Jump to content

Bios rootkits


Guest BlairWitch

Recommended Posts

Guest BlairWitch

Hello everyone. I just thought to ask if anyone knows any good links to some articles about bios rootkits and also to removal tools. Since some bios got the sound and other things embedded in them is it then possible that some virus might infect the bios through some windows sound driver or codec or something? I am sorry if this is a stupid question...

Link to post
Share on other sites

There's a good article about rootkits on wikipedia. Unfortunately they are participating in the Internet Blackout so the site is down. Yes this is very possible and actually exist if I'm correct. Unlike MBR bootkits these infect the BIOS making removal almost impossible even with a reformat. By doing this through a fake firmware update or similar tactics they can easily reinfect the system.

Link to post
Share on other sites

Infecting a BIOS or firmware with malicious code is of course possible, and I would believe that it has been done in the past, however there is a problem with it. Not every motherboard uses the same BIOS. Even when two different motherboards use the same BIOS, I'm not certain if the configuration would be similar enough for you to inject code via the same method.

Note that they wouldn't need to use drivers to inject things into the BIOS. Direct access to the hardware is possible, otherwise the drivers wouldn't have access and neither would BIOS flash utilities that motherboard manufacturers make for you to update the BIOS on your motherboard.

The area of hardware infection is sort of an odd one, because so far it hasn't been necessary. Rootkits can load from the boot sector, and the operating system really can't do anything to protect itself from that as it is, so until this "Secure Boot" thing gets forced upon us, we probably won't see a lot of hardware infections. As for how many we see after Secure Boot, that just depends on how easy it is to crack it or bypass it. Something tells me that it isn't going to be as secure as they claim.

Link to post
Share on other sites

It should be realized that while BIOS RootKits are possible, they are impropable. It is very difficult to overcome the varioations in BIOS vendors, motherboards and chip-sets used, Thus it mostly has been relagated to science experiments and labratory proof of concept. As Triple Helix noted Mebromi is the *FIRST* one to leave the petri dish and was isolated to China. If your read the any write-up on Mebromi you can see its limitations.

While it may be possible, this is not something one can expect to see. One should look to common malware seen in the wild.

I should note that there is always the possibility of the "Insider Threat" that is a digruntled employee who has access to the firmware code and modifies it at the factory. This is something that has happened in the past.

I should also note that this concept has alos been applied in a White Hat mode in Computrace and other products. This is designed into the BIOS by the vendor for central authority reporting, monitoring, remote disablement or purging data if the computer is stolen. The reason this is accomplished is because it is done at the factory. This can not be easily accomplished ouside the factory environment without the "Insider Threat".

Note also that introduction of Microsoft Windows to Unified Extensible Firmware Interface (UEFI) based computers may completely mitigate the future possibility of a BIOS RootKit. Some may also inquire about firmware on periphery. Hard disks, video cards and other I/O controllers may have their own BIOS (firmware). Again due to the vast numbers of varying manufacturers and chip-sets this is a very large obstacle to overcome. This too is mitigated by the Trusted Platform Module (TPM) intended for system integrity and in conjunction with the BIOS TPM forms what has been referred to as the "Root of Trust".

References:

Trusted Platform Module

Unified Extensible Firmware Interface

PS: UEFI is controversial. It is feared the Microsoft may collude with hardware vendors to lock out competing OS'

Microsoft confirms UEFI fears, locks down ARM devices

Link to post
Share on other sites

Guest BlairWitch

Thanks for the replies and information. I wonder if the usual antirootkit programs are any good in detecting bios rootkits? I know that they are very rare and now only one have been detected which is that Mebromi. I think there was also some virus in the 1990's that screwed the bios... Well talking about the petri dish i am also interested about real viruses and bacterias. I have read that they are quite easy to grow in home laboratory. All one needs is some contaminated thing like dirt and then put it in water and mix and take a sample with some stick and put it to petri dish to grow and a microscope would also be great to see what bacter or virus it is. It is strange that the Earth creates these bacters and viruses which infect humans and humans create these computer viruses to infect computers.

Link to post
Share on other sites

It is strange that the Earth creates these bacters and viruses which infect humans and humans create these computer viruses to infect computers.

There are many infectors of humans; molds/yeasts/fungi, bacteria, viruses, parasites and prions. Humans are just one small part of life on Earth and exemplified by the Gaia Principle.

RootKits are not viruses, they are trojans. Humans make malware because humans have a tendency to act maliciously. It is an unfortunate side effect of humanity and is not part of the Gaia Principle.

RootKits of any/all kinds do not "live" in a vacuum. Their effects and counterparts are detectable.

In my humble opinion, worry about BIOS RootKits is way overblown and edges on FUD. The REAL worry should be malware that effects SCADA hardware!

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.