Security Hardware

Researchers Demo BIOS Attack That Survives Disk Wipes

Posted by CmdrTaco
from the can't-believe-it-took-this-long dept.
suraj.sun writes "A pair of Argentinian researchers have found a way to perform a BIOS-level malware attack capable of surviving even a hard-disk wipe. Alfredo Ortega and Anibal Sacco from Core Security Technologies used the stage at last week's CanSecWest conference to demonstrate methods (PDF) for infecting the BIOS with persistent code that will survive reboots and re-flashing attempts. The technique includes patching the BIOS with a small bit of code that gave them complete control of the machine. The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player."
  • by Rosco P. Coltrane (209368) on Monday March 23, 2009 @09:43AM (#27297293)

    preinstalled, on ASUS boards: it was the BIOS itself. It too survived hard disk wipes, but it didn't survive my sledgehammer.

  • by amazeofdeath (1102843) on Monday March 23, 2009 @09:44AM (#27297301)

    "Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope."

    Hmm, I'd say you are pretty much pwned in that case even before the attacker infects the BIOS.

    • Re: (Score:2, Insightful)

      I think the point is that once this happens that you cannot fix it by reflashing the BIOS.
      • Re: (Score:3, Interesting)

        by Jurily (900488)

        I think the point is that once this happens that you cannot fix it by reflashing the BIOS.

        Would something like OpenBIOS help?

      • by bev_tech_rob (313485) on Monday March 23, 2009 @10:45AM (#27298149)
        The nice thing about this exploit requiring physical access is that you may have a fairly decent chance of catching the perp and applying a size 13 (my shoe size) patch upside their head or backside. Then make them pay for a new system board after they trashed your current one with this nasty bit of code....
        • Re: (Score:3, Interesting)

          by Bert64 (520050)

          It doesn't require physical access, it requires root-level access, i.e. ring 0 (which can almost always be gained trivially when you have physical access), even if you have to swap the hard disk for one that contains your malicious code.

    • by Leafheart (1120885) on Monday March 23, 2009 @09:58AM (#27297495)

      Needing root privileges means that an attacker could put this code in another malware he writes, get a user infected and upload this to the BIOS. From that point onwards, if they can really disable the AV (both article and presentation are light on details), they can ensure that the box will remain infected by injecting more code.

      Think of it as a sure-fire way to get people infected for a botnet without any recourse to stop it, except updating the EEPROM of the BIOS (although I couldn't see how it can survive a re-flashing).

    • by wvmarle (1070040) on Monday March 23, 2009 @10:03AM (#27297569)

      Getting root (administrator) privileges in Windows appears trivial for most current malware, so getting to the BIOS is not that hard from there.

      It makes me wonder more why a motherboard doesn't have a jumper that disables BIOS updates. That would be quite a strong safety measure. Anyone capable of knowing why to, and how to, execute a BIOS update is certainly capable of opening/closing that jumper for the procedure.

      • by cowbutt (21077) on Monday March 23, 2009 @10:10AM (#27297663) Journal

        It makes me wonder more why a motherboard doesn't have a jumper that disables BIOS updates. That would be quite a strong safety measure. Anyone capable of knowing why to, and how to, execute a BIOS update is certainly capable of opening/closing that jumper for the procedure.

        I've been thinking that this is necessary ever since I lost a nearly-new DVD-ROM drive to a rogue piece of software that managed to wipe out one bit in sixteen of the drive's firmware.

      • by berashith (222128)

        The BIOS isn't protected because the guys in the black helicopters have been doing this for years.

      • I have not seen a BIOS flashing program that runs from within Windows. Every one I have used required some sort of boot disk to flash the BIOS. Are there now versions that can run under Windows? If so that is a big problem - it allows remote execution. You used to need physical access to flash a BIOS.
        • by idontgno (624372)

          ...required some sort of boot disk to flash the BIOS. Are there now versions that can run under Windows?

          Here, LMGTFY [google.com].

