Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

New BIOS Exploiting Rootkit Discovered 205

First time accepted submitter mtemar writes with a Symantec analysis of an interesting new trojan/virus. From the article:"There are more and more known viruses that infect the MBR. Symantec Security Response has published a blog to demonstrate this trend last month. However, we seldom confront with one that infects the BIOS. One of them, the notorious CIH, appeared in 1999, which infected the computer BIOS and thus harmed a huge number of computers at that time. Recently, we met a new threat named Trojan.Mebromi that can add malicious components into Award BIOS which allows the threat to take control of the system even before MBR."
This discussion has been archived. No new comments can be posted.

New BIOS Exploiting Rootkit Discovered

Comments Filter:
  • Is it really a total surprise that it was discovered initially by a Chinese security firm? Their reaction should have been, " look at this virus we just found that we just made!"
    • by dintech ( 998802 )

      Irrespective of where it came from or it's maliciousness, you've got to admire it for how cool and sophisticated it is. Hmm, sounds French.

    • by lpp ( 115405 ) on Wednesday September 14, 2011 @12:50PM (#37401204) Homepage Journal

      It's not just that it was first discovered by a Chinese security firm. It also appears to be targeted at Chinese PCs. From the original post [webroot.com]:

      The infection is clearly focused on Chinese users, because the dropper is carefully checking if the system it’s going to infect is protected by Chinese security software Rising Antivirus and Jiangmin KV Antivirus.

      Makes one wonder who developed it and what the intent was.

  • by jmorris42 ( 1458 ) * <jmorris@@@beau...org> on Wednesday September 14, 2011 @11:40AM (#37400238)

    When flash BIOS first appeared you had to move a hardware jumper to enable writing it. Then we had systems where you could fix it so that once POST finished the possibility to write the BIOS was physically removed. But people wanted simple Windows based utilities to reflash the BIOS instead of booting from a special floppy or even using the flashers many BIOSes themselves offered, and nobody wanted end users to have to open the case and move a jumper. So the vital security functions were removed. Hilarity ensues.

    • by fnj ( 64210 )

      It's a complete lack of safety. A proper design would require at least a password entered while in the BIOS at a point before anything else could get its hooks into it, to temporarily allow updating. The only executable code that occurs before that point after power-on should be READ ONLY MEMORY with no programmability whatsoever.

      • Do you have any idea how complex the BIOS code is these days? A lot of the fixes that go into BIOS releases are for the code that runs before you even hear the system beep. You really do need to be able to flash that as fixes come out.

        • by fnj ( 64210 )

          Why? If it works during testing, but it turns out later to be not perfect, just put reinitialization code into the updates that change the code that comes AFTER that point. How the christ do you think we used to do it before they even used flash memory?

          • And how do you propose the units in the field get fixed? Or do they just need to pitch them and buy new ones?

            • And how do you propose the units in the field get fixed?

              Put the BIOS image on a microSD mask ROM. Then open the case, snap out the old BIOS card, insert new BIOS card, close the case.

              • Yeah, let me know how well that sells to the general public.

                "What do you mean I have to open up my computer?!? That's going to void the warranty!!!"

                • by tepples ( 727027 )
                  Most people don't replace CPUs or do anything that would require adding features to the BIOS. And if the PC is still warranted, bring it into an authorized repair shop and a tech will snap in the new BIOS card for you.
                • by Fjandr ( 66656 )

                  The general public is going to reflash their BIOS at all anyway?

                  I'd like to know which "general public" you deal with.

                • So put the card in question at the end of a short extension cable and mount it behind a little panel on the back of the machine - something the user can just flip open as easily as replacing a battery on a clock.

            • by fnj ( 64210 )

              Read the whole thread. The idea is to have the BIOS on day one good enough to be failsafe getting to a state where it has a working video and keyboard can at least boot a floppy, CD, or USB stick. Nothing else. It's even conceivable that you don't guarantee the video and keyboard work, but as long as you can boot a DOS media with autoexec.bat you can get the reflashing accomplished.

              Do you really think that's not possible? Funny; the PC and the AT could do better than that.

