New BIOS Exploiting Rootkit Discovered

First time accepted submitter mtemar writes with a Symantec analysis of an interesting new trojan/virus. From the article:"There are more and more known viruses that infect the MBR. Symantec Security Response has published a blog to demonstrate this trend last month. However, we seldom confront with one that infects the BIOS. One of them, the notorious CIH, appeared in 1999, which infected the computer BIOS and thus harmed a huge number of computers at that time. Recently, we met a new threat named Trojan.Mebromi that can add malicious components into Award BIOS which allows the threat to take control of the system even before MBR."

This is what easy over safe design gets ya

[jmorris42]

When flash BIOS first appeared you had to move a hardware jumper to enable writing it. Then we had systems where you could fix it so that once POST finished the possibility to write the BIOS was physically removed. But people wanted simple Windows based utilities to reflash the BIOS instead of booting from a special floppy or even using the flashers many BIOSes themselves offered, and nobody wanted end users to have to open the case and move a jumper. So the vital security functions were removed. Hilarity ensues.

Re:This is what easy over safe design gets ya

[Dunbal]

But people wanted simple Windows based utilities to reflash the BIOS

People wanted? Or the industry thought it would be a cool marketing gimmick? Most people have no idea what BIOS stands for, much less what it does and how dangerous it can be for them if it gets subverted. The rest of the people who know should not be too bothered to have to move a jumper to re-flash the BIOS - I mean honestly how often do you do this? - when compared to the security risk. So I don't buy the "people wanted" argument.

I wish marketing people thought a little more about the decisions they make and held themselves to higher standards. I can't believe that no engineer turned around and said "hang on, if we can flash it from the OS, anyone can flash it from the OS..."

Re:This is what easy over safe design gets ya

[Baloroth]

I really, really like what Gigabyte does with their BIOSes. They quite often have 2 on each motherboard, only one of which can be written to. In case of corruption of the primary, you can always boot using the secondary. Wouldn't stop this virus, of course, but it does prevent a corruption based one from hosing your system. Editing BIOS settings from Windows can be pretty convenient, especially if you want to overclock, but it isn't really necessary and probably shouldn't be possible.

Re:This is what easy over safe design gets ya

[grimmjeeper]

Given that I've worked for a major CPU company and worked with the BIOS developers on more than one occasion as they debugged problems, I think I can say with some confidence that the modern BIOS is more complex by several orders of magnitude over the primitive BIOS you would find in a PC and AT machine. This explosion in complexity means that it's just not financially possible to fund the development to have a flawless BIOS right out of the gate. There are just too many permutations to consider when developing the system to test them all. And even if you did get a "perfect" BIOS out the door, the chips on the board are so much more complex that they never leave the factory without flaws. Ever. And sometimes you just don't find them until they're in the field and you need to supply a workaround.

Why

[fnj]

Name one reason why it is a good idea that application programs or the kernel or ANYTHING ELSE should even be ABLE to screw with the BIOS. There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.

Re:Why

[fnj]

Er, the issue is not that you don't allow BIOS updates; it's that you protect them with a "big red switch," so they just can't happen like the dog ate my homework. I understand that the BIOS does at times have to be updated, but I don't want some prick on the other end of the internet doing it for me when it doesn't need to be done.

Re:Clocks/corporotes/updates/crash dumps

[webnut77]

Sounds like you're confusing BIOS with CMOS.

Re:Clocks/corporotes/updates/crash dumps

[maxwell+demon]

Setting the real time clock (if not the clock itself then the area that allows the machine to wake itself on an alarm)
Setting the BIOS settings (e.g. BIOS password, boot devices) in a corporate environment across hundreds of machines

That's not in the BIOS Flash but on the CMOS RAM.

The ability to update the BIOS (e.g. to address a buggy video BIOS or support previously untested hardware)

Such an update can be done on the BIOS level. The operating system itself doesn't use the BIOS for this anyway (unless you are running DOS, of course).

Save a crash dump somewhere safe (don't want to trash the disk) across a shutdown

Do you know a system where dumps are stored in the BIOS Flash? If you want to provide dumping into on-board Flash, you better make that Flash separate (even without viruses, if your system is so fucked up that it might trash the disk on dumping, it might also trash the flash memory it writes to; you definitely do not want that to be your BIOS!)

Re:How complex can it possibly be ?

[cachimaster]

Preface: I know a thing or two about BIOS hacking.

Me too, I did it several times. Not too hard if you have several motherboards to waste :)

Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be, ?

Well apparently this was found on the wild, working.

This doesn't leave a whole lot of space for adding an attack module.

You don't need very much if you know assembly. 512 bytes (yes, bytes) is enough for a very good win32 shellcode with network access. I have found anything from 1KB to 30 KB free memory, and you always can trash unused ROM extensions or bitmaps.

Modern operating systems don't use the BIOS at all past the bootloader

This is incorrect. Most operative system uses the BIOS well past the bootloader to get the memory map, VGA mode setting and other stuff like setting up BIOS32 structures, even if the are not used later.

It might be possible to punt out some other chunk of the BIOS to make room, but that's playing with fire. If the machine becomes unbootable, the rootkit won't get very far.

True, but BIOS persistence is only an additional vector. If it detects an incompatible BIOS, it simple don't use that way to persist on the system.

Re:This is some serious business

[fuzzyfuzzyfungus]

Last week, I updated, and then applied desired settings to, several hundred systems across multiple sites without getting up from my desk, much less getting up from my desk, visiting each site, unlocking each chassis, toggling a jumper, completing the update, toggling the jumper back, relocking the chassis, and moving on to the next... Build update package, shove update package over network. Go, settings take effect on next boot(for newly purchased systems, just plug 'em in, PXE boot, and you get your system image and BIOS config automatically).

The option to hard-switch the BIOS into read-only would be handy; but I'm not seeing it become a default any time soon...

Re:This is some serious business

[lpp]

It's not just that it was first discovered by a Chinese security firm. It also appears to be targeted at Chinese PCs. From the original post:

The infection is clearly focused on Chinese users, because the dropper is carefully checking if the system it’s going to infect is protected by Chinese security software Rising Antivirus and Jiangmin KV Antivirus.

Makes one wonder who developed it and what the intent was.

Re:This is some serious business

[rthille]

Not only that, but a guy in china did the same thing to all those systems of yours! :-)