Rootkits Head for Your BIOS

Artem Tashkinov wrote to mention a SecurityFocus article which discusses a disturbing new threat to computer security: Rootkits that target a computer's BIOS. From the article: "One rootkit expert at the conference predicted that the technology will become a fundamental part of rootkits in the near future. 'It is going to be about one month before malware comes out to take advantage of this,' said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. 'This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in.'" Update: 01/27 14:28 GMT by Z : John Heasman wrote with a link to the slide presentation on this topic given at the Black Hat Conference (pdf).

Really?

[TheRealMindChild]

Where are such tools? If I knew such things existed, I would have experimented in "bricking" some of my machines YEARS ago

Re:Really?

[Shanep]

Where are such tools? If I knew such things existed, I would have experimented in "bricking" some of my machines YEARS ago

Well there is UNIFLASH [uniflash.org] with source code. Then there are the likes of CBROM and AMIBCP to modify BIOS images and remove and add/enable drivers, functionality and boot screen graphics. Here [goe.net] and here [dstyles.de] are good places for info and tools.

Re:Really?

[MadTinfoilHatter]

I hear Sony is working on a version of their own, as well...

In the Good Old Days

[VernonNemitz]

Early computers came with "Mask ROM", which couldn't be reprogrammed, and were only inexpensive if manufactured in large quantities, but they were ABSOLUTEY proof against software manipulation. As a compromise, I'd like to get a "simple" PROM technolgy into the BIOS socket. These are programmable ONCE (like a CD-R), and COULD be made such that after being burned that once, never can they have anything added to it (the way a CD-R can be blocked for further recording into blank areas). Maybe I should be a little more specific. Suppose a new empty PROM has every bit set to '1'. Burning the PROM constitutes permanently changing certain bits to '0'. If not "closed", then malware could do an additional burn and change some of the '1's that you wanted to keep into more '0's, thereby trashing the BIOS. Yes, I know that this overall notion is inconvenient when you want to update the BIOS (you need a brand new blank PROM, every time). I'll accept that as the price to keep malware out of my BIOS, thank you!

Re:In the Good Old Days

[fbjon]

Actually, I think it's more because no-one has bothered yet. Users who are incompatible with moving jumpers around are likely also incompatible with BIOS updates.

What about EFI?

[Aqua OS X]

What about EFI?

Re:What about EFI?

[ObsessiveMathsFreak]

What about EFI?

That would be an ecumenical matter.

Re:What about EFI?

[damieng]

Seeing as EFI supports drivers and that the OS is to sit on top of EFI any rootkits there could hide whatever they wanted from your OS....

Unless of course your OS exposes the EFI configuration and drivers too...

[)

Re:What about EFI?

[TClevenger]

So will the EFI still be a Class 2 Relic after they remove it from... you know.

Re:What about EFI?

[Shanep]

What about EFI?

What about OpenFirmware in my Sun machines with the PROM read-only jumper set ON?

; )

Re:What about EFI?

[lintux]

I guess EFI machines have ACPI microcode somewhere too, should be just as easy to change it, unless for some reason they don't store it on flash. This is about changing ACPI code (that is probably not just active at boot-time only, like with most of the BIOS code, now that DOS is dead...), which is there in any recent (x86) machine AFAIK.

Re:What about EFI?

[Burz]

A new EFI system is what you're supposed to buy in response to BIOS-scare stories.

That's what about EFI.

Re:What about EFI?

[Anonymous Coward]

Now they are sending rootkits after my Electronic Fuel Injection too?

Solution

[CastrTroy]

They should just make the motherboard have a physical switch on it that stops your bios from getting written to. For the number of times i've had to flash my bios, it'd be a small price to pay to have to open my computer , just to have the piece of mind that some virus wasn't overwriting my bios. If it was a software setting, then there would be a way around it, but if there was a physical switch, that disconnected the write lines, then it would probably be pretty hard for a hacker to get around that.

Re:Solution

[Benanov]

The problem is, think of Joe Sixpack updating his own...

Wait. Never mind. Joe Sixpack almost would never flashes a BIOS, because he still calls the tower "my hard drive."

Re:Solution

[elrous0]

he still calls the tower "my hard drive."

I still have to explain to my parents that the box beside the monitor is actually the computer. They think it's built into the monitor.

-Eric

Re:Solution

[cogg]

I still have to explain to my parents that the box beside the monitor is actually the computer. They think it's built into the monitor.

You can blame apple on that.
*ducks*

Re:Solution

[Anonymous Coward]

How 'bout adding BIOS backup to your system backup chores. Any board I've ever worked with has a flash utility that lets you save your current BIOS contents.

