The oft-given advice of 'reformat the site from orbit, it's the only way to be sure' in the event of virus attack may soon be rendered obsolete by new malware capable of remaining resident in a system's BIOS.
Security researchers Alfredo Ortega and Anibal Sacco of Core Security Technologies – as reported over on ZDNet – have successfully demonstrated methods for injecting persistent code into the Basic Input Output System (BIOS) of a computer, with the result that the infection is capable of surviving a complete OS reinstall and even a BIOS flash.
The code has been used successfully on both Windows and OpenBSD platforms, and even on a virtualised system via the VMware Player application. In all cases, the infection would re-initialise each time the computer was rebooted. Even by removing and re-installing the hard drive, the researchers were unable to remove the malware from the system.
Speaking to Threatpost.com, Ortega claimed that the pair could “put the code wherever we want.” Although the current demonstration is a proof of concept, the pair are working on a fully implemented rootkit – which would provide complete control over an infected system, even after a full OS reinstall – with Ortega saying that they can “patch a driver to drop a fully working rootkit,” and even stating that the pair has “a little code that can remove or disable antivirus.”
While the malware developed by the team is certainly persistent, infection is not a trivial matter. The pair readily admit that the code is only of use to an attacker who has already compromised a system by traditional means – or who has physical access to the box. In either of these cases, however, it certainly holds the possibility of making cleanup significantly more complicated.
Does the thought of resident malware that can survive an OS reinstall leave you worried, or do you think the techniques are beyond your average VXer? Share your thoughts over in the forums.