        • by Nick Ives (317) on Monday March 23, 2009 @11:50AM (#27299105)

          I've been using Windows based BIOS flashers for a decade. It was originally a feature limited to enthusiast boards but now it's standard. You can even sometimes flash from within Linux for boards that support it via /dev/nvram.

      • Re: (Score:3, Insightful)

        by sjames (1099)

        Because adding that useful safety feature might cost a WHOLE NICKEL!!

        Similarly, I have seen a number of chipsets where the top and second from top erase blocks can be swapped just by pulling a logic line down (with a jumper for example). The idea is that even a screwed up re-flash of the boot block can be recovered easily just by setting a jumper.

        Too bad I have NEVER seen a board that actually hooked that line up nor a BIOS image that had a second emergency boot sector programmed.

      • by Asic Eng (193332)
        Maybe because it's so much easier to infect a machine by other means. There is no way to protect against physical access in any case, and once you have gained admin privileges why even bother with the BIOS? There are so many botnets out there already, so apparently it's quite easy to infect large numbers of machines in the first place. Putting in extra effort to make an infected machine withstand a re-install doesn't make economical sense. It would only become interesting for attackers if a significant perc
    • by Yvanhoe (564877)
      Well, when an attacker gained root access over one of your machines, the procedure until recently was to wipe its disks completely. Now, even that fails.
      It does not make privilege escalation easier, it just makes it more serious.
    • by sjames (1099)

      The problem is that even if you follow the recommended procedure for when a virus is discovered, wipe and reinstall from backup or fresh from the install media, you're still screwed.

      If the virus is smart enough to lay low for a while when you do that, it could become a truly maddening 'recurring' infection in spite of following best practices (after the initial infection, of course).

  • by davidwr (791652) on Monday March 23, 2009 @09:45AM (#27297317) Homepage Journal

    If BIOSes, CPUs, and other low-level software had factory-reset pins that could not be bypassed through patching, we wouldn't have these problems.

    If the pin is set during POST, the CPU, BIOS, or whatever would reset itself to factory conditions. The device would be configured so the factory-reset sequence could not be tampered with through software updates alone.

    • by wastedlife (1319259) on Monday March 23, 2009 @10:10AM (#27297651) Homepage Journal

      This is why there should always be 2 copies of the BIOS. One that is physically read-only and contains the BIOS as shipped. And another writable one that can be disabled with a jumper. If your BIOS is corrupted or hijacked, you could always go back to the backup BIOS and restore.

      An alternative would be replaceable BIOS chips like the ones from the days before writable BIOS. If a customer gets a BIOS corruption or virus, they could call and order a replacement and not have to buy a whole new mobo. That would also be a good way to distribute BIOS updates to people afraid of bricking their system.

      • Re: (Score:3, Insightful)

        by Lost Race (681080)

        Or a friggin' write-protect jumper on the flash, which is actually present in the PCB wiring of most motherboards but 99% of the time the manufacturer is too cheap to solder on the pins. Actually it's not the 1 cent manufacturing cost they save but the zillions of tech support calls from clueless users desperate to reflash their BIOS (usually for no good reason) but unable to locate the WP jumper with both hands and a map.

        Hardware flash WP has been high on my list of mobo spec priorities for years but it's

  • No surprise (Score:5, Interesting)

    by gweihir (88907) on Monday March 23, 2009 @09:47AM (#27297335)

    Of course you can infect a BIOS. It has drawbacks, however. One is very limited space. A second one is that BIOSes flash differently on different mainboards. Maybe not too differently, which would be a real problem. Hopefully, there is not enough space in the average BIOS for self-replication (which would need exploit code and flasher code at least).

    The fact that this is possible is mildly entertaining, nothing revolutionary. Would have been possible (and obviously possible) with the first flash BIOSes around.

    • Re:No surprise (Score:4, Insightful)

      by jellomizer (103300) on Monday March 23, 2009 @09:58AM (#27297503)

      Them Old Time Viruses ran with a lot less than what modern BIOSes have, so I wouldn't focus too much on size to save us.
      When the virus initially runs it is probably loaded from the hard drive into RAM, which can fit a LOT of configurations to break into a lot of BIOS manufacturers.