1. make a bootable floppy
2. put the MB's flash utility on it
3. learn how to use the flash utility - particularly how to save and restore a bios to/from a file.
4. use the flash utility to copy the current bios to disk.
5. put the disk somewhere, and remember where it is when EVIL_BIOS_TRASHING_R00T_KIT comes knocking.

Re:Solution

[pilkul]

And Joe Sixpack who thinks he's a computer expert calls it "the CPU". That one always drives me up the wall.

Re:Joe Fourpack would flash the bios if...

[Anonym0us Cow Herd]

Joe Fourpack would flash the bios. All he would need is an e-mail instructing him that if he updates his computer by flipping this bios switch thingy and then clicking OK, he will be able to play the attached new pr0n file.

Note that Joe Fourpack is two short of a sixpack.

Re:Solution

[gEvil (beta)]

Covered in the article: "However, the ability to flash the memory depends on whether the motherboard allows the BIOS to be changed by default or if a jumper or setting in the machine setup program has to be changed."

Granted, a lot of mobos don't require changing a jumper to flash the BIOS, but it seems that some do (none that I've encountered, though).

Re:Solution

[gEvil (beta)]

Okay, this line from TFA got me wondering: "Almost all machines have a physical protection, such as a jumper on the motherboard, against flashing." I just downloaded a PDF of the owners manual for my mobo (Abit NF-7 S2), and there's no mention of a jumper to write-protect the BIOS. It looks like the only way to protect the BIOS is via the password, which wouldn't protect it from being overwritten by one of these nasties. I don't recall this jumper being present on any of my other Abit boards either. What ma

Re:Solution

[networkBoy]

I have two boards (intel) that require a jumper to even get into the settings. It has to be there to flash the chip as well.
-nB

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Solution

[NewToNix]

Granted, a lot of mobos don't require changing a jumper to flash the BIOS, but it seems that some do (none that I've encountered, though).

Every ASUS board I own has a jumper (and I have a lot of different model ASUS boards in use - over twenty anyway).

I don't know if all ASUS boards have BIOS jumpers, but all of mine do.

So now I guess I'll be putting those jumpers in non flash mode.

One more annoyance - but at least I got lucky that they all have the jumper.

They are all AMD boards (I don't use Intel,

Re:Solution

[MBGMorden]

I've seen some Biostar motherboards that do this. My guess (and it's just a guess) is that Biostar is more often used by the "screwdriver shops" in the computer they build for customers, so they include features like this to help the shop keep the customer from messing a system up (ie, flip the switch to disable BIOS writes - If they aren't smart enough to figure out that you need to turn the switch back off, then you probably don't need to flash a BIOS).

Other brands more common in hobbyist PC's (Abit, Asu

Simple Solution

[squoozer]

Just make damn sure that there are no (huge) bugs in the bios and burn it to a chip that can't be flashed. I admit that this is perfect for _everyone_ but I'd bet that 99% of computers never have the BIOS flashed so why make it writeable at all. The people that might want to flash their BIOS are probably also the sort of people that would pay a little more for an flashable version. Assuming you want a fairly generic BIOS that will work for a number of machine configurations make one with a tiny bit of writa

Re:Simple Solution

[SilverspurG]

One of the reasons why BIOS is flashable is to help the manufacturers. Oftentimes they have the hardware but they don't have the code written yet. Take the Dell D800 laptops for example. When they first shipped the external audio and S-video ports were nonfunctional because they hadn't written the software to put the wires together internally yet. It wasn't until rev. A13, maybe A14, of their BIOS that these ports were enabled. The D800 that I was privy to shipped with BIOS rev. A11.

Re:Simple Solution

[sjames]

In general, flash BIOS issues are poorly addressed in mainboards. They SHOULD have a write enable jumper, but they don't. Instead, there's usually some undocumented GPIO line that must be set high and a poorly documented southbridge register bit to set. In a single move they deftly prevent many from doing what they want with their own hardware and fail to protect everyone else.

Several chipsets have features to aid in recovery by swapping the top and secodn block in the address space when a jumper is set. The idea is that you never update the emergency block at all, and if an update goes wrong, you can recover with a jumper. I have yet to see a board that doesn't leave those pins disconnected.

They COULD place the emergency recovery sector in ROM, but they never do.

To make matters worse, the current trend is to solder the flash directly to the board. I suppose they save that all important penny by not using a socket.

They could have 2 flash chips and a jumper to toggle which one is enabled, but I've only seen a few blade servers that do that. (that sure would have helped those unbootable iMacs [slashdot.org]

Many newer flash chips have lock registers that once set write protect the corresponding sector, and a lock down bit that disables unlocking until power cycled. The BIOS COULD have an option (defaults to yes) for locking down the BIOS before calling the bootloader, but they don't.

