Slashdot Mirror


New BIOS Exploiting Rootkit Discovered

First time accepted submitter mtemar writes with a Symantec analysis of an interesting new trojan/virus. From the article: "There are more and more known viruses that infect the MBR. Symantec Security Response has published a blog to demonstrate this trend last month. However, we seldom confront with one that infects the BIOS. One of them, the notorious CIH, appeared in 1999, which infected the computer BIOS and thus harmed a huge number of computers at that time. Recently, we met a new threat named Trojan.Mebromi that can add malicious components into Award BIOS which allows the threat to take control of the system even before MBR."


  1. This is some serious business by Reverand+Dave · · Score: 1

    Is it really a total surprise that it was discovered initially by a Chinese security firm? Their reaction should have been, " look at this virus we just found that we just made!"

    --
    I got here through a series of tubes
    1. Re:This is some serious business by dintech · · Score: 1

      Irrespective of where it came from or its maliciousness, you've got to admire it for how cool and sophisticated it is. Hmm, sounds French.

    2. Re:This is some serious business by fuzzyfuzzyfungus · · Score: 4, Insightful

      Last week, I updated, and then applied desired settings to, several hundred systems across multiple sites without getting up from my desk, much less getting up from my desk, visiting each site, unlocking each chassis, toggling a jumper, completing the update, toggling the jumper back, relocking the chassis, and moving on to the next... Build update package, shove update package over network. Go, settings take effect on next boot (for newly purchased systems, just plug 'em in, PXE boot, and you get your system image and BIOS config automatically).

      The option to hard-switch the BIOS into read-only would be handy; but I'm not seeing it become a default any time soon...

    3. Re:This is some serious business by lpp · · Score: 3, Informative

      It's not just that it was first discovered by a Chinese security firm. It also appears to be targeted at Chinese PCs. From the original post:

      The infection is clearly focused on Chinese users, because the dropper is carefully checking if the system it’s going to infect is protected by Chinese security software Rising Antivirus and Jiangmin KV Antivirus.

      Makes one wonder who developed it and what the intent was.

    4. Re:This is some serious business by omnichad · · Score: 1

      BIOS Config != BIOS

    5. Re:This is some serious business by Reverand+Dave · · Score: 1

      Probably the same way the super flu will kill all of the people living in the town where it is being developed.

      --
      I got here through a series of tubes
    6. Re:This is some serious business by rthille · · Score: 3, Funny

      Not only that, but a guy in china did the same thing to all those systems of yours! :-)

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    7. Re:This is some serious business by fuzzyfuzzyfungus · · Score: 1

      In this case I did do both (to bring all BIOSes for each model up to current, and then standardize the configs; but they were two distinct operations).

      I'd be delighted to see the security of vital bits of a PC's guts be down to something other than sheer obscurity (and, I'd really prefer that the alternative not be a cryptographic vendor lock, those don't end well.) Defaulting to a cryptographic lock, so that Joe Blow can safely get BIOS updates without touching his hardware might be ok; but you'd really want a way to override that and substitute a different key, by toggling the jumper or whatever. Corporate types could do their custom thing by provisioning their own key during deployment, home times could know nothing safely, and coreboot wouldn't be out in the cold...

    8. Re:This is some serious business by FatdogHaiku · · Score: 1

      It's not, his, fault!

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    9. Re:This is some serious business by lpp · · Score: 1

      Furthering your analogy, your version of the flu would have been tailored to only attack individuals with chromosomal characteristics common to the Asiatic region.

    10. Re:This is some serious business by Reverand+Dave · · Score: 1

      I figured it was more of a regional thing and less of a racial thing, but this virus seems awfully sophisticated already so who knows.

      --
      I got here through a series of tubes
    11. Re:This is some serious business by lpp · · Score: 1

      Ah, I see. I figured anyone capable of creating something this sophisticated would have been able to target more platforms due to the relative accessibility of PC parts. But perhaps I'm overestimating just how accessible parts are from outside China.

    12. Re:This is some serious business by nobodie · · Score: 1

      Probably another attempt by 360 AV to crush competition. They attacked QQ last Spring and made a big fuss, now maybe they are going after some competitors. It is the wild west over there.

      --
      Subversion of spatial scale luxury decoration ideas.
  2. Well now. by Snkbyt3d · · Score: 1

    Seems I need to drink my coffee a little faster as to write an anti-Trojan.Mebromi fix to prevent it from getting in our systems. Lol

  3. This is what easy over safe design gets ya by jmorris42 · · Score: 5, Insightful

    When flash BIOS first appeared you had to move a hardware jumper to enable writing it. Then we had systems where you could fix it so that once POST finished the possibility to write the BIOS was physically removed. But people wanted simple Windows based utilities to reflash the BIOS instead of booting from a special floppy or even using the flashers many BIOSes themselves offered, and nobody wanted end users to have to open the case and move a jumper. So the vital security functions were removed. Hilarity ensues.

    --
    Democrat delenda est
    1. Re:This is what easy over safe design gets ya by fnj · · Score: 2

      It's a complete lack of safety. A proper design would require at least a password entered while in the BIOS at a point before anything else could get its hooks into it, to temporarily allow updating. The only executable code that occurs before that point after power-on should be READ ONLY MEMORY with no programmability whatsoever.

    2. Re:This is what easy over safe design gets ya by grimmjeeper · · Score: 1

      Do you have any idea how complex the BIOS code is these days? A lot of the fixes that go into BIOS releases are for the code that runs before you even hear the system beep. You really do need to be able to flash that as fixes come out.

    3. Re:This is what easy over safe design gets ya by Dunbal · · Score: 4, Insightful

      But people wanted simple Windows based utilities to reflash the BIOS

      People wanted? Or the industry thought it would be a cool marketing gimmick? Most people have no idea what BIOS stands for, much less what it does and how dangerous it can be for them if it gets subverted. The rest of the people who know should not be too bothered to have to move a jumper to re-flash the BIOS - I mean honestly how often do you do this? - when compared to the security risk. So I don't buy the "people wanted" argument.

      I wish marketing people thought a little more about the decisions they make and held themselves to higher standards. I can't believe that no engineer turned around and said "hang on, if we can flash it from the OS, anyone can flash it from the OS..."

      --
      Seven puppies were harmed during the making of this post.
    4. Re:This is what easy over safe design gets ya by Malties · · Score: 1

      But you do not need to do it from inside Windows. As complex as the BIOS code is, the interface for flashing is not that unfriendly.

    5. Re:This is what easy over safe design gets ya by fnj · · Score: 1

      Why? If it works during testing, but it turns out later to be not perfect, just put reinitialization code into the updates that change the code that comes AFTER that point. How the christ do you think we used to do it before they even used flash memory?

    6. Re:This is what easy over safe design gets ya by fnj · · Score: 1

      Yes, it was clearly market driven. One day nobody had it, and the next day somebody said "hey, look at this cool feature we have!" Nobody in the public even knew it was possible until the feature appeared.

    7. Re:This is what easy over safe design gets ya by Baloroth · · Score: 4, Informative

      I really, really like what Gigabyte does with their BIOSes. They quite often have 2 on each motherboard, only one of which can be written to. In case of corruption of the primary, you can always boot using the secondary. Wouldn't stop this virus, of course, but it does prevent a corruption based one from hosing your system. Editing BIOS settings from Windows can be pretty convenient, especially if you want to overclock, but it isn't really necessary and probably shouldn't be possible.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    8. Re:This is what easy over safe design gets ya by grimmjeeper · · Score: 1

      And how do you propose the units in the field get fixed? Or do they just need to pitch them and buy new ones?

    9. Re:This is what easy over safe design gets ya by Errtu76 · · Score: 1

      I think everyone has a USB disk/key nowadays. If not, you can buy one for a couple of bucks. Have them make a "click here to prepare a bootable USB disk which will flash your BIOS" application and be done with it.

    10. Re:This is what easy over safe design gets ya by X0563511 · · Score: 1

      Yea, instead you have vendors handing out floppy IMG files leaving you to scratch your head. I don't understand why more don't allow you to use USB Mass Storage.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    11. Re:This is what easy over safe design gets ya by ifrag · · Score: 2

      How else are you going to allow the unwashed masses to do it?

      I'd expect them to NOT DO IT in the first place. I can't even recall having a flashable BIOS that was actually broken in some serious way that would make a fix mandatory. The majority of my BIOS upgrades have been to support some newer CPU that still fits the same socket, something I'd expect the unwashed masses are not going to change anyway.

      --
      Fear is the mind killer.
    12. Re:This is what easy over safe design gets ya by S.O.B. · · Score: 1

      I'm sure manufacturers added the ability to flash the BIOS from a Windows based utility because they were tired of having to explain to non-technical people how to create a boot disk especially now that the floppy has more or less disappeared. Of course you could boot from a USB drive but a bootable USB drive is more problematic than a boot floppy for non-techies.

      A safer solution might be to have the BIOS read only with a writable update area where the update utility could save a compressed copy of the new BIOS. On reboot the BIOS, recognizing the presence of the update, could display the appropriate warnings and then ask the user if they want to install the update.

      Of course it would still require that the user understand the risks but at least it would eliminate stealth updates of the BIOS.

      --
      Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
    13. Re:This is what easy over safe design gets ya by Anonymous Coward · · Score: 1

      I never saw what was that hard about booting from a 3.5" diskette & flashing in a DOS-like environment or (by necessity, given the expanding size of BIOSes and obsolescence of the 3.5" FDD) later on, using a flash stick to do the same.

      Flashing BIOS in a running Windows OS is just plain dangerous and stupid, not only for security reasons but because there is simply a lot going on, and things can go horribly wrong. Witness the many HP laptops that have been bricked by official, HP-provided BIOS updates (mandatory in-GUI flashing).

    14. Re:This is what easy over safe design gets ya by grimmjeeper · · Score: 1

      That might work. But I'm not sure how much additional security that buys you. All it does is add an intermediate step.

    15. Re:This is what easy over safe design gets ya by Sooner+Boomer · · Score: 1

      It's a complete lack of safety. A proper design would require at least a password entered while in the BIOS at a point before anything else could get its hooks into it, to temporarily allow updating. The only executable code that occurs before that point after power-on should be READ ONLY MEMORY with no programmability whatsoever.

      This is exactly what IBM did with some of the Thinkpad models. There was a special chip that held the password. The problem was, that if this chip "glitched", or you forgot the password, you now have a brick. The chip was soldered onto the motherboard, and couldn't be reset by jumpers or disconnecting the battery. I've got two units that are junk because of this.

      --
      Chaos maximizes locally around me.
    16. Re:This is what easy over safe design gets ya by calzakk · · Score: 1

      But how many of the "unwashed masses" do actually flash their BIOS?

    17. Re:This is what easy over safe design gets ya by NoNonAlphaCharsHere · · Score: 1

      The "intermediate step" is user intervention, which is the whole point. At least you wouldn't get your BIOS rooted "accidentally".

    18. Re:This is what easy over safe design gets ya by fnj · · Score: 1

      Read the whole thread. The idea is to have the BIOS on day one good enough to be failsafe getting to a state where it has a working video and keyboard and can at least boot a floppy, CD, or USB stick. Nothing else. It's even conceivable that you don't guarantee the video and keyboard work, but as long as you can boot a DOS media with autoexec.bat you can get the reflashing accomplished.

      Do you really think that's not possible? Funny; the PC and the AT could do better than that.

    19. Re:This is what easy over safe design gets ya by fnj · · Score: 1

      I think the solution to that design flaw is pretty clear and workable.

    20. Re:This is what easy over safe design gets ya by hweimer · · Score: 1

      In the past decade or so, the only situations in which I did BIOS updates were to get on-site support dispatched to replace some faulty hardware (which the hardware vendor wouldn't do unless you ran the latest BIOS firmware). Hardly something that I would expect the unwashed masses to experience.

      --
      OS Reviews: Free and Open Source Software
    21. Re:This is what easy over safe design gets ya by Reverand+Dave · · Score: 1

      That's how Apple does it!

      --
      I got here through a series of tubes
    22. Re:This is what easy over safe design gets ya by grimmjeeper · · Score: 1

      You're forgetting social engineering. How many people fall victim to that every day? Someone who doesn't know any better will do whatever their computer tells them to do if you word it correctly.

      But I will agree that the user intervention part will significantly reduce the number of incidents.

    23. Re:This is what easy over safe design gets ya by ColdWetDog · · Score: 1

      The "intermediate step" is user intervention, which is the whole point. At least you wouldn't get your BIOS rooted "accidentally".

      Why does 'user intervention' in the context of computer security fill me with a vague sense of dread?

      --
      Faster! Faster! Faster would be better!
    24. Re:This is what easy over safe design gets ya by grimmjeeper · · Score: 4, Informative

      Given that I've worked for a major CPU company and worked with the BIOS developers on more than one occasion as they debugged problems, I think I can say with some confidence that the modern BIOS is more complex by several orders of magnitude over the primitive BIOS you would find in a PC and AT machine. This explosion in complexity means that it's just not financially possible to fund the development to have a flawless BIOS right out of the gate. There are just too many permutations to consider when developing the system to test them all. And even if you did get a "perfect" BIOS out the door, the chips on the board are so much more complex that they never leave the factory without flaws. Ever. And sometimes you just don't find them until they're in the field and you need to supply a workaround.

    25. Re:This is what easy over safe design gets ya by gstoddart · · Score: 2

      But how many of the "unwashed masses" do actually flash their BIOS?

      And, in fairness to the "unwashed masses"... how many of the, er, "washed masses" actually do this?

      In 16 years in the computer industry, plus university and high school ... I have never flashed a BIOS. It simply doesn't come up for me. Granted, I don't build systems, but I've simply never needed to do this.

      How many home users will ever do this task?

      --
      Lost at C:>. Found at C.
    26. Re:This is what easy over safe design gets ya by blair1q · · Score: 1

      Computer makers didn't want to spend a dime to add a switch and a wire to every case, if it didn't help people steal music or view pr0n or frag n00bs.

    27. Re:This is what easy over safe design gets ya by simcop2387 · · Score: 1

      Last time that I *HAD* to flash my bios was when I had an incompatibility with my VooDoo 5 card.

    28. Re:This is what easy over safe design gets ya by couchslug · · Score: 1

      Most people never reflash a BIOS, and even after years of working on PCs I do so rarely.
      I suspect the removal of BIOS-protection jumpers is mere cost-cutting. No pins, no jumper, no extra work on the production line to install the jumper.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    29. Re:This is what easy over safe design gets ya by gstoddart · · Score: 1

      Well, you know what? In my 30+ years in the computer industry, I've flashed countless BIOS.

      OK, so we've narrowed it down to between zero and infinity ... thanks for your useful contribution. :-P

      --
      Lost at C:>. Found at C.
    30. Re:This is what easy over safe design gets ya by omnichad · · Score: 1

      My motherboard lets me just read the new BIOS image file off the usb drive directly - no booting required. There's an update BIOS option in the config screen.

    31. Re:This is what easy over safe design gets ya by itof500 · · Score: 1

      Raises hand.

      Admittedly, it was awhile back to solve a network card incompatibility. Then there was another to enable the 4th DIMM slot (an ASUS motherboard. Never bought another from them).

      Duke out

    32. Re:This is what easy over safe design gets ya by bill_mcgonigle · · Score: 1

      and nobody wanted end users to have to open the case and move a jumper

      That's just more cost-cutting. An A/B switch would have worked fine, but added 20 cents to the cost of a PC.

      I like how ASUS (and others, no doubt) have BIOS's that know how to read VFAT and can pull a flash image off a USB drive directly. The user just needs to know how to copy a file to a flash drive.

      How about if only the ability to toggle 'boot into BIOS' was exposed to the OS? A Windows utility could then copy the file to the flash drive, and set the PC to boot into BIOS and issue a reboot sequence. A smart BIOS could take it from there.

      "This procedure will permanently reprogram your computer with updated or changed functionality. If you did not intend to do this, click NO now." or something would be a reasonable warning screen. If the BIOS validated signatures by default, even better.

      MSI seems to be writing their new BIOS in EFI instead of straight x86 assembly so we should see some of this soon. There's OpenBoot too, if you have a lucky match of mobos.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    33. Re:This is what easy over safe design gets ya by idontgno · · Score: 1

      Oh, I don't know. Even infinity can be a countable set.

      I just think GPP has poor counting skills.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    34. Re:This is what easy over safe design gets ya by geekprime · · Score: 1

      "In my 30+ years in the computer industry,"

      You sir are not a part of the set titled "the unwashed masses"

    35. Re:This is what easy over safe design gets ya by AceJohnny · · Score: 1

      I really, really hate what Gigabyte does with their BIOSes, considering their BIOS backed itself up on the end on some of my disks, changed the OS-visible size of the disk using Host Protected Area (HPA), squashing the mdraid metadata that was happily living there.

      By the time I understood what was happening, I had had 3 of my 6 RAID disks screwed, as I had swapped the disks around ignorantly thinking it was some controller error.

      That feature was not advertised, and that version of the BIOS had a bug where this feature didn't properly detect which disks it could accomplish this on (it only looked for NTFS/VFAT partitions, natch) and could not be disabled. While I can understand the purpose and usefulness of the feature, releasing with such a bug has made me swear off Gigabyte.

      For the reference, it was a GA-P35-DS3, with BIOS F12.

      --
      Misleading titles? Inflammatory blurbs? Keep in mind that Slashdot is a tabloid.
    36. Re:This is what easy over safe design gets ya by WorBlux · · Score: 1

      Every set is a subset of itself of course. However you still can't enumerate it.

    37. Re:This is what easy over safe design gets ya by Onymous+Coward · · Score: 1

      That sounds more like marketing driven than market driven.

      market driven: Determined by or responsive to market forces.

    38. Re:This is what easy over safe design gets ya by vux984 · · Score: 1

      I think everyone has a USB disk/key nowadays. If not, you can buy one for a couple of bucks. Have them make a "click here to prepare a bootable USB disk which will flash your BIOS" application and be done with it.

      And how do they boot off it? Few computers are set by default to boot off the usb drive, and most shouldn't be.

      So now, in addition to fiddling with a hardware dongle, you want them to go into bios and mess around with the selection of boot devices, and then later change it back...

      "and be done with it"? Making the bootable disk is just the first step in a needless process that only gets more complicated from here... expect

      a) support calls to skyrocket in frequency ... as millions of users flail about useless because they had trouble making one... they used a 2 Terabyte external usb hard drive instead of a flash drive and lost all their data, they managed to locate a usb drive from 5 years ago that is too small or doesn't work... and then after getting flash drive... can't figure out how to get the pc to boot off of it.

      b) bios updates to not happen because they are "too hard"

    39. Re:This is what easy over safe design gets ya by smash · · Score: 1

      The whole BIOS idea as we know it is broken. The only thing you should really need to go in there for these days is to change boot device. Which can/could be done with boot menu. Pick sensible defaults, actually test the firmware properly before release, and the whole need to write to bios goes away.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    40. Re:This is what easy over safe design gets ya by cbiltcliffe · · Score: 1

      b) bios updates to not happen because they are "too hard"

      How many end users update their own BIOS now?
      In my experience, it is precisely zero. Most of them, when you mention BIOS, or even explain what it is, get a glazed look on their face.

      So this isn't going to change anything for 99.9% of users, other than making it more difficult to get infected by something like this.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    41. Re:This is what easy over safe design gets ya by sumdumass · · Score: 1

      Well, I just composed an email warning all my family and friends of this and the steps they need to protect themselves. I found this program on a Chinese website that automatically patches any BIOS concerning this risk from within Windows Explorer. But you have to make sure you disable your antivirus before running it else it will make your system inaccessible.

      Is that social enough?

    42. Re:This is what easy over safe design gets ya by sumdumass · · Score: 1

      I had to update my BIOS on a system to stop the crashes in Windows XP. The box the mainboard came in said it was designed for Win XP, but it would go into crashing reboot fits after some automatic Windows updates early on.

    43. Re:This is what easy over safe design gets ya by sumdumass · · Score: 1

      I think his point was that he had done it for the unwashed masses. I can agree with him too. I've done BIOS updates to cure many issues with other people's computers. For all those unwashed masses out there, they probably have needed to flash the BIOS but paid someone else to do it when their system became too unstable. So instead of flashing it themselves, they paid some repair tech $150 to fix their system.

    44. Re:This is what easy over safe design gets ya by sjames · · Score: 1

      Some things, such as many memory controllers can only be set up once per reset. If you try to repeat the procedure they enter an undefined and non-functional state.

      A better answer is to have a ROM fallback that can set things up as conservatively as possible just far enough to allow re-flashing the primary BIOS.

    45. Re:This is what easy over safe design gets ya by ResidentSourcerer · · Score: 1

      Agreed, sort of.

      The better solution would be to run a lead to the case, and have a button that you had to press down while the BIOS was being flashed.

      [Semi-off topic digression follows.]

      In general 'read only' is your security friend. I tried intermittently to figure out a FreeBSD hack that would allow me to boot a production server as read only on the root partition. OpenBSD has the ability to mark files as immutable when in security level 2.

      I like the idea that I can have a set of programs that cannot be compromised by malware. I once had a Linux intrusion that rewrote ls to hide directories that had names ... (three dots) It also would show normal sizes of ps, which was hacked to not show certain processes. We were scratching our heads for a while. They hadn't hacked lsof or find however.

      A better model for a secure system:

      1. Certain directories are not writable in normal operating mode. /bin, /sbin /lib are a good start.

      2. No program that requires elevated privilege can run from a writable directory.

      3. The chmod system call cannot mark a program set{ug}id in normal operating mode since any such program is in a directory that is un-writable.

      4. Data is not executable. Executable code is not modifiable in memory. Don't know how much of a restriction this makes.

      5. To make a change you have to lower the operating status of the OS to 'insecure'. In practice this should mean similar to single user mode, with a set of parameters that can be chosen by the operator. E.g. in security change mode, the computer cannot route outside the local subnet. Or if truly paranoid, has no network connection at all. No background processes run in SC mode.

      This doesn't make the computer secure. Lots of bad things can be done by programs running in user space. But this gives you a kit of trusted tools that the OS can use to examine the running processes.

      --
      Third Career: Tree Farmer Second Career: Computer Geek First Career: Teacher, Outdoor Instructor, Photographer.
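
An added example, not part of the comment above and not any project's code: a Python audit for rule 2 of that list, reporting set-uid/set-gid files that sit in a group- or world-writable directory or are themselves writable by others. The function names and the demo tree are constructed for illustration; only the immediate parent directory is checked.

```python
import os
import stat
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH   # 0o022
PRIVILEGE_BITS = stat.S_ISUID | stat.S_ISGID       # 0o6000


def audit(root):
    """Return sorted (path, reasons) for set[ug]id files that break rule 2.

    A file is reported when it carries a set-uid or set-gid bit and either
    its parent directory or the file itself is writable by group or others.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        dir_open = bool(os.lstat(dirpath).st_mode & WRITABLE_BY_OTHERS)
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: never follow symlinks
            except OSError:
                continue                 # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode):
                continue                 # only regular files can be set[ug]id programs
            if not st.st_mode & PRIVILEGE_BITS:
                continue                 # no elevated privilege requested
            reasons = []
            if dir_open:
                reasons.append("parent directory is group/world-writable")
            if st.st_mode & WRITABLE_BY_OTHERS:
                reasons.append("file is group/world-writable")
            if reasons:
                findings.append((path, reasons))
    return sorted(findings)


def build_demo_tree(base):
    """Create a small constructed tree under base to run the audit against."""
    # relative path -> (directory mode, file mode); all values are made up
    layout = {
        "bin/locked":      (0o755, 0o4755),  # set-uid, nothing writable: passes
        "bin/loose":       (0o755, 0o4775),  # set-uid file is group-writable
        "scratch/dropped": (0o777, 0o4755),  # set-uid file in an open directory
        "scratch/plain":   (0o777, 0o644),   # no privilege bits: ignored
    }
    for rel, (dir_mode, file_mode) in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, file_mode)                    # set after writing so the bit survives
        os.chmod(os.path.dirname(path), dir_mode)    # chmod ignores the umask


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        for path, reasons in audit(base):
            print(os.path.relpath(path, base), "->", "; ".join(reasons))
```
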
    46. Re:This is what easy over safe design gets ya by NoNonAlphaCharsHere · · Score: 1

      LOL. "Rogers" on that.

    47. Re:This is what easy over safe design gets ya by sjames · · Score: 1

      And to this day, people hardly ever actually update their BIOS. The few who do tend to be server admins who never had a problem using a DOS boot disk based flash update in the first place.

    48. Re:This is what easy over safe design gets ya by vux984 · · Score: 1

      How many end users update their own BIOS now? In my experience, it is precisely zero.

      You'd be mistaken.

      If they leave their Sony VAIO with its pile of OOBE "out of box experience" complete with Sony Update service, and so forth, then if there is a BIOS update, they'll get prompted to install it, and they will. Same goes for the bundled support software on many laptops and desktops from major vendors.

      Now if you asked me how many end users CONSCIOUSLY update their BIOS I'd agree it's precisely zero. But the last few years have seen an upswing in BIOS updates being handled almost transparently... provided the bundled support software is left intact to do its thing. (which it often is).

    49. Re:This is what easy over safe design gets ya by cbiltcliffe · · Score: 1

      That's provided people don't ignore the update prompts because "I've heard they can break stuff," or "I think it might be trying to give me a virus."

      I get that a lot.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    50. Re:This is what easy over safe design gets ya by vux984 · · Score: 1

      That's provided people don't ignore the update prompts because "I've heard they can break stuff," or "I think it might be trying to give me a virus."

      I get that a lot.

      Yeah, it's kind of strange... we criticise regular users for clicking OK to anything and everything that pops up on their screen -- as this is how they get viruses, while at the same time most of them have a gaggle of pissed off tray icons nagging them to do actual needed updates.

      Nothing cracks me up like cleaning someone's PC that's filled with toolbars, viruses, crapware, and other cruft that the user clicked OK to without reading... while acrobat reader, java, flash, windows update, and vaio update are all asking to install updates.

      That said though, I think Dell and Sony update packages (though intolerably annoying) have been effective at getting a lot of that 3rd party stuff including bios updated.

      I really think though, that Microsoft and the big vendors should get that software into the windows update track... 20 software updaters that check independently is just annoying. Especially when most of the updaters themselves are especially annoying.

  4. Why by fnj · · Score: 4, Insightful

    Name one reason why it is a good idea that application programs or the kernel or ANYTHING ELSE should even be ABLE to screw with the BIOS. There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.

    1. Re:Why by hedwards · · Score: 2

      Uh, think of the children?

    2. Re:Why by grimmjeeper · · Score: 2

      I can give you several reasons why you would want to field load the BIOS. Flaws in processor designs are often worked around by BIOS code and settings. Discovering a flaw in a chip after it is sold to the public is a great reason to be able to update the BIOS with the fix in the field. Hell, there are flaws in BIOS code that don't get discovered until your product is shipped. You need to patch it just like you need to patch any other software. Another good reason is to allow you to upgrade some components in your system without having to buy a new motherboard. A new generation of processor can be dropped into many motherboards out there just by flashing the BIOS and plugging the chip in, assuming socket compatibility is maintained.

      Computer systems are vastly more complex now than they were even just 10 years ago. All of the subcomponents on motherboards need a BIOS that tells the CPU where they are and how to run them. Every manufacturer ships processors that have a number of flaws that the BIOS works around. It's the nature of computer systems in the 21st century.

      Sure, if we were back in the 90's and still running the pre-PCI architectures, you may have had a point about locking things down. They just didn't need the complexity we have now. But as complexity has been added on top of complexity, we absolutely cannot get by with a locked down BIOS. It just wouldn't work.

    3. Re:Why by X0563511 · · Score: 2

      I can give you several reasons why you would want to field load the BIOS. Flaws in processor designs are often worked around by BIOS code and settings. Discovering a flaw in a chip after it is sold to the public is a great reason to be able to update the BIOS with the fix in the field.

      Intel (at least) allows you to push microcode updates right into the processor at the OS level. This doesn't need to be done by the BIOS. In fact, it shouldn't - unless you simply cannot boot without doing so!

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    4. Re:Why by fnj · · Score: 4, Insightful

      Er, the issue is not that you don't allow BIOS updates; it's that you protect them with a "big red switch," so they just can't happen like the dog ate my homework. I understand that the BIOS does at times have to be updated, but I don't want some prick on the other end of the internet doing it for me when it doesn't need to be done.

    5. Re:Why by lazyforker · · Score: 2

      Name one reason why it is a good idea that application programs or the kernel or ANYTHING ELSE should even be ABLE to screw with the BIOS. There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.

      I'll bite: bulk BIOS updates on thousands of PCs. My company has an enormous number of PCs - paying someone to manually flick a switch, stand by while a BIOS update is performed, then unflick it afterwards would represent an enormous cost in time and labor. We buy large numbers of identical machines every year - so when a BIOS update is needed it needs to be applied to a lot of machines, globally.

      Secondly: we set BIOS passwords to prevent (or make it harder for) the machine to be booted from USB thumb drive, DVD, external hard drive etc.

      How about making the PC detect signed BIOS packages?

    6. Re:Why by grimmjeeper · · Score: 2

      Yeah, that's much more secure... ;)

      Even though you can push fixes directly into the processor in that way, there is still a reason to have to patch the BIOS. The CPU microcode pretty much only affects the CPU. The BIOS is there to interface with the rest of the components on the motherboard. And when you need to get around a flaw in your north bridge by supplying different initialization settings, there's pretty much no way to fix that in a CPU microcode push. You have to do it with a BIOS flash.

    7. Re:Why by Malties · · Score: 2

      I don't think anyone is saying there is not a reason to flash a BIOS. But what is in question is whether to allow this to be done through Windows. Yes it is more work to flash a BIOS from the setup screen, it is much more secure in the light of viruses that attack it.

    8. Re:Why by grimmjeeper · · Score: 1

      I can agree with that concept.

    9. Re:Why by multisync · · Score: 2

      There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.

      Um ... no. Flashing the BIOS should be at the discretion of the owner of the hardware in question, and not restricted to software provided by the manufacturer. But I agree a physical switch to prevent unauthorized tampering by third parties is a good idea.

      --
      I don't care why you're posting AC
    10. Re:Why by blair1q · · Score: 1

      on your smartphone?

    11. Re:Why by ajlitt · · Score: 1

      Nevermind microcode. Most of the silicon bug workarounds that BIOS implements are in the form of "chicken bits": undocumented (or not publicly documented) configuration bits that the chip designers put in to turn off or tweak new features to a design. Also, a lot of features in modern processors and chipsets have a large analog component. A CPU could have hundreds of SERDES links, each with DLLs, equalization, not to mention chip-wide PLLs, power supply controls, voltage references, and more. Similar adjustments can be done to many of these during BIOS startup to correct for manufacturing or design issues.

    12. Re:Why by ajlitt · · Score: 1

      I forgot to mention that most of these things are accessed easily through MSRs or PCI config space, both of which are easy to access from an OS driver.

    13. Re:Why by Dog-Cow · · Score: 1

      I've been with the same company for more or less 12 years, and I have never seen IT (I work in IT) do a BIOS update on a single system, much less company-wide. What kind of crap do you buy that you have need to do this en masse?

    14. Re:Why by X0563511 · · Score: 1

      Well, microcode doesn't persist beyond booting, so while it's not perfect, it's not permanently damaging. You usually can't just reboot to resolve a corrupted/tampered BIOS flash.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    15. Re:Why by grimmjeeper · · Score: 1

      Yeah, I spent a couple years dancing through the BKDG tweaking a few of those bits a couple of years back. Enough that I have a feeling you and I have worked together IRL. At the very least, your name is very familiar to me...

    16. Re:Why by wdef · · Score: 1

      That argument certainly works for everything else.

    17. Re:Why by multisync · · Score: 1

      Care to elaborate, or just trolling?

      --
      I don't care why you're posting AC
    18. Re:Why by sjames · · Score: 1

      Right, and that's when you use that red switch to enable the update. In a server, you can let the BMC/SP do it, of course.

  5. CIH NEVER Infected BIOS by meerling · · Score: 2

    It tried to overwrite it with garbage, thus corrupting it. Kind of like blowing up your car with dynamite isn't the same thing as stealing it.
    Most of the time all CIH succeeded at was trashing the BIOS settings stored in CMOS. Clean the infector, reset the BIOS, save the changes and you were done.

    It's amazing how low the understanding of what malware is and does has fallen. By the way, the antivirus industry has been aware that it would be possible to write a bios infector the moment the software update-able bios became available. Fortunately most writers of malware are pretty incompetent as far as programming goes, though this did take about 6 years longer than I expected.

    1. Re:CIH NEVER Infected BIOS by fnj · · Score: 1

      Most of the time, yes, that's reassuring, but you're implying there is some of the time when it succeeded in actually infecting the BIOS in a non-bricking way.

    2. Re:CIH NEVER Infected BIOS by GSloop · · Score: 1

      No, CIH was a virus that trashed the BIOS as part of its payload.

      On some systems it was unable to modify the BIOS and so the *payload* wasn't delivered - so to speak. But it never "infected" the BIOS - in that there was never any attempt to get running code in the BIOS.

      And if somewhere somehow it placed running code in the BIOS, it should be viewed as like a million monkeys at a million keyboards. Eventually one will type something readable.

      That's a FAR, FAR cry from writing code that intentionally infects the BIOS and does "useful" things in that code.

      CIH is/was not even close.

  6. Clocks/corporotes/updates/crash dumps by Sits · · Score: 1, Insightful

    Well some points why the kernel may need to write to an area of the BIOS off the top of my head:

    • Setting the real time clock (if not the clock itself then the area that allows the machine to wake itself on an alarm)
    • Setting the BIOS settings (e.g. BIOS password, boot devices) in a corporate environment across hundreds of machines
    • The ability to update the BIOS (e.g. to address a buggy video BIOS or support previously untested hardware)
    • Save a crash dump somewhere safe (don't want to trash the disk) across a shutdown
    1. Re:Clocks/corporotes/updates/crash dumps by webnut77 · · Score: 3, Informative

      Sounds like you're confusing BIOS with CMOS.

    2. Re:Clocks/corporotes/updates/crash dumps by maxwell+demon · · Score: 3, Insightful

      Setting the real time clock (if not the clock itself then the area that allows the machine to wake itself on an alarm)
      Setting the BIOS settings (e.g. BIOS password, boot devices) in a corporate environment across hundreds of machines

      That's not in the BIOS Flash but on the CMOS RAM.

      The ability to update the BIOS (e.g. to address a buggy video BIOS or support previously untested hardware)

      Such an update can be done on the BIOS level. The operating system itself doesn't use the BIOS for this anyway (unless you are running DOS, of course).

      Save a crash dump somewhere safe (don't want to trash the disk) across a shutdown

      Do you know a system where dumps are stored in the BIOS Flash? If you want to provide dumping into on-board Flash, you better make that Flash separate (even without viruses, if your system is so fucked up that it might trash the disk on dumping, it might also trash the flash memory it writes to; you definitely do not want that to be your BIOS!)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    3. Re:Clocks/corporotes/updates/crash dumps by fnj · · Score: 2

      Setting the real time clock just writes to data-only CMOS and maybe syncs the registers.

      I strongly suspect changing the BIOS password, boot device settings, etc., work the same way or a very similar way - i.e., don't use program flash. If they don't, it's obvious they COULD.

      Saving a crash dump to BIOS flash? Don't THINK so. Just say no. I doubt anybody does this, but again, if it's that important, it could be done to a hypothetical data-only flash or other storage. There is no excuse to save it to program flash.

      The ability to update critical early parts of the BIOS is just a bit harder to work around. I think it's primarily a matter of coming up on day one of hardware release with always-safe defaults that will always allow you to reach a point with a working display and keyboard. I doubt it would be that big a deal. It might require cooperation with CPU and video card makers. If it's harder than I think, then for god's sake let's get some smart people working on it.

    4. Re:Clocks/corporotes/updates/crash dumps by Amouth · · Score: 1

      The only legit argument you have is doing a large-scale bios update in a corp/enterprise environment.

      And to be fair with that, some vendors (I'm familiar with Intel on this one) already support it in a secure manner that does not require the user to do anything and isn't done at the OS level. Please look into Intel's AMT work.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    5. Re:Clocks/corporotes/updates/crash dumps by ttong · · Score: 1

      That's not in the BIOS Flash but on the CMOS RAM.

      NVRAM, to be exact. It'd be useless if it were volatile.

      Such an update can be done on the BIOS level. The operating system itself doesn't use the BIOS for this anyway (unless you are running DOS, of course).

      This doesn't make any sense. On many levels.

      As for saving a crash dump, you use IEEE1394 for that. On-board flash is going to be ridiculously expensive (a typical ATX motherboard can easily have 32GiB of RAM) both in terms of cost and in time. And what are you going to do when you're out of P/E cycles?

  7. encrypted hard drive by Ectospheno · · Score: 1

    So if you use full disk encryption such as truecrypt do you just get a trashed drive?

    1. Re:encrypted hard drive by X0563511 · · Score: 1

      How does that have anything to do with the BIOS at all?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:encrypted hard drive by Ectospheno · · Score: 1

      Maybe you should read the relevant articles first.

    3. Re:encrypted hard drive by X0563511 · · Score: 1

      Maybe not. Because truecrypt et al do not reside in BIOS, CMOS, or NVRAM. Even "drivelock" doesn't, it's in the disk firmware.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  8. Re:Whose idiotic idea was it to make BIOSes writab by 0123456 · · Score: 1

    The only real reason a computer needs a BIOS is to run a bootloader, and if that functionality works, then it's probably going to continue to work.

    You're obviously nostalgic for the days when software was debugged as thoroughly as possible before shipping because it couldn't be upgraded later, rather than released with known major bugs because 'we can always fix it with a flash upgrade'.

  9. Re:Whose idiotic idea was it to make BIOSes writab by jmorris42 · · Score: 2

    > The only real reason a computer needs a BIOS is to run a bootloader...

    Oh how I wish that were still true. Got one word for ya, ACPI.

    --
    Democrat delenda est
  10. Re:Whose idiotic idea was it to make BIOSes writab by Anonymous Coward · · Score: 1

    The real question is why are BIOSes not verified for a digital signature by a hardware component.

    Yes, you want to be able to upgrade a BIOS by sending a file to a client. That's an important feature. I just don't get why the file should not, as a requirement, be digitally signed.

    Shachar
    posting anonymously to not revert moderation

  11. Re:Coreboot by nschubach · · Score: 1

    I kind of forgot about coreboot/OpenBIOS. Looking at their motherboard support page, apparently I'm not alone. It's a neat concept, but the BIOS is generally just configured and ignored for most people, including geeks.

    --
    Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  12. Re:As long as you can update from Windows... by Dunbal · · Score: 1

    Another solution is to make sure your BIOS is bug free when you ship. That involves paying your coders slightly more than minimum Chinese wage.

    --
    Seven puppies were harmed during the making of this post.
  13. How complex can it possibly be ? by billcopc · · Score: 2

    Preface: I know a thing or two about BIOS hacking.

    Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be? Many of them only have 2MB, already close to capacity with just the stock BIOS. This doesn't leave a whole lot of space for adding an attack module, and it would have to do some fancy footwork to survive past the protected-mode switch. Modern operating systems don't use the BIOS at all past the bootloader, once the native device drivers take over. It might be possible to punt out some other chunk of the BIOS to make room, but that's playing with fire. If the machine becomes unbootable, the rootkit won't get very far.

    CIH was a very trivial virus. All it did was blindly clobber things with zeroes. It had no way of "rooting" a box. It would simply toast your OS, and if your BIOS chip supported the one flash command CIH knew, it would blank that out as well, rendering your machine unbootable. That's what we get for outsourcing even our virus writing to China :P

    --
    -Billco, Fnarg.com
    1. Re:How complex can it possibly be ? by bWareiWare.co.uk · · Score: 1

      The only payload they need is to load the MBR from somewhere unexpected (i.e. probably one address change). This ensures all the current AntiVirus code will be scanning the wrong MBR and giving a false negative.

    2. Re:How complex can it possibly be ? by networkBoy · · Score: 1

      I would imagine it loads some item as an option ROM, reads more code from disk at a fixed offset location, loads into a modified bootloader that loads the actual payload then steps back to the real MBR to bring up the host OS. The BIOS code can be fairly trivial at that point, but hides that the MBR has been compromised by leaving the original MBR intact.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    3. Re:How complex can it possibly be ? by maxwell+demon · · Score: 2

      Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be?

      Just loading a different sector than the standard MBR sector on startup (maybe after a check that the virus code is there, e.g. by CRC) would probably already defeat a lot of tools protecting against MBR infections. Your "MBR" disk virus would no longer reside on the MBR, and thus not be detected/protected against by the standard antivirus code. Doing so should in the simplest case (no check) require to change no more than one number in the BIOS (the sector to read and execute when booting). The new "MBR" could then load and execute an arbitrary amount of extra code before handing over to the real (unchanged) MBR. Maybe even start a virtual machine to run the OS in.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    4. Re:How complex can it possibly be ? by cachimaster · · Score: 5, Informative

      Preface: I know a thing or two about BIOS hacking.

      Me too, I did it several times. Not too hard if you have several motherboards to waste :)

      Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be?

      Well apparently this was found in the wild, working.

      This doesn't leave a whole lot of space for adding an attack module.

      You don't need very much if you know assembly. 512 bytes (yes, bytes) is enough for a very good win32 shellcode with network access. I have found anything from 1KB to 30 KB free memory, and you always can trash unused ROM extensions or bitmaps.

      Modern operating systems don't use the BIOS at all past the bootloader

      This is incorrect. Most operating systems use the BIOS well past the bootloader to get the memory map, VGA mode setting and other stuff like setting up BIOS32 structures, even if they are not used later.

      It might be possible to punt out some other chunk of the BIOS to make room, but that's playing with fire. If the machine becomes unbootable, the rootkit won't get very far.

      True, but BIOS persistence is only an additional vector. If it detects an incompatible BIOS, it simply doesn't use that way to persist on the system.

    5. Re:How complex can it possibly be ? by X0563511 · · Score: 1

      You apparently can't read. The MBR is not the BIOS, and the BIOS is not the MBR.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    6. Re:How complex can it possibly be ? by aix+tom · · Score: 1

      Well, 2MB is 32 times the memory the C64 needed to do A LOT of "fancy" stuff, including its own viruses.

    7. Re:How complex can it possibly be ? by Gaygirlie · · Score: 2

      Many of them only have 2MB, already close to capacity with just the stock BIOS.

      Tbh, I haven't seen that small flash chips used in motherboards for YEARS. All the modern motherboards I've personally seen have had two 4MB chips, and my current one has as large as 8MB. And no, the BIOS usually takes only about 50% of the space available, the rest is for system builders and such for customizations. Ie. a BIOS virus would easily fit there and wouldn't even need to compress itself.

    8. Re:How complex can it possibly be ? by ajlitt · · Score: 1

      This.

    9. Re:How complex can it possibly be ? by cachimaster · · Score: 1

      What can I do to lessen the risk of this happening?

      Use a signed-BIOS. All Intel motherboards have a signed BIOS (Actually it's EFI).
      I would use Intel motherboards.

  14. Same question every time by ThatsNotPudding · · Score: 1

    Can we really trust sky-falling advisories from companies such as Symantec? #ProfitMotive

  15. Re:Whose idiotic idea was it to make BIOSes writab by networkBoy · · Score: 1

    And DDR2/3/4
    And PCIe/16 Graphics
    All timings & lane skews handled by BIOS
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  16. BIOS on user-replaceable mask ROM by tepples · · Score: 1

    And how do you propose the units in the field get fixed?

    Put the BIOS image on a microSD mask ROM. Then open the case, snap out the old BIOS card, insert new BIOS card, close the case.

    1. Re:BIOS on user-replaceable mask ROM by grimmjeeper · · Score: 1

      Yeah, let me know how well that sells to the general public.

      "What do you mean I have to open up my computer?!? That's going to void the warranty!!!"

    2. Re:BIOS on user-replaceable mask ROM by maxwell+demon · · Score: 1

      Yeah, let me know how well that sells to the general public.

      "What do you mean I have to open up my computer?!? That's going to void the warranty!!!"

      And reflashing the BIOS doesn't?

      --
      The Tao of math: The numbers you can count are not the real numbers.
    3. Re:BIOS on user-replaceable mask ROM by tepples · · Score: 1

      Most people don't replace CPUs or do anything that would require adding features to the BIOS. And if the PC is still warranted, bring it into an authorized repair shop and a tech will snap in the new BIOS card for you.

    4. Re:BIOS on user-replaceable mask ROM by JLennox · · Score: 1

      Dell really wants BIOS updates to involve them fronting the $40-$120 min shop charge or paying for an onsite call.

    5. Re:BIOS on user-replaceable mask ROM by tepples · · Score: 1

      How often does a BIOS update happen, other than to support new CPUs?

    6. Re:BIOS on user-replaceable mask ROM by Fjandr · · Score: 1

      The general public is going to reflash their BIOS at all anyway?

      I'd like to know which "general public" you deal with.

    7. Re:BIOS on user-replaceable mask ROM by VanessaE · · Score: 1

      So put the card in question at the end of a short extension cable and mount it behind a little panel on the back of the machine - something the user can just flip open as easily as replacing a battery on a clock.

    8. Re:BIOS on user-replaceable mask ROM by Fnord666 · · Score: 1

      I'd like to know which "general public" you deal with.

      You probably know him as Colonel Public. He was promoted recently.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    9. Re:BIOS on user-replaceable mask ROM by smash · · Score: 1

      Normally not very often. However with shitty untested hardware that was rushed out the door, such as the Dell E6500 series latitudes, we got 20 bios versions in 18 months. And still there were heaps of problems outstanding with heat.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    10. Re:BIOS on user-replaceable mask ROM by sumdumass · · Score: 1

      that's probably why he mentioned that colonel public got promoted recently.

  17. Re:As long as you can update from Windows... by 0123456 · · Score: 1

    Another solution is to make sure your BIOS is bug free when you ship. That involves paying your coders slightly more than minimum Chinese wage.

    Which is great until a new CPU is released and you don't support it and can't upgrade the BIOS to do so. I've seen a number of AMD users complaining because they'd been told that if they bought an AMD motherboard today they would still be able to use it for future generations of AMD CPUs, only to find that the motherboard manufacturer couldn't be bothered to issue a new BIOS two years later to support the new chips even though the hardware would work with them.

  18. Re:Whose idiotic idea was it to make BIOSes writab by grimmjeeper · · Score: 1

    And HT/QPI. Hell, you have to get the PCIe buses walked enough to even see the BIOS boot ROM on the south bridge. Not a full initialization but enough to read the contents of the boot ROM into cache and/or RAM.

  19. Re:Welcome to the bios infestation by cyberchondriac · · Score: 1

    "In Russia, BIOS rootkit exploits YOU!"
    "Al Gore invented the rootkit"
    "It's Bush's fault"
    "All your BIOS are belong to us!" (Okay, haven't heard this one for a while)

    There.. now we're done with all the /. memes and can move on, right? ;)

    --

    Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
  20. Re:Whose idiotic idea was it to make BIOSes writab by fnj · · Score: 1

    ACPI is a cluster fuck, but do you have any ready reason why it could not all be done in the OS, perhaps a unique module particular to the individual motherboard, rather than the BIOS?

  21. Re:Whose idiotic idea was it to make BIOSes writab by X0563511 · · Score: 1

    ... in other words, ACPI?

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  22. Re:As long as you can update from Windows... by Dunbal · · Score: 1

    Your example is the exception because usually a new CPU means a new socket, which means a new motherboard. Besides last minute patches are usually to fix bugs that get discovered through having a large number of users, not to support new hardware. And your argument is irrelevant in the context of being able to update your BIOS through moving a jumper or even changing the physical chip like in the old days. What happens is that if you allow a company a path of least resistance, then management and employees will make sure to do the minimum effort required. Just like software patches were a rare thing before the prevalence of the internet. Now multi-hundred gigabyte release day patches are the norm. Why? Because companies are fucking lazy and sloppy and if you give them an inch they take a mile. I'm in favor of not giving them that inch.

    --
    Seven puppies were harmed during the making of this post.
  23. when uefi becomes more widely adopted. by Truekaiser · · Score: 2

    Expect more of this. a full command environment with access to all the hardware on the system before the os boots? it's almost as if it was written 'for' virus and malware makers.

  24. Re:Whose idiotic idea was it to make BIOSes writab by networkBoy · · Score: 1

    no, DMI training (AFAIK that is not part of ACPI)

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  25. UEFI, anyone? by ttong · · Score: 1

    So what about UEFI, will it make this type of threat more difficult or (much) easier? Also, it seems all my servers are safe from this even if they'd be running MS-Windows, because they use a cheap RAID card to detect the hard drives and then boot from one of them. Another mitigation is an encrypted root filesystem because hook.com won't be able to find a login program. Until they modify it to infect the encryption software, of course. Best way to defend against this would be to use TPM with a signed kernel, which is virtually non-existent today.

  26. Re:As long as you can update from Windows... by tepples · · Score: 1

    I guess conventional wisdom is that formal verification to ensure that a BIOS is bug free is too expensive for this market segment.

  27. Re:As long as you can update from Windows... by maxwell+demon · · Score: 1

    If you change the CPU, you must open your case and manipulate the hardware anyway. Changing a jumper to allow BIOS update wouldn't be a big deal in that case.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  28. Re:As long as you can update from Windows... by 0123456 · · Score: 1

    If you change the CPU, you must open your case and manipulate the hardware anyway. Changing a jumper to allow BIOS update wouldn't be a big deal in that case.

    In case you didn't notice, the post I was replying to was suggesting that you make the BIOS bug-free and not upgradeable at all rather than making the BIOS upgrade more complex.

  29. Sign the bios? by im3w1l · · Score: 1

    When the OS requests the BIOS to flash itself, the old bios should check that the new one has a correct public key signature from the manufacturer. There could be a physical switch on the mobo for (the tiny minority of) people who wanted to use an unsigned bios.

  30. Correct me if I'm wrong here... by idbeholda · · Score: 1

    But wouldn't the use of a BIOS password pretty much put a quick end to this? Ignoring backdoor/default passwords, of course.

  31. Correct me if I'm wrong here... by idbeholda · · Score: 1

    But wouldn't using a BIOS password pretty much put a quick end to this? Ignoring backdoor/default passwords, of course.

  32. Re:Virus by couchslug · · Score: 1

    Superstition IS a virus!

    No modern man runs that code or respects the ideas behind it.

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  33. Old news. by hot+soldering+iron · · Score: 1

    My house mate and I caught a virus back in 1997 that infected executables, MBR, and lodged itself in his BIOS. He had to run McAfee 7 times before it finally cleared out. A BIOS infecter isn't new.

    Flash BIOS is a convenience to manufacturers, normal end users usually couldn't give a shit. They have no idea what it is, what it does, or why they should care. If it doesn't make their system play games or run Office faster, they don't care.

    --
    When you want something built, come see me. If you want correct grammar and spelling, get a F*ing liberal arts student.
  34. Only part of the BIOS needs protecting by davidwr · · Score: 1

    If your bootstrap code and code that allows for an "emergency BIOS reload from CD" early in the boot process is read-only, there will be a way to recover from any BIOS infection.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  35. old school by hesaigo999ca · · Score: 1

    Real old school, and I am very surprised we even allow this to happen even today after all this time.

  36. Re:As long as you can update from Windows... by Colourspace · · Score: 1

    And of course, do they really care if Joe Average needs to buy a new mobo or laptop because theirs is bricked....? Possibly not, chances are it might even be from the same vendor... Writing this from my ASUS - not my choice, an insurance replacement. My favoured method of bricking is spilt beer :D

  37. Re:As long as you can update from Windows... by Colourspace · · Score: 1

    I would love to live in your perfect world. Silicon development is HUGELY complex. Yes you could theoretically release perfect hardware (from the device to the gate level) but the R+D costs would prevent anyone actually buying it.

  38. Re:Coreboot is a joke by WorBlux · · Score: 1

    There's a few newer ones, and AMD is supporting it for all of their 14h cpu and chipsets so I think it's just a matter of time till you get more options.

  39. Flashable bios by nurb432 · · Score: 1

    Should have never got rid of that jumper that required a little bit of human protection.

    --
    ---- Booth was a patriot ----
  40. Signed Code? by imjustmatthew · · Score: 1

    It seems like the trivial fix here is to sign the code and only allow flashing of signed images after boot. It would be nice to be able to flash anything during boot for hacking/testing/whatever, but anyone using the windows-based flash software is likely to be okay with just signed code from the manufacturer.

    Isn't this what those TPM chips were designed for in the first place before they were hijacked into being tools for draconian DRM?
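
The gate proposed in the comment above, sketched as an added example (not part of the thread and not any vendor's code): flashing after boot requires a valid vendor signature, while flashing during boot accepts any image. The key is a constructed demo key built from two Mersenne primes, and the names `vendor_sign`, `signature_ok`, `flash_allowed` and the phase strings are assumptions.

```python
import hashlib

# Constructed demo key, NOT a real vendor key: two Mersenne primes, so the
# example runs offline with the standard library only. Far too weak for use.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                  # public key, stored in the flash gate
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held by the vendor only
K = (N.bit_length() + 7) // 8        # modulus length in bytes

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

SAMPLE_IMAGE = b"constructed firmware image v1.02"  # stand-in for a BIOS image

def _encode(image):
    """EMSA-PKCS1-v1_5 encoding of the image's SHA-256 digest (K bytes)."""
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def vendor_sign(image):
    """Vendor side: RSA signature over the encoded digest."""
    m = int.from_bytes(_encode(image), "big")
    return pow(m, D, N).to_bytes(K, "big")

def signature_ok(image, sig):
    """Gate side: needs only (N, E). Rebuild the expected encoding and compare
    all K bytes, so malformed padding cannot slip through a lenient parser."""
    if not isinstance(sig, bytes) or len(sig) != K:
        return False
    s = int.from_bytes(sig, "big")
    if s >= N:
        return False
    return pow(s, E, N).to_bytes(K, "big") == _encode(image)

def flash_allowed(image, sig, phase):
    """Policy from the comment: anything may be flashed during boot;
    after boot, only vendor-signed images are accepted."""
    if phase == "boot":
        return True
    if phase == "after-boot":
        return signature_ok(image, sig)
    return False                      # unknown phase: fail closed

if __name__ == "__main__":
    sig = vendor_sign(SAMPLE_IMAGE)
    print(flash_allowed(SAMPLE_IMAGE, sig, "after-boot"))            # signed image
    print(flash_allowed(SAMPLE_IMAGE + b"\x90", sig, "after-boot"))  # modified image
```
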

  41. "The Notorious CIH?" by Jeremiah+Cornelius · · Score: 1

    Didn't he get gunned down in LA, after that Vibe magazine party?

    Hey! I'm a west-coast, DU / Tupac kind of guy!

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  42. OT: BIOS password by maxwells_deamon · · Score: 1

    It used to be IBM would reset these for you if you could prove you owned the machine. I think you had to send them in to IBM or have an onsite visit, but it was possible.

  43. I did this back in 1986. by John+Sokol · · Score: 1

    It's not quite the same as back then they were EPROMs and not EEPROMs or flash. So you'd have to actually pull the chips out, erase them with a UV lamp and then program them in a burner.

    It's a long story but after I left high school in New Jersey I had entrusted a friend Mark to ship my possessions to California where I had moved to. Instead he stole it all.

    After moving I started a large collection of BIOS for XT, AT 80286 motherboards. I had written code that was floating around the BBS's that would harvest the BIOS and dump out ROM images that you could burn on to EPROM and install into another motherboard.

    So I had made several sets of the latest AMI bios for some friends back home. Well Mark asked a mutual friend to get a copy of the BIOS from me, but not tell me who it was really for.
    Well I found out and prepared a special BIOS just for him.

    Mark was a big warez guy. He was sharing floppies with everyone.

    So I took a copy of the Friday the 13th virus. Also known as Jerusalem B, that would slow your PC down to a crawl and every time you ran a program its file size would grow. It was very easy to detect and clean and mostly harmless. I removed the malicious payload, but made sure it still propagated normally.

    The virus was only around 2000 bytes, and ran as a TSR.
    I found some empty space in the ROM image, and xor encrypted it and placed it in and added hooks so when you format a floppy (Int 13) it would install the virus TSR.

    From there it would then attach itself to any exe file that gets run.

    So I burned the EPROMs and sent them over. I was hearing stories from friends how he was losing his mind. He'd clean all his disks. Then go to make someone a copy and it would be infected. No one would trade disks with him.

    He never did figure out how he kept getting infected.

    Revenge is sweet.

    --
    I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
  44. some boards have dual bios and now update from bio by Joe_Dragon · · Score: 1

    some boards have dual bios and now update from bios as well.

  45. BIOS should have a read/write switch. by antdude · · Score: 1

    Like those floppy disks or something. Enable/Disable physical write option for CMOS/BIOS.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  46. Re:Whose idiotic idea was it to make BIOSes writab by Zilog · · Score: 1

    The problem with signed BIOSes is that the verifying process could fail due to a current BIOS defect resulting from, at your choice, obsolescence, incompatibilities from motherboards/CPUs, previous failed BIOS update, etc.

    In that case, the BIOS update becomes impossible, even for many dual-BIOS motherboards.