      • by gweihir (88907)

        The old viruses sometimes fit into 300 bytes of floppy boot code. But these did not need any exploit (i.e. attack) code, no network functionality and no flasher code.

        While very small worms are possible today (think Witty, which was about 470 bytes of worm code), you cannot do a lot with them, certainly not include a generic FLASH writer.

    • by Cyberax (705495)

      There are OpenSource tools which handle re-flashing of most BIOSes.

      Also, there are just a few BIOS manufacturers. So it might not be that hard to write semi-universal code.

      Now I wish my computer had a TPM module....

    • by wkk2 (808881)
      The real question is why the boards no longer have BIOS write protect jumpers given that infections are only getting worse.
    • The virus could check if the motherboard is compatible with coreboot [coreboot.org] or something similar before flashing a modified version. If coreboot can boot a Linux kernel directly without any other bootloader, it is likely possible that the average BIOS has enough room for self-replicating code.

      I do agree that it is not revolutionary, I've heard of BIOS viruses for a while, but the general consensus was that they are too motherboard-specific to be of any real threat. However, coreboot claims it is supported on over

    • by sjames (1099)

      Flash code can be crammed into 50 bytes or less, counting the code that sets the GPIO lines to allow the flashing.

      The part that determines which MB you have and loads the correct 'driver' can be fetched over the net. Many BIOS images have over 16K of free space on the chip. That's well more than enough for a polling UDP network stack (w/ DHCP), code to exploit the SMM vulnerability, and patch the bootloader.

      A simple jumper on the write enable line of the flash chip could stop BIOS infections cold, but that

  • PDF (Score:5, Funny)

    by JewGold (924683) on Monday March 23, 2009 @09:51AM (#27297399)
    Wait, you want me to open a PDF [slashdot.org] from folks who know how to create such a supervirus? Hmm.
    • Re:PDF (Score:5, Funny)

      by L4t3r4lu5 (1216702) on Monday March 23, 2009 @10:31AM (#27297969)
      It's already too late for you, I'm afraid. You've already read the stub of the article which was copied from the original website by another person. The virus jumped through their monitor (writing directly onto their retina using a zero-day exploit) which was then transcoded into nerve pulses. These were transferred to the poster's fingers which caused very small, but significant, induced current in their keyboard. The virus travelled through the USB port and into the PC, and got posted to Slashdot. It now resides in your brain, and mine, ready to be exploited at the author's whim.

      Or, you really need to take off the tinfoil hat.
      • by berashith (222128)

        great! Now I am a botnet zombie.

        BRAAAAAIIIINNSSSSSS

      • Re:PDF (Score:4, Interesting)

        by SydShamino (547793) on Monday March 23, 2009 @11:18AM (#27298623)

        Perhaps you haven't seen Pontypool [wikipedia.org], a Canadian horror film about a virus that adapts to transmit itself through language. The film itself treats the premise as improbable but the best fit for the observed circumstances.

        I liked the film most because of how much imagery they convey through the lack of film footage; the story centers around a small-town morning radio team and what they hear and broadcast. Almost everything is left to the imagination. As I was watching it, all I could do was think back to Cloverfield and how Pontypool was the same thing, but better, because shaky-cam was replaced with no-cam.

  • So what's the only way to be sure?
  • "The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player." If it's an attack on the BIOS, why would it be dependent on the OS?
    • by Drakkenmensch (1255800) on Monday March 23, 2009 @10:05AM (#27297583)
      Because without direct access to the physical computer, it requires (as any other malware or virus does) an entryway from the internet and cooperation from the operating system. Anyone can destroy my laptop with the keys to my apartment and a sledgehammer, but doing it from a distance requires a Windows flaw to exploit.
  • by I.M.O.G. (811163) <spamisyummy@gmail.com> on Monday March 23, 2009 @10:11AM (#27297679) Homepage

    The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player.

    I was with the summary until that last part... A Windows machine, I can accept that. An OpenBSD machine, I can accept that too. But another machine running VMware Player? That's not an OS, so I don't even know what they were trying to say.