There's absolutely no good reasons not to protect flash from unwanted updates AND provide absolute safety when you DO want to update.

Re:Simple Solution

[jeffy210]

"So, wouldn't the better solution be for manufacturers to not ship broken hardware as production units?"

They wern't broken units. The hardware functioned fine, the paths were there. They were just lacking the software support to enable it. So rather than retool their whole fabrication process just to have a model without S-Vid, it's easier to ship it without it enabled. Though I wish I would have known about that earlier. I had a D800 A01 and for the life of me I could never figure out why the S-Vid wasn'

Re:Simple Solution

[gEvil (beta)]

I believe this ties in with the article from a few days ago about the 34 bug found in the Intel Core Duo. [slashdot.org] In the comments, it was mentioned that a lot of these flaws are corrected in microcode rather than redesigning and refabbing the chip. Correct me if I'm wrong, but aren't these microcode updates contained in the BIOS updates? If so, then the need for BIOS updates goes beyond just having the motherboard hardware bugfree.

Re:Simple Solution

[KarmaPolice]

I believe this ties in with the article from a few days ago about the 34 bug found in the Intel Core Duo. [slashdot.org] In the comments, it was mentioned that a lot of these flaws are corrected in microcode rather than redesigning and refabbing the chip. Correct me if I'm wrong, but aren't these microcode updates contained in the BIOS updates...
You're wrong. The microcode is a rom on the processor that gives bitmasks to the entities in the processor. The microcode can be several lines for a single instruct

Further off-topic: Firmware upgrades.

[Myself]

I have a great follow-on idea: How about writing a perfect OS, so patches are never needed?

Seriously, even your cellphone is complex enough to need bugfixes via firmware updates. Better testing would be nice, but until then, I'd prefer fixable bugs over unfixable ones.

However, nothing sucks worse than having a bug that you know can be fixed, and a manufacturer who's abandoned the product line. That's the argument for open firmware, where the users can support their own devices long after the commercial ince

Re:Solution

[Jeff DeMaagd]

The old Matrox video cards had a "write protect" DIP switch that would prevent or allow video BIOS flashing. It might have been something to prevent errant code from messing things up, I don't know.

Re:Solution

[SatanicPuppy]

Most motherboards have a jumper setting that prohibits BIOS flashing. I always set mine, just to make me think a few times before I go ahead and update my bios.

Really, there is no reason why that can't default to "on"...Anyone who's going to need to flash a bios ought to be savvy enough to pull a jumper off a motherboard.

Thinkpads don't have jumpers

[hal9000(jr)]

At least the ones in the T and G series either don't have jumpers, or they are shipped with the jumpers set to enable. I have had to flash my BIOS a few times on different models and opening the case would have been a real hassle.

Re:Solution

[darkmeridian]

iMacs require the user to hold down a button on the case in order to flash their ROM.

Re:Solution

[Stan Vassilev]

Another solution in software: have the BIOS password be required to flash your BIOS.

Not all people have passwords on their BIOS, but that'll teach em...

But switch would default to ON.

[antdude]

Even if there was a switch, it would enabled by default. :(

Re:Solution

[CastrTroy]

No, on the inside would stop it from being tripped by accident, or by users who have no idea what it does and decide to start playing with it. Also, all updates to the BIOS should just be stored on a secondary chip, and have to be confirmed when the user boots up the next time before it is copied to the actual bios. And there should be a third read only chip containing the original bios, which could somehow be loaded in the case of an emergency/mistake. BIOS chips can't really be that expensive, so putting extra security measures in place to not get your system hosed are important.

Re:Solution

[Dave_M_26]

And there should be a third read only chip containing the original bios, which could somehow be loaded in the case of an emergency/mistake. BIOS chips can't really be that expensive, so putting extra security measures in place to not get your system hosed are important.

Gigabyte have had this for a few years now. They call it Dual Bios.

Dave

Re:Solution

[Peeteriz]

Electronics component manufacturing is so low-margin that if you can save 25 cents per unit by not putting a chip there, that might easily double your profit. And spending 25 cents more per unit can turn it from a profit making item into a loss.

These small things do add up to real money, and margins are so low that nobody will add anything unless it's a feature that makes sales (and no, "slightly better security measures for motherboard " are not something that Joe Sixpack will notice on the feature list).

Re:Solution

[Peeteriz]

Well, that's the point.

    For everyone that builds his own computer, there are a hundred Dell's, so in any discussion of potential rootkit spreads and security situation of the whole networked population, you can just disregard anyone with self-built computers and premium motherboards (which could have the backup BIOS'es proposed in the post above), since their impact on the total situation is completely insignificant.

