New BIOS Exploiting Rootkit Discovered
First time accepted submitter mtemar writes with a Symantec analysis of an interesting new trojan/virus. From the article: "There are more and more known viruses that infect the MBR. Symantec Security Response published a blog to demonstrate this trend last month. However, we seldom confront one that infects the BIOS. One of them, the notorious CIH, appeared in 1999; it infected the computer BIOS and thus harmed a huge number of computers at that time. Recently, we met a new threat named Trojan.Mebromi that can add malicious components into Award BIOS, which allows the threat to take control of the system even before the MBR."
This is some serious business (Score:2)
Re: (Score:2)
Irrespective of where it came from or its maliciousness, you've got to admire it for how cool and sophisticated it is. Hmm, sounds French.
Re:This is some serious business (Score:4, Informative)
It's not just that it was first discovered by a Chinese security firm. It also appears to be targeted at Chinese PCs. From the original post [webroot.com]:
Makes one wonder who developed it and what the intent was.
Re:This is some serious business (Score:5, Insightful)
The option to hard-switch the BIOS into read-only would be handy; but I'm not seeing it become a default any time soon...
Re: (Score:2)
BIOS Config != BIOS
Re: (Score:2)
I'd be delighted to see the security of vital bits of a PC's guts be down to something other than sheer obscurity(and, I'd really prefer that the alternative not be a cryptographic vendor lock, those don't end well.) Defaulting to a cryptographic lock, so that Joe Blow can safely get BIOS updates without touching his hardware might be ok; but you'd really w
Re:This is some serious business (Score:4, Funny)
Not only that, but a guy in china did the same thing to all those systems of yours! :-)
This is what easy over safe design gets ya (Score:5, Insightful)
When flash BIOS first appeared you had to move a hardware jumper to enable writing it. Then we had systems where you could fix it so that once POST finished the possibility to write the BIOS was physically removed. But people wanted simple Windows based utilities to reflash the BIOS instead of booting from a special floppy or even using the flashers many BIOSes themselves offered, and nobody wanted end users to have to open the case and move a jumper. So the vital security functions were removed. Hilarity ensues.
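The jumper and the "writes physically removed after POST" design described above have a software-visible descendant on Intel ICH/PCH-class chipsets: the BIOS_CNTL register, whose BIOSWE (write enable), BLE (lock enable) and SMM_BWP (SMM-only writes) bits say whether the flash can be written from a running OS at all. The script below is an added example, not part of the thread or of any vendor tool. It assumes the register sits at config offset 0xDC of the LPC bridge at PCI 00:1f.0 with the bit layout named in the comments; later platforms moved the SPI controller and use a different register, and reading it live requires root and pciutils.

```shell
#!/bin/sh
# Added example, not from the thread. Decodes the BIOS_CNTL byte that
# Intel ICH/PCH-class chipsets of this era expose at config offset 0xDC
# of the LPC bridge (PCI 00:1f.0). Assumed bit layout: BIOSWE=bit0,
# BLE=bit1, SMM_BWP=bit5. Newer platforms moved the SPI controller and
# use a different register, so treat the offset as an assumption.

# decode_bios_cntl HEXBYTE: prints a verdict; returns 0 only when the
# flash is actually locked against runtime writes from the OS.
decode_bios_cntl() {
    v=$(( $1 ))                 # accepts 0x.. literals
    biowe=$(( v & 1 ))
    ble=$(( (v >> 1) & 1 ))
    smm_bwp=$(( (v >> 5) & 1 ))
    if [ "$biowe" -eq 1 ]; then
        echo "writable: BIOSWE=1, flash writes are enabled right now"
        return 1
    elif [ "$ble" -eq 0 ]; then
        echo "writable: BLE=0, so any ring-0 code can set BIOSWE itself"
        return 1
    elif [ "$smm_bwp" -eq 0 ]; then
        echo "weak: BLE=1 but SMM_BWP=0; the SMI-only lock is known to be racy on multicore"
        return 1
    fi
    echo "protected: BLE=1 SMM_BWP=1 BIOSWE=0"
    return 0
}

# check_live_bios_cntl: read the register from hardware (needs root and
# pciutils); setpci prints the byte as bare hex, e.g. "0a".
check_live_bios_cntl() {
    raw=$(setpci -s 00:1f.0 0xdc.b 2>/dev/null) || {
        echo "setpci failed (not root, or pciutils missing?)"
        return 2
    }
    decode_bios_cntl "0x$raw"
}
```

A board whose firmware never sets BLE (the common state the thread is complaining about) decodes as "writable" even though nothing is flashing at that moment, because any kernel-mode code can flip BIOSWE on its own; that is exactly the window a Mebromi-style dropper needs.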
Re: (Score:3)
It's a complete lack of safety. A proper design would require at least a password entered while in the BIOS at a point before anything else could get its hooks into it, to temporarily allow updating. The only executable code that occurs before that point after power-on should be READ ONLY MEMORY with no programmability whatsoever.
Re: (Score:2)
Do you have any idea how complex the BIOS code is these days? A lot of the fixes that go into BIOS releases are for the code that runs before you even hear the system beep. You really do need to be able to flash that as fixes come out.
Re: (Score:2)
Why? If it works during testing, but it turns out later to be not perfect, just put reinitialization code into the updates that change the code that comes AFTER that point. How the christ do you think we used to do it before they even used flash memory?
Re: (Score:2)
And how do you propose the units in the field get fixed? Or do they just need to pitch them and buy new ones?
BIOS on user-replaceable mask ROM (Score:2)
And how do you propose the units in the field get fixed?
Put the BIOS image on a microSD mask ROM. Then open the case, snap out the old BIOS card, insert new BIOS card, close the case.
Re: (Score:2)
Yeah, let me know how well that sells to the general public.
"What do you mean I have to open up my computer?!? That's going to void the warranty!!!"
Re: (Score:2)
The general public is going to reflash their BIOS at all anyway?
I'd like to know which "general public" you deal with.
Re: (Score:2)
So put the card in question at the end of a short extension cable and mount it behind a little panel on the back of the machine - something the user can just flip open as easily as replacing a battery on a clock.
Re: (Score:2)
Read the whole thread. The idea is to have the BIOS on day one good enough to be failsafe, getting to a state where it has working video and keyboard and can at least boot a floppy, CD, or USB stick. Nothing else. It's even conceivable that you don't guarantee the video and keyboard work, but as long as you can boot a DOS medium with an autoexec.bat you can get the reflashing accomplished.
Do you really think that's not possible? Funny; the PC and the AT could do better than that.
Re:This is what easy over safe design gets ya (Score:5, Informative)
Given that I've worked for a major CPU company and worked with the BIOS developers on more than one occasion as they debugged problems, I think I can say with some confidence that the modern BIOS is more complex by several orders of magnitude over the primitive BIOS you would find in a PC and AT machine. This explosion in complexity means that it's just not financially possible to fund the development to have a flawless BIOS right out of the gate. There are just too many permutations to consider when developing the system to test them all. And even if you did get a "perfect" BIOS out the door, the chips on the board are so much more complex that they never leave the factory without flaws. Ever. And sometimes you just don't find them until they're in the field and you need to supply a workaround.
Re: (Score:2)
I think everyone has a USB disk/key nowadays. If not, you can buy one for a couple of bucks. Have them make a "click here to prepare a bootable USB disk which will flash your BIOS" application and be done with it.
Re: (Score:2)
Yeah, instead you have vendors handing out floppy IMG files, leaving you to scratch your head. I don't understand why more don't allow you to use USB Mass Storage.
Re: (Score:2)
That might work. But I'm not sure how much additional security that buys you. All it does is add an intermediate step.
Re: (Score:2)
You're forgetting social engineering. How many people fall victim to that every day? Someone who doesn't know any better will do whatever their computer tells them to do if you word it correctly.
But I will agree that the user intervention part will significantly reduce the number of incidents.
Re: (Score:2)
The "intermediate step" is user intervention, which is the whole point. At least you wouldn't get your BIOS rooted "accidentally".
Why does 'user intervention' in the context of computer security fill me with a vague sense of dread?
Re: (Score:2)
My motherboard lets me just read the new BIOS image file off the usb drive directly - no booting required. There's an update BIOS option in the config screen.
Re: (Score:3)
How else are you going to allow the unwashed masses to do it?
I'd expect them to NOT DO IT in the first place. I can't even recall having a flashable BIOS that was actually broken in some serious way that would make a fix mandatory. The majority of my BIOS upgrades have been to support some newer CPU that still fits the same socket, something I'd expect the unwashed masses are not going to change anyway.
Re: (Score:2)
In the past decade or so, the only situations in which I did BIOS updates were to get on-site support dispatched to replace some faulty hardware (which the hardware vendor wouldn't do unless you ran the latest BIOS firmware). Hardly something I would expect the unwashed masses to experience.
Re: (Score:3)
And, in fairness to the "unwashed masses"... how many of the, er, "washed masses" actually do this?
In 16 years in the computer industry, plus university and high school ... I have never flashed a BIOS. It simply doesn't come up for me. Granted, I don't build systems, but I've simply never needed to do this.
How many home users will ever do this task?
Re: (Score:2)
OK, so we've narrowed it down to between zero and infinity ... thanks for your useful contribution. :-P
Re: (Score:2)
Oh, I don't know. Even infinity can be a countable set [wikipedia.org].
I just think GPP has poor counting skills.
Re: (Score:2)
"In my 30+ years in the computer industry,"
You sir are not a part of the set titled "the unwashed masses"
Re: (Score:2)
This is exactly what IBM did with some of the Thinkpad models. There was a special chip that held the password. The problem was, that if this chip "glitched", or you forgot the p
Re: (Score:2)
I think the solution to that design flaw is pretty clear and workable.
Re:This is what easy over safe design gets ya (Score:5, Insightful)
But people wanted simple Windows based utilities to reflash the BIOS
People wanted? Or the industry thought it would be a cool marketing gimmick? Most people have no idea what BIOS stands for, much less what it does and how dangerous it can be for them if it gets subverted. The rest of the people who know should not be too bothered to have to move a jumper to re-flash the BIOS - I mean honestly how often do you do this? - when compared to the security risk. So I don't buy the "people wanted" argument.
I wish marketing people thought a little more about the decisions they make and held themselves to higher standards. I can't believe that no engineer turned around and said "hang on, if we can flash it from the OS, anyone can flash it from the OS..."
Re: (Score:2)
Yes, it was clearly market driven. One day nobody had it, and the next day somebody said "hey, look at this cool feature we have!" Nobody in the public even knew it was possible until the feature appeared.
Re: (Score:2)
That sounds more like marketing driven than market driven.
market driven: Determined by or responsive to market forces.
Re: (Score:2)
Most people never reflash a BIOS, and even after years of working on PCs I do so rarely.
I suspect the removal of BIOS-protection jumpers is mere cost-cutting. No pins, no jumper, no extra work on the production line to install the jumper.
Re:This is what easy over safe design gets ya (Score:5, Informative)
I really, really like what Gigabyte does with their BIOSes. They quite often have 2 on each motherboard, only one of which can be written to. In case of corruption of the primary, you can always boot using the secondary. Wouldn't stop this virus, of course, but it does prevent a corruption based one from hosing your system. Editing BIOS settings from Windows can be pretty convenient, especially if you want to overclock, but it isn't really necessary and probably shouldn't be possible.
Re: (Score:2)
I really, really hate what Gigabyte does with their BIOSes, considering their BIOS backed itself up at the end of some of my disks, changed the OS-visible size of the disk using a Host Protected Area (HPA [forensicswiki.org]), squashing the mdraid metadata that was happily living there.
By the time I understood what was happening, I had had 3 of my 6 RAID disks screwed, as I had swapped the disks around ignorantly thinking it was some controller error.
That feature was not advertised, and that version of the BIOS had a bug where t
Re: (Score:2)
I'm sure manufacturers added the ability to flash the BIOS from a Windows based utility because they were tired of having to explain to non-technical people how to create a boot disk especially now that the floppy has more or less disappeared. Of course you could boot from a USB drive but a bootable USB drive is more problematic than a boot floppy for non-techies.
A safer solution might be to have the BIOS read only with a writable update area where the update utility could save a compressed copy of the new
Re: (Score:2)
computer makers didn't want to spend a dime to add a switch and a wire to every case, if it didn't help people steal music or view pr0n or frag n00bs.
Re: (Score:2)
and nobody wanted end users to have to open the case and move a jumper
That's just more cost-cutting. An A/B switch would have worked fine, but added 20 cents to the cost of a PC.
I like how ASUS (and others, no doubt) have BIOSes that know how to read VFAT and can pull a flash image off a USB drive directly. The user just needs to know how to copy a file to a flash drive.
How about if only the ability to toggle 'boot into BIOS' was exposed to the OS? A Windows utility could then copy the file to the flash
Why (Score:5, Insightful)
Name one reason why it is a good idea that application programs or the kernel or ANYTHING ELSE should even be ABLE to screw with the BIOS. There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.
Re: (Score:3)
Uh, think of the children?
Re: (Score:3)
I can give you several reasons why you would want to field load the BIOS. Flaws in processor designs are often worked around by BIOS code and settings. Discovering a flaw in a chip after it is sold to the public is a great reason to be able to update the BIOS with the fix in the field. Hell, there are flaws in BIOS code that don't get discovered until your product is shipped. You need to patch it just like you need to patch any other software. Another good reason is to allow you to upgrade some compone
Re: (Score:3)
I can give you several reasons why you would want to field load the BIOS. Flaws in processor designs are often worked around by BIOS code and settings. Discovering a flaw in a chip after it is sold to the public is a great reason to be able to update the BIOS with the fix in the field.
Intel (at least) allows you to push microcode updates right into the processor at the OS level. This doesn't need to be done by the BIOS. In fact, it shouldn't - unless you simply cannot boot without doing so!
Re: (Score:3)
Yeah, that's much more secure... ;)
Even though you can push fixes directly into the processor in that way, there is still a reason to have to patch the BIOS. The CPU microcode pretty much only affects the CPU. The BIOS is there to interface with the rest of the components on the motherboard. And when you need to get around a flaw in your north bridge by supplying different initialization settings, there's pretty much no way to fix that in a CPU microcode push. You have to do it with a BIOS flash.
Re: (Score:2)
Nevermind microcode. Most of the silicon bug workarounds that BIOS implements are in the form of "chicken bits": undocumented (or not publicly documented) configuration bits that the chip designers put in to turn off or tweak new features to a design. Also, a lot of features in modern processors and chipsets have a large analog component. A CPU could have hundreds of SERDES links, each with DLLs, equalization, not to mention chip-wide PLLs, power supply controls, voltage references, and more. Similar ad
Re: (Score:2)
I forgot to mention that most of these things are accessed easily through MSRs or PCI config space, both of which are easy to access from an OS driver.
Re: (Score:2)
Yeah, I spent a couple years dancing through the BKDG tweaking a few of those bits a couple of years back. Enough that I have a feeling you and I have worked together IRL. At the very least, your name is very familiar to me...
Re: (Score:2)
Well, microcode doesn't persist beyond booting, so while it's not perfect, it's not permanently damaging. You usually can't just reboot to resolve a corrupted/tampered BIOS flash.
Re:Why (Score:5, Insightful)
Er, the issue is not that you don't allow BIOS updates; it's that you protect them with a "big red switch," so they just can't happen like the dog ate my homework. I understand that the BIOS does at times have to be updated, but I don't want some prick on the other end of the internet doing it for me when it doesn't need to be done.
Re: (Score:2)
I can agree with that concept.
Re: (Score:2)
Name one reason why it is a good idea that application programs or the kernel or ANYTHING ELSE should even be ABLE to screw with the BIOS. There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.
I'll bite: bulk BIOS updates on thousands of PCs. My company has an enormous number of PCs - paying someone to manually flick a switch, stand by while a BIOS update is performed, then unflick it afterwards would represent an enormous cost in time and labor. We buy large numbers of identical machines every year - so when a BIOS update is needed it needs to be applied to a lot of machines, globally.
Secondly: we set BIOS passwords to prevent (or make it harder for) the machine to be booted from USB thumb dri
Re: (Score:3)
Um ... no. Flashing the BIOS should be at the discretion of the owner of the hardware in question, and not restricted to software provided by the manufacturer. But I agree a physical switch to prevent unauthorized tampering by third parties is a good idea.
Re: (Score:2)
on your smartphone?
Re: (Score:3, Insightful)
That's not in the BIOS flash but in CMOS RAM.
Such an update can be done on the BIOS level. The operating system itself doesn't use the BIOS for this anyway (unless you
Re: (Score:3)
Setting the real time clock just writes to data-only CMOS and maybe syncs the registers.
I strongly suspect changing the BIOS password, boot device settings, etc., work the same way or a very similar way - i.e., don't use program flash. If they don't, it's obvious they COULD.
Saving a crash dump to BIOS flash? Don't THINK so. Just say no. I doubt anybody does this, but again, if it's that important, it could be done to a hypothetical data-only flash or other storage. There is no excuse to save it to prog
Re: (Score:2)
The only legit argument you have is doing a large-scale bios update in a corp/enterprise environment.
And to be fair with that, some vendors (I'm familiar with Intel on this one) already support it in a secure manner that does not require the user to do anything and isn't done at the OS level. Please look into Intel's AMT work.
CIH NEVER Infected BIOS (Score:3)
Most of the time all CIH succeeded at was trashing the BIOS settings stored in CMOS. Clean the infector, reset the BIOS, save the changes and you were done.
It's amazing how low the understanding of what malware is and does has fallen. By the way, the antivirus industry has been aware that it would be possible to write a BIOS infector from the moment the software-updatable BIOS became available. Fortunately most writers of malware are pretty incompetent as far as programming goes, though this did take about 6 years longer than I expected.
Re: (Score:2)
Most of the time, yes, that's reassuring, but you're implying there is some of the time when it succeeded in actually infecting the BIOS in a non-bricking way.
Re: (Score:2)
No, CIH was a virus that trashed the BIOS as part of its payload.
On some systems it was unable to modify the BIOS and so the *payload* wasn't delivered - so to speak. But it never "infected" the BIOS - in that there was never any attempt to get running code in the BIOS.
And if somewhere somehow it placed running code in the BIOS, it should be viewed as like a million monkeys at a million keyboards. Eventually one will type something readable.
That's a FAR, FAR cry from writing code that intentionally infects
How complex can it possibly be ? (Score:3)
Preface: I know a thing or two about BIOS hacking.
Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be? Many of them only have 2MB, already close to capacity with just the stock BIOS. This doesn't leave a whole lot of space for adding an attack module, and it would have to do some fancy footwork to survive past the protected-mode switch. Modern operating systems don't use the BIOS at all past the bootloader, once the native device drivers take over. It might be possible to punt out some other chunk of the BIOS to make room, but that's playing with fire. If the machine becomes unbootable, the rootkit won't get very far.
CIH was a very trivial virus. All it did was blindly clobber things with zeroes. It had no way of "rooting" a box. It would simply toast your OS, and if your BIOS chip supported the one flash command CIH knew, it would blank that out as well, rendering your machine unbootable. That's what we get for outsourcing even our virus writing to China :P
Re: (Score:2)
The only payload they need is to load the MBR from somewhere unexpected (i.e. probably one address change). This ensures all the current antivirus code will be scanning the wrong MBR and giving a false negative.
Re: (Score:2)
I would imagine it loads some item as an option ROM, reads more code from disk at a fixed offset location, loads into a modified bootloader that loads the actual payload then steps back to the real MBR to bring up the host OS. The BIOS code can be fairly trivial at that point, but hides that the MBR has been compromised by leaving the original MBR intact.
-nB
Re: (Score:2)
Just loading a different sector than the standard MBR sector on startup (maybe after a check that the virus code is there, e.g. by CRC) would probably already defeat a lot of tools protecting against MBR infections. Your "MBR" disk virus would no longer reside on the MBR, and thus not be detected/protected against by the standard antivirus code. Doing so should in the simplest case (no check) require t
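The three replies above describe the same trick: leave the real MBR at sector 0 untouched, plant a loader at some other fixed sector that chains back to it, and patch the firmware's boot step to read that sector first. The program below is an added example written for this page, not code from the thread or from any analysis of Mebromi; the disk image, the "firmware image" whose byte 0 holds the boot LBA, the loader location (LBA 40) and the FNV-1a hash standing in for a scanner's signature are all constructed here for illustration. It shows why a scanner that only hashes sector 0 stays green after infection while comparing a flash dump against a known-good image does not.

```c
/* Added example, not from the thread: a toy model of the BIOS-level MBR
 * redirect and of two scanners, one that looks only at sector 0 and one
 * that compares the firmware image itself. Everything here (disk layout,
 * firmware layout, loader LBA, hash) is constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR     512
#define NSECT      64
#define LOADER_LBA 40   /* constructed: where the planted loader lives */

/* Toy firmware image. Byte 0 holds the LBA the boot code loads first.
 * Real BIOS images are not laid out like this; it is a stand-in. */
static uint8_t bios_image[4096];
static uint8_t disk[NSECT * SECTOR];
static uint32_t baseline_mbr, baseline_bios;

/* FNV-1a, standing in for whatever hash or signature a scanner keeps. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

uint32_t mbr_hash(void)  { return fnv1a(disk, SECTOR); }
uint32_t bios_hash(void) { return fnv1a(bios_image, sizeof bios_image); }

/* Clean machine: firmware loads LBA 0, and a legitimate MBR sits there. */
void setup_clean(void) {
    memset(bios_image, 0xFF, sizeof bios_image);
    bios_image[0] = 0;
    memset(disk, 0, sizeof disk);
    memset(disk, 0x90, 440);            /* NOPs stand in for boot code */
    disk[510] = 0x55; disk[511] = 0xAA; /* boot signature */
}

/* Record the "known good" hashes a scanner would carry. */
void record_baseline(void) {
    baseline_mbr  = mbr_hash();
    baseline_bios = bios_hash();
}

/* The redirect described in the thread: leave LBA 0 untouched, plant a
 * loader elsewhere that chains back to the real MBR, and patch the
 * firmware to load that sector first. */
void infect(void) {
    uint8_t *m = disk + LOADER_LBA * SECTOR;
    memset(m, 0xCC, 440);               /* stand-in for loader code */
    m[510] = 0x55; m[511] = 0xAA;
    bios_image[0] = LOADER_LBA;
}

/* The sector the firmware actually hands control to. */
const uint8_t *firmware_first_sector(void) {
    return disk + bios_image[0] * SECTOR;
}

/* Scanner that only checks sector 0: 1 = alert, 0 = clean. */
int mbr_scan_alerts(void)  { return mbr_hash() != baseline_mbr; }

/* Scanner that compares a flash dump against the vendor image. */
int bios_scan_alerts(void) { return bios_hash() != baseline_bios; }

int main(void) {
    setup_clean();
    record_baseline();
    infect();
    printf("firmware boots LBA %u (MBR at LBA 0 left intact)\n",
           (unsigned)bios_image[0]);
    printf("MBR-only scan alerts:  %d\n", mbr_scan_alerts());  /* 0: false negative */
    printf("flash-compare alerts:  %d\n", bios_scan_alerts()); /* 1 */
    return 0;
}
```

The point the model makes is the one the thread is circling: once the firmware decides which sector is "the MBR", an OS-level scanner that trusts the disk layout has nothing to compare against, and the only reliable check is of the flash contents themselves (a dump taken out of band and diffed against the vendor image), or booting from known-clean media.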
Re:How complex can it possibly be ? (Score:5, Informative)
Me too, I did it several times. Not too hard if you have several motherboards to waste :)
Well, apparently this was found in the wild, working.
You don't need very much if you know assembly. 512 bytes (yes, bytes) is enough for a very good win32 shellcode with network access. I have found anything from 1KB to 30KB of free memory, and you can always trash unused ROM extensions or bitmaps.
This is incorrect. Most operating systems use the BIOS well past the bootloader to get the memory map, VGA mode setting and other stuff like setting up BIOS32 structures, even if they are not used later.
True, but BIOS persistence is only an additional vector. If it detects an incompatible BIOS, it simply doesn't use that way to persist on the system.
Re: (Score:2)
You apparently can't read. The MBR is not the BIOS, and the BIOS is not the MBR.
Re: (Score:2)
This.
when uefi becomes more widely adopted. (Score:3)
Expect more of this. A full command environment with access to all the hardware on the system before the OS boots? It's almost as if it was written 'for' virus and malware makers.
Old news. (Score:2)
My housemate and I caught a virus back in 1997 that infected executables, the MBR, and lodged itself in his BIOS. He had to run McAfee 7 times before it finally cleared out. A BIOS infector isn't new.
Flash BIOS is a convenience to manufacturers, normal end users usually couldn't give a shit. They have no idea what it is, what it does, or why they should care. If it doesn't make their system play games or run Office faster, they don't care.
old school (Score:2)
Real old school, and I am very surprised we even allow this to happen even today after all this time.
Re: (Score:2)
The only real reason a computer needs a BIOS is to run a bootloader, and if that functionality works, then it's probably going to continue to work.
You're obviously nostalgic for the days when software was debugged as thoroughly as possible before shipping because it couldn't be upgraded later, rather than released with known major bugs because 'we can always fix it with a flash upgrade'.
Re: (Score:3)
> The only real reason a computer needs a BIOS is to run a bootloader...
Oh how I wish that were still true. Got one word for ya, ACPI.
Re: (Score:2)
And DDR2/3/4
And PCIe/16 Graphics
All timings & lane skews handled by BIOS
-nB
Re: (Score:2)
And HT/QPI. Hell, you have to get the PCIe buses walked enough to even see the BIOS boot ROM on the south bridge. Not a full initialization but enough to read the contents of the boot ROM into cache and/or RAM.
Re: (Score:2)
... in other words, ACPI?
Re: (Score:2)
no, DMI training (AFAIK that is not part of ACPI)
Re: (Score:2)
ACPI is a cluster fuck, but do you have any ready reason why it could not all be done in the OS, perhaps a unique module particular to the individual motherboard, rather than the BIOS?
Re: (Score:2)
I kind of forgot about coreboot/OpenBIOS. Looking at their motherboard support page, apparently I'm not alone. It's a neat concept, but the BIOS is generally just configured and ignored for most people, including geeks.
Re: (Score:2)
Another solution is to make sure your BIOS is bug free when you ship. That involves paying your coders slightly more than minimum Chinese wage.
Which is great until a new CPU is released and you don't support it and can't upgrade the BIOS to do so. I've seen a number of AMD users complaining because they'd been told that if they bought an AMD motherboard today they would still be able to use it for future generations of AMD CPUs, only to find that the motherboard manufacturer couldn't be bothered to issue a new BIOS two years later to support the new chips even though the hardware would work with them.
Re: (Score:2)
If you change the CPU, you must open your case and manipulate the hardware anyway. Changing a jumper to allow BIOS update wouldn't be a big deal in that case.
In case you didn't notice, the post I was replying to was suggesting that you make the BIOS bug-free and not upgradeable at all rather than making the BIOS upgrade more complex.
Re: (Score:2)
"Al Gore invented the rootkit"
"It's Bush's fault"
"All your BIOS are belong to us!" (Okay, haven't heard this one for a while)
There.. now we're done with all the
Re: (Score:2)
How does that have anything to do with the BIOS at all?
Re: (Score:2)
Superstition IS a virus!
No modern man runs that code or respects the ideas behind it.