New BIOS Exploiting Rootkit Discovered 205
First time accepted submitter mtemar writes with a Symantec analysis of an interesting new trojan/virus. From the article:"There are more and more known viruses that infect the MBR. Symantec Security Response has published a blog to demonstrate this trend last month. However, we seldom confront with one that infects the BIOS. One of them, the notorious CIH, appeared in 1999, which infected the computer BIOS and thus harmed a huge number of computers at that time. Recently, we met a new threat named Trojan.Mebromi that can add malicious components into Award BIOS which allows the threat to take control of the system even before MBR."
Re:This is what easy over safe design gets ya (Score:5, Informative)
I really, really like what Gigabyte does with their BIOSes. They quite often have 2 on each motherboard, only one of which can be written to. In case of corruption of the primary, you can always boot using the secondary. Wouldn't stop this virus, of course, but it does prevent a corruption based one from hosing your system. Editing BIOS settings from Windows can be pretty convenient, especially if you want to overclock, but it isn't really necessary and probably shouldn't be possible.
Re:Clocks/corporotes/updates/crash dumps (Score:3, Informative)
Re:How complex can it possibly be ? (Score:5, Informative)
Me too, I did it several times. Not too hard if you have several motherboards to waste :)
Well apparently this was found on the wild, working.
You don't need very much if you know assembly. 512 bytes (yes, bytes) is enough for a very good win32 shellcode with network access. I have found anything from 1KB to 30 KB free memory, and you always can trash unused ROM extensions or bitmaps.
This is incorrect. Most operative system uses the BIOS well past the bootloader to get the memory map, VGA mode setting and other stuff like setting up BIOS32 structures, even if the are not used later.
True, but BIOS persistence is only an additional vector. If it detects an incompatible BIOS, it simple don't use that way to persist on the system.
Re:This is what easy over safe design gets ya (Score:5, Informative)
Given that I've worked for a major CPU company and worked with the BIOS developers on more than one occasion as they debugged problems, I think I can say with some confidence that the modern BIOS is more complex by several orders of magnitude over the primitive BIOS you would find in a PC and AT machine. This explosion in complexity means that it's just not financially possible to fund the development to have a flawless BIOS right out of the gate. There are just too many permutations to consider when developing the system to test them all. And even if you did get a "perfect" BIOS out the door, the chips on the board are so much more complex that they never leave the factory without flaws. Ever. And sometimes you just don't find them until they're in the field and you need to supply a workaround.
Re:This is some serious business (Score:4, Informative)
It's not just that it was first discovered by a Chinese security firm. It also appears to be targeted at Chinese PCs. From the original post [webroot.com]:
Makes one wonder who developed it and what the intent was.