Rootkits Head for Your BIOS 287
Artem Tashkinov wrote to mention a SecurityFocus article which discusses a disturbing new threat to computer security: Rootkits that target a computer's BIOS. From the article: "One rootkit expert at the conference predicted that the technology will become a fundamental part of rootkits in the near future. 'It is going to be about one month before malware comes out to take advantage of this,' said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. 'This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in.'" Update: 01/27 14:28 GMT by Z : John Heasman wrote with a link to the slide presentation on this topic given at the Black Hat Conference (pdf).
Re:Really? (Score:5, Informative)
Well there is UNIFLASH [uniflash.org] with source code. Then there are the likes of CBROM and AMIBCP to modify BIOS images and remove and add/enable drivers, functionality and boot screen graphics. Here [goe.net] and here [dstyles.de] are good places for info and tools.
Re:Hoglund? (Score:5, Informative)
He doesn't just write rootkits. He teaches seminars on how to write them. He's not a blackhat any more than the this guy [slashdot.org]. I guess that puts you on par with Oracle.
Re:Disable writing to the BIOS? (Score:1, Informative)
Microsoft and their friends are actually looking at this with their "Trusted Computing" tool, formerly called "Palladium". The danger of Palladium is that it can be used to lock out non-Microsoft-signed boot loaders or hardware drivers that the user may actually want to use, especially the master-boot-record or MBR. That can directly prevent the use of non-Microsoft-signed operating systems by any means whatsoever on PC hardware.
Re:Solution (Score:3, Informative)
Re:Simple Solution (Score:5, Informative)
Re:Solution (Score:3, Informative)
Every ASUS board I own has a jumper (and I have a lot of different model ASUS boards in use - over twenty anyway).
I don't know if all ASUS boards have BIOS jumpers, but all of mine do.
So now I guess I'll be putting those jumpers in non flash mode.
One more annoyance - but at least I got lucky that they all have the jumper.
They are all AMD boards (I don't use Intel, no flame, just a personal choice), so maybe the mother board chip sets have something to do with them putting BIOS jumpers on board. I don't know if that would have anything to do with it or not.
But I can see where having the BIOS jumper is about to become a mother board selling point...
Re:Solution (Score:2, Informative)
Gigabyte have had this for a few years now. They call it Dual Bios.
Dave
Re:Solution (Score:3, Informative)
Other brands more common in hobbyist PC's (Abit, Asus, Gigabyte, etc) focus on a different type of feature-set.
Re:Solution (Score:2, Informative)
Re:root access needed? (Score:3, Informative)
The BIOS or Basic Input Output System is a series of low level instructions to help set up the basic functionality of hardware and initialize the bootstrap process. As this device is typically created in hardware in a CMOS (Complimentary Metal Oxide Semiconductor) based firmware usually called EEPROM (Electrically Eraseable Programmable Read Only Memory) you need a low level EEPROM programming utility to access and write to this firmware. As BIOS is after POST (Power On Self Test) the first device initialized during the boot process and is used to identify local and external devices and provide for their initialization and map their resource entries for later use by the operating system. Motherboard manufacturers have been aware of this vulnerability for years, and have taken appropriate steps including but not limited to jumpers (can't flash BIOS unless jumped) and other protections. This is why you'll not find a software writable BIOS implementation receive C2 certification.
EFI is equally 'hackable' and potentially even more so. By increasing complexity, you increase the exposure to compromise. It is not true that security by obscurity works for all cases, so in truth you're not going to be secure any way you slice it. IBM proved in the 1960s and early 1970s that physical access to the equipment and the appropriate knowledge can render any security system including the attempts at secure kernels useless ( a project starting with 'M' comes to mind here.)
It very true that there are inherent dangers in the use of computers, esp. with respect to sensitive data. It is equally true that any lock created is already insecure by the nature of the fact that a key must exist. The FUD is getting spread a little thick here, that's why it's important to understand that TPM is just a Dongle you can't see, touch, or remove.
Re:Obligatory smug Mac user comment (Score:4, Informative)
For that matter, it would be possible to write a cross-platform executable if the interface to ACPI is written in x86 assembly without dependence on any libraries (target the instruction set rather than the OS).
sigh... someone will proabably exploit programmable GPUs next.