Rootkits Head for Your BIOS 287
Artem Tashkinov wrote to mention a SecurityFocus article which discusses a disturbing new threat to computer security: Rootkits that target a computer's BIOS. From the article: "One rootkit expert at the conference predicted that the technology will become a fundamental part of rootkits in the near future. 'It is going to be about one month before malware comes out to take advantage of this,' said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. 'This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in.'" Update: 01/27 14:28 GMT by Z : John Heasman wrote with a link to the slide presentation on this topic given at the Black Hat Conference (pdf).
Solution (Score:5, Interesting)
Hoglund? (Score:5, Interesting)
In other words, anything this guy says or does is in my mind suspect .... he writes rootkits and other forms of "attacking software", so for all we know this asshole is getting ready to post example code to the net. It wouldn't be the first time.
Hard switch or external tool (Score:4, Interesting)
Maybe add a physical unit that you need to move by hand in order to change the BIOS or Flash memory.
Or, if you suspect your computer has already been compromised, use an online/flash drive/external detection tool (independent from the O/S and all software) can be run to find out if you computer has been infected. (It works for the Microsoft Security guys)
The tool would have to check the computer's flash, BIOS, and currently running programs and notify you if it is being blocked/disabled/changed...and then fix the problem or tell you what to do to fix it.
What will be interesting (Score:5, Interesting)
I'm wondering at the possibility this has been done before and not detected because no one looks there?
Took long enough (Score:5, Interesting)
Real malware doesn't let itself be known. It sits in the background to aid the people watching you.
Simple Solution (Score:2, Interesting)
Just make damn sure that there are no (huge) bugs in the bios and burn it to a chip that can't be flashed. I admit that this is perfect for _everyone_ but I'd bet that 99% of computers never have the BIOS flashed so why make it writeable at all. The people that might want to flash their BIOS are probably also the sort of people that would pay a little more for an flashable version. Assuming you want a fairly generic BIOS that will work for a number of machine configurations make one with a tiny bit of writable memory that _just_ stores settings (e.g. non-executable). I imagine this sort of arrangement would be cost effective for tier one manufacturers.
Re:What will be interesting (Score:3, Interesting)
Consumer level security is a game of pointing the people to the right while stealing their wallet from the left. I saw proof of concept BIOS trojans as early as '99. You can't tell me that no one has been using them.
Re:Hoglund? (Score:3, Interesting)
1. He wrote a program that helped people cheat in a game (Oh noes, what a evil black hatter) -3 brownie points
2. He helped uncover a commercial company's SPYING program to catch you cheating at said game which can also spy on you in all sorts of law-breaking ways (let's see blizzard try to pull this shit in england where they have REAL privacy laws) +300 points
Giving him a total of 297 brownie points. This actually makes him the equivalent of a girl scout.
Temporary workaround? (Score:4, Interesting)
If the board uses one of the larger DIP style EEPROM BIOS chips, wouldn't it be simple to identify the write lines (from the manufacturer's data sheet)? You could then pull the chip, and 'flag' the associated pins (bend them out, so they no longer enter the socket) and re-insert the chip.
A little tricky maybe, but better than nothing for now..
Re:What will be interesting (Score:3, Interesting)
Re:You Young Whippersnappers! (Score:1, Interesting)
Malware is big business now, and there's nothing to be gained from taking out the bios. The less obvious damage your software does, the longer the machine you've infected stays '0wn3d'.
FUD and beware of UFOs (Score:2, Interesting)
This posting is clearly spreading it. This is part of a calculated attempt to fear computer users into accepting Trusted Platform Modules which currently exist as UFOs on the new Intel iMacs. When I say UFOs I mean Undocumented Functioning Object. It's installed on my motherboard. It's true that the TCG has made much of the documentation about their modus operandi and even Apple has some OLD documentation about this, the real agenda here is spreading Fear, Uncertainty, and Doubt about their platforms in their current implementations and ease our transition into the TPM future.
