Slashdot Mirror


New BIOS Exploiting Rootkit Discovered

First time accepted submitter mtemar writes with a Symantec analysis of an interesting new trojan/virus. From the article: "There are more and more known viruses that infect the MBR. Symantec Security Response has published a blog to demonstrate this trend last month. However, we seldom confront one that infects the BIOS. One of them, the notorious CIH, appeared in 1999, which infected the computer BIOS and thus harmed a huge number of computers at that time. Recently, we met a new threat named Trojan.Mebromi that can add malicious components into Award BIOS which allows the threat to take control of the system even before the MBR."

7 of 205 comments

  1. This is what easy over safe design gets ya by jmorris42 · Score: 5, Insightful

    When flash BIOS first appeared you had to move a hardware jumper to enable writing it. Then we had systems where you could fix it so that once POST finished the possibility to write the BIOS was physically removed. But people wanted simple Windows based utilities to reflash the BIOS instead of booting from a special floppy or even using the flashers many BIOSes themselves offered, and nobody wanted end users to have to open the case and move a jumper. So the vital security functions were removed. Hilarity ensues.

    --
    Democrat delenda est
    1. Re:This is what easy over safe design gets ya by Dunbal · Score: 4, Insightful

      But people wanted simple Windows based utilities to reflash the BIOS

      People wanted? Or the industry thought it would be a cool marketing gimmick? Most people have no idea what BIOS stands for, much less what it does and how dangerous it can be for them if it gets subverted. The rest of the people who know should not be too bothered to have to move a jumper to re-flash the BIOS - I mean honestly how often do you do this? - when compared to the security risk. So I don't buy the "people wanted" argument.

      I wish marketing people thought a little more about the decisions they make and held themselves to higher standards. I can't believe that no engineer turned around and said "hang on, if we can flash it from the OS, anyone can flash it from the OS..."

      --
      Seven puppies were harmed during the making of this post.
  2. Why by fnj · Score: 4, Insightful

    Name one reason why it is a good idea that application programs or the kernel or ANYTHING ELSE should even be ABLE to screw with the BIOS. There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.

    1. Re:Why by fnj · Score: 4, Insightful

      Er, the issue is not that you don't allow BIOS updates; it's that you protect them with a "big red switch," so they just can't happen like the dog ate my homework. I understand that the BIOS does at times have to be updated, but I don't want some prick on the other end of the internet doing it for me when it doesn't need to be done.

  3. Clocks/corporates/updates/crash dumps by Sits · Score: 1, Insightful

    Well, some points why the kernel may need to write areas of the BIOS, off the top of my head:

    • Setting the real time clock (if not the clock itself then the area that allows the machine to wake itself on an alarm)
    • Setting the BIOS settings (e.g. BIOS password, boot devices) in a corporate environment across hundreds of machines
    • The ability to update the BIOS (e.g. to address a buggy video BIOS or support previously untested hardware)
    • Save a crash dump somewhere safe (don't want to trash the disk) across a shutdown
    1. Re:Clocks/corporates/updates/crash dumps by maxwell+demon · Score: 3, Insightful

      Setting the real time clock (if not the clock itself then the area that allows the machine to wake itself on an alarm)
      Setting the BIOS settings (e.g. BIOS password, boot devices) in a corporate environment across hundreds of machines

      That's not in the BIOS Flash but on the CMOS RAM.

      The ability to update the BIOS (e.g. to address a buggy video BIOS or support previously untested hardware)

      Such an update can be done on the BIOS level. The operating system itself doesn't use the BIOS for this anyway (unless you are running DOS, of course).

      Save a crash dump somewhere safe (don't want to trash the disk) across a shutdown

      Do you know a system where dumps are stored in the BIOS Flash? If you want to provide dumping into on-board Flash, you better make that Flash separate (even without viruses, if your system is so fucked up that it might trash the disk on dumping, it might also trash the flash memory it writes to; you definitely do not want that to be your BIOS!)

      --
      The Tao of math: The numbers you can count are not the real numbers.
  4. Re:This is some serious business by fuzzyfuzzyfungus · Score: 4, Insightful

    Last week, I updated, and then applied desired settings to, several hundred systems across multiple sites without getting up from my desk, much less getting up from my desk, visiting each site, unlocking each chassis, toggling a jumper, completing the update, toggling the jumper back, relocking the chassis, and moving on to the next... Build update package, shove update package over network. Go, settings take effect on next boot (for newly purchased systems, just plug 'em in, PXE boot, and you get your system image and BIOS config automatically).

    The option to hard-switch the BIOS into read-only would be handy; but I'm not seeing it become a default any time soon...
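The thread above argues about the jumper that used to gate BIOS writes (jmorris42) and whether a read-only switch will ever be a default (fuzzyfuzzyfungus). On Intel chipsets the jumper was replaced by a software lock in the chipset's BIOS_CNTL register, so an administrator can at least check whether that lock is engaged. The following is an added example, not code from the Slashdot post or from Symantec: it decodes the register bits and, optionally, reads the live value from the LPC bridge's PCI config space on Linux. The register layout (device 00:1f.0, config offset 0xDC, bits BIOSWE, BLE and SMM_BWP) and the sysfs path are assumptions taken from the Intel ICH/PCH datasheet convention and must be verified against the datasheet for the chipset generation in question; the sample values are constructed, not captured from real hardware.

```python
"""Decode the Intel BIOS_CNTL register to tell whether the firmware flash is
software-writable (the modern replacement for the physical write-enable jumper).

Assumed register layout (verify against your chipset's datasheet):
  LPC bridge at PCI 00:1f.0, config space offset 0xDC, 8 bits wide.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

BIOS_CNTL_OFFSET = 0xDC   # assumed offset within the LPC bridge's config space
BIOSWE = 1 << 0           # BIOS Write Enable: 1 = flash writes pass through
BLE = 1 << 1              # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5          # BIOS writes only while all cores are in SMM

# Assumed sysfs location of the LPC bridge's PCI config space on Linux.
DEFAULT_PCI_CONFIG = Path("/sys/bus/pci/devices/0000:00:1f.0/config")


@dataclass(frozen=True)
class BiosWriteProtect:
    raw: int
    write_enabled: bool
    lock_enabled: bool
    smm_write_protect: bool

    @property
    def protected(self) -> bool:
        # Treated as protected when writes are disabled AND the lock bit stops
        # software from simply re-enabling them, or when SMM_BWP confines
        # writes to System Management Mode.
        return (not self.write_enabled and self.lock_enabled) or self.smm_write_protect

    def verdict(self) -> str:
        flags: List[str] = []
        if self.write_enabled:
            flags.append("BIOSWE=1")
        if self.lock_enabled:
            flags.append("BLE=1")
        if self.smm_write_protect:
            flags.append("SMM_BWP=1")
        state = "PROTECTED" if self.protected else "UNPROTECTED"
        return f"{state} (BIOS_CNTL=0x{self.raw:02x}; {', '.join(flags) or 'no bits set'})"


def decode_bios_cntl(value: int) -> BiosWriteProtect:
    """Split an 8-bit BIOS_CNTL value into its write-protection flags."""
    if not 0 <= value <= 0xFF:
        raise ValueError("BIOS_CNTL is an 8-bit register")
    return BiosWriteProtect(
        raw=value,
        write_enabled=bool(value & BIOSWE),
        lock_enabled=bool(value & BLE),
        smm_write_protect=bool(value & SMM_BWP),
    )


def read_bios_cntl(pci_config: Path = DEFAULT_PCI_CONFIG) -> Optional[int]:
    """Read the live register byte; returns None when it is not readable.

    Unprivileged users only get the first 64 bytes of config space from
    sysfs, so offset 0xDC reads as end-of-file without root.
    """
    try:
        with pci_config.open("rb") as f:
            f.seek(BIOS_CNTL_OFFSET)
            data = f.read(1)
    except OSError:
        return None
    return data[0] if data else None


# Constructed sample values (not read from real hardware) covering the states
# an auditor is likely to meet.
SAMPLES: Dict[str, int] = {
    "writes open, no lock (the 'jumper left on' case)": 0x01,
    "lock set but writes still enabled": 0x03,
    "writes disabled and locked": 0x02,
    "SMM-only writes enforced": 0x22,
}


def audit_samples() -> Dict[str, str]:
    """Return a verdict line for each constructed sample."""
    return {name: decode_bios_cntl(v).verdict() for name, v in SAMPLES.items()}


if __name__ == "__main__":
    live = read_bios_cntl()
    if live is None:
        print("live BIOS_CNTL not readable here (need root and an Intel LPC bridge); using samples")
        for name, line in audit_samples().items():
            print(f"{name}: {line}")
    else:
        print(decode_bios_cntl(live).verdict())
```

The interesting row is 0x03: the lock bit is set, yet BIOSWE is still 1, so the flash is writable from the OS exactly as the thread fears. A result of UNPROTECTED is the modern equivalent of a board shipped with the write-enable jumper left on, and is worth raising with whoever builds the firmware image; note that newer platforms layer further protections (SPI flash descriptor and protected-range registers) on top of this single byte, which this check does not inspect.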