Re:Solution

[ScottCooperDotNet]

Real Estate on motherboards is costly. Think of Shuttle PCs and notebooks, where would they keep the 3 BIOS chips you're recommending?

write protect swith

[Anonymous Coward]

it worked for floppy disk.. I want a little hardware switch that cuts the write lines @ the bios

Disable writing to the BIOS?

[raygundan]

Is there an easy way to disable BIOS writes? A jumper or some such? The sort of person who would be upgrading their BIOS could reasonably be expected to move one jumper.

I have always wondered why viruses didn't do this before-- virus rewriting tools are all over the place waiting to be bundled up with a worm for internet delivery.

BIOS viruses and Chernobyl revisited

[Daruka Krishna Das]

All this talk of rootkits, but little about BIOS viruses.

I have a scary scenario for y'all.

A virus that spreads over networks, stays quiet until a certain date/time GMT and then BOOM wipes the BIOS of hundreds of thousands of Windows boxes around the world in one fell swoop.

Can you spell "Black Screen of Death"?

Does anyone remember the Chernobyl virus? It worked on a good number of BIOSes, even though it was poorly written. Imagine if someone took the time to do it right.

Re:BIOS viruses and Chernobyl revisited

[SimonH_1978]

Ah yes, I remember it well. It took out 25 of our PC's in one day, all because Management figured that they didn't like paying the annual Dr Solomon AV subscription fee. Needless to say, they do now.

We were lucky in that it didn't wipe the BIOS, just the FAT on the hard disk IIRC.

This isn't anything new . . .

Hoglund?

[IamTheRealMike]

Though this does not and should not reflect upon his findings or the articles, it should be noted that Hoglund is not only a rootkit "expert" but also a blackhat who enjoys developing cheats for World of Warcraft. When the Warden came out and put a stop to this little business [interesting-people.org] his Wow!Sharp software got nailed and (presumably) he began losing money.

In other words, anything this guy says or does is in my mind suspect .... he writes rootkits and other forms of "attacking software", so for all we know this asshole is getting ready to post example code to the net. It wouldn't be the first time.

Re:Hoglund?

[SilverspurG]

He's also the author of a well-known book on rootkits. It's a pretty good read. Maybe you should revise your ill-informed personal opinion.

He doesn't just write rootkits. He teaches seminars on how to write them. He's not a blackhat any more than the this guy [slashdot.org]. I guess that puts you on par with Oracle.

Re:Hoglund?

[Eivind Eklund]

That's very much a point of view issue. Most people that aren't gamers would disagree, I think.

In my book, it's not a black hat issue. Black hats steal, destroy, and break laws. Game cheats mostly do not do this. What they do is create a tool for helping a user. Sure, this mess with game balance, as long as the game is based on the user having limited reaction ability etc. My view (as a programmer, former games programmer, former security consultant, former black hat, etc) is that that's basically t

Re:Hoglund?

[7-Vodka]

I see, let's evaluate the situation:

1. He wrote a program that helped people cheat in a game (Oh noes, what a evil black hatter) -3 brownie points

2. He helped uncover a commercial company's SPYING program to catch you cheating at said game which can also spy on you in all sorts of law-breaking ways (let's see blizzard try to pull this shit in england where they have REAL privacy laws) +300 points

Giving him a total of 297 brownie points. This actually makes him the equivalent of a girl scout.

Re:Hoglund?

[F_Scentura]

"2. He helped uncover a commercial company's SPYING program to catch you cheating"

Blizzard makes this program known through the licensing agreement. While that's not quite an obvious admission, this guy's not some valiant knight. He's an obnoxious twat that can't sell his cheat software anymore. Oh nos!

"at said game which can also spy on you in all sorts of law-breaking ways (let's see blizzard try to pull this shit in england where they have REAL privacy laws) +300 points"

It doesn't though, and Blizzard ha

Re:Hoglund?

[IamTheRealMike]

The Warden doesn't "spy" on you, that's a ridiculous assertion ... what it did/does do is hash various bits of data including open window titles then send the hashes to Blizzard for checking against a database of known bad signatures (ie cheating apps). Hashes are one-way, there's no method Blizzard has for finding out what porn you're surfing, and they're unlikely to care even if they could.

In other words, at no point is the actual title of any windows transmitted.

Let's review this situation:

• Hoglund makes money off letting people cheat in WoW. This damages the enjoyability of the game for many people, making him in my mind what is commonly called an "asshat".

