bit-tech.net

Researchers create BIOS malware

If you thought that reformatting your hard drive and replacing the operating system was enough to clear out even the most stubborn virus, think again.

The oft-given advice of 'reformat the site from orbit, it's the only way to be sure' in the event of a virus attack may soon be rendered obsolete by new malware capable of remaining resident in a system's BIOS.

Security researchers Alfredo Ortega and Anibal Sacco of Core Security Technologies – as reported over on ZDNet – have successfully demonstrated methods for injecting persistent code into the Basic Input Output System (BIOS) of a computer, with the result that the infection is capable of surviving a complete OS reinstall and even a BIOS flash.

The code has been run successfully on both Windows and OpenBSD, and even on a virtualised system under VMware Player. In all cases the infection re-initialised itself each time the computer was rebooted, and even removing and re-installing the hard drive did not clear the malware from the system.

Speaking to Threatpost.com, Ortega claimed that the pair could “put the code wherever we want.” Although the current demonstration is a proof of concept, the pair are working on a fully implemented rootkit – which would provide complete control over an infected system, even after a full OS reinstall – with Ortega saying that they can “patch a driver to drop a fully working rootkit,” and that the pair has “a little code that can remove or disable antivirus.”

While the malware developed by the team is certainly persistent, infection is not a trivial matter. The pair readily admit that the code is only of use to an attacker who has already compromised a system by traditional means – or who has physical access to the box. In either of these cases, however, it certainly holds the possibility of making cleanup significantly more complicated.

Does the thought of resident malware that can survive an OS reinstall leave you worried, or do you think the techniques are beyond your average VXer? Share your thoughts over in the forums.
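A defender-side check that follows from the article's point, added here as an example (not code from the researchers, Core Security or bit-tech): dump the flash contents and compare them sector by sector against the vendor's known-good image, reporting modified sectors and any bytes appended beyond the reference length. The 4 KiB sector size, the image contents and the patched offsets are all constructed for the demonstration; note that a dump read through the running OS can be falsified by the very code it is looking for, so the read should come from an external programmer.

```python
import hashlib
from typing import Dict, List

BLOCK = 4096  # assumed flash sector size used for block-wise comparison


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_firmware(reference: bytes, dumped: bytes, block: int = BLOCK) -> Dict[str, object]:
    """Compare a flash dump with a known-good vendor image.

    The report says whether the whole image matches, which blocks (by offset)
    differ in the region both images share, and how many bytes the dump has
    beyond the reference length (a re-flashed image with extra code attached
    grows past the original) or is missing from it.
    """
    common = min(len(reference), len(dumped))
    modified: List[int] = [
        off for off in range(0, common, block)
        if reference[off:off + block] != dumped[off:off + block]
    ]
    return {
        "hash_match": sha256_hex(reference) == sha256_hex(dumped),
        "modified_blocks": modified,
        "appended_bytes": max(0, len(dumped) - len(reference)),
        "missing_bytes": max(0, len(reference) - len(dumped)),
    }


def constructed_image(size: int, seed: int) -> bytes:
    """Deterministic filler standing in for a firmware image (constructed, not real firmware)."""
    out, x = bytearray(), seed
    while len(out) < size:
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF  # simple LCG, enough for filler bytes
        out += x.to_bytes(4, "little")
    return bytes(out[:size])


# Constructed sample: a 64 KiB "vendor" image, and a dump of the same image with
# 16 bytes patched inside the sector at 0x8000 and a 512-byte blob appended.
REFERENCE_IMAGE = constructed_image(64 * 1024, seed=1)
INFECTED_DUMP = (REFERENCE_IMAGE[:0x8010] + b"\xaa" * 16 + REFERENCE_IMAGE[0x8020:]) + b"\xcc" * 512

if __name__ == "__main__":
    for name, dump in (("clean dump", REFERENCE_IMAGE), ("infected dump", INFECTED_DUMP)):
        report = compare_firmware(REFERENCE_IMAGE, dump)
        print(name, report["hash_match"], [hex(o) for o in report["modified_blocks"]], report["appended_bytes"])
```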

29 Comments

Bauul 24th March 2009, 13:33 Quote
At least they've developed something now in a controlled environment, giving software devs time to patch any holes, than something like this appearing in the wild.
GFC 24th March 2009, 14:14 Quote
Man, this thought is scary, viruses that don't die from an OS reinstall.. I feel like I'm gonna have nightmares tonight.. :p scary!
DXR_13KE 24th March 2009, 14:17 Quote
ow f***!
Neophyte4Life 24th March 2009, 14:40 Quote
initiate zombie plan......NOW!!!!
Turbotab 24th March 2009, 14:44 Quote
If the cyber criminals managed to get an inside man/woman at a motherboard factory, that would be uber scary, given that the article states that the malware can even survive a BIOS flash. It is not like well-known companies haven't shipped products with unwanted 'bonus' features before.
dyzophoria 24th March 2009, 14:53 Quote
I see this as a threat to servers where there is little to no interaction from admins. On a fully secured server that is monitored regularly, I doubt this is a threat. Now if you are worried about "it" infecting your PC, the only way I can see this happening is if you have a really drunk friend in your room who is really pissed at you and decides to flash the BIOS on your motherboard. The threat is clear, but the way to execute it?... is honestly.. ridiculously/insanely impossible/tough/difficult.
Nicb 24th March 2009, 15:09 Quote
Quote:
The pair readily admit that the code is only of use to an attacker who has already compromised a system by traditional means – or who has physical access to the box.

I know no one that is capable of doing this to my computer, I'm a lone ranger with non-tech friends. :( If there was somebody, I have two guest computers in the house they would use, and I'm guessing you have to have admin privileges to do this, which they would not. My computer,.... no one gets on, and if so they would have to get past security and decrypts first, what a challenge. :)

I have a huge library of viruses, Trojans, malware, rootkits, creators, etc. Can't wait to add this to the library one day. I don't use them. I just quarantine them and keep them, like preservation of once wild animals now for study.
proxess 24th March 2009, 15:31 Quote
Tho this was done in a controlled area, now cyber criminals know it's possible! Sooner or later someone will find out how, and it'll start off with school or public computers.
bogie170 24th March 2009, 15:54 Quote
Well, the motherboard manufacturers must now look at a way to combat this as it's bound to get out in the wild before too long.
Evildead666 24th March 2009, 15:55 Quote
How the HELL are we supposed to get an AV scanner in the BIOS ?
Is the BIOS gonna have to get bigger to adapt ? lol.

Get a typewriter... ;)
GoodBytes 24th March 2009, 16:06 Quote
When I update my BIOS, I need admin rights under Vista.
Soooooo.... This should not be any problem, unless I am dumb to allow permission to "picture.exe".
Same applies to Major thread. If I put a USB stick... I would be prompted for Admin... again a failed attempt.
Turbotab 24th March 2009, 16:07 Quote
Quote:
Originally Posted by Evildead666
How the HELL are we supposed to get an AV scanner in the BIOS ?
Is the BIOS gonna have to get bigger to adapt ? lol.

Get a typewriter... ;)

Somebody could swap the keys on the typewriter, you've been hackereeeerd:)
n3mo 24th March 2009, 16:36 Quote
Oh lol. I love it when the "researchers" claim that they did something new. This technique has been known for years; it was a side effect of researching new PDoS methods. Not really popular or widespread in any way, it was used to target specific machines. Also not a threat at all, at least for now, as it requires lots of code (basically, due to the wicked ways manufacturers implement the BIOS, you need to know the specific addresses to put your data in; if you erase or overwrite too much, or anything at all on some boards, you end up with an unusable BIOS).
Only good for attacking specific machines, too many different BIOS implementations to write code "good for all motherboards".
dicobalt 24th March 2009, 16:58 Quote
The thought of a reflash not removing the virus from the BIOS is what is truly scary. Who cares about the OS install, that's something I would do in the event of an infection anyway.
Golygus 24th March 2009, 17:11 Quote
Push forward the development of EFI and make it secure.

I guess physically replacing the BIOS chip with a new one which contains a clean BIOS would get it shifted...

I see soo many infected systems, I can see how this will be a problem!!
Evildead666 24th March 2009, 19:05 Quote
Quote:
Originally Posted by Turbotab
Quote:
Originally Posted by Evildead666
How the HELL are we supposed to get an AV scanner in the BIOS ?
Is the BIOS gonna have to get bigger to adapt ? lol.

Get a typewriter... ;)

Somebody could swap the keys on the typewriter, you've been hackereeeerd:)

And switching around some of those swingarm letter things around would really annoy someone...
Marc5002 24th March 2009, 19:12 Quote
BIOS virus: first time I heard of that, that's really scary. Either way it says if such a virus were to be launched
it could spread and be immune to a BIOS flash, which means the manufacturer would have to replace the BIOS with a whole new one, all clean,
at a step a flash BIOS can't do, or a big enterprise in security will need to find a cure :P

Anyway, did you hear of the possible Conficker C? I hope it's a joke lol, cause by reading the spec of it the devastation is incredibly high,
like the Blue Screen of Death virus which made you unable to even try to reformat your hard drive if I remember,
so you had to find a way to reformat the hard drive :D
GoodBytes 24th March 2009, 19:52 Quote
My Desktop computer has BIOS Virus check... it's an Nforce 4... Does that mean anything?
Captain Haddock 24th March 2009, 21:31 Quote
Master of the Bleedin' Obvious :-
Whose idea was it to save the odd 2p per motherboard and REMOVE the BIOS write protect jumper?
aggies11 24th March 2009, 22:06 Quote
Manufacturers should love this. Now the answer to "I have a virus, should I buy a new computer?" becomes a "Yes". It's already a giant pain to remove many rootkits, will we now have to solder EEPROMs to get around this??
Nicb 24th March 2009, 22:40 Quote
Not understanding is the basis of fear. A lot of fear on this topic. Watch your back people, it's coming to get you........
Re-read this again and again, go to all the links and read them again and again, then look up words and google tech stuff you don't understand and read it again....... and again.
Maybe if you loan your computer to a hacker convention (with admin rights open) for the weekend it might come back with this malware. But otherwise, if it's sitting safe in your room and you're looking at all the porn, opening all the e-mail coming your way, accepting every script on pages, and visiting shady sites that could infect your computer, you still have nothing to worry about when it comes to this.

Read, absorb, understand. I call this a "smoke and mirrors malware". I would not even call it malware. It's more like a couple of guys got creative and had their way with their own computer. They could not do the same to yours unless you "physically" let them.

With today's software and hardware components we use, this simply cannot be done without physically doing it, and I doubt whatever we innovate to in the future with computers, the chances are this will not work remotely but only physically. So keep your computers close at hand and don't let untrusting people open up your case or give them admin rights to break down security to get busy "destroying" your property. And even then, if that happens, regardless of what anyone says this could be resolved. It's only permanent to the non-literate computer user.
n3mo 25th March 2009, 00:32 Quote
Quote:
Originally Posted by Golygus
Push forward the development of EFI and make it secure.

Actually, the other way around. EFI is (at least in theory) far more standardized by design than BIOS, thus making it more vulnerable. The only thing that makes developing BIOS-targeted attacks/exploits/etc. not worth the time is the fact that you'd need to write separate code for almost every motherboard available.
Otis1337 25th March 2009, 00:34 Quote
clear CMOS = virus gone
GG
dire_wolf 25th March 2009, 00:49 Quote
Quote:
Originally Posted by Otis1337
clear CMOS = virus gone
GG

CMOS and BIOS are not one and the same.

As far as I can tell the code re-flashes the BIOS image with the malware code attached.

As stated earlier in the thread, a simple BIOS write protect jumper/switch is all that needs to be implemented in future motherboards to stop this in its tracks.
thehippoz 25th March 2009, 01:14 Quote
Quote:
Originally Posted by Nicb
Not understanding is the basis of fear. A lot of fear on this topic. Watch your back people, it's coming to get you........
Re-read this again and again, go to all the links and read them again and again, then look up words and google tech stuff you don't understand and read it again....... and again.
Maybe if you loan your computer to a hacker convention (with admin rights open) for the weekend it might come back with this malware. But otherwise, if it's sitting safe in your room and you're looking at all the porn, opening all the e-mail coming your way, accepting every script on pages, and visiting shady sites that could infect your computer, you still have nothing to worry about when it comes to this.

Read, absorb, understand. I call this a "smoke and mirrors malware". I would not even call it malware. It's more like a couple of guys got creative and had their way with their own computer. They could not do the same to yours unless you "physically" let them.

With today's software and hardware components we use, this simply cannot be done without physically doing it, and I doubt whatever we innovate to in the future with computers, the chances are this will not work remotely but only physically. So keep your computers close at hand and don't let untrusting people open up your case or give them admin rights to break down security to get busy "destroying" your property. And even then, if that happens, regardless of what anyone says this could be resolved. It's only permanent to the non-literate computer user.


I could do it lol, you forget all your admin rights are on your OS.. what's to stop someone from just booting a Linux distro or any tool- even just a DOS boot with flash from a DVD.. and before you say password protect the BIOS.. it's as simple as popping the battery out or using the CMOS clear jumper on the mb

I'll agree with the fear end of it.. I'm sure guys like the Geek Squad who are nothing more than salesmen- would love something like this to be deved and go wild.. far as it sticking, the CMOS clear jumper won't clear everything- popping out the battery for a few does.. a lot of peeps had to do this on the 680i mb's because of the C1 error- it would act like a dead board even with a clear.. pop the battery out, put it back and it magically worked.. nvidia nTune guy to thank for this :D
Nicb 25th March 2009, 01:41 Quote
thehippoz,
Quote:
a lot of peeps had to do this on the 680i mb's because of the C1 error- it would act like a dead board even with a clear.. pop the battery out, put it back and it magically worked.. nvidia nTune guy to thank for this

I was one of them, dealt with it, I have an MSI 680i.

Personally no one is going to get inside my computer, I have an electric fence around it. :)

But don't forget it's easy through admin rights to stop any boot disk from working. A few years ago the company I worked for did that on the laptops they gave us employees. For fun I tried cracking it... and I admitted to it, he just snickered and said "Boot disk did not work?". (I wasn't going to physically do anything.) I spent some time with the IT guy and learned how it was done and traded a few programs with him to even the scale. But of course that only helps if you do it, then again I would/did not on my desktop but did on my personal laptop since it's placed in vulnerable situations and holds no valuable info. I use the boot disk when necessary or for experimentation with the desktop.

It's like rock paper scissors. But I know you got me. It's just not happening to people like us,... but for the others, it's the price you pay for not knowing about what you have and how to protect it. They just run around with their heads cut off screaming viruses and handing their computers over to Best Buy's Geek Squad and buying expensive virus protection software.

There is no fear to be had with this so called "malware".
Project_Nightmare 25th March 2009, 18:23 Quote
dang, these people created chiv in the form of malware. Nice work guys, now I'll have to throw away my BIOS chip whenever I reinstall my hard drive:(
OverQloker 27th March 2009, 22:08 Quote
how can malware in the BIOS be able to disable the AV, which runs in the kernel's memory space...
is it possible to keep track of/scan 2^32 changing memory bits with just some little assembly level program written in <16KB :?