Security Hardware

Rootkits Head for Your BIOS (287 comments)

Artem Tashkinov wrote to mention a SecurityFocus article that discusses a disturbing new threat to computer security: rootkits that target a computer's BIOS. From the article: "One rootkit expert at the conference predicted that the technology will become a fundamental part of rootkits in the near future. 'It is going to be about one month before malware comes out to take advantage of this,' said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. 'This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in.'" Update: 01/27 14:28 GMT by Z: John Heasman wrote with a link to the slide presentation on this topic given at the Black Hat Conference (PDF).
  • Re:Really? (Score:5, Informative)

    by Shanep ( 68243 ) on Friday January 27, 2006 @10:04AM (#14578065) Homepage
    Where are such tools? If I knew such things existed, I would have experimented in "bricking" some of my machines YEARS ago

    Well there is UNIFLASH [uniflash.org] with source code. Then there are the likes of CBROM and AMIBCP to modify BIOS images and remove and add/enable drivers, functionality and boot screen graphics. Here [goe.net] and here [dstyles.de] are good places for info and tools.
  • Re:Hoglund? (Score:5, Informative)

    by SilverspurG ( 844751 ) on Friday January 27, 2006 @10:05AM (#14578066) Homepage Journal
    He's also the author of a well-known book on rootkits. It's a pretty good read. Maybe you should revise your ill-informed personal opinion.

    He doesn't just write rootkits. He teaches seminars on how to write them. He's not a blackhat any more than this guy [slashdot.org]. I guess that puts you on par with Oracle.
  • by Anonymous Coward on Friday January 27, 2006 @10:08AM (#14578099)
    Not currently. I've looked at LinuxBIOS, at http://www.linuxbios.org/ [linuxbios.org], and the way they seem to be protected right now is through massive fragmentation and extremely poor documentation of the BIOS editing facilities. There really is no fundamental defense in place against editing the BIOS, since Microsoft's operating systems sometimes do it as part of their normal system manipulations. The result is amazing contortions that software vendors do to get things set just the right way for their particular requirements.

    Microsoft and their friends are actually looking at this with their "Trusted Computing" tool, formerly called "Palladium". The danger of Palladium is that it can be used to lock out non-Microsoft-signed boot loaders or hardware drivers that the user may actually want to use, especially the master-boot-record or MBR. That can directly prevent the use of non-Microsoft-signed operating systems by any means whatsoever on PC hardware.

  • Re:Solution (Score:3, Informative)

    by Jeff DeMaagd ( 2015 ) on Friday January 27, 2006 @10:25AM (#14578162) Homepage Journal
    The old Matrox video cards had a "write protect" DIP switch that would prevent or allow video BIOS flashing. It might have been something to prevent errant code from messing things up, I don't know.
  • Re:Simple Solution (Score:5, Informative)

    by SilverspurG ( 844751 ) * on Friday January 27, 2006 @10:27AM (#14578181) Homepage Journal
    One of the reasons why BIOS is flashable is to help the manufacturers. Oftentimes they have the hardware but they don't have the code written yet. Take the Dell D800 laptops for example. When they first shipped the external audio and S-video ports were nonfunctional because they hadn't written the software to put the wires together internally yet. It wasn't until rev. A13, maybe A14, of their BIOS that these ports were enabled. The D800 that I was privy to shipped with BIOS rev. A11.
  • Re:Solution (Score:3, Informative)

    by NewToNix ( 668737 ) on Friday January 27, 2006 @10:44AM (#14578317) Journal
    Granted, a lot of mobos don't require changing a jumper to flash the BIOS, but it seems that some do (none that I've encountered, though).

    Every ASUS board I own has a jumper (and I have a lot of different model ASUS boards in use - over twenty anyway).

    I don't know if all ASUS boards have BIOS jumpers, but all of mine do.

    So now I guess I'll be putting those jumpers in non flash mode.

    One more annoyance - but at least I got lucky that they all have the jumper.

    They are all AMD boards (I don't use Intel, no flame, just a personal choice), so maybe the mother board chip sets have something to do with them putting BIOS jumpers on board. I don't know if that would have anything to do with it or not.

    But I can see where having the BIOS jumper is about to become a mother board selling point...

  • Re:Solution (Score:2, Informative)

    by Dave_M_26 ( 773236 ) on Friday January 27, 2006 @10:49AM (#14578357)
    And there should be a third read only chip containing the original bios, which could somehow be loaded in the case of an emergency/mistake. BIOS chips can't really be that expensive, so putting extra security measures in place to not get your system hosed are important.

    Gigabyte have had this for a few years now. They call it Dual Bios.

    Dave

  • Re:Solution (Score:3, Informative)

    by MBGMorden ( 803437 ) on Friday January 27, 2006 @10:58AM (#14578430)
    I've seen some Biostar motherboards that do this. My guess (and it's just a guess) is that Biostar is more often used by the "screwdriver shops" in the computer they build for customers, so they include features like this to help the shop keep the customer from messing a system up (ie, flip the switch to disable BIOS writes - If they aren't smart enough to figure out that you need to turn the switch back off, then you probably don't need to flash a BIOS).

    Other brands more common in hobbyist PC's (Abit, Asus, Gigabyte, etc) focus on a different type of feature-set.
  • Re:Solution (Score:2, Informative)

    by Anonymous Coward on Friday January 27, 2006 @11:08AM (#14578518)
    How 'bout adding BIOS backup to your system backup chores. Any board I've ever worked with has a flash utility that lets you save your current BIOS contents.
    1. make a bootable floppy
    2. put the MB's flash utility on it
    3. learn how to use the flash utility - particularly how to save and restore a bios to/from a file.
    4. use the flash utility to copy the current bios to disk.
    5. put the disk somewhere, and remember where it is when EVIL_BIOS_TRASHING_R00T_KIT comes knocking.
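The backup procedure above, and the ACPI-table rootkit technique the summary points at (the Heasman Black Hat slides), both come down to the same practical check: keep a known-good copy of the firmware image and of the ACPI tables the OS actually parses, and compare against it later. The script below is an added example, not code from the article, the slides or any commenter. It assumes POSIX sh with sha256sum (or shasum/openssl) for the baseline and verify steps; the optional collection step assumes a Linux host with root, flashrom (`flashrom -p internal -r FILE`) and the tables exposed under /sys/firmware/acpi/tables. The self-test uses constructed byte strings, not real firmware.

```shell
#!/bin/sh
# Firmware integrity baseline/verify helpers (added example; not from the
# article or the commenters). Assumes: POSIX sh, sha256sum (or shasum/openssl),
# and, for the real collection step only, flashrom plus Linux sysfs ACPI tables.

# Print the SHA-256 of a file, trying the common tools in order.
fw_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Record a baseline: "<sha256>  <name>" for every regular file in DIR.
fw_baseline() {
    dir=$1; baseline=$2
    : > "$baseline"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(fw_sha256 "$f")" "$(basename "$f")" >> "$baseline"
    done
}

# Verify DIR against BASELINE. Prints one line per artifact; returns 0 only if
# every baselined file is present and unchanged, 1 otherwise. A changed DSDT
# or BIOS image is exactly the trace an ACPI/BIOS rootkit would leave.
fw_verify() {
    dir=$1; baseline=$2; rc=0
    while read -r want name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        have=$(fw_sha256 "$dir/$name")
        if [ "$have" = "$want" ]; then
            echo "OK       $name"
        else
            echo "CHANGED  $name ($want -> $have)"; rc=1
        fi
    done < "$baseline"
    return $rc
}

# Collect the real artifacts on a Linux host (root required; flashrom reads
# the SPI/LPC flash, sysfs exposes the ACPI tables the kernel parsed).
# Only runs when FW_COLLECT=1 so this file is safe to source.
fw_collect() {
    out=$1; mkdir -p "$out"
    flashrom -p internal -r "$out/bios.bin"
    for t in DSDT FACP; do
        cp "/sys/firmware/acpi/tables/$t" "$out/$t.bin"
    done
    for s in /sys/firmware/acpi/tables/SSDT*; do
        [ -e "$s" ] && cp "$s" "$out/$(basename "$s").bin"
    done
}

# Self-contained demonstration on constructed dumps: a "clean" directory is
# baselined, then a copy with one byte of the DSDT changed is verified.
fw_demo() {
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    mkdir -p "$tmp/clean" "$tmp/tampered"
    printf 'DSDT-table-bytes' > "$tmp/clean/DSDT.bin"   # constructed, not a real table
    printf 'BIOS-image-bytes' > "$tmp/clean/bios.bin"   # constructed
    cp "$tmp/clean/"* "$tmp/tampered/"
    printf 'DSDT-table-bytez' > "$tmp/tampered/DSDT.bin"
    fw_baseline "$tmp/clean" "$tmp/baseline.txt"
    fw_verify "$tmp/clean" "$tmp/baseline.txt"
    fw_verify "$tmp/tampered" "$tmp/baseline.txt" || echo "tampered dump detected (exit 1)"
}

if [ "${FW_COLLECT:-0}" = "1" ]; then fw_collect "${1:-./fw-dump}"; fi
if [ "${FW_DEMO:-0}" = "1" ]; then fw_demo; fi
```

Run `FW_DEMO=1 sh fwcheck.sh` to see the constructed tampering flagged; on a real machine run `FW_COLLECT=1 sh fwcheck.sh ./known-good` once after a trusted flash, store the baseline offline (the floppy in the comment above is the 2006 equivalent), and re-collect into a second directory to diff later. Comparing only the vendor's BIOS image misses a DSDT that was patched in the table rather than in the flash image, so hash the tables the kernel actually parsed as well.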
  • by cyberbian ( 897119 ) on Friday January 27, 2006 @11:27AM (#14578709) Journal

    The BIOS or Basic Input Output System is a series of low level instructions to help set up the basic functionality of hardware and initialize the bootstrap process. As this device is typically created in hardware in a CMOS (Complementary Metal Oxide Semiconductor) based firmware usually called EEPROM (Electrically Erasable Programmable Read Only Memory), you need a low level EEPROM programming utility to access and write to this firmware. After POST (Power On Self Test), BIOS is the first device initialized during the boot process; it is used to identify local and external devices, provide for their initialization, and map their resource entries for later use by the operating system. Motherboard manufacturers have been aware of this vulnerability for years, and have taken appropriate steps including but not limited to jumpers (can't flash BIOS unless jumped) and other protections. This is why you'll not find a software writable BIOS implementation receive C2 certification.

    EFI is equally 'hackable' and potentially even more so. By increasing complexity, you increase the exposure to compromise. It is not true that security by obscurity works for all cases, so in truth you're not going to be secure any way you slice it. IBM proved in the 1960s and early 1970s that physical access to the equipment and the appropriate knowledge can render any security system including the attempts at secure kernels useless (a project starting with 'M' comes to mind here.)

    It is very true that there are inherent dangers in the use of computers, esp. with respect to sensitive data. It is equally true that any lock created is already insecure by the nature of the fact that a key must exist. The FUD is getting spread a little thick here, that's why it's important to understand that TPM is just a dongle you can't see, touch, or remove.

  • by Creepy ( 93888 ) on Friday January 27, 2006 @11:35AM (#14578795) Journal
    Technically, you're not safe from this on any OS that uses BIOS, though the deployment method may depend on Windows. I don't think EFI offers much help, either, as I've read that it includes a BIOS emulation layer that may be exploitable, so Intel Mac users shouldn't be too smug.

    For that matter, it would be possible to write a cross-platform executable if the interface to ACPI is written in x86 assembly without dependence on any libraries (target the instruction set rather than the OS).

    sigh... someone will probably exploit programmable GPUs next.