• Blizzard hand his backside to him on a plate [wowsharp.net] when the Warden becomes a polymorphic, encrypted maze of interlocking checks and scans.

• He writes some bullshit article comparing the Warden to spyware, despite it sharing no characteristics with spyware at all. It doesn't try and prevent itself being uninstalled, users are perfectly aware it is there and comes with WoW - many like it, as it helps make the game fairer - and it does not send personally identifiable information back to Blizzard. In fact the hashing seems to have been put in specifically in order to preserve privacy.

It amazes me that such a transparent piece of bullshittery could have got as much press as it did, given that it's clearly a case of him trying to spite Blizzard after they shut down the money-making business of Wow!Sharp (it only went open source after they felt it had become useless). Ever since this sordid incident, Hoglund has been a dirty name to me and many others familiar with it, and I don't trust him at all.

Like I said, it wouldn't surprise me a bit if he released code showing how to hack the BIOS, just like he teaches people how to write rootkits despite them having (as far as I'm aware) no legitimate uses.

Long live security by obscurity.

[jotaeleemeese]

And long live to the assholes that keep proposing it as a sane method to keep things secure.

How does he make a buck now

[Burz]

...by scaring people into upgrading to newer DRM'd systems?

It makes me wonder.

If McAfee can cry wolf to get Mac users to subscribe, then I wouldn't be surprised if Hoglund accepted pay to write something like this.

Obligatory smug Mac user comment

[Hieronymus Howard]

I've just switched to Macs after 17 years of PC ownership* (Dos, then Windows, then Linux). Boy, am I feeling smug right at this moment.

* I first typed 'ownershit' by mistake - Thinking about it, this might actually be a more accurate word to describe the joys of being a PC user.

Re:Obligatory smug Mac user comment

[ObsessiveMathsFreak]

I've just switched to Macs after 17 years of PC ownership* (Dos, then Windows, then Linux). Boy, am I feeling smug right at this moment.

There are layers or irony here [slashdot.org] I just can't begin to elucidate on.

Re:Obligatory smug Mac user comment

[tpgp]

Obligatory smug Mac user comment

You mean Obligatory offtopic pro-mac (and doesn't understand the issues invloved) troll?

I've just switched to Macs after 17 years of PC ownership* (Dos, then Windows, then Linux). Boy, am I feeling smug right at this moment.

1) PC stands for 'Personal Computer' this is what your mac is.
2) Mac Bioses are flashable.
3) You were just as safe under linux (if not safer) then you are under a Mac.

* I first typed 'ownershit' by mistake - Thinking about it, this might actually be a more

Re:Obligatory smug Mac user comment

[ceeam]

Why do (some) mac people feel the need to but into any discussion with their pro-mac trolls?

Why do (some) linux people feel the need to but(t) into any discussion with their pro-linux trolls? ;) /ducks

Re:Obligatory smug Mac user comment

[Creepy]

technically, you're not safe from this on any OS that uses BIOS, though the deployment method may depend on Windows. I don't think EFI offers much help, either, as I've read that it includes a BIOS emulation layer that may be exploitable, so Intel mac users shouldn't be too smug.

For that matter, it would be possible to write a cross-platform executable if the interface to ACPI is written in x86 assembly without dependence on any libraries (target the instruction set rather than the OS).

sigh... someone will proabably exploit programmable GPUs next.

Re:Obligatory smug Mac user comment

[SilverspurG]

It's not even about the OS anymore. Take my FIC PA-2013 mobo. There are LM75 sensors under the CPU chip. They're there. They're labelled on the mobo. They do not work. The mobo user's manual has a screenshot of a temperature settings page. I've never ever ever seen it on my system. The wires are there but the consumer released BIOS simply does not put the wires together.

People can say that their OS does not rely on BIOS all they like. The fact is that there are some things which require the right b

Hard switch or external tool

[digitaldc]

"It is going to be about one month before malware comes out to take advantage of this," said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. "This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in."

Maybe add a physical unit that you need to move by hand in order to change the BIOS or Flash memory.
Or, if you suspect your computer has already been compromised, use an online/flash drive/external detection tool (independent from the O/S and all software) can be run to find out if you computer has been infected. (It works for the Microsoft Security guys)
The tool would have to check the computer's flash, BIOS, and currently running programs and notify you if it is being blocked/disabled/changed...and then fix the problem or tell you what to do to fix it.

What will be interesting

[HangingChad]

Is when security companies start checking for BIOS rootkits is if they find something there already staring back at them.

I'm wondering at the possibility this has been done before and not detected because no one looks there?