              • by grimmjeeper ( 2301232 ) on Wednesday September 14, 2011 @12:48PM (#37401168) Homepage

                Given that I've worked for a major CPU company and worked with the BIOS developers on more than one occasion as they debugged problems, I think I can say with some confidence that the modern BIOS is more complex by several orders of magnitude over the primitive BIOS you would find in a PC and AT machine. This explosion in complexity means that it's just not financially possible to fund the development to have a flawless BIOS right out of the gate. There are just too many permutations to consider when developing the system to test them all. And even if you did get a "perfect" BIOS out the door, the chips on the board are so much more complex that they never leave the factory without flaws. Ever. And sometimes you just don't find them until they're in the field and you need to supply a workaround.

            • That's how apple does it!
      • It's a complete lack of safety. A proper design would require at least a password entered while in the BIOS at a point before anything else could get its hooks into it, to temporarily allow updating. The only executable code that occurs before that point after power-on should be READ ONLY MEMORY with no programmability whatsoever.

        This is exactly what IBM did with some of the Thinkpad models. There was a special chip that held the password. The problem was, that if this chip "glitched", or you forgot the p

        • by fnj ( 64210 )

          I think the solution to that design flaw is pretty clear and workable.

    • by Dunbal ( 464142 ) * on Wednesday September 14, 2011 @11:59AM (#37400476)

      But people wanted simple Windows based utilities to reflash the BIOS

      People wanted? Or the industry thought it would be a cool marketing gimmick? Most people have no idea what BIOS stands for, much less what it does and how dangerous it can be for them if it gets subverted. The rest of the people who know should not be too bothered to have to move a jumper to re-flash the BIOS - I mean honestly how often do you do this? - when compared to the security risk. So I don't buy the "people wanted" argument.

      I wish marketing people thought a little more about the decisions they make and held themselves to higher standards. I can't believe that no engineer turned around and said "hang on, if we can flash it from the OS, anyone can flash it from the OS..."

      • by fnj ( 64210 )

        Yes, it was clearly market driven. One day nobody had it, and the next day somebody said "hey, look at this cool feature we have!" Nobody in the public even knew it was possible until the feature appeared.

        • That sounds more like marketing driven than market driven.

          market driven: Determined by or responsive to market forces.

      • Most people never reflash a BIOS, and even after years of working on PCs I do so rarely.
        I suspect the removal of BIOS-protection jumpers is mere cost-cutting. No pins, no jumper, no extra work on the production line to install the jumper.

    • by Baloroth ( 2370816 ) on Wednesday September 14, 2011 @12:09PM (#37400606)

      I really, really like what Gigabyte does with their BIOSes. They quite often have 2 on each motherboard, only one of which can be written to. In case of corruption of the primary, you can always boot using the secondary. Wouldn't stop this virus, of course, but it does prevent a corruption based one from hosing your system. Editing BIOS settings from Windows can be pretty convenient, especially if you want to overclock, but it isn't really necessary and probably shouldn't be possible.

      • I really, really hate what Gigabyte does with their BIOSes, considering their BIOS backed itself up on the end on some of my disks, changed the OS-visible size of the disk using Host Protected Area (HPA [forensicswiki.org]), squashing the mdraid metadata that was happily living there.

        By the time I understood what was happening, I had had 3 of my 6 RAID disks screwed, as I had swapped the disks around ignorantly thinking it was some controller error.

        That feature was not advertised, and that version of the BIOS had a bug where t

    • by S.O.B. ( 136083 )

      I'm sure manufacturers added the ability to flash the BIOS from a Windows based utility because they were tired of having to explain to non-technical people how to create a boot disk especially now that the floppy has more or less disappeared. Of course you could boot from a USB drive but a bootable USB drive is more problematic than a boot floppy for non-techies.

      A safer solution might be to have the BIOS read only with a writable update area where the update utility could save a compressed copy of the new

    • by blair1q ( 305137 )

      computer makers didn't want to spend a dime to add a switch and a wire to every case, if it didn't help people steal music or view pr0n or frag n00bs.

    • and nobody wanted end users to have to open the case and move a jumper

      That's just more cost-cutting. An A/B switch would have worked fine, but added 20 cents to the cost of a PC.

      I like how ASUS (and others, no doubt) have BIOS's that know how to read VFAT and can pull a flash image off a USB drive directly. The user just needs to know how to copy a file to a flash drive.

      How about if only the ability to toggle 'boot into BIOS' was exposed to the OS? A Windows utility could then copy the file to the flash

  • Why (Score:5, Insightful)

    by fnj ( 64210 ) on Wednesday September 14, 2011 @11:41AM (#37400246)

    Name one reason why it is a good idea that application programs or the kernel or ANYTHING ELSE should even be ABLE to screw with the BIOS. There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.