    • by jimicus (737525)

      It isn't but it certainly simulates a BIOS to the guest OS. My guess is they infected the simulated BIOS.

      This seems curious to me - why on Earth would VMWare want to make a virtual BIOS "flashable"? (in inverted commas because it's not a real BIOS so it isn't flashable in the true sense of the word)

  • Limited scope (Score:3, Interesting)

    by RMingin (985478) on Monday March 23, 2009 @10:21AM (#27297827) Homepage

    Not only do you need root or physical access, you also need the victim to be using a particular type of BIOS. While you could abstract this up to a module, so that it nailed all Phoenix BIOSes, or all Award BIOSes, you'd still need semi-specific payloads for each BIOS OEM. Also, you'd need the target to be using a mainstream commercial BIOS, not UEFI, OpenFirmware, or anything similar.

    UEFI will be here and widespread very soon (it's in some machines already, and more every day), and the only real power this 'new' malware has is the persistence/difficulty in removal.

    Not impressed.

    • by sjames (1099)

      Grab BIOS signature, send query to server in wheresthatistan, receive back instructions and code for that configuration.

  • How fun! (Score:3, Interesting)

    by Bandman (86149) on Monday March 23, 2009 @10:25AM (#27297885) Homepage

    And here I thought that all the virus writers were just wimps using XSS and Word macros to run generic malware. I wondered where the old school BIOS viruses had gone.

  • On April 26, 1999, I turned on my computer, and it met me with a black screen. Turned out that my BIOS was flashed because of this virus: http://en.wikipedia.org/wiki/Chernobyl_virus . Had to re-flash the BIOS. Obviously the BIOS could have been loaded with something else other than simply erased.
  • I thought that since that really nasty virus that would brick PCs by writing to BIOSes, every mobo maker put in write protection that, if enabled, would halt the system when something tried to write to the BIOS.

    Wouldn't this prevent this kind of attack?

    • by sjames (1099)

      Most of them depend on SMM/SMI to 'protect' the BIOS. There's an exploit out there that can overwrite the SMM and nullify that protection.

  • by clone53421 (1310749) on Monday March 23, 2009 @10:53AM (#27298247) Journal

    Let me get this straight:

    It pretty much requires physical access and root. If a malicious person gets that sort of access, I'm screwed anyway.

    Ok, so I'm not too worried about anyone installing this on my computer without my knowledge.

    What I am interested in is the sort of equipment-tracking possibilities this creates. If I could install a tracking rootkit on a laptop which could silently persist and survive disk wipes and ROM flashes, automatically reporting in whenever it gets net access, it would be a huge advantage if the machine were ever stolen. An OS reinstall is likely, because it's a simple way to circumvent the user account password, but this would even protect against a BIOS flash (which is less likely, but still not out of the question).

    Eventually, somebody somewhere would hook the laptop up to the web, probably with a completely fresh OS install, and a subpoena on the IP would reveal their location.

    • by jimicus (737525)

      Let me get this straight:

      It pretty much requires physical access and root. If a malicious person gets that sort of access, I'm screwed anyway.

      You are but you can be un-screwed by reloading the operating system and restoring data from backup (being careful not to restore whatever it was caused the compromise in the first place, of course).

      This effectively neutralises your ability to do that.

    • by Endo13 (1000782)

      What I am interested in is the sort of equipment-tracking possibilities this creates. If I could install a tracking rootkit on a laptop which could silently persist and survive disk wipes and ROM flashes, automatically reporting in whenever it gets net access, it would be a huge advantage if the machine were ever stolen. An OS reinstall is likely, because it's a simple way to circumvent the user account password, but this would even protect against a BIOS flash (which is less likely, but still not out of the question).

      Interesting indeed. It would also be invaluable for rental companies that lease out computers.

  • by NotQuiteReal (608241) on Monday March 23, 2009 @11:19AM (#27298631) Journal
    I boot without a bios - by toggling in raw machine code from the front panel switches!
  • by MarkvW (1037596) on Monday March 23, 2009 @11:27AM (#27298757)

    You're being watched . . .
