Slashdot Mirror


New BIOS Exploiting Rootkit Discovered

First time accepted submitter mtemar writes with a Symantec analysis of an interesting new trojan/virus. From the article: "There are more and more known viruses that infect the MBR. Symantec Security Response published a blog last month to demonstrate this trend. However, we seldom encounter one that infects the BIOS. One of them, the notorious CIH, appeared in 1999; it infected the computer BIOS and thus harmed a huge number of computers at that time. Recently, we met a new threat named Trojan.Mebromi that can add malicious components into Award BIOS, which allows the threat to take control of the system even before the MBR."


  1. This is what easy over safe design gets ya by jmorris42 · · Score: 5, Insightful

    When flash BIOS first appeared you had to move a hardware jumper to enable writing it. Then we had systems where you could fix it so that once POST finished the possibility to write the BIOS was physically removed. But people wanted simple Windows-based utilities to reflash the BIOS instead of booting from a special floppy or even using the flashers many BIOSes themselves offered, and nobody wanted end users to have to open the case and move a jumper. So the vital security functions were removed. Hilarity ensues.

    --
    Democrat delenda est
    1. Re:This is what easy over safe design gets ya by fnj · · Score: 2

      It's a complete lack of safety. A proper design would require at least a password entered while in the BIOS at a point before anything else could get its hooks into it, to temporarily allow updating. The only executable code that occurs before that point after power-on should be READ ONLY MEMORY with no programmability whatsoever.

    2. Re:This is what easy over safe design gets ya by Dunbal · · Score: 4, Insightful

      But people wanted simple Windows based utilities to reflash the BIOS

      People wanted? Or the industry thought it would be a cool marketing gimmick? Most people have no idea what BIOS stands for, much less what it does and how dangerous it can be for them if it gets subverted. The rest of the people who know should not be too bothered to have to move a jumper to re-flash the BIOS - I mean honestly how often do you do this? - when compared to the security risk. So I don't buy the "people wanted" argument.

      I wish marketing people thought a little more about the decisions they make and held themselves to higher standards. I can't believe that no engineer turned around and said "hang on, if we can flash it from the OS, anyone can flash it from the OS..."

      --
      Seven puppies were harmed during the making of this post.
    3. Re:This is what easy over safe design gets ya by Baloroth · · Score: 4, Informative

      I really, really like what Gigabyte does with their BIOSes. They quite often have 2 on each motherboard, only one of which can be written to. In case of corruption of the primary, you can always boot using the secondary. Wouldn't stop this virus, of course, but it does prevent a corruption based one from hosing your system. Editing BIOS settings from Windows can be pretty convenient, especially if you want to overclock, but it isn't really necessary and probably shouldn't be possible.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    4. Re:This is what easy over safe design gets ya by ifrag · · Score: 2

      How else are you going to allow the unwashed masses to do it?

      I'd expect them to NOT DO IT in the first place. I can't even recall having a flashable BIOS that was actually broken in some serious way that would make a fix mandatory. The majority of my BIOS upgrades have been to support some newer CPU that still fits the same socket, something I'd expect the unwashed masses are not going to change anyway.

      --
      Fear is the mind killer.
    5. Re:This is what easy over safe design gets ya by grimmjeeper · · Score: 4, Informative

      Given that I've worked for a major CPU company and worked with the BIOS developers on more than one occasion as they debugged problems, I think I can say with some confidence that the modern BIOS is more complex by several orders of magnitude over the primitive BIOS you would find in a PC and AT machine. This explosion in complexity means that it's just not financially possible to fund the development to have a flawless BIOS right out of the gate. There are just too many permutations to consider when developing the system to test them all. And even if you did get a "perfect" BIOS out the door, the chips on the board are so much more complex that they never leave the factory without flaws. Ever. And sometimes you just don't find them until they're in the field and you need to supply a workaround.

    6. Re:This is what easy over safe design gets ya by gstoddart · · Score: 2

      But how many of the "unwashed masses" do actually flash their BIOS?

      And, in fairness to the "unwashed masses"... how many of the, er, "washed masses" actually do this?

      In 16 years in the computer industry, plus university and high school ... I have never flashed a BIOS. It simply doesn't come up for me. Granted, I don't build systems, but I've simply never needed to do this.

      How many home users will ever do this task?

      --
      Lost at C:>. Found at C.
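The jumper-versus-software debate above comes down to whether the BIOS flash write-enable is reachable from ring 0. As an added example, not from any of the posters, here is a decoder for the Intel ICH/PCH BIOS_CNTL register bits (BIOSWE, BLE, SMM_BWP) that classifies a reading the way a firmware write-protection audit would; the host names and register values are constructed, and the `setpci` address in the docstring assumes the LPC bridge sits at 00:1f.0.

```python
from dataclasses import dataclass
from typing import Dict

# Bit positions in the 8-bit BIOS_CNTL register (Intel ICH/PCH LPC bridge,
# config offset 0xDC). These positions are the documented ones used by
# firmware audit tools; everything else in this file is a constructed example.
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = flash is writable right now
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = writes allowed only from SMM


@dataclass(frozen=True)
class BiosWriteProtection:
    bioswe: bool
    ble: bool
    smm_bwp: bool

    @property
    def protected(self) -> bool:
        # Count the flash as protected only when writes are disabled, the
        # disable bit is locked, and SMM_BWP closes the SMM re-enable path.
        return (not self.bioswe) and self.ble and self.smm_bwp

    @property
    def verdict(self) -> str:
        if self.bioswe:
            return "WRITABLE: BIOSWE set, any ring-0 code can reflash"
        if not self.ble:
            return "UNLOCKED: BIOSWE clear but not locked, ring-0 can set it"
        if not self.smm_bwp:
            return "WEAK: locked, but SMM_BWP clear; relies on the SMI handler"
        return "PROTECTED: BIOSWE=0, BLE=1, SMM_BWP=1"


def decode_bios_cntl(value: int) -> BiosWriteProtection:
    """Decode one raw BIOS_CNTL byte (e.g. from `setpci -s 00:1f.0 0xdc.b`)."""
    if not 0 <= value <= 0xFF:
        raise ValueError("BIOS_CNTL is an 8-bit register")
    return BiosWriteProtection(
        bioswe=bool(value & BIOSWE),
        ble=bool(value & BLE),
        smm_bwp=bool(value & SMM_BWP),
    )


def audit(readings: Dict[str, int]) -> Dict[str, str]:
    """Map host name -> verdict for a fleet of raw register readings."""
    return {host: decode_bios_cntl(raw).verdict for host, raw in readings.items()}


# Constructed sample readings, one per hypothetical host.
SAMPLE_READINGS = {
    "desk-01": 0x01,  # write-enabled: the "flash it from Windows" state
    "desk-02": 0x00,  # not writable now, but nothing stops re-enabling it
    "desk-03": 0x02,  # locked, enforced by the SMI handler alone
    "desk-04": 0x22,  # fully protected
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_READINGS).items():
        print(f"{host}: {verdict}")
```

The register offset and device address differ across chipsets, so the raw byte must come from the platform's own datasheet; the decoder only answers the question the thread is arguing about: can the OS reach the write-enable bit.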
  2. Why by fnj · · Score: 4, Insightful

    Name one reason why it is a good idea that application programs or the kernel or ANYTHING ELSE should even be ABLE to screw with the BIOS. There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.

    1. Re:Why by hedwards · · Score: 2

      Uh, think of the children?

    2. Re:Why by grimmjeeper · · Score: 2

      I can give you several reasons why you would want to field load the BIOS. Flaws in processor designs are often worked around by BIOS code and settings. Discovering a flaw in a chip after it is sold to the public is a great reason to be able to update the BIOS with the fix in the field. Hell, there are flaws in BIOS code that don't get discovered until your product is shipped. You need to patch it just like you need to patch any other software. Another good reason is to allow you to upgrade some components in your system without having to buy a new motherboard. A new generation of processor can be dropped into many motherboards out there just by flashing the BIOS and plugging the chip in, assuming socket compatibility is maintained.

      Computer systems are vastly more complex now than they were even just 10 years ago. All of the subcomponents on motherboards need a BIOS that tells the CPU where they are and how to run them. Every manufacturer ships processors that have a number of flaws that the BIOS works around. It's the nature of computer systems in the 21st century.

      Sure, if we were back in the '90s and still running the pre-PCI architectures, you may have had a point about locking things down. They just didn't need the complexity we have now. But as complexity has been added on top of complexity, we absolutely cannot get by with a locked down BIOS. It just wouldn't work.

    3. Re:Why by X0563511 · · Score: 2

      I can give you several reasons why you would want to field load the BIOS. Flaws in processor designs are often worked around by BIOS code and settings. Discovering a flaw in a chip after it is sold to the public is a great reason to be able to update the BIOS with the fix in the field.

      Intel (at least) allows you to push microcode updates right into the processor at the OS level. This doesn't need to be done by the BIOS. In fact, it shouldn't - unless you simply cannot boot without doing so!

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    4. Re:Why by fnj · · Score: 4, Insightful

      Er, the issue is not that you don't allow BIOS updates; it's that you protect them with a "big red switch," so they just can't happen like the dog ate my homework. I understand that the BIOS does at times have to be updated, but I don't want some prick on the other end of the internet doing it for me when it doesn't need to be done.

    5. Re:Why by lazyforker · · Score: 2

      Name one reason why it is a good idea that application programs or the kernel or ANYTHING ELSE should even be ABLE to screw with the BIOS. There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.

      I'll bite: bulk BIOS updates on thousands of PCs. My company has an enormous number of PCs - paying someone to manually flick a switch, stand by while a BIOS update is performed, then unflick it afterwards would represent an enormous cost in time and labor. We buy large numbers of identical machines every year - so when a BIOS update is needed it needs to be applied to a lot of machines, globally.

      Secondly: we set BIOS passwords to prevent (or make it harder for) the machine to be booted from USB thumb drive, DVD, external hard drive etc.

      How about making the PC detect signed BIOS packages?

    6. Re:Why by grimmjeeper · · Score: 2

      Yeah, that's much more secure... ;)

      Even though you can push fixes directly into the processor in that way, there is still a reason to have to patch the BIOS. The CPU microcode pretty much only affects the CPU. The BIOS is there to interface with the rest of the components on the motherboard. And when you need to get around a flaw in your north bridge by supplying different initialization settings, there's pretty much no way to fix that in a CPU microcode push. You have to do it with a BIOS flash.

    7. Re:Why by Malties · · Score: 2

      I don't think anyone is saying there is not a reason to flash a BIOS. But what is in question is whether to allow this to be done through Windows. Yes, it is more work to flash a BIOS from the setup screen, but it is much more secure in the light of viruses that attack it.

    8. Re:Why by multisync · · Score: 2

      There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.

      Um ... no. Flashing the BIOS should be at the discretion of the owner of the hardware in question, and not restricted to software provided by the manufacturer. But I agree a physical switch to prevent unauthorized tampering by third parties is a good idea.

      --
      I don't care why you're posting AC
  3. CIH NEVER Infected BIOS by meerling · · Score: 2

    It tried to overwrite it with garbage, thus corrupting it. Kind of like blowing up your car with dynamite isn't the same thing as stealing it.
    Most of the time all CIH succeeded at was trashing the BIOS settings stored in CMOS. Clean the infector, reset the BIOS, save the changes and you were done.

    It's amazing how low the understanding of what malware is and does has fallen. By the way, the antivirus industry has been aware that it would be possible to write a BIOS infector from the moment software-updateable BIOSes became available. Fortunately most writers of malware are pretty incompetent as far as programming goes, though this did take about 6 years longer than I expected.

  4. Re:Whose idiotic idea was it to make BIOSes writab by jmorris42 · · Score: 2

    > The only real reason a computer needs a BIOS is to run a bootloader...

    Oh how I wish that were still true. Got one word for ya, ACPI.

    --
    Democrat delenda est
  5. How complex can it possibly be ? by billcopc · · Score: 2

    Preface: I know a thing or two about BIOS hacking.

    Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be? Many of them only have 2MB, already close to capacity with just the stock BIOS. This doesn't leave a whole lot of space for adding an attack module, and it would have to do some fancy footwork to survive past the protected-mode switch. Modern operating systems don't use the BIOS at all past the bootloader, once the native device drivers take over. It might be possible to punt out some other chunk of the BIOS to make room, but that's playing with fire. If the machine becomes unbootable, the rootkit won't get very far.

    CIH was a very trivial virus. All it did was blindly clobber things with zeroes. It had no way of "rooting" a box. It would simply toast your OS, and if your BIOS chip supported the one flash command CIH knew, it would blank that out as well, rendering your machine unbootable. That's what we get for outsourcing even our virus writing to China :P

    --
    -Billco, Fnarg.com
    1. Re:How complex can it possibly be ? by maxwell+demon · · Score: 2

      Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be?

      Just loading a different sector than the standard MBR sector on startup (maybe after a check that the virus code is there, e.g. by CRC) would probably already defeat a lot of tools protecting against MBR infections. Your "MBR" disk virus would no longer reside on the MBR, and thus not be detected/protected against by the standard antivirus code. Doing so should in the simplest case (no check) require changing no more than one number in the BIOS (the sector to read and execute when booting). The new "MBR" could then load and execute an arbitrary amount of extra code before handing over to the real (unchanged) MBR. Maybe even start a virtual machine to run the OS in.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:How complex can it possibly be ? by cachimaster · · Score: 5, Informative

      Preface: I know a thing or two about BIOS hacking.

      Me too, I did it several times. Not too hard if you have several motherboards to waste :)

      Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be?

      Well, apparently this was found in the wild, working.

      This doesn't leave a whole lot of space for adding an attack module.

      You don't need very much if you know assembly. 512 bytes (yes, bytes) is enough for a very good win32 shellcode with network access. I have found anything from 1KB to 30 KB free memory, and you always can trash unused ROM extensions or bitmaps.

      Modern operating systems don't use the BIOS at all past the bootloader

      This is incorrect. Most operating systems use the BIOS well past the bootloader to get the memory map, VGA mode setting and other stuff like setting up BIOS32 structures, even if they are not used later.

      It might be possible to punt out some other chunk of the BIOS to make room, but that's playing with fire. If the machine becomes unbootable, the rootkit won't get very far.

      True, but BIOS persistence is only an additional vector. If it detects an incompatible BIOS, it simply doesn't use that way to persist on the system.

    3. Re:How complex can it possibly be ? by Gaygirlie · · Score: 2

      Many of them only have 2MB, already close to capacity with just the stock BIOS.

      Tbh, I haven't seen flash chips that small used in motherboards for YEARS. All the modern motherboards I've personally seen have had two 4MB chips, and my current one has as large as 8MB. And no, the BIOS usually takes only about 50% of the space available; the rest is for system builders and such for customizations. I.e. a BIOS virus would easily fit there and wouldn't even need to compress itself.

  6. Re:Clocks/corporotes/updates/crash dumps by webnut77 · · Score: 3, Informative

    Sounds like you're confusing BIOS with CMOS.

  7. Re:Clocks/corporotes/updates/crash dumps by maxwell+demon · · Score: 3, Insightful

    Setting the real time clock (if not the clock itself then the area that allows the machine to wake itself on an alarm)
    Setting the BIOS settings (e.g. BIOS password, boot devices) in a corporate environment across hundreds of machines

    That's not in the BIOS Flash but in CMOS RAM.

    The ability to update the BIOS (e.g. to address a buggy video BIOS or support previously untested hardware)

    Such an update can be done on the BIOS level. The operating system itself doesn't use the BIOS for this anyway (unless you are running DOS, of course).

    Save a crash dump somewhere safe (don't want to trash the disk) across a shutdown

    Do you know a system where dumps are stored in the BIOS Flash? If you want to provide dumping into on-board Flash, you better make that Flash separate (even without viruses, if your system is so fucked up that it might trash the disk on dumping, it might also trash the flash memory it writes to; you definitely do not want that to be your BIOS!)

    --
    The Tao of math: The numbers you can count are not the real numbers.
  8. Re:Clocks/corporotes/updates/crash dumps by fnj · · Score: 2

    Setting the real time clock just writes to data-only CMOS and maybe syncs the registers.

    I strongly suspect changing the BIOS password, boot device settings, etc., work the same way or a very similar way - i.e., don't use program flash. If they don't, it's obvious they COULD.

    Saving a crash dump to BIOS flash? Don't THINK so. Just say no. I doubt anybody does this, but again, if it's that important, it could be done to a hypothetical data-only flash or other storage. There is no excuse to save it to program flash.

    The ability to update critical early parts of the BIOS is just a bit harder to work around. I think it's primarily a matter of coming up on day one of hardware release with always-safe defaults that will always allow you to reach a point with a working display and keyboard. I doubt it would be that big a deal. It might require cooperation with CPU and video card makers. If it's harder than I think, then for god's sake let's get some smart people working on it.

  9. when uefi becomes more widely adopted. by Truekaiser · · Score: 2

    Expect more of this. A full command environment with access to all the hardware on the system before the OS boots? It's almost as if it was written 'for' virus and malware makers.

  10. Re:This is some serious business by fuzzyfuzzyfungus · · Score: 4, Insightful

    Last week, I updated, and then applied desired settings to, several hundred systems across multiple sites without getting up from my desk, much less getting up from my desk, visiting each site, unlocking each chassis, toggling a jumper, completing the update, toggling the jumper back, relocking the chassis, and moving on to the next... Build update package, shove update package over network. Go, settings take effect on next boot (for newly purchased systems, just plug 'em in, PXE boot, and you get your system image and BIOS config automatically).

    The option to hard-switch the BIOS into read-only would be handy; but I'm not seeing it become a default any time soon...

  11. Re:This is some serious business by lpp · · Score: 3, Informative

    It's not just that it was first discovered by a Chinese security firm. It also appears to be targeted at Chinese PCs. From the original post:

    The infection is clearly focused on Chinese users, because the dropper is carefully checking if the system it’s going to infect is protected by Chinese security software Rising Antivirus and Jiangmin KV Antivirus.

    Makes one wonder who developed it and what the intent was.

  12. Re:This is some serious business by rthille · · Score: 3, Funny

    Not only that, but a guy in China did the same thing to all those systems of yours! :-)

    --
    Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/