    • Uh, think of the children?

    • I can give you several reasons why you would want to field load the BIOS. Flaws in processor designs are often worked around by BIOS code and settings. Discovering a flaw in a chip after it is sold to the public is a great reason to be able to update the BIOS with the fix in the field. Hell, there are flaws in BIOS code that don't get discovered until your product is shipped. You need to patch it just like you need to patch any other software. Another good reason is to allow you to upgrade some compone

      • I can give you several reasons why you would want to field load the BIOS. Flaws in processor designs are often worked around by BIOS code and settings. Discovering a flaw in a chip after it is sold to the public is a great reason to be able to update the BIOS with the fix in the field.

        Intel (at least) allows you to push microcode updates right into the processor at the OS level. This doesn't need to be done by the BIOS. In fact, it shouldn't - unless you simply cannot boot without doing so!

        • Yeah, that's much more secure... ;)

          Even though you can push fixes directly into the processor in that way, there is still a reason to have to patch the BIOS. The CPU microcode pretty much only affects the CPU. The BIOS is there to interface with the rest of the components on the motherboard. And when you need to get around a flaw in your north bridge by supplying different initialization settings, there's pretty much no way to fix that in a CPU microcode push. You have to do it with a BIOS flash.

          • by ajlitt ( 19055 )

            Nevermind microcode. Most of the silicon bug workarounds that BIOS implements are in the form of "chicken bits": undocumented (or not publicly documented) configuration bits that the chip designers put in to turn off or tweak new features to a design. Also, a lot of features in modern processors and chipsets have a large analog component. A CPU could have hundreds of SERDES links, each with DLLs, equalization, not to mention chip-wide PLLs, power supply controls, voltage references, and more. Similar ad

            • by ajlitt ( 19055 )

              I forgot to mention that most of these things are accessed easily through MSRs or PCI config space, both of which are easy to access from an OS driver.

              • Yeah, I spent a couple years dancing through the BKDG tweaking a few of those bits a couple of years back. Enough that I have a feeling you and I have worked together IRL. At the very least, your name is very familiar to me...

          • Well, microcode doesn't persist beyond booting, so while it's not perfect, it's not permanently damaging. You usually can't just reboot to resolve a corrupted/tampered BIOS flash.

      • Re:Why (Score:5, Insightful)

        by fnj ( 64210 ) on Wednesday September 14, 2011 @12:38PM (#37401006)

        Er, the issue is not that you don't allow BIOS updates; it's that you protect them with a "big red switch," so they just can't happen like the dog ate my homework. I understand that the BIOS does at times have to be updated, but I don't want some prick on the other end of the internet doing it for me when it doesn't need to be done.

      • I don't think anyone is saying there is not a reason to flash a BIOS. But what is in question is whether to allow this to be done through WIndows. Yes it is more work to flash a BIOS from the setup screen, it is much more secure in the light of viruses that attack it.
    • Name one reason why it is a good idea that application programs or the kernel or ANYTHING ELSE should even be ABLE to screw with the BIOS. There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.

      I'll bite: bulk BIOS updates on thousands of PCs. My company has an enormous number of PCs - paying someone to manually flick a switch, stand by while a BIOS update is performed, then unflick it afterwards would represent an enormous cost in time and labor. We buy large numbers of identical machines every year - so when a BIOS update is needed it needs to be applied to a lot of machines, globally.

      Secondly: we set BIOS passwords to prevent (or make it harder for) the machine to be booted from USB thumb dri

    • There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.

      Um ... no. Flashing the BIOS should be at the discretion of the owner of the hardware in question, and not restricted to software provided by the manufacturer. But I agree a physical switch to prevent unauthorized tampering by third parties is a good idea.

    • by blair1q ( 305137 )

      on your smartphone?

  • by meerling ( 1487879 ) on Wednesday September 14, 2011 @11:46AM (#37400326)
    It tried to overwrite it with garbage, thus corrupting it. Kind of like blowing up your car with dynamite isn't the same thing as stealing it.
    Most of the time all CIH succeeded at was trashing the BIOS settings stored in CMOS. Clean the infector, reset the BIOS, save the changes and you were done.

    It's amazing how low the understanding of what malware is and does has fallen. By the way, the antivirus industry has been aware that it would be possible to write a bios infector the moment software the update-able bios became available. Fortunately most writers of malware are pretty incompetent as far as programming goes, though this did take about 6 years longer than I expected.
    • by fnj ( 64210 )

      Most of the time, yes, that's reassuring, but you're implying there is some of the time when it succeeded in actually infecting the BIOS in a non-bricking way.