Re:What will be interesting

[SilverspurG]

You've really hit the nail on the head. Consider the state of consumer level security. Cookies? Does anyone really believe that cookies adhere to their "personally identifiable information" policy? Why is there no option to save your list of cookie sites? With respect to malware and viruses: Does everyone truly believe that the worst viruses do nothing more than propagate as proof of concept?

Consumer level security is a game of pointing the people to the right while stealing their wallet from the left

Re:What will be interesting

[ehrichweiss]

I was at a 2600 Magazine [2600.com] meeting back in 1993 and was talking with some FBI agents, who were actually semi-knowledgeable suprisingly, about how they had found some holes in BIOS code that was big enough to fit a virus into and how it had already been accomplished. I checked into it a bit and the BIOS they described had like 120 bytes of writeable memory which was more than enough for the foundations of a virus.

Awfully specific

[truthsearch]

It is going to be about one month before malware comes out to take advantage of this.

That's an extremely specific prediction. I think we know who they should look at first when these rootkits show up...

Re:Awfully specific

[Alioth]

Hrm. Just imagine if these root kits were destructive to the BIOS. The amount of spam would fall by an order of magnitude overnight, since the malware would be taking out the spam zombies.

one-button functionality is to blame

[AndyST]

There are two contradicting principles here.

1. a hardware jumper on the motherboard, the BIOS flashing procedure with a floppy disk, done by some tech-savvy user.
2. the average non-technical home user wants one-button simplicity

Many home users want that second kind of functionality. Partly because they don't want to bother with the details, partly because they are mentally challenged. They really like to be able to update the Computer's BIOS as easy as visiting a web site or running any kind of program. Unfortunately, this is what they get. And so do we.

Re:one-button functionality is to blame

[lxs]

The average non-technical home user shouldn't be messing around with the BIOS in the first place.

Re:Poor design is to blame

[lxs]

I wonder, do you do you perform your own appendectomies too?

If you want to mess with your computers internals that's fine by me, but don't go crying that IT'S TOO HARD!!! Get the expertise, it's freely available on teh intarweb, and do a proper job. If you can't do it, that proves that it's a valuable skill and you should pay someone else to do it for you.

(I know, responding to an AC is a sign of madness, like talking to trees)

Re:one-button functionality is to blame

[Arimus]

Mention flasing your bios to the average home user and you'll get typically one of two responses:

One an offer of much more interesting time than you planned for, or more likely,
a threat of arrest for obscene behaviour :)

Re:one-button functionality is to blame

[Zaiff Urgulbunger]

One specific time I had to upgrade my BIOS was on a Packard Bell iGo 4450 laptop (aka NEC Vesa something or other) because when using a Netgear WG511T PCMCIA wireless card, it would just lock up after a minute or three of use. Updating the BIOS to a newer version fixed this.

My point is that all this kit is totally consumer grade stuff... although I agree that likely the "average" user would need to get someone "professional" (in quotes, because I need to include PC World employees!) to do this, not least

Took long enough

[SilverspurG]

I'm glad people in the mainstream are beginning to notice this. I saw proof of concept BIOS trojan code as early as '99. It honestly changed my view of the internet, law enforcement, and all of society. While everyone else is busy labelling each other,"Paranoid conspiracy theorist" I've been sitting back thinking,"You dumbass. He's probably right." In all reality the NSA doesn't need wiretaps. If they really wanted you they'd have MS serve up a specially crafted banner ad when you check your Hotmail.

Real malware doesn't let itself be known. It sits in the background to aid the people watching you.

Re:Took long enough

[Beryllium Sphere(tm)]

http://www.info-mech.com/drm_dictionary.html#A [info-mech.com]

Check out "Ancoratech", a company whose pitch is to put DRM in the BIOS. At one point they were talking to AMI about including an "identity management" feature in AMI BIOSes. Essentially, a poor man's Trusted Computing.

I get really scared when I think about the proposed BIOSes with system rescue facilities including a network stack. Imagine malware in the BIOS with network access.

Re:Took long enough

[SilverspurG]

What frightened me most was when I found out that my monitor has 64kb of writeable memory--most monitors do. It doesn't take 64kb to save skew/size/color settings. Can you imagine being rooted by X accessing your monitor?

It's truly enlightening when you realize that your computer, most likely, is compromised in some form or another. It changes your point of view for everything that you do on the 'net.

You Young Whippersnappers!

[Anonymous Coward]

Way way back in the summer of 1994 we use to have viruses that would write themselves to the boot sector of our hard drives and some of them would even overwrite our Bios. I wouldn't expect you to know about it, since it happened so long ago but, those were tough times. Some PC manufacturers would even put antivirus detection software in their Bios to detect and prevent these Bios viruses. Sometimes it worked. Other times your system was hosed!

