Rootkits Head for Your BIOS
Artem Tashkinov wrote to mention a SecurityFocus article which discusses a disturbing new threat to computer security: Rootkits that target a computer's BIOS. From the article: "One rootkit expert at the conference predicted that the technology will become a fundamental part of rootkits in the near future. 'It is going to be about one month before malware comes out to take advantage of this,' said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. 'This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in.'" Update: 01/27 14:28 GMT by Z : John Heasman wrote with a link to the slide presentation on this topic given at the Black Hat Conference (pdf).
What about EFI? (Score:3, Insightful)
write protect swith (Score:2, Insightful)
Re:Solution (Score:5, Insightful)
Wait. Never mind. Joe Sixpack would almost never flash a BIOS, because he still calls the tower "my hard drive."
Re:Solution (Score:1, Insightful)
Also, the BIOS-flashing process should have a user confirmation screen on the next boot. I don't only want to stop potential malicious writes to my BIOS, but to know when they happen.
one-button functionality is to blame (Score:4, Insightful)
There are two contradicting principles here.
Many home users want that second kind of functionality. Partly because they don't want to bother with the details, partly because they are mentally challenged. They really like to be able to update the computer's BIOS as easily as visiting a web site or running any kind of program. Unfortunately, this is what they get. And so do we.
Re:Solution (Score:5, Insightful)
You Young Whippersnappers! (Score:5, Insightful)
Grandad Admin.
In all seriousness, I am surprised at the lack of malicious viruses today. In yesteryear, viruses wiped out data, wiped out file allocation tables, wiped out BIOSes, wiped out PCs. In comparison, today's "malware" seems rather tame or even benign.
Watch Out!! (Score:3, Insightful)
Re:You Young Whippersnappers! (Score:4, Insightful)
Computer viruses today are hardly an annoyance to their "victims", only to the rest of the world.
Re:What about EFI? (Score:5, Insightful)
That's what about EFI.
Re:What about EFI? (Score:1, Insightful)
No, what about Trusted Computing and having a nice helpful TPM in your machine to ensure that this doesn't happen... and that only trusted updates are made.
At least, that's what the latest Intel press release (being drafted now) will say once they whip this up into a massive scare story.
Re:Hoglund? (Score:5, Insightful)
In other words, at no point is the actual title of any windows transmitted.
Let's review this situation:
It amazes me that such a transparent piece of bullshittery could have got as much press as it did, given that it's clearly a case of him trying to spite Blizzard after they shut down the money-making business of Wow!Sharp (it only went open source after they felt it had become useless). Ever since this sordid incident, Hoglund has been a dirty name to me and many others familiar with it, and I don't trust him at all.
Like I said, it wouldn't surprise me a bit if he released code showing how to hack the BIOS, just like he teaches people how to write rootkits despite them having (as far as I'm aware) no legitimate uses.
Re:move along. (Score:2, Insightful)
And what, exactly, would a rootkit or virus want with the BIOS?
A very insightful question—and one with a scary answer. Currently, if I have a machine that's infected with a rootkit/virus/other malware, I can boot Knoppix or other favourite live CD of choice, and be sure that the malware isn't running (and thus can't prevent me detecting/removing it, log my keystrokes, wipe my HD, or any other things I'd rather it didn't do). Once malware starts overwriting the BIOS, I can't even be sure of that: as soon as I apply power to the machine, it's already compromised...
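The comment above makes the detection point precisely: once firmware can be rewritten, nothing booted afterwards (a live CD included) can be trusted to report on it, so the measurement has to be compared against a baseline recorded earlier and kept off the machine. The following is an added example, not code from the original thread or from any vendor tool; it hashes a toy flash image as a whole and per region so a change can be localized. The three-region layout, region size and the sample images are constructed for illustration; reading real SPI flash would need a hardware programmer or a vendor utility, which is assumed and not shown.

```python
"""Firmware integrity baseline check (constructed example, not from the thread).

The "flash dumps" below are constructed byte strings. The check is only
meaningful if the baseline is stored off the machine and the dump is taken
by something the firmware cannot influence (assumption: an external reader).
"""
import hashlib
import json
from typing import Dict, List

# Toy layout: three fixed-size regions. Real BIOS regions are far larger
# and laid out per vendor; the names here are illustrative only.
REGION_SIZE = 64
REGION_NAMES = ["boot_block", "acpi_tables", "setup"]


def build_image(boot_block: bytes, acpi: bytes, setup: bytes) -> bytes:
    """Assemble a toy flash image, padding each region with 0xFF like erased flash."""
    parts = [boot_block, acpi, setup]
    return b"".join(p.ljust(REGION_SIZE, b"\xff")[:REGION_SIZE] for p in parts)


def measure(image: bytes) -> Dict[str, str]:
    """SHA-256 of the whole image plus each region, as hex digests."""
    digests = {"whole": hashlib.sha256(image).hexdigest()}
    for i, name in enumerate(REGION_NAMES):
        chunk = image[i * REGION_SIZE:(i + 1) * REGION_SIZE]
        digests[name] = hashlib.sha256(chunk).hexdigest()
    return digests


def record_baseline(image: bytes) -> str:
    """Serialize the measurements so they can be kept off-box (printout, write-once media)."""
    return json.dumps(measure(image), sort_keys=True)


def verify(image: bytes, baseline_json: str) -> List[str]:
    """Names of regions whose digest differs from the baseline; empty list means unchanged."""
    baseline = json.loads(baseline_json)
    current = measure(image)
    if current["whole"] == baseline["whole"]:
        return []
    return [name for name in REGION_NAMES if current[name] != baseline[name]]


# Constructed samples: a known-good image and one whose ACPI region was altered.
GOOD_IMAGE = build_image(b"BOOTBLOCK v1", b"DSDT: normal table", b"SETUP defaults")
TAMPERED_IMAGE = build_image(b"BOOTBLOCK v1", b"DSDT: altered table", b"SETUP defaults")

if __name__ == "__main__":
    baseline = record_baseline(GOOD_IMAGE)
    print("good image, changed regions:", verify(GOOD_IMAGE, baseline))
    print("tampered image, changed regions:", verify(TAMPERED_IMAGE, baseline))
```

The baseline is taken once from an image known to be good (for example straight after a vendor update verified by other means) and the comparison is repeated later from a dump the running system had no hand in producing; a per-region mismatch narrows where to look, and a whole-image match short-circuits the region checks.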
Re:You Young Whippersnappers! (Score:5, Insightful)
No, today's malware got serious. Used to be it was kids proving how 133t they were, now it is professionals implanting spyware and rootkits to make spam zombies, both of which are highly profitable. Destroying a machine earns you zero dollars, owning it makes the cash register go DING!
What scares the shit outta me, and should scare everyone else with a clue, is the thought of terrorism via the Internet. Imagine the damage a well heeled outfit could inflict.
Follow me here for a minute. Source code for Windows is out there. Obviously source for Linux, BSD and now Solaris is out there. It isn't just motherboards that have a flash chip. Almost every DVD/CD drive has one and many hard drives even load firmware from flash. Now let's imagine a well funded effort to locate a day zero exploit in two or more popular platforms. And remember, Windows and PC Linux aren't the only ones. Add in Linksys access points, Cisco IOS, etc. While one team works the exploit problem others work on a propagation engine that won't suffer from the crippling flaws seen in previous attempts and a deadly payload. Plant a kaboom in the BIOS instantly, so if the machine is rebooted it, along with the drives, goes bye bye. Then attempt to infect other hosts for 24-48 hours before triggering a reboot into death.
If done correctly it could destroy outright 10-25% (or even more) of the clients on the Internet and a good percentage of the servers, access points and other infrastructure. This alone would probably be enough to tank the world economy, but the real effect would be a widespread FEAR of reconnecting to the Internet. Kiss Google, Amazon, Dell, etc. goodbye if that happened.
Re:In the Good Old Days (Score:3, Insightful)
Re:You Young Whippersnappers! (Score:3, Insightful)
An owned PC is worth more to an attacker than a destroyed machine. (I'm talking about "large numbers" here, not pointed efforts to take a site/machine down.)
I'm surprised there are *any* large-scale malicious viruses anymore... Only because "ownership" means cash to the person who can deliver the botnets. And, for identity thieves, a crashed machine doesn't serve up personal information.
Follow the money.
You are wrong and I can prove it. (Score:1, Insightful)
You may have a reasonable point. This use is in contravention of the EULA. However, they run the Warden on ALL computers because they cannot know which ones belong to cheaters ahead of time. As I will show, this seriously compromises the security and privacy of anyone running WoW.
Furthermore, I for one adamantly refuse to play any such game on principle. I will not submit to this sort of digital strip search for any reason. There are plenty of games which do not require this sort of draconian intrusion onto one's computer.
The Warden doesn't "spy" on you, that's a ridiculous assertion
You say "doesn't." That verb is in the present tense. The Warden is code downloaded from WoW whose content can be changed at any time. ANY TIME. Please let that sink in. That makes it a trojan with a remotely downloaded payload. Although they can change that, of course. Granted, they do disclose that there may be some vague code doing something in the EULA. Kinda sorta. Assuming it hasn't changed to contradict the EULA since the EULA was written. And we all know how the EULA defense worked for Sony. The only difference here is that the code is required to play the game at all and that we don't actually know exactly what information it sends out (although, as I'll show below, we can get a pretty good idea thanks to a side channel attack).
As for "only sends back hashes" you do NOT know that. If you'd even bothered to read the whole description, you'd see that it sends back encrypted packets. So yes, it does root through all open windows, all processes in memory, etc. and it does hash them, but you have NO way of knowing what's in those packets. They can send the contents of any section of memory out with the hashes. They can throw the hashes away and send only content. Hell, someone on the very forum linked to described several megabytes of bandwidth getting used up by this over a few seconds. That's pretty clearly inconsistent with sending only the hashed information back.
Worse, even with the "only hashes" line of reasoning, it checked all the email addresses of his friends, etc. If they can ban you merely for *communicating* with the wrong folks, dammit, that's a problem.
it does not send personally identifiable information back to Blizzard
The information sent back is personally identifiable in that it's linked to your WoW account, which is linked to a credit card, which had better be linked back to the account holder. How do you think they ban people if they cannot identify them? Do you not think that they'll not know which account to cancel if a given credit card is maxed?
Please explain to me how you could possibly think otherwise. You cannot add that together and say it's "not personally identifiable" without utterly distorting the meaning of that phrase. Even if you try to justify that by saying that mom & dad are the ones actually paying for your account, it's pretty trivial to trace it back to you, in the end, and it's certainly identifiable.
Ever since this sordid incident, Hoglund has been a dirty name to me and many others familiar with it, and I don't trust him at all.
[...]
Like I said, it wouldn't surprise me a bit if he released code showing how to hack the BIOS, just like he teaches people how to write rootkits despite them having (as far as I'm aware) no legitimate uses.
That's a completely illogical line of reasoning. It's kinda like saying "I don't like you, so I'll assume that you'll do something criminal." Moreover, giving out information on ho