Rootkits Head for Your BIOS

Artem Tashkinov wrote to mention a SecurityFocus article which discusses a disturbing new threat to computer security: Rootkits that target a computer's BIOS. From the article: "One rootkit expert at the conference predicted that the technology will become a fundamental part of rootkits in the near future. 'It is going to be about one month before malware comes out to take advantage of this,' said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. 'This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in.'" Update: 01/27 14:28 GMT by Z : John Heasman wrote with a link to the slide presentation on this topic given at the Black Hat Conference (pdf).
  • Solution (Score:5, Interesting)

    by CastrTroy ( 595695 ) on Friday January 27, 2006 @09:54AM (#14577994)
    They should just make the motherboard have a physical switch on it that stops your BIOS from getting written to. For the number of times I've had to flash my BIOS, it'd be a small price to pay to have to open my computer, just to have the peace of mind that some virus wasn't overwriting my BIOS. If it was a software setting, then there would be a way around it, but if there was a physical switch that disconnected the write lines, then it would probably be pretty hard for a hacker to get around that.
  • Hoglund? (Score:5, Interesting)

    by IamTheRealMike ( 537420 ) on Friday January 27, 2006 @09:56AM (#14578001)
    Though this does not and should not reflect upon his findings or the articles, it should be noted that Hoglund is not only a rootkit "expert" but also a blackhat who enjoys developing cheats for World of Warcraft. When the Warden came out and put a stop to this little business [interesting-people.org] his Wow!Sharp software got nailed and (presumably) he began losing money.

    In other words, anything this guy says or does is in my mind suspect .... he writes rootkits and other forms of "attacking software", so for all we know this asshole is getting ready to post example code to the net. It wouldn't be the first time.

  • by digitaldc ( 879047 ) * on Friday January 27, 2006 @10:02AM (#14578035)
    "It is going to be about one month before malware comes out to take advantage of this," said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. "This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in."

    Maybe add a physical unit that you need to move by hand in order to change the BIOS or Flash memory.
    Or, if you suspect your computer has already been compromised, an online/flash drive/external detection tool (independent from the O/S and all software) can be run to find out if your computer has been infected. (It works for the Microsoft Security guys.)
    The tool would have to check the computer's flash, BIOS, and currently running programs and notify you if it is being blocked/disabled/changed...and then fix the problem or tell you what to do to fix it.
  • by HangingChad ( 677530 ) on Friday January 27, 2006 @10:03AM (#14578053) Homepage
    Is when security companies start checking for BIOS rootkits is if they find something there already staring back at them.

    I'm wondering at the possibility this has been done before and not detected because no one looks there?

  • Took long enough (Score:5, Interesting)

    by SilverspurG ( 844751 ) * on Friday January 27, 2006 @10:08AM (#14578093) Homepage Journal
    I'm glad people in the mainstream are beginning to notice this. I saw proof of concept BIOS trojan code as early as '99. It honestly changed my view of the internet, law enforcement, and all of society. While everyone else is busy labelling each other, "Paranoid conspiracy theorist", I've been sitting back thinking, "You dumbass. He's probably right." In all reality the NSA doesn't need wiretaps. If they really wanted you they'd have MS serve up a specially crafted banner ad when you check your Hotmail.

    Real malware doesn't let itself be known. It sits in the background to aid the people watching you.
  • Simple Solution (Score:2, Interesting)

    by squoozer ( 730327 ) on Friday January 27, 2006 @10:08AM (#14578096)

    Just make damn sure that there are no (huge) bugs in the BIOS and burn it to a chip that can't be flashed. I admit that this is perfect for _everyone_ but I'd bet that 99% of computers never have the BIOS flashed so why make it writeable at all. The people that might want to flash their BIOS are probably also the sort of people that would pay a little more for a flashable version. Assuming you want a fairly generic BIOS that will work for a number of machine configurations make one with a tiny bit of writable memory that _just_ stores settings (e.g. non-executable). I imagine this sort of arrangement would be cost effective for tier one manufacturers.

  • by SilverspurG ( 844751 ) * on Friday January 27, 2006 @10:22AM (#14578142) Homepage Journal
    You've really hit the nail on the head. Consider the state of consumer level security. Cookies? Does anyone really believe that cookies adhere to their "personally identifiable information" policy? Why is there no option to save your list of cookie sites? With respect to malware and viruses: Does everyone truly believe that the worst viruses do nothing more than propagate as proof of concept?

    Consumer level security is a game of pointing the people to the right while stealing their wallet from the left. I saw proof of concept BIOS trojans as early as '99. You can't tell me that no one has been using them.
  • Re:Hoglund? (Score:3, Interesting)

    by 7-Vodka ( 195504 ) on Friday January 27, 2006 @10:29AM (#14578193) Journal
    I see, let's evaluate the situation:

    1. He wrote a program that helped people cheat in a game (Oh noes, what an evil black hatter) -3 brownie points

    2. He helped uncover a commercial company's SPYING program to catch you cheating at said game which can also spy on you in all sorts of law-breaking ways (let's see blizzard try to pull this shit in england where they have REAL privacy laws) +300 points

    Giving him a total of 297 brownie points. This actually makes him the equivalent of a girl scout.

  • by murderlegendre ( 776042 ) on Friday January 27, 2006 @10:30AM (#14578204)

    If the board uses one of the larger DIP style EEPROM BIOS chips, wouldn't it be simple to identify the write lines (from the manufacturer's data sheet)? You could then pull the chip, and 'flag' the associated pins (bend them out, so they no longer enter the socket) and re-insert the chip.

    A little tricky maybe, but better than nothing for now..

  • by ehrichweiss ( 706417 ) on Friday January 27, 2006 @10:43AM (#14578301)
    I was at a 2600 Magazine [2600.com] meeting back in 1993 and was talking with some FBI agents, who were actually semi-knowledgeable surprisingly, about how they had found some holes in BIOS code that were big enough to fit a virus into and how it had already been accomplished. I checked into it a bit and the BIOS they described had like 120 bytes of writeable memory which was more than enough for the foundations of a virus.
  • by Anonymous Coward on Friday January 27, 2006 @10:53AM (#14578390)
    In all seriousness, I am surprised at the lack of malicious viruses today. In yesteryear, viruses wiped out data, wiped out file allocation tables, wiped out BIOSes, wiped out PCs. In comparison, today's "malware" seems rather tame or even benign.

    Malware is big business now, and there's nothing to be gained from taking out the bios. The less obvious damage your software does, the longer the machine you've infected stays '0wn3d'.
  • by cyberbian ( 897119 ) on Friday January 27, 2006 @10:54AM (#14578392) Journal

    This posting is clearly spreading it. This is part of a calculated attempt to fear computer users into accepting Trusted Platform Modules which currently exist as UFOs on the new Intel iMacs. When I say UFOs I mean Undocumented Functioning Object. It's installed on my motherboard. It's true that the TCG has made much of the documentation about their modus operandi and even Apple has some OLD documentation about this, the real agenda here is spreading Fear, Uncertainty, and Doubt about their platforms in their current implementations and ease our transition into the TPM future.

    It's not difficult to see that these mechanisms could potentially be part of a much larger agenda. You see it happening all around you, RFID, Ubiquitous Surveillance, Presidentially Endorsed Wiretapping, etc. The controls on your movements are getting tighter and tighter. It's not paranoia, it's paying attention. Connect the dots is an easy game, even children can do it.

    The most damning aspect of this technology is the lack of transparency required by the implementor, in that they can (at their discretion) use closed source to track users, enforce DRM restrictions where previous 'fair use' and other uses were traditionally allowed. The real question is, even for shareholders, how much is too much? Is the quest for maximizing profit hobbling our society?

    Don't look to the skies for UFOs, look on your motherboard, and demand answers for undocumented ICs

  • by SilverspurG ( 844751 ) * on Friday January 27, 2006 @11:32AM (#14578771) Homepage Journal
    You want to talk about broken hardware? I have an FIC PA-2013 mobo which has LM75 sensors under the CPU. They're labelled on the mobo. The sensor is there. But there never was a BIOS released which puts the wires together and makes them accessible to the rest of the system.

    If you look in the user's manual there are screenshots of the BIOS configuration page showing the temperatures... that must've been a development screenshot because it was never made available to consumers.
  • by Daruka Krishna Das ( 313488 ) on Friday January 27, 2006 @11:41AM (#14578859) Homepage
    All this talk of rootkits, but little about BIOS viruses.

    I have a scary scenario for y'all.

    A virus that spreads over networks, stays quiet until a certain date/time GMT and then BOOM wipes the BIOS of hundreds of thousands of Windows boxes around the world in one fell swoop.

    Can you spell "Black Screen of Death"?

    Does anyone remember the Chernobyl virus? It worked on a good number of BIOSes, even though it was poorly written. Imagine if someone took the time to do it right.
  • by btpier ( 587890 ) on Friday January 27, 2006 @11:53AM (#14578984)
    Although there are more and more cases of malware authors trying to hold systems for ransom. Being able to take someone off the net via a DDoS or deleting files is a lot less effective than permanently taking out their hardware when the victim refuses to pay up. I too remember the bios AV systems, they were a PITA but effective and necessary.
  • move along. (Score:3, Interesting)

    by Eil ( 82413 ) on Friday January 27, 2006 @11:56AM (#14579025) Homepage Journal
    This is just a bunch of worthless FUD. Programs have been able to write to the BIOS flash ROM for years now. It's not by any means a new concept. What suddenly makes next month the date that all of these thousands of BIOS-infecting rootkits are going to be released?

    And what, exactly, would a rootkit or virus want with the BIOS? Does a BIOS even have enough "extra room" to accommodate either? How about platform-independent versions? That's just an idiotic claim if I've ever seen one.

    Just sounds to me like this John Heasman is your average "computer security expert" trying to stir up issues and catch some rays in the media spotlight thanks to some worthless but impressive-sounding (to idiots) premise. He needs to go back and finish his MSCE so he can do something useful with his life.
  • by SimonH_1978 ( 948155 ) on Friday January 27, 2006 @12:04PM (#14579102)
    Ah yes, I remember it well. It took out 25 of our PC's in one day, all because Management figured that they didn't like paying the annual Dr Solomon AV subscription fee. Needless to say, they do now.

    We were lucky in that it didn't wipe the BIOS, just the FAT on the hard disk IIRC.

    This isn't anything new . . .
  • In the Good Old Days (Score:5, Interesting)

    by VernonNemitz ( 581327 ) on Friday January 27, 2006 @12:28PM (#14579382) Journal
    Early computers came with "Mask ROM", which couldn't be reprogrammed, and were only inexpensive if manufactured in large quantities, but they were ABSOLUTELY proof against software manipulation. As a compromise, I'd like to get a "simple" PROM technology into the BIOS socket. These are programmable ONCE (like a CD-R), and COULD be made such that after being burned that once, never can they have anything added to it (the way a CD-R can be blocked for further recording into blank areas). Maybe I should be a little more specific. Suppose a new empty PROM has every bit set to '1'. Burning the PROM constitutes permanently changing certain bits to '0'. If not "closed", then malware could do an additional burn and change some of the '1's that you wanted to keep into more '0's, thereby trashing the BIOS. Yes, I know that this overall notion is inconvenient when you want to update the BIOS (you need a brand new blank PROM, every time). I'll accept that as the price to keep malware out of my BIOS, thank you!
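    The one-time PROM behaviour the comment above describes (blank = all ones, a burn can only clear bits to zero, and a "close" step that forbids further burning) is small enough to model directly. The following Python is an added illustration written for this page, not code from the commenter or from any real PROM programmer; the `OneTimeProm` class, its `close` flag and the 40-byte sample image are all constructed assumptions. It shows why an un-closed part can still be trashed by a later burn even though no bit can ever be set back to 1, and why closing the part after the first burn removes that window.

```python
class OneTimeProm:
    """Toy model of the PROM described in the comment (constructed for
    illustration, not a real part): a blank device has every bit set to 1,
    burning can only change 1s to 0s, and a 'close' step permanently refuses
    any further burns."""

    def __init__(self, size: int):
        self.cells = bytearray(b"\xff" * size)  # blank: all ones
        self.closed = False

    def burn(self, offset: int, data: bytes) -> None:
        if self.closed:
            raise PermissionError("PROM is closed; no further burning possible")
        if offset + len(data) > len(self.cells):
            raise ValueError("burn past end of device")
        for i, byte in enumerate(data):
            # A burn can clear bits but never set them: one-way fuses.
            self.cells[offset + i] &= byte

    def close(self) -> None:
        # Sticky: nothing in the model (no power cycle, no register write) reopens it.
        self.closed = True

    def read(self) -> bytes:
        return bytes(self.cells)


def program_bios(prom: OneTimeProm, image: bytes, close_after: bool) -> None:
    """Burn a firmware image into a blank part, optionally closing it afterwards."""
    prom.burn(0, image)
    if close_after:
        prom.close()


def extra_burn_changed_contents(prom: OneTimeProm, offset: int, mask: bytes) -> bool:
    """Model a later, unwanted burn. Returns True if it altered the stored
    image, False if the device refused it or it had no effect."""
    before = prom.read()
    try:
        prom.burn(offset, mask)
    except PermissionError:
        return False
    return prom.read() != before


def demo() -> dict:
    image = bytes([0xEA, 0x5B, 0xE0, 0x00, 0xF0] * 8)  # constructed 40-byte "firmware"
    mask = b"\x00" * 4  # clearing every bit in four cells, as a destructive burn would

    # Left open: a second burn turns remaining 1s into 0s and trashes the image.
    open_prom = OneTimeProm(len(image))
    program_bios(open_prom, image, close_after=False)
    open_altered = extra_burn_changed_contents(open_prom, 0, mask)
    open_intact = open_prom.read() == image

    # Closed after the first burn: the same attempt is refused outright.
    closed_prom = OneTimeProm(len(image))
    program_bios(closed_prom, image, close_after=True)
    closed_altered = extra_burn_changed_contents(closed_prom, 0, mask)
    closed_intact = closed_prom.read() == image

    # Even on an open part, no burn can restore a cleared bit to 1.
    open_prom.burn(0, b"\xff" * 4)
    restored = open_prom.read()[:4] == image[:4]

    return {
        "open_altered": open_altered,
        "open_intact": open_intact,
        "closed_altered": closed_altered,
        "closed_intact": closed_intact,
        "restored_after_reburn": restored,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The asymmetry is the whole argument: an open PROM is not "read-only", it is "write-zeros-only", which is still enough to destroy firmware, so the close step (or a non-flashable mask ROM) is what actually delivers the protection.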
  • Re:Simple Solution (Score:5, Interesting)

    by sjames ( 1099 ) on Friday January 27, 2006 @02:05PM (#14580619) Homepage Journal

    In general, flash BIOS issues are poorly addressed in mainboards. They SHOULD have a write enable jumper, but they don't. Instead, there's usually some undocumented GPIO line that must be set high and a poorly documented southbridge register bit to set. In a single move they deftly prevent many from doing what they want with their own hardware and fail to protect everyone else.

    Several chipsets have features to aid in recovery by swapping the top and second block in the address space when a jumper is set. The idea is that you never update the emergency block at all, and if an update goes wrong, you can recover with a jumper. I have yet to see a board that doesn't leave those pins disconnected.

    They COULD place the emergency recovery sector in ROM, but they never do.

    To make matters worse, the current trend is to solder the flash directly to the board. I suppose they save that all important penny by not using a socket.

    They could have 2 flash chips and a jumper to toggle which one is enabled, but I've only seen a few blade servers that do that. (That sure would have helped those unbootable iMacs [slashdot.org].)

    Many newer flash chips have lock registers that once set write protect the corresponding sector, and a lock down bit that disables unlocking until power cycled. The BIOS COULD have an option (defaults to yes) for locking down the BIOS before calling the bootloader, but they don't.

    There's absolutely no good reason not to protect flash from unwanted updates AND provide absolute safety when you DO want to update.
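    The lock-register mechanism in the comment above (per-sector write-protect bits plus a lock-down bit that disables unlocking until the next power cycle, applied by the BIOS before it calls the bootloader) and the out-of-band integrity check digitaldc suggested earlier in the thread can both be shown with one small simulation. The Python below is an added example for this page, not code from either commenter and not the register map of any real flash part: `FlashChip`, its sector size, the assumption that lock bits reset to unlocked on power-up, and the constructed 16 KiB sample image are all assumptions of the model. It contrasts a board that never locks its flash (the unwanted write lands and only a hash comparison against a known-good image notices) with one whose firmware locks down before handoff (the write is refused and the image stays intact).

```python
import hashlib

SECTOR_SIZE = 4096  # constructed sector size for the model


class FlashChip:
    """Toy model of a flash part with per-sector lock bits and a lock-down bit.

    Constructed for illustration; not the register map of any real chip.
    A lock bit write-protects its sector. Once the lock-down bit is set, lock
    bits can no longer be cleared until the part is power cycled."""

    def __init__(self, image: bytes, sector_size: int = SECTOR_SIZE):
        if len(image) % sector_size:
            raise ValueError("image must be a whole number of sectors")
        self.sector_size = sector_size
        self.sectors = [bytearray(image[i:i + sector_size])
                        for i in range(0, len(image), sector_size)]
        self.locked = [False] * len(self.sectors)
        self.lockdown = False

    def lock_sector(self, n: int) -> None:
        self.locked[n] = True

    def unlock_sector(self, n: int) -> None:
        # The point of lock-down: code running after the BIOS has handed off
        # cannot undo the protection, however privileged it is.
        if self.lockdown:
            raise PermissionError("lock-down is set; unlock ignored until power cycle")
        self.locked[n] = False

    def set_lockdown(self) -> None:
        self.lockdown = True

    def power_cycle(self) -> None:
        # Model assumption: lock bits and lock-down reset to unlocked on
        # power-up, so the BIOS must re-apply them on every boot.
        self.locked = [False] * len(self.sectors)
        self.lockdown = False

    def write(self, offset: int, data: bytes) -> None:
        first = offset // self.sector_size
        last = (offset + len(data) - 1) // self.sector_size
        if last >= len(self.sectors):
            raise ValueError("write past end of flash")
        if any(self.locked[n] for n in range(first, last + 1)):
            raise PermissionError(f"sectors {first}-{last} are write protected")
        for i, byte in enumerate(data):
            n, off = divmod(offset + i, self.sector_size)
            self.sectors[n][off] = byte

    def image(self) -> bytes:
        return b"".join(bytes(s) for s in self.sectors)


def bios_lock_before_handoff(chip: FlashChip) -> None:
    """What the comment says firmware could do by default: lock every sector
    and set lock-down, then call the bootloader."""
    for n in range(len(chip.sectors)):
        chip.lock_sector(n)
    chip.set_lockdown()


def unauthorized_write_blocked(chip: FlashChip, offset: int, payload: bytes) -> bool:
    """Model an OS-level attempt to modify the firmware image.
    Returns True if the chip rejected the write, False if it went through."""
    try:
        chip.write(offset, payload)
    except PermissionError:
        return True
    return False


def image_matches(chip: FlashChip, known_good_sha256: str) -> bool:
    """The out-of-band check from the thread: compare flash contents against a
    hash recorded while the firmware was known to be good."""
    return hashlib.sha256(chip.image()).hexdigest() == known_good_sha256


def demo() -> dict:
    good_image = bytes(range(256)) * (4 * SECTOR_SIZE // 256)  # constructed 4-sector image
    known_good = hashlib.sha256(good_image).hexdigest()
    payload = b"\xcc" * 16  # constructed stand-in for a modified code region

    # Board that never locks the flash: the write lands; only the hash notices.
    unlocked = FlashChip(good_image)
    blocked_unlocked = unauthorized_write_blocked(unlocked, 0x100, payload)
    tampered_detected = not image_matches(unlocked, known_good)

    # Board whose BIOS locks down before handing off: the write is refused.
    locked = FlashChip(good_image)
    bios_lock_before_handoff(locked)
    blocked_locked = unauthorized_write_blocked(locked, 0x100, payload)
    still_good = image_matches(locked, known_good)
    try:
        locked.unlock_sector(0)
        unlock_refused = False
    except PermissionError:
        unlock_refused = True

    # Only a power cycle clears lock-down, which is the window firmware itself
    # gets to run a legitimate update before locking down again.
    locked.power_cycle()
    locked.unlock_sector(0)
    unlock_ok = not locked.locked[0]

    return {
        "unlocked_board_write_blocked": blocked_unlocked,
        "unlocked_board_tamper_detected": tampered_detected,
        "locked_board_write_blocked": blocked_locked,
        "locked_board_image_intact": still_good,
        "unlock_refused_under_lockdown": unlock_refused,
        "unlock_possible_after_power_cycle": unlock_ok,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The two halves are complementary: the lock-down bit prevents the modification, while the hash comparison is what a detection tool that runs independently of the installed OS would use to catch a board on which nothing prevented it. Note that in this model the protection exists only because firmware re-applies it on every boot, which is exactly the "option that defaults to yes" the comment asks vendors for.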

  • by sjames ( 1099 ) on Friday January 27, 2006 @02:13PM (#14580736) Homepage Journal

    Like natural biological pathogens, they have evolved over time to avoid killing their host outright. However, I agree with you, in spite of the billions in productivity losses in recent years, it COULD be a whole lot worse.

    Imagine the problems if one of the many worms spread a little more slowly (to avoid alerting the network admin), and then wiped BIOS on a given day far enough in the future to have time to spread, but not so far that it gets detected and cleaned off. Whole companies (even large ones) might wake up one morning to discover they don't have even one functional computer to their name.

    Add to that viruses that re-write ACPI in creative ways and you have a really big problem!