Grandad Admin.

In all seriousness, I am surprised at the lack of malicious viruses today. In yesteryears, viruses wiped out data, wiped out file allocation tables, wiped out Bioses, wiped out PCs. In comparison, todays "malware" seems rather tame or even benign.

Re:You Young Whippersnappers!

[lintux]

Problem with today's malware is that the authors don't want their stuff to be noticed. Not by the owner of the infected machine, at least. They want to continue spreading spam, viruses and credit card numbers for as long as they can. Breaking things on purpose is not the way to go then.

Computer viruses today are hardly an annoyance to their "victims", only to the rest of the world. :-(

Re:You Young Whippersnappers!

[jmorris42]

> In comparison, todays "malware" seems rather tame or even benign.

No, today's malware got serious. Used to be it was kids proving how 133t they were, now it is professionals implanting spyware and rootkits to make spam zombies, both of which are highly profitable. Destroying a machine earns you zero dollars, owning it makes the cash register go DING!

What scares the shit outta me, and should scare everyone else with a clue, is the thought of terrorism via the Internet. Imagine the damage a well heeled outfit could inflict.

Follow me here for a minute. Source code for Windows is out there. Obviously source for Linux, BSD and now Solaris is out there. It isn't just motherboards that have a flash chip. Almost every DVD/CD drive has one and many hard drives even load firmware from flash. Now lets imagine a well funded effort to locate a day zero exploit in two or more popular platforms. And remember, Windows and PC Linux aren't the only ones. Add in Linksys access points, Cisco IOS, etc. While one team works the exploit problem others work on a propagation engine that won't suffer from the crippling flaws seen in previous attempts and a deadly payload. Plant a kaboom in the BIOS instantly, so if the machine is rebooted it, along with the drives, goes bye bye. Then attempt to infect other hosts for 24-48 hours before triggering a reboot into death.

If done correctly it could destroy outright 10-25% (or even more) of the client's on the Internet and a good percentage of the servers, access points and other infrastructure. This alone would probably be enough to tank the world economy, but the real effect would be a widespread FEAR of reconnecting to the Internet. Kiss Google, Amazon, Dell, etc goodbye if that happened.

Re:You Young Whippersnappers!

[sjames]

Like natural biological pathogens, they have evolved over time to avoid killing their host outright. However, I agree with you, in spite of the billions in productivity loosses in recent years, it COULD be a whole lot worse.

Imagine the problems if one of the many worms spread a little more slowly (to avoid alerting the network admin), and then wiped BIOS on a given day far enough in the future to have time to spread, but not so far that it gets detected and cleaned off. Whole companies (even large ones)

Re:You Young Whippersnappers!

[duh_lime]

Why is that surprising?

An owned PC is worth more to an attacker than a destroyed machine. (I'm talking about "large numbers" here, not pointed efforts to take a site/machine down.)

I'm surprised there are *any* large-scale malicious viruses anymore... Only because "ownership" means cash to the person who can deliver the botnets. And, for identity thieves, a crashed machine doesn't serve up personal information.

Follow the money.

Re:You Young Whippersnappers!

[btpier]

Although there are more and more cases of malware authors trying to hold systems for ransom. Being able to take someone off the net via a DDoS or deleting files is a lot less effective than permanently taking out their hardware when the victim refuses to pay up. I too remember the bios AV systems, they were a PITA but effective and necessary.

Temporary workaround?

[murderlegendre]

If the board uses one of the larger DIP style EEPROM BIOS chips, wouldn't it be simple to identify the write lines (from the manufacturer's data sheet)? You could then pull the chip, and 'flag' the associated pins (bend them out, so they no longer enter the socket) and re-insert the chip.

A little tricky maybe, but better than nothing for now..

Re:Temporary workaround?

[Myself]

You could just as easily cut the trace leading to the chip, or slip a bit of mylar film between the pins of a PLCC socket. As another poster pointed out, if it only affects 0.5% of the PC-owning population, it's not a fix for a grand pandemic-scale malware problem.

This needs to be beaten into the hardware makers' heads: Make the thing write-protected by default, or you'll have some incredible problems down the line.

Watch Out!!

[mslinux]

I can't wait until one of these is widespread AND badly written. Once several thousand computers stop booting and are potential ruined (umm... you need a new motherboard... this is not covered under warranty). God help whoever wrote and distributed it. He will hang.

Good thing I don't use the BIOS's code anyway

[quantum bit]

Since my BIOS sucks and is broken anyway (horribly wrong IRQ routing table, references to nonexistent variables in the battery status), I override the whole DSDT with my own AML code and just ignore what the BIOS says.

