection is clearly focused on Chinese users, because the dropper is carefully checking if the system it’s going to infect is protected by Chinese security software Rising Antivirus and Jiangmin KV Antivirus.

      Makes one wonder who developed it and what the intent was.

    6. Re:This is some serious business by omnichad · · Score: 1

      BIOS Config != BIOS

    7. Re:This is some serious business by Reverand+Dave · · Score: 1

      Probably the same way the super flu will kill all of the people living in the town where it is being developed.

      --
      I got here through a series of tubes
    8. Re:This is some serious business by Anonymous Coward · · Score: 0

      The GP did say "updated", which could well imply BIOS update not just new config settings ("and then applied desired settings...").

    9. Re:This is some serious business by rthille · · Score: 3, Funny

      Not only that, but a guy in china did the same thing to all those systems of yours! :-)

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    10. Re:This is some serious business by Anonymous Coward · · Score: 0

      One thing that isn't cool or sophisticated, is not knowing the difference between it's and its.

      One thing that isn't cool or sophisticated is not knowing where to put commas.

    11. Re:This is some serious business by fuzzyfuzzyfungus · · Score: 1

      In this case I did do both(to bring all BIOSes for each model up to current, and then standardize the configs; but they were two distinct operations).

      I'd be delighted to see the security of vital bits of a PC's guts be down to something other than sheer obscurity (and, I'd really prefer that the alternative not be a cryptographic vendor lock; those don't end well). Defaulting to a cryptographic lock, so that Joe Blow can safely get BIOS updates without touching his hardware, might be OK; but you'd really want a way to override that and substitute a different key, by toggling the jumper or whatever. Corporate types could do their custom thing by provisioning their own key during deployment, home types could know nothing safely, and coreboot wouldn't be out in the cold...

    12. Re:This is some serious business by FatdogHaiku · · Score: 1

      It's not, his, fault!

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    13. Re:This is some serious business by lpp · · Score: 1

      Furthering your analogy, your version of the flu would have been tailored to only attack individuals with chromosomal characteristics common to the Asiatic region.

    14. Re:This is some serious business by Reverand+Dave · · Score: 1

      I figured it was more of a regional thing and less of a racial thing, but this virus seems awfully sophisticated already so who knows.

      --
      I got here through a series of tubes
    15. Re:This is some serious business by lpp · · Score: 1

      Ah, I see. I figured anyone capable of creating something this sophisticated would have been able to target more platforms due to the relative accessibility of PC parts. But perhaps I'm overestimating just how accessible parts are from outside China.

    16. Re:This is some serious business by Anonymous Coward · · Score: 0

      Makes one wonder who developed it and what the intent was.

      I developed and the intent is obvious.

      I would have eventually infected a large enough portion of Chinese WIN-PCs to start a subliminal campaign to make them all crave KFC and Ford vehicles.

      Muuuuhahahaaaaw!!!!

    17. Re:This is some serious business by nobodie · · Score: 1

      probably another attempt by 360 AV to crush competition. They attacked QQ last Spring and made a big fuss, now maybe they are going after some competitors. It is the wild west over there.

      --
      Subversion of spatial scale luxury decoration ideas.
  2. Well now. by Snkbyt3d · · Score: 1

    Seems I need to drink my coffee a little faster so as to write an anti-Trojan.Mebromi fix to prevent it from getting into our systems. Lol

  3. This is what easy over safe design gets ya by jmorris42 · · Score: 5, Insightful

    When flash BIOS first appeared you had to move a hardware jumper to enable writing it. Then we had systems where you could fix it so that once POST finished the possibility to write the BIOS was physically removed. But people wanted simple Windows based utilities to reflash the BIOS instead of booting from a special floppy or even using the flashers many BIOSes themselves offered, and nobody wanted end users to have to open the case and move a jumper. So the vital security functions were removed. Hilarity ensues.

    --
    Democrat delenda est
    1. Re:This is what easy over safe design gets ya by fnj · · Score: 2

      It's a complete lack of safety. A proper design would require at least a password entered while in the BIOS at a point before anything else could get its hooks into it, to temporarily allow updating. The only executable code that occurs before that point after power-on should be READ ONLY MEMORY with no programmability whatsoever.

    2. Re:This is what easy over safe design gets ya by grimmjeeper · · Score: 1

      Do you have any idea how complex the BIOS code is these days? A lot of the fixes that go into BIOS releases are for the code that runs before you even hear the system beep. You really do need to be able to flash that as fixes come out.

    3. Re:This is what easy over safe design gets ya by Dunbal · · Score: 4, Insightful

      But people wanted simple Windows based utilities to reflash the BIOS

      People wanted? Or the industry thought it would be a cool marketing gimmick? Most people have no idea what BIOS stands for, much less what it does and how dangerous it can be for them if it gets subverted. The rest of the people who know should not be too bothered to have to move a jumper to re-flash the BIOS - I mean honestly how often do you do this? - when compared to the security risk. So I don't buy the "people wanted" argument.

      I wish marketing people thought a little more about the decisions they make and held themselves to higher standards. I can't believe that no engineer turned around and said "hang on, if we can flash it from the OS, anyone can flash it from the OS..."

      --
      Seven puppies were harmed during the making of this post.
    4. Re:This is what easy over safe design gets ya by Malties · · Score: 1

      But you do not need to do it from inside Windows. As complex as the BIOS code is, the interface for flashing is not that unfriendly.

    5. Re:This is what easy over safe design gets ya by fnj · · Score: 1

      Why? If it works during testing, but it turns out later to be not perfect, just put reinitialization code into the updates that change the code that comes AFTER that point. How the christ do you think we used to do it before they even used flash memory?

    6. Re:This is what easy over safe design gets ya by fnj · · Score: 1

      Yes, it was clearly market driven. One day nobody had it, and the next day somebody said "hey, look at this cool feature we have!" Nobody in the public even knew it was possible until the feature appeared.

    7. Re:This is what easy over safe design gets ya by grimmjeeper · · Score: 0

      How else are you going to allow the unwashed masses to do it? Sure, the average /.er can write their own BIOS and key it in by hand. But the average computer user doesn't understand anything more complex than "click on this picture to fix the broken computer thingy".

      Granted, the BIOS should be designed to resist this sort of attack. Vulnerabilities in the system trace back to wide open doors that are easily exploited. And that needs to be changed. But with some effort, the system can be designed such that this kind of attack is made very obvious to the user or prevented entirely.

    8. Re:This is what easy over safe design gets ya by Baloroth · · Score: 4, Informative

      I really, really like what Gigabyte does with their BIOSes. They quite often have 2 on each motherboard, only one of which can be written to. In case of corruption of the primary, you can always boot using the secondary. Wouldn't stop this virus, of course, but it does prevent a corruption based one from hosing your system. Editing BIOS settings from Windows can be pretty convenient, especially if you want to overclock, but it isn't really necessary and probably shouldn't be possible.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    9. Re:This is what easy over safe design gets ya by grimmjeeper · · Score: 1

      And how do you propose the units in the field get fixed? Or do they just need to pitch them and buy new ones?

    10. Re:This is what easy over safe design gets ya by Errtu76 · · Score: 1

      I think everyone has a USB disk/key nowadays. If not, you can buy one for a couple of bucks. Have them make a "click here to prepare a bootable USB disk which will flash your BIOS" application and be done with it.

    11. Re:This is what easy over safe design gets ya by X0563511 · · Score: 1

      Yea, instead you have vendors handing out floppy IMG files leaving you to scratch your head. I don't understand why more don't allow you to use USB Mass Storage.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    12. Re:This is what easy over safe design gets ya by ifrag · · Score: 2

      How else are you going to allow the unwashed masses to do it?

      I'd expect them to NOT DO IT in the first place. I can't even recall having a flashable BIOS that was actually broken in some serious way that would make a fix mandatory. The majority of my BIOS upgrades have been to support some newer CPU that still fits the same socket, something I'd expect the unwashed masses are not going to change anyway.

      --
      Fear is the mind killer.
    13. Re:This is what easy over safe design gets ya by S.O.B. · · Score: 1

      I'm sure manufacturers added the ability to flash the BIOS from a Windows based utility because they were tired of having to explain to non-technical people how to create a boot disk especially now that the floppy has more or less disappeared. Of course you could boot from a USB drive but a bootable USB drive is more problematic than a boot floppy for non-techies.

      A safer solution might be to have the BIOS read only with a writable update area where the update utility could save a compressed copy of the new BIOS. On reboot the BIOS, recognizing the presence of the update, could display the appropriate warnings and then ask the user if they want to install the update.

      Of course it would still require that the user understand the risks but at least it would eliminate stealth updates of the BIOS.

      --
      Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
    14. Re:This is what easy over safe design gets ya by Anonymous Coward · · Score: 1

      I never saw what was that hard about booting from a 3.5" diskette & flashing in a DOS-like environment or (by necessity, given the expanding size of BIOSes and obsolescence of the 3.5" FDD) later on, using a flash stick to do the same.

      Flashing BIOS in a running Windows OS is just plain dangerous and stupid, not only for security reasons but because there is simply a lot going on, and things can go horribly wrong. Witness the many HP laptops that have been bricked by official, HP-provided BIOS updates (mandatory in-GUI flashing).

    15. Re:This is what easy over safe design gets ya by grimmjeeper · · Score: 1

      That might work. But I'm not sure how much additional security that buys you. All it does is add an intermediate step.

    16. Re:This is what easy over safe design gets ya by Sooner+Boomer · · Score: 1

      It's a complete lack of safety. A proper design would require at least a password entered while in the BIOS at a point before anything else could get its hooks into it, to temporarily allow updating. The only executable code that occurs before that point after power-on should be READ ONLY MEMORY with no programmability whatsoever.

      This is exactly what IBM did with some of the Thinkpad models. There was a special chip that held the password. The problem was that if this chip "glitched", or you forgot the password, you now had a brick. The chip was soldered onto the motherboard, and couldn't be reset by jumpers or disconnecting the battery. I've got two units that are junk because of this.

      --
      Chaos maximizes locally around me.
    17. Re:This is what easy over safe design gets ya by calzakk · · Score: 1

      But how many of the "unwashed masses" do actually flash their BIOS?

    18. Re:This is what easy over safe design gets ya by NoNonAlphaCharsHere · · Score: 1

      The "intermediate step" is user intervention, which is the whole point. At least you wouldn't get your BIOS rooted "accidentally".

    19. Re:This is what easy over safe design gets ya by fnj · · Score: 1

      Read the whole thread. The idea is to have the BIOS on day one good enough to be failsafe getting to a state where it has working video and keyboard and can at least boot a floppy, CD, or USB stick. Nothing else. It's even conceivable that you don't guarantee the video and keyboard work, but as long as you can boot a DOS medium with autoexec.bat you can get the reflashing accomplished.

      Do you really think that's not possible? Funny; the PC and the AT could do better than that.

    20. Re:This is what easy over safe design gets ya by fnj · · Score: 1

      I think the solution to that design flaw is pretty clear and workable.

    21. Re:This is what easy over safe design gets ya by hweimer · · Score: 1

      In the past decade or so, the only situations in which I did BIOS updates were to get on-site support dispatched to replace some faulty hardware (which the hardware vendor wouldn't do unless you ran the latest BIOS firmware). Hardly something I would expect the unwashed masses to experience.

      --
      OS Reviews: Free and Open Source Software
    22. Re:This is what easy over safe design gets ya by Reverand+Dave · · Score: 1

      That's how apple does it!

      --
      I got here through a series of tubes
    23. Re:This is what easy over safe design gets ya by Anonymous Coward · · Score: 0

      I've got it. Let's put out locked bootloaders like they have on phones. That seems to go over very well with phone users (not).

    24. Re:This is what easy over safe design gets ya by grimmjeeper · · Score: 1

      You're forgetting social engineering. How many people fall victim to that every day? Someone who doesn't know any better will do whatever their computer tells them to do if you word it correctly.

      But I will agree that the user intervention part will significantly reduce the number of incidents.

    25. Re:This is what easy over safe design gets ya by ColdWetDog · · Score: 1

      The "intermediate step" is user intervention, which is the whole point. At least you wouldn't get your BIOS rooted "accidentally".

      Why does 'user intervention' in the context of computer security fill me with a vague sense of dread?

      --
      Faster! Faster! Faster would be better!
    26. Re:This is what easy over safe design gets ya by grimmjeeper · · Score: 4, Informative

      Given that I've worked for a major CPU company and worked with the BIOS developers on more than one occasion as they debugged problems, I think I can say with some confidence that the modern BIOS is more complex by several orders of magnitude over the primitive BIOS you would find in a PC and AT machine. This explosion in complexity means that it's just not financially possible to fund the development to have a flawless BIOS right out of the gate. There are just too many permutations to consider when developing the system to test them all. And even if you did get a "perfect" BIOS out the door, the chips on the board are so much more complex that they never leave the factory without flaws. Ever. And sometimes you just don't find them until they're in the field and you need to supply a workaround.

    27. Re:This is what easy over safe design gets ya by gstoddart · · Score: 2

      But how many of the "unwashed masses" do actually flash their BIOS?

      And, in fairness to the "unwashed masses"... how many of the, er, "washed masses" actually do this?

      In 16 years in the computer industry, plus university and high school ... I have never flashed a BIOS. It simply doesn't come up for me. Granted, I don't build systems, but I've simply never needed to do this.

      How many home users will ever do this task?

      --
      Lost at C:>. Found at C.
    28. Re:This is what easy over safe design gets ya by Anonymous Coward · · Score: 0

      Put a switch on the motherboard that lets you enable or disable flashing the BIOS, like the jumper; I just prefer a switch. Then enable it by default: all the noobs can just leave it that way, and those that care can set it to disable and only enable it when flashing. Yeah, I was shocked when the first motherboards came out that didn't require moving the jumper; I'm surprised it's taken this long for active exploits to materialize.

    29. Re:This is what easy over safe design gets ya by blair1q · · Score: 1

      computer makers didn't want to spend a dime to add a switch and a wire to every case, if it didn't help people steal music or view pr0n or frag n00bs.

    30. Re:This is what easy over safe design gets ya by simcop2387 · · Score: 1

      Last time that I *HAD* to flash my bios was when I had an incompatibility with my VooDoo 5 card.

    31. Re:This is what easy over safe design gets ya by couchslug · · Score: 1

      Most people never reflash a BIOS, and even after years of working on PCs I do so rarely.
      I suspect the removal of BIOS-protection jumpers is mere cost-cutting. No pins, no jumper, no extra work on the production line to install the jumper.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    32. Re:This is what easy over safe design gets ya by Anonymous Coward · · Score: 0

      Well, you know what? In my 30+ years in the computer industry, I've flashed countless BIOS.

    33. Re:This is what easy over safe design gets ya by gstoddart · · Score: 1

      Well, you know what? In my 30+ years in the computer industry, I've flashed countless BIOS.

      OK, so we've narrowed it down to between zero and infinity ... thanks for your useful contribution. :-P

      --
      Lost at C:>. Found at C.
    34. Re:This is what easy over safe design gets ya by omnichad · · Score: 1

      My motherboard lets me just read the new BIOS image file off the usb drive directly - no booting required. There's an update BIOS option in the config screen.

    35. Re:This is what easy over safe design gets ya by itof500 · · Score: 1

      Raises hand.

      Admittedly, it was awhile back to solve a network card incompatibility. Then there was another to enable the 4th DIMM slot (an ASUS motherboard. Never bought another from them).

      Duke out

    36. Re:This is what easy over safe design gets ya by bill_mcgonigle · · Score: 1

      and nobody wanted end users to have to open the case and move a jumper

      That's just more cost-cutting. An A/B switch would have worked fine, but added 20 cents to the cost of a PC.

      I like how ASUS (and others, no doubt) have BIOS's that know how to read VFAT and can pull a flash image off a USB drive directly. The user just needs to know how to copy a file to a flash drive.

      How about if only the ability to toggle 'boot into BIOS' was exposed to the OS? A Windows utility could then copy the file to the flash drive, and set the PC to boot into BIOS and issue a reboot sequence. A smart BIOS could take it from there.

      "This procedure will permanently reprogram your computer with updated or changed functionality. If you did not intend to do this, click NO now." or something would be a reasonable warning screen. If the BIOS validated signatures by default, even better.

      MSI seems to be writing their new BIOS in EFI instead of straight x86 assembly so we should see some of this soon. There's OpenBoot too, if you have a lucky match of mobos.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
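The staged, signature-checked update that S.O.B. (post 13) and bill_mcgonigle (post 36) sketch, worked through as an added shell example; this is not code from the thread, from Slashdot, or from any BIOS vendor. An ordinary file stands in for the firmware chip, a directory stands in for the "writable update area", and openssl (assumed installed) supplies the RSA signature. The OS-side utility only drops the image and its signature into the staging area; the boot-side step applies the image only if it verifies against the vendor public key, and discards it otherwise. The key pair, the image contents and the one-byte tamper are all constructed for the scenario.

```shell
#!/bin/sh
# Constructed staged-update flow (example, not vendor code). Flash is a plain file.
# Assumes openssl is on PATH.

# Vendor side: generate a signing key pair in directory $1.
# In reality the private half never leaves the vendor; only vendor.pub is baked into the BIOS.
make_vendor_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/vendor.key" 2>/dev/null
    openssl pkey -in "$1/vendor.key" -pubout -out "$1/vendor.pub"
}

# Vendor side: sign image $1 with private key $2, writing detached signature $3.
sign_image() {
    openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# OS-side utility: stage image $1 and signature $2 in directory $3. Nothing touches flash here.
stage_update() {
    mkdir -p "$3"
    cp "$1" "$3/pending.img"
    cp "$2" "$3/pending.sig"
}

# Boot-side step: apply the staged image from $1 to flash file $3 only if it verifies
# against the embedded public key $2. Returns 0 applied, 1 rejected, 2 nothing staged.
apply_staged() {
    stage="$1"; pub="$2"; flash="$3"
    [ -f "$stage/pending.img" ] || return 2
    if openssl dgst -sha256 -verify "$pub" -signature "$stage/pending.sig" \
            "$stage/pending.img" >/dev/null 2>&1; then
        cp "$stage/pending.img" "$flash"
        rm -f "$stage/pending.img" "$stage/pending.sig"
        return 0
    fi
    rm -f "$stage/pending.img" "$stage/pending.sig"   # a bad image is discarded, never kept
    return 1
}

# Constructed scenario: a genuine image is applied; the same image altered after signing
# is rejected and flash keeps the genuine contents. Prints "applied rejected intact".
demo() {
    work=$(mktemp -d)
    make_vendor_keys "$work"
    printf 'AWARD BIOS v1.0 (constructed image)\n' > "$work/good.img"
    printf 'ORIGINAL\n' > "$work/flash"
    sign_image "$work/good.img" "$work/vendor.key" "$work/good.sig"

    stage_update "$work/good.img" "$work/good.sig" "$work/stage"
    if apply_staged "$work/stage" "$work/vendor.pub" "$work/flash"; then r1=applied; else r1=rejected; fi

    sed 's/v1.0/v1.1/' "$work/good.img" > "$work/evil.img"    # modified after signing
    stage_update "$work/evil.img" "$work/good.sig" "$work/stage"
    if apply_staged "$work/stage" "$work/vendor.pub" "$work/flash"; then r2=applied; else r2=rejected; fi

    if [ "$(cat "$work/flash")" = "$(cat "$work/good.img")" ]; then r3=intact; else r3=clobbered; fi
    rm -rf "$work"
    echo "$r1 $r2 $r3"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with `sh staged_update.sh demo`. The point of the split is that the code doing the verification and the write runs before anything from the OS is loaded, so a program running under Windows can at most queue an image; it cannot get it into flash without passing the check.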
    37. Re:This is what easy over safe design gets ya by Anonymous Coward · · Score: 0

      do you also like that this trivial technique is patented by them? they even advertise with that *sigh*

    38. Re:This is what easy over safe design gets ya by idontgno · · Score: 1

      Oh, I don't know. Even infinity can be a countable set.

      I just think GPP has poor counting skills.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    39. Re:This is what easy over safe design gets ya by geekprime · · Score: 1

      "In my 30+ years in the computer industry,"

      You sir are not a part of the set titled "the unwashed masses"

    40. Re:This is what easy over safe design gets ya by AceJohnny · · Score: 1

      I really, really hate what Gigabyte does with their BIOSes, considering their BIOS backed itself up on the end on some of my disks, changed the OS-visible size of the disk using Host Protected Area (HPA), squashing the mdraid metadata that was happily living there.

      By the time I understood what was happening, I had had 3 of my 6 RAID disks screwed, as I had swapped the disks around ignorantly thinking it was some controller error.

      That feature was not advertised, and that version of the BIOS had a bug where this feature didn't properly detect which disks it could accomplish this on (it only looked for NTFS/VFAT partitions, natch) and could not be disabled. While I can understand the purpose and usefulness of the feature, releasing with such a bug has made me swear off Gigabyte.

      For reference, it was a GA-P35-DS3, with BIOS F12.

      --
      Misleading titles? Inflammatory blurbs? Keep in mind that Slashdot is a tabloid.
    41. Re:This is what easy over safe design gets ya by WorBlux · · Score: 1

      every set is a subset of itself of course. However you still can't enumerate it.

    42. Re:This is what easy over safe design gets ya by Onymous+Coward · · Score: 1

      That sounds more like marketing driven than market driven.

      market driven: Determined by or responsive to market forces.

    43. Re:This is what easy over safe design gets ya by vux984 · · Score: 1

      I think everyone has a USB disk/key nowadays. If not, you can buy one for a couple of bucks. Have them make a "click here to prepare a bootable USB disk which will flash your BIOS" application and be done with it.

      And how do they boot off it? Few computers are set by default to boot off the usb drive, and most shouldn't be.

      So now, in addition to fiddling with a hardware dongle, you want them to go into bios and mess around with the selection of boot devices, and then later change it back...

      "and be done with it"? Making the bootable disk is just the first step in a needless process that only gets more complicated from here... expect

      a) support calls to skyrocket in frequency ... as millions of users flail about useless because they had trouble making one... they used a 2 Terabyte external usb hard drive instead of a flash drive and lost all their data, they managed to locate a usb drive from 5 years ago that is too small or doesn't work... and then after getting flash drive... can't figure out how to get the pc to boot off of it.

      b) bios updates to not happen because they are "too hard"

    44. Re:This is what easy over safe design gets ya by Anonymous Coward · · Score: 0

      In this case it's not as good as what Biostar does with theirs: it's an 8-pin DIP that can be pulled out and reflashed.

    45. Re:This is what easy over safe design gets ya by TheInternetGuy · · Score: 0

      Actually, if you can't follow the simple procedure to update your BIOS outside of Windows, you are probably better off not updating.

      --
      If my comment didn't sound as good in your head as it did in mine, then I guess we all know who's to blame
    46. Re:This is what easy over safe design gets ya by Anonymous Coward · · Score: 0

      My Asus motherboard has an option in the BIOS settings menu to update the BIOS. It supports reading the update image from USB flash drives. If it was always as simple as downloading a .img to a flash drive, rebooting, and running through the menus, and if motherboard companies provided an easy-to-follow printable instruction card (like a nicely designed PDF with pictures etc.), then I think most people could do it.

    47. Re:This is what easy over safe design gets ya by smash · · Score: 1

      The whole BIOS idea as we know it is broken. The only thing you should really need to go in there for these days is to change boot device. Which can/could be done with boot menu. Pick sensible defaults, actually test the firmware properly before release, and the whole need to write to bios goes away.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    48. Re:This is what easy over safe design gets ya by cbiltcliffe · · Score: 1

      b) bios updates to not happen because they are "too hard"

      How many end users update their own BIOS now?
      In my experience, it is precisely zero. Most of them, when you mention BIOS, or even explain what it is, get a glazed look on their face.

      So this isn't going to change anything for 99.9% of users, other than making it more difficult to get infected by something like this.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    49. Re:This is what easy over safe design gets ya by sumdumass · · Score: 1

      well, i just composed an email warning all my family and friends of this and the steps they need to protect themselves. I found this program on a Chinese website that automatically patches any bios concerning this risk from within windows explorer. but you have to make sure you disable your antivirus before running it else it will make your system inaccessible.

      Is that social enough?

    50. Re:This is what easy over safe design gets ya by sumdumass · · Score: 1

      I had to update my bios on a system to stop the crashes in windows XP. the box the mainboard came in said it was designed for win xp, but it would go into crashing reboot fits after some automatic windows updates early on.

    51. Re:This is what easy over safe design gets ya by sumdumass · · Score: 1

      I think his point was that he had done it for the unwashed masses. I can agree with him too. I've done BIOS updates to cure many issues with other people's computers. For all those unwashed masses out there, they probably have needed to flash the BIOS but paid someone else to do it when their system became too unstable. So instead of flashing it themselves, they paid some repair tech $150 to fix their system.

    52. Re:This is what easy over safe design gets ya by sjames · · Score: 1

      Some things, such as many memory controllers can only be set up once per reset. If you try to repeat the procedure they enter an undefined and non-functional state.

      A better answer is to have a ROM fallback that can set things up as conservatively as possibly just far enough to allow re-flashing the primary BIOS.

    53. Re:This is what easy over safe design gets ya by ResidentSourcerer · · Score: 1

      Agreed, sort of.

      The better solution would be to run a lead to the case, and have a button that you had to press down while the BIOS was being flashed.

      [Semi-off-topic digression follows.]

      In general 'read only' is your security friend. I tried intermittently to figure out a FreeBSD hack that would allow me to boot a production server as read only on the root partition. OpenBSD has the ability to mark files as immutable when in security level 2.

      I like the idea that I can have a set of programs that cannot be compromised by malware. I once had a linux intrusion that rewrote ls to hide directories that had names ... (three dots) It also would show normal sizes of ps, which was hacked to not show certain processes. We were scratching our heads for a while. They hadn't hacked lsof or find however.

      A better model for a secure system:

      1. Certain directories are not writable in normal operating mode. /bin, /sbin /lib are a good start.

      2. No program that requires elevated privilege can run from a writable directory.

      3. The chmod system call cannot mark a program set{ug)id in normal operating mode since any such program is in a directory that is un-writable.

      4. Data is not executable. Executable code is not modifyable in memory. Don't know how much of a restriction this makes.

      5. To make a change you have to lower the operating status of the OS to 'insecure' In practice this should mean similar to single user mode, with a set of parameters that can be chosen by the operator. E.g. in security change mode, the computer cannot route outside the local subnet. Or if truely paranoid, has no network connection at all. No background processes run in SC mode.

      This doesn't make the computer secure. Lots of bad thinks can be done by programs running in user space. But this gives you a kit of trusted tools that the OS can use to examine the running processes.

      --
      Third Career: Tree Farmer Second Career: Computer Geek First Career: Teacher, Outdoor Instructor, Photographer.
    54. Re:This is what easy over safe design gets ya by NoNonAlphaCharsHere · · Score: 1

      LOL. "Rogers" on that.

    55. Re:This is what easy over safe design gets ya by sjames · · Score: 1

      And to this day, people hardly ever actually update their BIOS. The few who do tend to be server admins who never had a problem using a DOS boot disk based flash update in the first place.

    56. Re:This is what easy over safe design gets ya by vux984 · · Score: 1

      How many end users update their own BIOS now? In my experience, it is precisely zero.

      You'd be mistaken.

      If they leave their Sony VAIO with its pile of OOBE "out of box experience" complete with Sony Update service, and so forth, then if there is a BIOS update, they'll get prompted to install it, and they will. Same goes for the bundled support software on many laptops and desktops from major vendors.

      Now if you asked me how many end users CONSCIOUSLY update their BIOS I'd agree it's precisely zero. But the last few years have seen an upswing in BIOS updates being handled almost transparently... provided the bundled support software is left intact to do its thing (which it often is).

    57. Re:This is what easy over safe design gets ya by Anonymous Coward · · Score: 0

      What you want is capability-based security. In a capability-based security system, each program inherits tokens that grant fine-grained rights. This means that if you want to, you can have the OS throw away write rights for /sbin and then no program that inherits rights from the OS (in other words, none at all) can write to /sbin. For that matter, you can keep access rights to outside directories away from your web browser and then there's no way (short of a kernel exploit) that browser-based malware can compromise anything outside its own domain. It's just too bad that only "exotic" operating systems support it very well - neither Linux nor Windows have capabilities AFAIK.

    58. Re:This is what easy over safe design gets ya by cbiltcliffe · · Score: 1

      That's provided people don't ignore the update prompts because "I've heard they can break stuff," or "I think it might be trying to give me a virus."

      I get that a lot.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    59. Re:This is what easy over safe design gets ya by vux984 · · Score: 1

      That's provided people don't ignore the update prompts because "I've heard they can break stuff," or "I think it might be trying to give me a virus."

      I get that a lot.

      Yeah, it's kind of strange... we criticise regular users for clicking OK to anything and everything that pops up on their screen -- as this is how they get viruses, while at the same time most of them have a gaggle of pissed off tray icons nagging them to do actual needed updates.

      Nothing cracks me up like cleaning someone's PC that's filled with toolbars, viruses, crapware, and other cruft that the user clicked OK to without reading... while Acrobat Reader, Java, Flash, Windows Update, and VAIO Update are all asking to install updates.

      That said though, I think Dell and Sony update packages (though intolerably annoying) have been effective at getting a lot of that 3rd party stuff including BIOS updated.

      I really think though, that Microsoft and the big vendors should get that software into the Windows Update track... 20 software updaters that check independently is just annoying. Especially when most of the updaters themselves are especially annoying.

  4. Why by fnj · · Score: 4, Insightful

    Name one reason why it is a good idea that application programs or the kernel or ANYTHING ELSE should even be ABLE to screw with the BIOS. There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.

    1. Re:Why by hedwards · · Score: 2

      Uh, think of the children?

    2. Re:Why by grimmjeeper · · Score: 2

      I can give you several reasons why you would want to field load the BIOS. Flaws in processor designs are often worked around by BIOS code and settings. Discovering a flaw in a chip after it is sold to the public is a great reason to be able to update the BIOS with the fix in the field. Hell, there are flaws in BIOS code that don't get discovered until your product is shipped. You need to patch it just like you need to patch any other software. Another good reason is to allow you to upgrade some components in your system without having to buy a new motherboard. A new generation of processor can be dropped into many motherboards out there just by flashing the BIOS and plugging the chip in, assuming socket compatibility is maintained.

      Computer systems are vastly more complex now than they were even just 10 years ago. All of the subcomponents on motherboards need a BIOS that tells the CPU where they are and how to run them. Every manufacturer ships processors that have a number of flaws that the BIOS works around. It's the nature of computer systems in the 21st century.

      Sure, if we were back in the 90s and still running the pre-PCI architectures, you may have had a point about locking things down. They just didn't need the complexity we have now. But as complexity has been added on top of complexity, we absolutely cannot get by with a locked down BIOS. It just wouldn't work.

    3. Re:Why by X0563511 · · Score: 2

      I can give you several reasons why you would want to field load the BIOS. Flaws in processor designs are often worked around by BIOS code and settings. Discovering a flaw in a chip after it is sold to the public is a great reason to be able to update the BIOS with the fix in the field.

      Intel (at least) allows you to push microcode updates right into the processor at the OS level. This doesn't need to be done by the BIOS. In fact, it shouldn't - unless you simply cannot boot without doing so!

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    4. Re:Why by Anonymous Coward · · Score: 0

      CPU fixes are usually handled by updating the CPU microcode and not in the bios.

    5. Re:Why by Anonymous Coward · · Score: 0

      With the manufacturer's files only? No thank you. I want my CoreBoot.

    6. Re:Why by fnj · · Score: 4, Insightful

      Er, the issue is not that you don't allow BIOS updates; it's that you protect them with a "big red switch," so they just can't happen like the dog ate my homework. I understand that the BIOS does at times have to be updated, but I don't want some prick on the other end of the internet doing it for me when it doesn't need to be done.

    7. Re:Why by lazyforker · · Score: 2

      Name one reason why it is a good idea that application programs or the kernel or ANYTHING ELSE should even be ABLE to screw with the BIOS. There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.

      I'll bite: bulk BIOS updates on thousands of PCs. My company has an enormous number of PCs - paying someone to manually flick a switch, stand by while a BIOS update is performed, then unflick it afterwards would represent an enormous cost in time and labor. We buy large numbers of identical machines every year - so when a BIOS update is needed it needs to be applied to a lot of machines, globally.

      Secondly: we set BIOS passwords to prevent (or make it harder for) the machine to be booted from USB thumb drive, DVD, external hard drive etc.

      How about making the PC detect signed BIOS packages?

    8. Re:Why by grimmjeeper · · Score: 2

      Yeah, that's much more secure... ;)

      Even though you can push fixes directly into the processor in that way, there is still a reason to have to patch the BIOS. The CPU microcode pretty much only affects the CPU. The BIOS is there to interface with the rest of the components on the motherboard. And when you need to get around a flaw in your north bridge by supplying different initialization settings, there's pretty much no way to fix that in a CPU microcode push. You have to do it with a BIOS flash.

    9. Re:Why by Malties · · Score: 2

      I don't think anyone is saying there is not a reason to flash a BIOS. But what is in question is whether to allow this to be done through Windows. Yes, it is more work to flash a BIOS from the setup screen, but it is much more secure in the light of viruses that attack it.

    10. Re:Why by grimmjeeper · · Score: 1

      I can agree with that concept.

    11. Re:Why by multisync · · Score: 2

      There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.

      Um ... no. Flashing the BIOS should be at the discretion of the owner of the hardware in question, and not restricted to software provided by the manufacturer. But I agree a physical switch to prevent unauthorized tampering by third parties is a good idea.

      --
      I don't care why you're posting AC
    12. Re:Why by blair1q · · Score: 1

      on your smartphone?

    13. Re:Why by ajlitt · · Score: 1

      Nevermind microcode. Most of the silicon bug workarounds that BIOS implements are in the form of "chicken bits": undocumented (or not publicly documented) configuration bits that the chip designers put in to turn off or tweak new features to a design. Also, a lot of features in modern processors and chipsets have a large analog component. A CPU could have hundreds of SERDES links, each with DLLs, equalization, not to mention chip-wide PLLs, power supply controls, voltage references, and more. Similar adjustments can be done to many of these during BIOS startup to correct for manufacturing or design issues.

    14. Re:Why by ajlitt · · Score: 1

      I forgot to mention that most of these things are accessed easily through MSRs or PCI config space, both of which are easy to access from an OS driver.

    15. Re:Why by Dog-Cow · · Score: 1

      I've been with the same company for more or less 12 years, and I have never seen IT (I work in IT) do a BIOS update on a single system, much less company-wide. What kind of crap do you buy that you have need to do this en masse?

    16. Re:Why by Anonymous Coward · · Score: 0

      To get an open source replacement instead of the buggy, proprietary firmware,
      or to change firmware settings from within a running system,
      or to update the firmware without rebooting so that you can write the new firmware and continue your other work before activating it by a reboot.

      I am one of the maintainers of flashrom (http://flashrom.org), a coreboot (http://coreboot.org) spin-off which allows you to do exactly the latter. We are very aware of the problems that lead to compromised BIOSes, and those are software-based write protections (which are trivial to reverse engineer, but a big nuisance for us, btw) and buggy operating systems. Of course the vendors could start introducing secure channels to the flash chip like they do for displays to complicate copyright infringements, but adding a cheap, trivial jumper would be much more sane... and more secure.

    17. Re:Why by X0563511 · · Score: 1

      Well, microcode doesn't persist beyond booting, so while it's not perfect, it's not permanently damaging. You usually can't just reboot to resolve a corrupted/tampered BIOS flash.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    18. Re:Why by grimmjeeper · · Score: 1

      Yeah, I spent a couple years dancing through the BKDG tweaking a few of those bits a couple of years back. Enough that I have a feeling you and I have worked together IRL. At the very least, your name is very familiar to me...

    19. Re:Why by Anonymous Coward · · Score: 0

      "You can only view the dancing baby kittens if you increase the speed of your system by pressing the big red BIOS switch now"

      You underestimate the willingness of computer novices to damage their system.

    20. Re:Why by Anonymous Coward · · Score: 0

      I understand that the BIOS does at times have to be updated, but I don't want some prick on the other end of the internet doing it for me when it doesn't need to be done.

      And it's not just PCs, it's cable modems too.

      I'd like to take this opportunity to again thank Cox Communications for giving me three days of down time, having to spend $99 when I didn't need to, and completely trashing a perfectly good working D-Link DCM-202 cable modem remotely with some custom crap firmware that did not work, just because you could.

    21. Re:Why by wdef · · Score: 1

      That argument certainly works for everything else.

    22. Re:Why by multisync · · Score: 1

      Care to elaborate, or just trolling?

      --
      I don't care why you're posting AC
    23. Re:Why by sjames · · Score: 1

      Right, and that's when you use that red switch to enable the update. In a server, you can let the BMC/SP do it, of course.

  5. Whose idiotic idea was it to make BIOSes writable? by Anonymous Coward · · Score: 0

    The only real reason a computer needs a BIOS is to run a bootloader, and if that functionality works, then it's probably going to continue to work. All other hardware drivers belong in the OS, where they can be updated without the risk of bricking your goddamn motherboard.

  6. Coreboot by Anonymous Coward · · Score: 0

    BIOS malware is not new. TFA even mentions malware from 2007 that did the same thing. Some motherboards have actually shipped with rootkits accidentally installed. Proprietary BIOSes can have rootkits in them, and can't be detected.

    If you can compile the binary yourself, you can mitigate BIOS viruses. That's why we need Coreboot support on motherboards.

    1. Re:Coreboot by nschubach · · Score: 1

      I kind of forgot about coreboot/OpenBIOS. Looking at their motherboard support page, apparently I'm not alone. It's a neat concept, but the BIOS is generally just configured and ignored for most people, including geeks.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  7. IT'S BIOS-EXPLOITING ROOTKIT by Anonymous Coward · · Score: 0

      Not BIOS-exploiting rootkit, which implies the BIOS is doing the exploiting, sort of like that French guy and his chambermaid !!

  8. CIH NEVER Infected BIOS by meerling · · Score: 2

    It tried to overwrite it with garbage, thus corrupting it. Kind of like blowing up your car with dynamite isn't the same thing as stealing it.
    Most of the time all CIH succeeded at was trashing the BIOS settings stored in CMOS. Clean the infector, reset the BIOS, save the changes and you were done.

      It's amazing how low the understanding of what malware is and does has fallen. By the way, the antivirus industry has been aware that it would be possible to write a BIOS infector the moment the software-updatable BIOS became available. Fortunately most writers of malware are pretty incompetent as far as programming goes, though this did take about 6 years longer than I expected.

    1. Re:CIH NEVER Infected BIOS by fnj · · Score: 1

      Most of the time, yes, that's reassuring, but you're implying there is some of the time when it succeeded in actually infecting the BIOS in a non-bricking way.

    2. Re:CIH NEVER Infected BIOS by GSloop · · Score: 1

      No, CIH was a virus that trashed the BIOS as part of its payload.

      On some systems it was unable to modify the BIOS and so the *payload* wasn't delivered - so to speak. But it never "infected" the BIOS - in that there was never any attempt to get running code in the BIOS.

      And if somewhere somehow it placed running code in the BIOS, it should be viewed as like a million monkeys at a million keyboards. Eventually one will type something readable.

      That's a FAR, FAR cry from writing code that intentionally infects the BIOS and does "useful" things in that code.

      CIH is/was not even close.

  9. Welcome to the bios infestation by Anonymous Coward · · Score: 0

    I for one welcome our new Chinese metal oxide semiconductor (CMOS) overlord.

    1. Re:Welcome to the bios infestation by cyberchondriac · · Score: 1

      "In Russia, BIOS rootkit exploits YOU!"
      "Al Gore invented the rootkit"
      "It's Bush's fault"
      "All your BIOS are belong to us!" (Okay, haven't heard this one for a while)

      There.. now we're done with all the /. memes and can move on, right? ;)

      --
      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
  10. As long as you can update from Windows... by Anonymous Coward · · Score: 0

    Motherboard vendors (think ASUS in particular) _always_ provide tools to update the BIOS firmware from Windows. I kind of understand this, because they want to be able to ship something dummy-proof so it's not a support nightmare. Of course, as long as this feature exists, it will be exploitable. The only solution is to have a more complex BIOS updating procedure, as several posters have mentioned. I suspect motherboard vendors would be rather resistant to this.

    1. Re:As long as you can update from Windows... by Dunbal · · Score: 1

      Another solution is to make sure your BIOS is bug free when you ship. That involves paying your coders slightly more than minimum Chinese wage.

      --
      Seven puppies were harmed during the making of this post.
    2. Re:As long as you can update from Windows... by 0123456 · · Score: 1

      Another solution is to make sure your BIOS is bug free when you ship. That involves paying your coders slightly more than minimum Chinese wage.

      Which is great until a new CPU is released and you don't support it and can't upgrade the BIOS to do so. I've seen a number of AMD users complaining because they'd been told that if they bought an AMD motherboard today they would still be able to use it for future generations of AMD CPUs, only to find that the motherboard manufacturer couldn't be bothered to issue a new BIOS two years later to support the new chips even though the hardware would work with them.

    3. Re:As long as you can update from Windows... by Dunbal · · Score: 1

      Your example is the exception because usually a new CPU means a new socket, which means a new motherboard. Besides, last-minute patches are usually to fix bugs that get discovered through having a large number of users, not to support new hardware. And your argument is irrelevant in the context of being able to update your BIOS through moving a jumper or even changing the physical chip like in the old days. What happens is that if you allow a company a path of least resistance, then management and employees will make sure to do the minimum effort required. Just like software patches were a rare thing before the prevalence of the internet. Now multi-hundred gigabyte release day patches are the norm. Why? Because companies are fucking lazy and sloppy and if you give them an inch they take a mile. I'm in favor of not giving them that inch.

      --
      Seven puppies were harmed during the making of this post.
    4. Re:As long as you can update from Windows... by tepples · · Score: 1

      I guess conventional wisdom is that formal verification to ensure that a BIOS is bug free is too expensive for this market segment.

    5. Re:As long as you can update from Windows... by maxwell+demon · · Score: 1

      If you change the CPU, you must open your case and manipulate the hardware anyway. Changing a jumper to allow BIOS update wouldn't be a big deal in that case.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    6. Re:As long as you can update from Windows... by 0123456 · · Score: 1

      If you change the CPU, you must open your case and manipulate the hardware anyway. Changing a jumper to allow BIOS update wouldn't be a big deal in that case.

      In case you didn't notice, the post I was replying to was suggesting that you make the BIOS bug-free and not upgradeable at all rather than making the BIOS upgrade more complex.

    7. Re:As long as you can update from Windows... by Colourspace · · Score: 1

      And of course, do they really care if Joe Average needs to buy a new mobo or laptop because theirs is bricked...? Possibly not, chances are it might even be from the same vendor... Writing this from my ASUS - not my choice, an insurance replacement. My favoured method of bricking is spilt beer :D

    8. Re:As long as you can update from Windows... by Colourspace · · Score: 1

      I would love to live in your perfect world. Silicon development is HUGELY complex. Yes, you could theoretically release perfect hardware (from the device to the gate level) but the R+D costs would prevent anyone actually buying it.

  11. Clocks/corporates/updates/crash dumps by Sits · · Score: 1, Insightful

    Well, some points why the kernel may need to write to areas of the BIOS, off the top of my head:

    • Setting the real time clock (if not the clock itself then the area that allows the machine to wake itself on an alarm)
    • Setting the BIOS settings (e.g. BIOS password, boot devices) in a corporate environment across hundreds of machines
    • The ability to update the BIOS (e.g. to address a buggy video BIOS or support previously untested hardware)
    • Save a crash dump somewhere safe (don't want to trash the disk) across a shutdown

    1. Re:Clocks/corporates/updates/crash dumps by webnut77 · · Score: 3, Informative

      Sounds like you're confusing BIOS with CMOS.

    2. Re:Clocks/corporates/updates/crash dumps by maxwell+demon · · Score: 3, Insightful

      Setting the real time clock (if not the clock itself then the area that allows the machine to wake itself on an alarm)
      Setting the BIOS settings (e.g. BIOS password, boot devices) in a corporate environment across hundreds of machines

      That's not in the BIOS Flash but in the CMOS RAM.

      The ability to update the BIOS (e.g. to address a buggy video BIOS or support previously untested hardware)

      Such an update can be done on the BIOS level. The operating system itself doesn't use the BIOS for this anyway (unless you are running DOS, of course).

      Save a crash dump somewhere safe (don't want to trash the disk) across a shutdown

      Do you know a system where dumps are stored in the BIOS Flash? If you want to provide dumping into on-board Flash, you better make that Flash separate (even without viruses, if your system is so fucked up that it might trash the disk on dumping, it might also trash the flash memory it writes to; you definitely do not want that to be your BIOS!)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    3. Re:Clocks/corporates/updates/crash dumps by fnj · · Score: 2

      Setting the real time clock just writes to data-only CMOS and maybe syncs the registers.

      I strongly suspect changing the BIOS password, boot device settings, etc., work the same way or a very similar way - i.e., don't use program flash. If they don't, it's obvious they COULD.

      Saving a crash dump to BIOS flash? Don't THINK so. Just say no. I doubt anybody does this, but again, if it's that important, it could be done to a hypothetical data-only flash or other storage. There is no excuse to save it to program flash.

      The ability to update critical early parts of the BIOS is just a bit harder to work around. I think it's primarily a matter of coming up on day one of hardware release with always-safe defaults that will always allow you to reach a point with a working display and keyboard. I doubt it would be that big a deal. It might require cooperation with CPU and video card makers. If it's harder than I think, then for god's sake let's get some smart people working on it.

    4. Re:Clocks/corporates/updates/crash dumps by Amouth · · Score: 1

      The only legit argument you have is doing a large-scale BIOS update in a corp/enterprise environment.

      And to be fair with that, some vendors (I'm familiar with Intel on this one) already support it in a secure manner that does not require the user to do anything and isn't done at the OS level. Please look into Intel's AMT work.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    5. Re:Clocks/corporates/updates/crash dumps by ttong · · Score: 1

      That's not in the BIOS Flash but in the CMOS RAM.

      NVRAM, to be exact. It'd be useless if it were volatile.

      Such an update can be done on the BIOS level. The operating system itself doesn't use the BIOS for this anyway (unless you are running DOS, of course).

      This doesn't make any sense. On many levels.

      As for saving a crash dump, you use IEEE1394 for that. On-board flash is going to be ridiculously expensive (a typical ATX motherboard can easily have 32GiB of RAM) both in terms of cost and in time. And what are you going to do when you're out of P/E cycles?

  12. encrypted hard drive by Ectospheno · · Score: 1

    So if you use full disk encryption such as TrueCrypt, do you just get a trashed drive?

    1. Re:encrypted hard drive by X0563511 · · Score: 1

      How does that have anything to do with the BIOS at all?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:encrypted hard drive by Ectospheno · · Score: 1

      Maybe you should read the relevant articles first.

    3. Re:encrypted hard drive by X0563511 · · Score: 1

      Maybe not. Because TrueCrypt et al. do not reside in BIOS, CMOS, or NVRAM. Even "drivelock" doesn't, it's in the disk firmware.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  13. Re:Whose idiotic idea was it to make BIOSes writab by 0123456 · · Score: 1

    The only real reason a computer needs a BIOS is to run a bootloader, and if that functionality works, then it's probably going to continue to work.

    You're obviously nostalgic for the days when software was debugged as thoroughly as possible before shipping because it couldn't be upgraded later, rather than released with known major bugs because 'we can always fix it with a flash upgrade'.

  14. Re:Whose idiotic idea was it to make BIOSes writab by jmorris42 · · Score: 2

    > The only real reason a computer needs a BIOS is to run a bootloader...

    Oh how I wish that were still true. Got one word for ya, ACPI.

    --
    Democrat delenda est
  15. next, routers by Anonymous Coward · · Score: 0

    Since many WLAN and ADSL routers are actually small Linux boxes with HTTP flashing and known default root passwords, I'd be surprised if there weren't some worms infecting them as well..

  16. Bad? Nope by Anonymous Coward · · Score: 0

    Oh, this is ba-
    >Windows PE
    Ahahahahahahahahahahahahahahahahaha.

    Ahahahahaha.

  17. Re:Whose idiotic idea was it to make BIOSes writab by Anonymous Coward · · Score: 1

    The real question is why are BIOSes not verified for a digital signature by a hardware component.

    Yes, you want to be able to upgrade a BIOS by sending a file to a client. That's an important feature. I just don't get why the file should not, as a requirement, be digitally signed.

    Shachar
    posting anonymously to not revert moderation
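
One way to do the verify-before-flash check Shachar describes, as an added example that is not from the thread or from any firmware vendor: the update package layout (magic, version, length, image, Ed25519 signature), the function names, and the use of the third-party `cryptography` package are all assumptions. The verifier holds only the vendor's raw public key, standing in for a key burned into ROM or a fuse bank, and rejects a package whose header or image was altered after signing or that was signed with some other key.

```python
"""Verify a vendor-signed firmware update before it is allowed near the flash.

Added example, not code from the thread or any vendor: the package format
(magic, version, length, image, Ed25519 signature), the key handling and the
function names are assumptions for the demonstration. Uses the third-party
`cryptography` package (assumed installed).
"""
import struct

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519

MAGIC = b"FWUP"                   # hypothetical package magic
HEADER = struct.Struct(">4sII")   # magic, version, image length (big-endian)
SIG_LEN = 64                      # Ed25519 signatures are always 64 bytes


def generate_vendor_key():
    """Demo only: in practice the private key lives in the vendor's HSM and
    only the raw public key is burned into the verifier (ROM, fuse, or TPM)."""
    priv = ed25519.Ed25519PrivateKey.generate()
    pub_raw = priv.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    return priv, pub_raw


def build_signed_package(priv, image: bytes, version: int) -> bytes:
    """Vendor side: sign header||image so that neither can be altered."""
    header = HEADER.pack(MAGIC, version, len(image))
    signature = priv.sign(header + image)
    return header + image + signature


def verify_update_package(package: bytes, vendor_pub_raw: bytes):
    """Verifier side (what a ROM or hardware stage would run before enabling
    flash writes). Returns (accepted, reason, image-or-None). The image bytes
    are released only after the signature over header||image checks out."""
    if len(package) < HEADER.size + SIG_LEN:
        return False, "package too short", None
    magic, version, length = HEADER.unpack_from(package, 0)
    if magic != MAGIC:
        return False, "bad magic", None
    body_end = HEADER.size + length
    if body_end + SIG_LEN != len(package):
        return False, "length field does not match package size", None
    signed_region = package[:body_end]
    signature = package[body_end:]
    try:
        pub = ed25519.Ed25519PublicKey.from_public_bytes(vendor_pub_raw)
        pub.verify(signature, signed_region)
    except (InvalidSignature, ValueError):
        return False, "signature verification failed", None
    return True, f"accepted firmware version {version}", package[HEADER.size:body_end]


def demo():
    """Constructed walk-through: a good package, a tampered image, and a
    package signed by an impostor key are presented to the verifier."""
    priv, pub_raw = generate_vendor_key()
    image = bytes(range(256)) * 4          # constructed 1 KiB 'firmware image'
    good = build_signed_package(priv, image, version=7)

    flipped = bytearray(good)
    flipped[HEADER.size + 10] ^= 0x01      # one-bit change inside the image

    impostor_priv, _ = generate_vendor_key()
    forged = build_signed_package(impostor_priv, image, version=8)

    return {
        "good": verify_update_package(good, pub_raw),
        "tampered": verify_update_package(bytes(flipped), pub_raw),
        "forged": verify_update_package(forged, pub_raw),
    }


if __name__ == "__main__":
    for name, (ok, reason, _) in demo().items():
        print(f"{name:9s} accepted={ok} ({reason})")
```

The length check before the signature check matters: the verifier must never let an attacker-chosen length field steer it into treating part of the image as the signature, or vice versa. Pairing this with a write-enable that is only opened after `verify_update_package` returns `True` is the software half of the "big red switch" several posters ask for; the hardware half is keeping the public key and the verifier itself out of the writable region.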

  18. How complex can it possibly be ? by billcopc · · Score: 2

    Preface: I know a thing or two about BIOS hacking.

    Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be? Many of them only have 2MB, already close to capacity with just the stock BIOS. This doesn't leave a whole lot of space for adding an attack module, and it would have to do some fancy footwork to survive past the protected-mode switch. Modern operating systems don't use the BIOS at all past the bootloader, once the native device drivers take over. It might be possible to punt out some other chunk of the BIOS to make room, but that's playing with fire. If the machine becomes unbootable, the rootkit won't get very far.

    CIH was a very trivial virus. All it did was blindly clobber things with zeroes. It had no way of "rooting" a box. It would simply toast your OS, and if your BIOS chip supported the one flash command CIH knew, it would blank that out as well, rendering your machine unbootable. That's what we get for outsourcing even our virus writing to China :P

    --
    -Billco, Fnarg.com
    1. Re:How complex can it possibly be ? by bWareiWare.co.uk · · Score: 1

      The only payload they need is to load the MBR from somewhere unexpected (i.e. probably one address change). This ensures all the current AntiVirus code will be scanning the wrong MBR and giving a false negative.

    2. Re:How complex can it possibly be ? by Anonymous Coward · · Score: 0

      You're a serious BIOS hacker huh? An MBR is only 446 bytes of code.

    3. Re:How complex can it possibly be ? by Anonymous Coward · · Score: 0

      The average BIOS, being say 1 MByte, has lots of room.

      The average BIOS now has to have room for: custom logos, option ROMs [RAID, Ethernet, Video, etc].

      Now if we get a SKILLED programmer [ie: not a Java programmer], but someone who knows C/ASM, you can squeeze a lot of malicious code in say 19,200 bytes, which covers the size of a BIOS full-screen custom logo @ 640x480x16 colors, which most BIOS have provisions for.

    4. Re:How complex can it possibly be ? by Anonymous Coward · · Score: 0

      SMM

    5. Re:How complex can it possibly be ? by networkBoy · · Score: 1

      I would imagine it loads some item as an option ROM, reads more code from disk at a fixed offset location, loads into a modified bootloader that loads the actual payload then steps back to the real MBR to bring up the host OS. The BIOS code can be fairly trivial at that point, but hides that the MBR has been compromised by leaving the original MBR intact.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    6. Re:How complex can it possibly be ? by maxwell+demon · · Score: 2

      Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be?

      Just loading a different sector than the standard MBR sector on startup (maybe after a check that the virus code is there, e.g. by CRC) would probably already defeat a lot of tools protecting against MBR infections. Your "MBR" disk virus would no longer reside on the MBR, and thus not be detected/protected against by the standard antivirus code. Doing so should in the simplest case (no check) require to change no more than one number in the BIOS (the sector to read and execute when booting). The new "MBR" could then load and execute an arbitrary amount of extra code before handing over to the real (unchanged) MBR. Maybe even start a virtual machine to run the OS in.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    7. Re:How complex can it possibly be ? by Anonymous Coward · · Score: 0

      Some java programmers also know C/ASM you insensitive clod. In fact, knowing all 3 (plus several more) doesn't hurt you any.

    8. Re:How complex can it possibly be ? by cachimaster · · Score: 5, Informative

      Preface: I know a thing or two about BIOS hacking.

      Me too, I did it several times. Not too hard if you have several motherboards to waste :)

      Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be?

      Well apparently this was found in the wild, working.

      This doesn't leave a whole lot of space for adding an attack module.

      You don't need very much if you know assembly. 512 bytes (yes, bytes) is enough for a very good win32 shellcode with network access. I have found anything from 1KB to 30 KB free memory, and you can always trash unused ROM extensions or bitmaps.

      Modern operating systems don't use the BIOS at all past the bootloader

      This is incorrect. Most operating systems use the BIOS well past the bootloader to get the memory map, VGA mode setting and other stuff like setting up BIOS32 structures, even if they are not used later.

      It might be possible to punt out some other chunk of the BIOS to make room, but that's playing with fire. If the machine becomes unbootable, the rootkit won't get very far.

      True, but BIOS persistence is only an additional vector. If it detects an incompatible BIOS, it simply doesn't use that way to persist on the system.

    9. Re:How complex can it possibly be ? by X0563511 · · Score: 1

      You apparently can't read. The MBR is not the BIOS, and the BIOS is not the MBR.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    10. Re:How complex can it possibly be ? by Anonymous Coward · · Score: 0

      I don't know. Wouldn't be overly difficult to write your own int 13h handler, intercept when NTLDR loads its "minifile" system drivers, and uncompress/substitute an infected minifile system driver that could surreptitiously install some boot-time kernel drivers. Slightly more difficult when dealing with winload and its cryptographic verification of certain code. These boot-time kernel drivers could do some very interesting things if you were completely familiar with the internals of the Windows kernel.

    11. Re:How complex can it possibly be ? by aix+tom · · Score: 1

      Well, 2MB is 32 times the memory the C64 needed to do A LOT of "fancy" stuff, including its own viruses.

    12. Re:How complex can it possibly be ? by Anonymous Coward · · Score: 0

      There is no such thing as an average bios, they are not interchangeable and what you wrote for one would work on that one only. Your Award virus would not work on my Phoenix bios.

    13. Re:How complex can it possibly be ? by Anonymous Coward · · Score: 0

      You can fabricate very complicated executable code that amounts to little more than 4-10 KB; the fact that most compilers like spewing out bloated executables shouldn't be an indication of what one can do with so "little" space, especially with raw ASM.

    14. Re:How complex can it possibly be ? by Gaygirlie · · Score: 2

      Many of them only have 2MB, already close to capacity with just the stock BIOS.

      Tbh, I haven't seen that small flash chips used in motherboards for YEARS. All the modern motherboards I've personally seen have had two 4MB chips, and my current one has as large as 8MB. And no, the BIOS usually takes only about 50% of the space available, the rest is for system builders and such for customizations. I.e. a BIOS virus would easily fit there and wouldn't even need to compress itself.

    15. Re:How complex can it possibly be ? by ajlitt · · Score: 1

      This.

    16. Re:How complex can it possibly be ? by Anonymous Coward · · Score: 0

      I've searched this batch of responses without finding a way to protect my desktop system from this. I'm a noob- I can bolt together a system and load software on it, but I'm still learning a lot of the stuff you guys take for granted. I would prefer to avoid viral code from lodging itself in the MBR and / or the BIOS of my machine- I don't care if I have to jump through a few hoops or spend an extra minute booting up.... What can I do to lessen the risk of this happening? SPHCFC

    17. Re:How complex can it possibly be ? by cachimaster · · Score: 1

      What can I do to lessen the risk of this happening?

      Use a signed BIOS. All Intel motherboards have a signed BIOS (actually it's EFI).
      I would use Intel motherboards.

  19. Same question every time by ThatsNotPudding · · Score: 1

    Can we really trust sky-falling advisories from companies such as Symantec? #ProfitMotive

    1. Re:Same question every time by Anonymous Coward · · Score: 0

      Valid point but whether companies like Symantec are generating FUD for profit or simply pushing out self-relevant studies, it's usually better for consumers to have more access to information than less. Often these kind of isolated, limited examples are only a step or two away from actual, out in the wild exploits.

  20. Re:Whose idiotic idea was it to make BIOSes writab by networkBoy · · Score: 1

    And DDR2/3/4
    And PCIe/16 Graphics
    All timings & lane skews handled by BIOS
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  21. BIOS on user-replaceable mask ROM by tepples · · Score: 1

    And how do you propose the units in the field get fixed?

    Put the BIOS image on a microSD mask ROM. Then open the case, snap out the old BIOS card, insert new BIOS card, close the case.

    1. Re:BIOS on user-replaceable mask ROM by grimmjeeper · · Score: 1

      Yeah, let me know how well that sells to the general public.

      "What do you mean I have to open up my computer?!? That's going to void the warranty!!!"

    2. Re:BIOS on user-replaceable mask ROM by maxwell+demon · · Score: 1

      Yeah, let me know how well that sells to the general public.

      "What do you mean I have to open up my computer?!? That's going to void the warranty!!!"

      And reflashing the BIOS doesn't?

      --
      The Tao of math: The numbers you can count are not the real numbers.
    3. Re:BIOS on user-replaceable mask ROM by tepples · · Score: 1

      Most people don't replace CPUs or do anything that would require adding features to the BIOS. And if the PC is still warranted, bring it into an authorized repair shop and a tech will snap in the new BIOS card for you.

    4. Re:BIOS on user-replaceable mask ROM by JLennox · · Score: 1

      Dell really wants BIOS updates to involve them fronting the $40-$120 min shop charge or paying for an onsite call.

    5. Re:BIOS on user-replaceable mask ROM by tepples · · Score: 1

      How often does a BIOS update happen, other than to support new CPUs?

    6. Re:BIOS on user-replaceable mask ROM by Anonymous Coward · · Score: 0

      Yeah, because the general public flash their BIOS all the time don't they. I'd wager most people are running their computers with the BIOS exactly as it came with the box.

    7. Re:BIOS on user-replaceable mask ROM by Anonymous Coward · · Score: 0

      >implying the general public knows WTF BIOS is and would ever bother upgrading it.

    8. Re:BIOS on user-replaceable mask ROM by Anonymous Coward · · Score: 0

      It'll sell very well. Those are the same people that buy a new computer because the internet lagged a little bit while checking facebook.

    9. Re:BIOS on user-replaceable mask ROM by Fjandr · · Score: 1

      The general public is going to reflash their BIOS at all anyway?

      I'd like to know which "general public" you deal with.

    10. Re:BIOS on user-replaceable mask ROM by VanessaE · · Score: 1

      So put the card in question at the end of a short extension cable and mount it behind a little panel on the back of the machine - something the user can just flip open as easily as replacing a battery on a clock.

    11. Re:BIOS on user-replaceable mask ROM by Fnord666 · · Score: 1

      I'd like to know which "general public" you deal with.

      You probably know him as Colonel Public. He was promoted recently.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    12. Re:BIOS on user-replaceable mask ROM by Anonymous Coward · · Score: 0

      A person of the "general public" doesn't upgrade his/her bios. They bring the computer to someone who knows how. This is the same thing as reinstalling windows. The general public doesn't need to open the computer to reformat/reinstall.. yet they still use a computer repair service.

      Your desire to win the argument has led you outside of the common sense arena.

    13. Re:BIOS on user-replaceable mask ROM by smash · · Score: 1

      Normally not very often. However with shitty untested hardware that was rushed out the door, such as the Dell E6500 series latitudes, we got 20 bios versions in 18 months. And still there were heaps of problems outstanding with heat.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    14. Re:BIOS on user-replaceable mask ROM by Anonymous Coward · · Score: 0

      Colonel is below General, by about 3 pay-grades. Posting anon because it's offtopic.

    15. Re:BIOS on user-replaceable mask ROM by sumdumass · · Score: 1

      that's probably why he mentioned that colonel public got promoted recently.

  22. Re:Whose idiotic idea was it to make BIOSes writab by grimmjeeper · · Score: 1

    And HT/QPI. Hell, you have to get the PCIe buses walked enough to even see the BIOS boot ROM on the south bridge. Not a full initialization but enough to read the contents of the boot ROM into cache and/or RAM.

  23. Re:Whose idiotic idea was it to make BIOSes writab by fnj · · Score: 1

    ACPI is a cluster fuck, but do you have any ready reason why it could not all be done in the OS, perhaps a unique module particular to the individual motherboard, rather than the BIOS?

  24. Re:Whose idiotic idea was it to make BIOSes writab by X0563511 · · Score: 1

    ... in other words, ACPI?

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  25. when uefi becomes more widely adopted. by Truekaiser · · Score: 2

    Expect more of this. a full command environment with access to all the hardware on the system before the os boots? it's almost as if it was written 'for' virus and malware makers.

    1. Re:when uefi becomes more widely adopted. by Anonymous Coward · · Score: 0

      Expect more of this. a full command environment with access to all the hardware on the system before the os boots? it's almost as if it was written 'for' virus and malware makers.

      or governments...

  26. Re:Whose idiotic idea was it to make BIOSes writab by networkBoy · · Score: 1

    no, DMI training (AFAIK that is not part of ACPI)

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  27. Coreboot is a joke by Anonymous Coward · · Score: 0

    I just looked at the supported boards page. Everything on there is a least a decade old. Oh great someone hacked together a bios that lets my Celeron 533 box boot up 3 seconds faster.

    1. Re:Coreboot is a joke by WorBlux · · Score: 1

      There's a few newer ones, and AMD is supporting it for all of their 14h cpu and chipsets so I think it's just a matter of time till you get more options.

  28. UEFI, anyone? by ttong · · Score: 1

    So what about UEFI, will it make this type of threat more difficult or (much) easier? Also, it seems all my servers are safe from this even if they'd be running MS-Windows, because they use a cheap RAID card to detect the hard drives and then boot from one of them. Another mitigation is an encrypted root filesystem because hook.com won't be able to find a login program. Until they modify it to infect the encryption software, of course. Best way to defend against this would be to use TPM with a signed kernel, which is virtually non-existent today.

  29. BIOS - Lots of Space for the Skilled by Anonymous Coward · · Score: 0

    BIOS contains lots of free/unused space for the skilled programmer.

    The BIOS Logo, which most BIOS have provision for, is 640x480x16 colors. Now that's 19,200 Bytes! One can fit a LOT of malware in 18.75k IF they are skilled in C/ASM.

    Another way, is to make an add-on "OPTION ROM". BIOS have provision for these too [ RAID, Video, Ethernet]. Option ROMS can hook various bios functions, interrupts, etc and override them.

    The average BIOS now has ballooned to over 2Mbytes. Probably leaving 200k or so free. That is a LOT of space for code.

  30. Sign the bios? by im3w1l · · Score: 1

    When the OS requests the BIOS to flash itself, the old BIOS should check that the new one has a correct public key signature from the manufacturer. There could be a physical switch on the mobo for (the tiny minority of) people who wanted to use an unsigned BIOS.
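    As an added example (not code from any poster here), a Python model of the check comment 30 proposes and comment 17 alludes to: the flash routine accepts an update only if its signature verifies under the manufacturer key carried in the boot block, and otherwise requires the physical switch. A SHA-256 Lamport one-time signature stands in for a vendor's real scheme, and the container layout, field names and version number are assumptions made for the example.

```python
"""Model of a signed-BIOS update check (added example, not from the thread).

A Lamport one-time signature built from SHA-256 stands in for the vendor's
real scheme; the container layout below is constructed for this example.
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"BIOSUPD1"              # constructed container header magic
HEADER = struct.Struct(">8sII")  # magic, version, image length


def _h(data):
    return hashlib.sha256(data).digest()


def lamport_keygen():
    # 256 bit positions x 2 secrets of 32 bytes; public key = their hashes
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg):
    # reveal one preimage per bit of the digest (a key must never be reused)
    bits = int.from_bytes(_h(msg), "big")
    return b"".join(sk[i][(bits >> (255 - i)) & 1] for i in range(256))


def lamport_verify(pk, msg, sig):
    if len(sig) != 256 * 32:
        return False
    bits = int.from_bytes(_h(msg), "big")
    for i in range(256):
        expect = pk[i][(bits >> (255 - i)) & 1]
        if not hmac.compare_digest(_h(sig[32 * i:32 * i + 32]), expect):
            return False
    return True


def build_update(sk, version, image):
    # what the manufacturer ships: header + image, then a signature over both
    body = HEADER.pack(MAGIC, version, len(image)) + image
    return body + lamport_sign(sk, body)


def check_update(pk, current_version, blob, unsigned_switch=False):
    """Decide whether the boot block should let this image be flashed.

    pk is the manufacturer key baked into the read-only boot block;
    unsigned_switch models the physical jumper from the thread.
    Returns (accept, reason)."""
    if len(blob) < HEADER.size:
        return False, "truncated"
    magic, version, length = HEADER.unpack_from(blob)
    if magic != MAGIC or len(blob) < HEADER.size + length:
        return False, "bad header"
    if version < current_version:  # refuse downgrades to a known-bad release
        return False, "rollback"
    body = blob[:HEADER.size + length]
    sig = blob[HEADER.size + length:]
    if lamport_verify(pk, body, sig):
        return True, "signed"
    if unsigned_switch:
        return True, "unsigned, hardware override"
    return False, "signature invalid"
```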

  31. Correct me if I'm wrong here... by idbeholda · · Score: 1

    But wouldn't the use of a BIOS password pretty much put a quick end to this? Ignoring backdoor/default passwords, of course.

  32. Correct me if I'm wrong here... by idbeholda · · Score: 1

    But wouldn't using a BIOS password pretty much put a quick end to this? Ignoring backdoor/default passwords, of course.

  33. Re:Virus by couchslug · · Score: 1

    Superstition IS a virus!

    No modern man runs that code or respects the ideas behind it.

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  34. Old news. by hot+soldering+iron · · Score: 1

    My house mate and I caught a virus back in 1997 that infected executables, MBR, and lodged itself in his BIOS. He had to run McAfee 7 times before it finally cleared out. A BIOS infector isn't new.

    Flash BIOS is a convenience to manufacturers, normal end users usually couldn't give a shit. They have no idea what it is, what it does, or why they should care. If it doesn't make their system play games or run Office faster, they don't care.

    --
    When you want something built, come see me. If you want correct grammar and spelling, get a F*ing liberal arts student.
    1. Re:Old news. by Anonymous Coward · · Score: 0

      My house mate and I caught a virus back in 1997 that infected executables, MBR, and lodged itself in his BIOS. He had to run McAfee 7 times before it finally cleared out. A BIOS infector isn't new.

      Flash BIOS is a convenience to manufacturers, normal end users usually couldn't give a shit. They have no idea what it is, what it does, or why they should care. If it doesn't make their system play games or run Office faster, they don't care.

      True, had the same problem around 2000. Could only fix it by running a norton scan from a floppy.

  35. Detect suspicious activity at the home router? by Anonymous Coward · · Score: 0

    Would it be possible to put an appliance at the router (or add functionality to the router) to flag probable infections based on network activity? I'm thinking something a person with only moderate net admin skills could use in addition to virus scans.

  36. Only part of the BIOS needs protecting by davidwr · · Score: 1

    If your bootstrap code and code that allows for an "emergency BIOS reload from CD" early in the boot process is read-only, there will be a way to recover from any BIOS infection.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  37. How about a frickin' HYPHEN? by Anonymous Coward · · Score: 0

    Headline should be "New BIOS-Exploiting Rootkit Discovered," otherwise it means a new BIOS was discovered that is exploiting rootkits.

    C'mon, editors - finish your GEDs and do your jobs.

  38. old school by hesaigo999ca · · Score: 1

    Real old school, and I am very surprised we even allow this to happen even today after all this time.

  39. Flashable bios by nurb432 · · Score: 1

    Should have never got rid of that jumper that required a little bit of human protection.

    --
    ---- Booth was a patriot ----
  40. Signed Code? by imjustmatthew · · Score: 1

    It seems like the trivial fix here is to sign the code and only allow flashing of signed images after boot. It would be nice to be able to flash anything during boot for hacking/testing/whatever, but anyone using the windows-based flash software is likely to be okay with just signed code from the manufacturer.

    Isn't this what those TPM chips were designed for in the first place before they hijacked into being tools for draconian DRM?

    1. Re:Signed Code? by Anonymous Coward · · Score: 0

      Exactly -- which makes me think this might be the thin end of the wedge of shilling for TPM/TCPA/Treacherous Computing. I've got no problem with requiring a signed BIOS/boot loader: so long as I am the one holding the endorsement keys. Unfortunately, that's not the way the TCPA DRM system is set up.

  41. "The Notorious CIH?" by Jeremiah+Cornelius · · Score: 1

    Didn't he get gunned down in LA, after that Vibe magazine party?

    Hey! I'm a west-coast, DU / Tupac kind of guy!

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  42. OT: BIOS password by maxwells_deamon · · Score: 1

    It used to be IBM would reset these for you if you could prove you owned the machine. I think you had to send them in to IBM or have an onsite visit, but it was possible.

  43. I did this back in 1986. by John+Sokol · · Score: 1

    It's not quite the same as back then they were EPROMs and not EEPROMs or flash. So you'd have to actually pull the chips out, erase them with a UV lamp and then program them in a burner.

    It's a long story but after I left high school in New Jersey I had entrusted a friend Mark to ship my possessions to California where I had moved to. Instead he stole it all.

    After moving I started a large collection of BIOS for XT, AT 80286 motherboards. I had written code that was floating around the BBSes that would harvest the BIOS and dump out ROM images that you could burn onto EPROM and install into another motherboard.

    So I had made several sets of the latest AMI bios for some friends back home. Well Mark asked a mutual friend to get a copy of the BIOS from me, but not tell me who it was really for.
    Well I found out and prepared a special BIOS just for him.

    Mark was a big warez guy. He was sharing floppies with everyone.

    So I took a copy of the Friday the 13th virus, also known as Jerusalem B, that would slow your PC down to a crawl and every time you ran a program its file size would grow. It was very easy to detect and clean and mostly harmless. I removed the malicious payload, but made sure it still propagated normally.

    The virus was only around 2000 bytes, and ran as a TSR.
    I found some empty space in the ROM image, and xor encrypted it and placed it in and added hooks so when you format a floppy (Int 13) it would install the virus TSR.

    From there it would then attach itself to any exe file that gets run.

    So I burned the EPROMs and sent them over. I was hearing stories from friends how he was losing his mind. He'd clean all his disks. Then go to make someone a copy and it would be infected. No one would trade disks with him.

    He never did figure out how he kept getting infected.

    Revenge is sweet.

    --
    I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
  44. some boards have dual bios and now update from bio by Joe_Dragon · · Score: 1

    some boards have dual bios and now update from bios as well.

  45. BIOS should have a read/write switch. by antdude · · Score: 1

    Like those floppy disks or something. Enable/Disable physical write option for CMOS/BIOS.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  46. Time to boot from a read-only bios by Anonymous Coward · · Score: 0

    If one has a read-only bios, then the virus has to be with the disk or software loaded at boot. SDK That software should more easily be examined for scanners, etc.

  47. Re:Whose idiotic idea was it to make BIOSes writab by Zilog · · Score: 1

    The problem with signed BIOSes is that the verifying process could fail due to a current BIOS defect resulting from, at your choice, obsolescence, incompatibilities from motherboards/CPUs, a previous failed BIOS update, etc.

    In that case, the BIOS update becomes impossible, even for many dual-BIOS motherboards.