It's not difficult to see that these mechanisms could potentially be part of an much larger agenda. You see it happening all around you, RFID, Ubiquitous Surveillance, Presidentially Endorsed Wiretapping, etc. The controls on your movements are getting tighter and tighter. It's not paranoia, it's paying attention. Connect the dots is an easy game, even children can do it.
The most damning aspect of this technology is the lack of transparency required by the implementor, in that they can (at their discretion) use closed source to track users, enforce DRM restrictions where previous 'fair use' and other uses were traditionally allowed. The real question is, even for shareholders, how much is too much? Is the quest for maximizing profit hobbling our society?
Don't look to the skies for UFOs, look on your motherboard, and demand answers for undocumented ICs
Re:Good thing I don't use the BIOS's code anyway (Score:3, Interesting)
If you look in the user's manual there are screenshots of the BIOS configuration page showing the temperatures... that must've been a development screenshot because it was never made available to consumers.
BIOS viruses and Chernobyl revisited (Score:4, Interesting)
I have a scary scenario for y'all.
A virus that spreads over networks, stays quiet until a certain date/time GMT and then BOOM wipes the BIOS of hundreds of thousands of Windows boxes around the world in one fell swoop.
Can you spell "Black Screen of Death"?
Does anyone remember the Chernobyl virus? It worked on a good number of BIOSes, even though it was poorly written. Imagine if someone took the time to do it right.
Re:You Young Whippersnappers! (Score:2, Interesting)
move along. (Score:3, Interesting)
And what, exactly, would a rootkit or virus want with the BIOS? Does a BIOS even have enough "extra room" to accomodate either? How about platform-independent versions? That's just an idiotic claim if I've ever seen one.
Just sounds to me like this John Heasman is your average "computer security expert" trying to stir up issues and catch some rays in the media spotlight thanks to some worthless but impressive-sounding (to idiots) premise. He needs to go back and finish his MSCE so he can do something useful with his life.
Re:BIOS viruses and Chernobyl revisited (Score:2, Interesting)
We were lucky in that it didn't wipe the BIOS, just the FAT on the hard disk IIRC.
This isn't anything new . . .
In the Good Old Days (Score:5, Interesting)
Re:Simple Solution (Score:5, Interesting)
In general, flash BIOS issues are poorly addressed in mainboards. They SHOULD have a write enable jumper, but they don't. Instead, there's usually some undocumented GPIO line that must be set high and a poorly documented southbridge register bit to set. In a single move they deftly prevent many from doing what they want with their own hardware and fail to protect everyone else.
Several chipsets have features to aid in recovery by swapping the top and secodn block in the address space when a jumper is set. The idea is that you never update the emergency block at all, and if an update goes wrong, you can recover with a jumper. I have yet to see a board that doesn't leave those pins disconnected.
They COULD place the emergency recovery sector in ROM, but they never do.
To make matters worse, the current trend is to solder the flash directly to the board. I suppose they save that all important penny by not using a socket.
They could have 2 flash chips and a jumper to toggle which one is enabled, but I've only seen a few blade servers that do that. (that sure would have helped those unbootable iMacs [slashdot.org]
Many newer flash chips have lock registers that once set write protect the corresponding sector, and a lock down bit that disables unlocking until power cycled. The BIOS COULD have an option (defaults to yes) for locking down the BIOS before calling the bootloader, but they don't.
There's absolutely no good reasons not to protect flash from unwanted updates AND provide absolute safety when you DO want to update.
Re:You Young Whippersnappers! (Score:3, Interesting)
Like natural biological pathogens, they have evolved over time to avoid killing their host outright. However, I agree with you, in spite of the billions in productivity loosses in recent years, it COULD be a whole lot worse.
Imagine the problems if one of the many worms spread a little more slowly (to avoid alerting the network admin), and then wiped BIOS on a given day far enough in the future to have time to spread, but not so far that it gets detected and cleaned off. Whole companies (even large ones) might wake up one morning to discover they don't have even one functional computer to their name.
Add to that viruses that re-write ACPI in creative ways and you have a really big problem!