      • by GSloop ( 165220 )

        No, CIH was a virus that trashed the BIOS as part of it's payload.

        On some systems it was unable to modify the BIOS and so the *payload* wasn't delivered - so to speak. But it never "infected" the BIOS - in that there was never any attempt to get running code in the BIOS.

        And if somewhere somehow it placed running code in the BIOS, it should be viewed as like a million monkeys at a million keyboards. Eventually one will type something readable.

        That's a FAR, FAR cry from writing code that intentionally infects

  • by billcopc ( 196330 ) <vrillco@yahoo.com> on Wednesday September 14, 2011 @12:05PM (#37400552) Homepage

    Preface: I know a thing or two about BIOS hacking.

    Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be, ? Many of them only have 2MB, already close to capacity with just the stock BIOS. This doesn't leave a whole lot of space for adding an attack module, and it would have to do some fancy footwork to survive past the protected-mode switch. Modern operating systems don't use the BIOS at all past the bootloader, once the native device drivers take over. It might be possible to punt out some other chunk of the BIOS to make room, but that's playing with fire. If the machine becomes unbootable, the rootkit won't get very far.

    CIH was a very trivial virus. All it did was blindly clobber things with zeroes. It had no way of "rooting" a box. It would simply toast your OS, and if your BIOS chip supported the one flash command CIH knew, it would blank that out as well, rendering your machine unbootable. That's what we get for outsourcing even our virus writing ot China :P

    • The only payload they need is to load the MBR from somewhere unexpected (i.e. probably one address change). This ensures all the current AntiVirus code will be scanning the wrong MBR and given a false negative.

    • I would imagine it loads some item as an option ROM, reads more code from disk at a fixed offset location, loads into a modified bootloader that loads the actual payload then steps back to the real MBR to bring up the host OS. The BIOS code can be fairly trivial at that point, but hides that the MBR has been compromised by leaving the original MBR intact.
      -nB

    • Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be, ?

      Just loading a different sector than the standard MBR sector on startup (maybe after a check that the virus code is there, e.g. by CRC) would probably already defeat a lot of tools protecting against MBR infections. Your "MBR" disk virus would no longer reside on the MBR, and thus not be detected/protected against by the standard antivirus code. Doing so should in the simplest case (no check) require t

    • by cachimaster ( 127194 ) on Wednesday September 14, 2011 @12:31PM (#37400914)

      Preface: I know a thing or two about BIOS hacking.

      Me too, I did it several times. Not too hard if you have several motherboards to waste :)

      Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be, ?

      Well apparently this was found on the wild, working.

      This doesn't leave a whole lot of space for adding an attack module.

      You don't need very much if you know assembly. 512 bytes (yes, bytes) is enough for a very good win32 shellcode with network access. I have found anything from 1KB to 30 KB free memory, and you always can trash unused ROM extensions or bitmaps.

      Modern operating systems don't use the BIOS at all past the bootloader

      This is incorrect. Most operative system uses the BIOS well past the bootloader to get the memory map, VGA mode setting and other stuff like setting up BIOS32 structures, even if the are not used later.

      It might be possible to punt out some other chunk of the BIOS to make room, but that's playing with fire. If the machine becomes unbootable, the rootkit won't get very far.

      True, but BIOS persistence is only an additional vector. If it detects an incompatible BIOS, it simple don't use that way to persist on the system.

    • Comment removed based on user account deletion
  • Can we really trust sky-falling advisories from companies such as Symantec? #ProfitMotive
  • by Truekaiser ( 724672 ) on Wednesday September 14, 2011 @12:28PM (#37400860)

    Expect more of this. a full command environment with access to all the hardware on the system before the os boots? it's almost as if it was written 'for' virus and malware makers.

  • My house mate and I caught a virus back in 1997 that infected executables, MBR, and lodged itself in his BIOS. He had to run McAfee 7 times before it finally cleared out. A BIOS infecter isn't new.

    Flash BIOS is a convenience to manufacturers, normal end users usually couldn't give a shit. They have no idea what it is, what it does, or why they should care. If it doesn't make their system play games or run Office faster, they don't care.

  • Real old school, and I am very surprised we even allow this to happen even today after all this time.

Computer programmers do it byte by byte.

Working...