Of course this is on FreeBSD. Linux has the capability to override the BIOS's ACPI code as well. Unfortunately Windows doesn't -- or more accurately only the checked (debug) builds of Windows do. I can change the annoying S4 behavior of my laptop, but my friend who runs Windows on the same

Re:Good thing I don't use the BIOS's code anyway

[SilverspurG]

You want to talk about broken hardware? I have an FIC PA-2013 mobo which has LM75 sensors under the CPU. They're labelled on the mobo. The sensor is there. But there never was a BIOS released which puts the wires together and makes them accessible to the rest of the system.

If you look in the user's manual there are screenshots of the BIOS configuration page showing the temperatures... that must've been a development screenshot because it was never made available to consumers.

FUD and beware of UFOs

[cyberbian]

This posting is clearly spreading it. This is part of a calculated attempt to fear computer users into accepting Trusted Platform Modules which currently exist as UFOs on the new Intel iMacs. When I say UFOs I mean Undocumented Functioning Object. It's installed on my motherboard. It's true that the TCG has made much of the documentation about their modus operandi and even Apple has some OLD documentation about this, the real agenda here is spreading Fear, Uncertainty, and Doubt about their platforms in the

The Sony BIOS

[doublem]

On the bright side, Sony Vio owners don't need to worry. Their BIOS comes pre-hacked, so there's no room for more malware!

This is why companies are looking to the TPM

[SalesEngineer]

On a platform designed to Trusted Computing Group standards, this type of BIOS hack would be a lot harder to pull off. It's not all about using the TPM for DRM to stop music piracy ... there are legitimate security concerns like this that cause companies & business to look at security standards.

move along.

[Eil]

This is just a bunch of worthless FUD. Programs have been able to write to the BIOS flash ROM for years now. It's not by any means a new concept. What suddenly makes next month the date that all of these thousands of BIOS-infecting rootkits are going to be released?

And what, exactly, would a rootkit or virus want with the BIOS? Does a BIOS even have enough "extra room" to accomodate either? How about platform-independent versions? That's just an idiotic claim if I've ever seen one.

Just sounds to me like this John Heasman is your average "computer security expert" trying to stir up issues and catch some rays in the media spotlight thanks to some worthless but impressive-sounding (to idiots) premise. He needs to go back and finish his MSCE so he can do something useful with his life.

Re:move along.

[SilverspurG]

Heh. We used to write fully functional terminal programs in less than 10k. Many BIOS have capacities of 256k, 512k, or even 1meg. There's more than enough extra room to plant the infrastructure to have a fully functional communication program with Xterm, Yterm, or Punter protocol transfer.

I love how...

[Anti-Trend]

...the article portrays this as an exploitable OS vulnerability:

"We can write a backdoor for Windows that will elevate privilege, and turn around and use the code on Linux."

Problem is, we have to actually exploit and infiltrate the system itself to be able to access the BIOS. Of course having root access to a system one can compromise the system's firmware, given that the the BIOS is not write-protected. Similar virii existed in the '80's, but IIRC they would simply nuke the BIOS to prevent the system fro

Re:From TFA

[oakbox]

I caught that too. I just assumed he was being humorous.

Re:password protect

[mslinux]

Yes, in general, any BIOS can be password protected. On newer Dell systems their flashBIOS utility (which runs from the OS) stops and prompts for a password during the flash process.

Re:password protect

[ScottCooperDotNet]

Can't you password protect your bios from being accessed? Or does that have nothing to do with overwriting it? Someone more knowledgeable give me clue.

Depends on the BIOS, I assume.

I imagine every /.er has run into the person who saw a news story on TV about hackers and thinks a BIOS password is somehow going to protect them. Meanwhile they have a handful of viruses running because Norton AV 2001 expired and they keep closing the warning window.

Re:Bad for new PCs, Good for old ones!

[jacksonj04]

Minor point here, but surely making the BIOS FOSS won't exactly help matters? Admittedly it probably won't make them worse, but how is it supposed to make them better?

Re:Bad for new PCs, Good for old ones!

[smittyoneeach]

Transparency? That which would help both the code, and the government...

Memory protection'n'stuff?

[porneL]

Shouldn't operating system be able to block BIOS updates?

Re:root access needed?

[cyberbian]

The BIOS or Basic Input Output System is a series of low level instructions to help set up the basic functionality of hardware and initialize the bootstrap process. As this device is typically created in hardware in a CMOS (Complimentary Metal Oxide Semiconductor) based firmware usually called EEPROM (Electrically Eraseable Programmable Read Only Memory) you need a low level EEPROM programming utility to access and write to this firmware. As BIOS is after POST (Power On Self Test) the first device initializ