Researchers Demo BIOS Attack That Survives Disk Wipes
suraj.sun writes "A pair of Argentinian researchers have found a way to perform a BIOS level malware attack capable of surviving even a hard-disk wipe.
Alfredo Ortega and Anibal Sacco from Core Security Technologies used the stage at last week's CanSecWest conference to demonstrate methods (PDF) for infecting the BIOS with persistent code that will survive reboots and re-flashing attempts. The technique includes patching the BIOS with a small bit of code that gave them complete control of the machine. The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player."
Requires root privileges or physical access (Score:5, Interesting)
"Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope."
Hmm, I'd say you are pretty much pwned in that case even before the attacker infects the BIOS.
No surprise (Score:5, Interesting)
Of course you can infect a BIOS. It has drawbacks, however. One is very limited space. A second one is that BIOSes flash differently on different mainboards. Maybe not too differently, which would be a real problem. Hopefully, there is not enough space in the average BIOS for self-replication (which would need exploit code and flasher code at least).
The fact that this is possible is mildly entertaining, nothing revolutionary. Would have been possible (and obviously possible) with the first Flash BIOSes around.
Dance of the Seven Veils (Score:1, Interesting)
What were the editors thinking of when they wrote "perform unveil"?
Re:Requires root privileges or physical access (Score:3, Interesting)
I think the point is that once this happens you cannot fix it by reflashing the BIOS.
Would something like OpenBIOS help?
Re:Requires root privileges or physical access (Score:5, Interesting)
It makes me wonder more why a motherboard doesn't have a jumper that disables BIOS updates. That would be quite a strong safety measure. Anyone capable of knowing why to, and how to, execute a BIOS update is certainly capable of opening/closing that jumper for the procedure.
I've been thinking that this is necessary ever since I lost a nearly-new DVD Rom drive to a rogue piece of software that managed to wipe out one bit in sixteen of the drive's firmware.
Re:Intel only? (Score:5, Interesting)
Better question is what type of BIOS? Is EFI vulnerable? How about Open Firmware? Or is this limited to just plain ole BIOS that should have been killed a decade ago but remains as msft doesn't support anything else for most versions of its OS?
Limited scope (Score:3, Interesting)
Not only do you need root or physical access, you also need the victim to be using a particular type of BIOS. While you could abstract this up to a module, so that it nailed all Phoenix BIOSes, or all Award BIOSes, you'd still need semi-specific payloads for each BIOS OEM. Also, you'd need the target to be using a mainstream commercial BIOS, not UEFI, OpenFirmware, or anything similar.
UEFI will be here and widespread very soon (it's in some machines already, and more every day), and the only real power this 'new' malware has is the persistence/difficulty in removal.
Not impressed.
How fun! (Score:3, Interesting)
And here I thought that all the virus writers were just wimps using XSS and Word macros to run generic malware. I wondered where the old school BIOS viruses had gone.
there were a number of BIOS attacks (Score:2, Interesting)
When can I expect the commercial version? (Score:3, Interesting)
Let me get this straight:
It pretty much requires physical access and root. If a malicious person gets that sort of access, I'm screwed anyway.
Ok, so I'm not too worried about anyone installing this on my computer without my knowledge.
What I am interested in is the sort of equipment-tracking possibilities this creates. If I could install a tracking rootkit on a laptop which could silently persist and survive disk wipes and ROM flashes, automatically reporting in whenever it gets net access, it would be a huge advantage if the machine were ever stolen. An OS reinstall is likely, because it's a simple way to circumvent the user account password, but this would even protect against a BIOS flash (which is less likely, but still not out of the question).
Eventually, somebody somewhere would hook the laptop up to the web, probably with a completely fresh OS install, and a subpoena on the IP would reveal their location.
Re:Of course. (Score:3, Interesting)
Sounds like they've somehow written a BIOS that detects code that would overwrite it and either kills the code, causes it to silently fail, or silently infects the new BIOS.
Obviously a failed BIOS flash would be suspicious; a silent fail would be slightly harder to notice. If they could somehow infect the new BIOS, it'd be truly devious and almost impossible to detect.
Re:PDF (Score:4, Interesting)
Perhaps you haven't seen Pontypool [wikipedia.org], a Canadian horror film about a virus that adapts to transmit itself through language. The film itself treats the premise as improbable but the best fit for the observed circumstances.
I liked the film most because of how much imagery they convey through the lack of film footage; the story centers around a small-town morning radio team and what they hear and broadcast. Almost everything is left to the imagination. As I was watching it, all I could do was think back to Cloverleaf and how Pontypool was the same thing, but better, because shaky-cam was replaced with no-cam.
Re:Of course. (Score:3, Interesting)
ISTR firmware viruses infecting C64 floppy disk drives......
After reading the article, I don't think this is novel or new, rather a friendly reminder that firmware viruses are still a potential threat.
Re:Requires root privileges or physical access (Score:5, Interesting)
I've been using Windows based BIOS flashers for a decade. It was originally a feature limited to enthusiast boards but now it's standard. You can even sometimes flash from within Linux for boards that support it via /dev/nvram.
Re:I guess it's official. (Score:5, Interesting)
Heh this did happen to me a few times, very cool virus. From then on I pulled my BIOSes and cut the write-enable pin off the chips, no problems then.
Re:Requires root privileges or physical access (Score:2, Interesting)
Many, many years ago I had a couple of guys from the FBI come "incognito" to our first 2600 meeting and they WERE talking about using space in BIOS as malware(we're talking 1993-ish, IIRC). Why they thought we wouldn't notice them I have no idea since they stuck out like sore thumbs.
So while some will label you paranoid, I'd label you paranoid, but possibly rightfully so.
Re:Requires root privileges or physical access (Score:3, Interesting)
It doesn't require physical access, it requires root level access, i.e. ring 0 (which can almost always be gained trivially when you have physical access), even if you have to swap the hard disk for one that contains your malicious code.
Re:I guess it's official. (Score:3, Interesting)
Re:Intel only? (Score:2, Interesting)
Ever since they've removed the physical jumper to prevent unintentional flashing of the BIOS it's become probable.
The scum that make most viruses and other malware wouldn't be able to do this, and even believed it impossible. Now that a researcher has done it and made that knowledge public, it's only a matter of time before we see real ones in the wild.
It doesn't matter which BIOS you have if it is flashable without a physical restriction active (like a jumper that has to be moved). It's easy to give your software the access codes for multiple BIOSes. All you need to do is a little research, especially since most BIOS manufacturers have already given you the tools to do it with.
I almost find it hard to believe those idiots did this. It's been an unwritten research area for decades because of the known risk.
(Or more accurately, what the unintended effect would be, the eventual creation of a BIOS infector.)
Well, when the inevitable happens, the only way to fix it will be to get a fresh BIOS chip, or a new motherboard, or a new computer. Hmmm... Maybe a side effect will be a rise in home-brewed BIOS and chip burners.
Then again, 99% of the users out there wouldn't open their case for anything, they're afraid the magic pixies will escape...
Re:Of course. (Score:2, Interesting)
Some BIOSes have an option for flash protection; would that be an effective countermeasure?
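Whether a "flash protection" setup option actually does anything depends on what the firmware writes into the chipset's write-protect bits at boot, and that can be checked from the OS. The following is an added example, not code from the article, the researchers or any commenter: it decodes the BIOS_CNTL register that Intel ICH/PCH chipsets expose on the LPC bridge (PCI bus 0, device 31, function 0, config offset 0xDC; the bit layout is taken from Intel chipset datasheets and is assumed here, other vendors' chipsets differ). On Linux the raw byte can be read as root with `setpci -s 00:1f.0 dc.b`; the sample values in `main()` are constructed, not read from a real machine. A mechanical jumper or a cut write-enable pin, as another commenter describes, protects the chip independently of these bits.

```c
/*
 * Added example: classify the Intel ICH/PCH BIOS_CNTL register (LPC bridge,
 * PCI config offset 0xDC) to judge whether host software could re-flash the
 * BIOS region.  Bit layout assumed from Intel chipset datasheets:
 *
 *   bit 0  BIOSWE   BIOS Write Enable: 1 = writes from the host are accepted
 *   bit 1  BLE      BIOS Lock Enable: 1 = setting BIOSWE raises an SMI so the
 *                   firmware's SMM handler can clear it again; BLE itself
 *                   sticks until reset
 *   bit 5  SMM_BWP  SMM BIOS Write Protect (newer PCH only): 1 = writes are
 *                   only accepted while the processor is in SMM
 */
#include <stdint.h>
#include <stdio.h>

#define BIOS_CNTL_BIOSWE   (1u << 0)
#define BIOS_CNTL_BLE      (1u << 1)
#define BIOS_CNTL_SMM_BWP  (1u << 5)

enum bios_wp_state {
    BIOS_WP_WRITABLE,    /* BIOSWE set: anything running in ring 0 can flash */
    BIOS_WP_UNLOCKED,    /* BIOSWE clear but BLE clear: ring 0 just sets BIOSWE */
    BIOS_WP_BLE_ONLY,    /* BLE set, SMM_BWP clear: relies on the SMI handler */
    BIOS_WP_SMM_LOCKED   /* BLE and SMM_BWP set: strongest software lock */
};

/* Pure function over the register value so it can be checked offline. */
enum bios_wp_state classify_bios_cntl(uint8_t bios_cntl)
{
    if (bios_cntl & BIOS_CNTL_BIOSWE)
        return BIOS_WP_WRITABLE;          /* writes go through right now */
    if (!(bios_cntl & BIOS_CNTL_BLE))
        return BIOS_WP_UNLOCKED;          /* "off" but trivially re-enabled */
    if (bios_cntl & BIOS_CNTL_SMM_BWP)
        return BIOS_WP_SMM_LOCKED;
    return BIOS_WP_BLE_ONLY;
}

/* Non-zero when the register alone blocks a ring-0 flasher. */
int bios_cntl_protects(uint8_t bios_cntl)
{
    enum bios_wp_state s = classify_bios_cntl(bios_cntl);
    return s == BIOS_WP_BLE_ONLY || s == BIOS_WP_SMM_LOCKED;
}

const char *bios_wp_describe(enum bios_wp_state s)
{
    switch (s) {
    case BIOS_WP_WRITABLE:   return "WRITABLE: BIOSWE=1, flash accepts host writes";
    case BIOS_WP_UNLOCKED:   return "UNLOCKED: BIOSWE=0 but BLE=0, ring 0 can set BIOSWE";
    case BIOS_WP_BLE_ONLY:   return "BLE only: write attempts trap to SMM, no SMM_BWP";
    case BIOS_WP_SMM_LOCKED: return "BLE+SMM_BWP: writes only from SMM";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed sample register values, not read from hardware. */
    const uint8_t samples[] = { 0x01, 0x00, 0x02, 0x22, 0x03 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum bios_wp_state s = classify_bios_cntl(samples[i]);
        printf("BIOS_CNTL=0x%02x -> %s (protects: %s)\n", samples[i],
               bios_wp_describe(s), bios_cntl_protects(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

The practical check after enabling a BIOS "flash protection" option is that the byte reads back with BIOSWE clear and BLE set; a value of 0x00 means the option either does nothing or only affects the vendor's own flasher, and any ring-0 code can turn writes back on. Even BLE alone only works if the firmware's SMI handler actually clears BIOSWE, which this decoder cannot verify; SMM_BWP removes that dependency on newer chipsets.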
Re:When can I expect the commercial version? (Score:3, Interesting)
Yeah, I know that such things exist, but they don't protect against a disk wipe and re-flashing the BIOS, which this apparently does. I'm sure the companies that make that sort of tracking software would love to get their hands on this.
Re:Intel only? (Score:3, Interesting)
Now that a researcher has done it and made that knowledge public, it's only a matter of time before we see real ones in the wild.
I almost find it hard to believe those idiots did this. It's been an unwritten research area for decades because of the known risk.
(Or more accurately, what the unintended effect would be, the eventual creation of a BIOS infector.)
Sounds like you're advocating security through obscurity? I'm not a computer security expert but it seems to me that keeping a research area unstudied for this reason is not the best approach to any kind of intellectual endeavor.