Slashdot Mirror

← Back to Stories (view on slashdot.org)

New BIOS Exploiting Rootkit Discovered

Posted by Unknown on from the the-90s-want-their-virus-back dept.

First time accepted submitter mtemar writes with a Symantec analysis of an interesting new trojan/virus. From the article:"There are more and more known viruses that infect the MBR. Symantec Security Response has published a blog to demonstrate this trend last month. However, we seldom confront with one that infects the BIOS. One of them, the notorious CIH, appeared in 1999, which infected the computer BIOS and thus harmed a huge number of computers at that time. Recently, we met a new threat named Trojan.Mebromi that can add malicious components into Award BIOS which allows the threat to take control of the system even before MBR."

2 of 205 comments (clear)

  1. This is what easy over safe design gets ya by jmorris42 · · Score: 5, Insightful

    When flash BIOS first appeared you had to move a hardware jumper to enable writing it. Then we had systems where you could fix it so that once POST finished the possibility to write the BIOS was physically removed. But people wanted simple Windows based utilities to reflash the BIOS instead of booting from a special floppy or even using the flashers many BIOSes themselves offered, and nobody wanted end users to have to open the case and move a jumper. So the vital security functions were removed. Hilarity ensues.

    --
    Democrat delenda est
  2. Re:How complex can it possibly be ? by cachimaster · · Score: 5, Informative

    Preface: I know a thing or two about BIOS hacking.

    Me too, I did it several times. Not too hard if you have several motherboards to waste :)

    Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be, ?

    Well apparently this was found on the wild, working.

    This doesn't leave a whole lot of space for adding an attack module.

    You don't need very much if you know assembly. 512 bytes (yes, bytes) is enough for a very good win32 shellcode with network access. I have found anything from 1KB to 30 KB free memory, and you always can trash unused ROM extensions or bitmaps.

    Modern operating systems don't use the BIOS at all past the bootloader

    This is incorrect. Most operative system uses the BIOS well past the bootloader to get the memory map, VGA mode setting and other stuff like setting up BIOS32 structures, even if the are not used later.

    It might be possible to punt out some other chunk of the BIOS to make room, but that's playing with fire. If the machine becomes unbootable, the rootkit won't get very far.

    True, but BIOS persistence is only an additional vector. If it detects an incompatible BIOS, it simple don't use that way to persist on the system.