
Are BIOS Threats Increasing With Home PC's?


Scoop


I read a post over at the Norton Forum in their Malware Discussion section that described an old (circa 2011, according to what I read in searches) threat called "Mebromi" which targets a certain manufacturer's BIOS ("Award" BIOS).

 

Here's the thread at the Norton Forum:

 

Norton Forum Malware Discussion Thread

 

I didn't receive a reply that was helpful but I was basically curious if anyone here has encountered or heard about this particular threat that infects the BIOS.

 

If I'm understanding BIOS correctly, if I was infected with "Mebromi" or a similar attack that infected my BIOS, I think I'd be able to clear the CMOS on my motherboard and then flash the BIOS from a USB flash drive.

 

I have my BIOS backed up in a couple of locations in a .rom file so I think I'd be able to recover from a BIOS attack.

 

Fortunately, I don't hear much about BIOS infections occurring but perhaps they're more prevalent than I'm guessing they are.

 

Has anyone here encountered such an attack or heard about it elsewhere?


The BIOS and CMOS scratchpad memory have been the focus of numerous discussions over the years. Malware such as the CIH (aka Chernobyl) targeted the BIOS and the result was a corrupted BIOS. Since the Basic Input Output System (BIOS) routines are the middleware of hardware and an Operating System of choice, its proper operation is crucial. Due to the complexity of targeting a particular motherboard BIOS chip-set and BIOS vendor (Phoenix, Award, AMI, etc) it is extremely difficult to inject code into the BIOS, so at best it corrupted the BIOS. When the middleware of the BIOS is dysfunctional, the Power On Self Test (POST) is inhibited from running and the system won't boot. That failure would be OS independent. There was one time where there was a success but it was due to what's called the Insider Threat. That is where an employee of a company goes "rogue" and is a threat to the security of said company, their assets and their products. In that case a disgruntled employee was able to slip some code into the BIOS that played simple MIDI-like music on the computer speaker.

 

Over the years some others have tried but no malicious code was injected into the BIOS successfully. That meant, in the past, there were no BIOS RootKits and there were no trojanized BIOSes either. Some have managed to wipe the CMOS. That would just cause an error upon system reboot because the BIOS defaults are not set. (BIOS defaults are things like date/time and user chosen settings for various hardware like Bluetooth, WiFi, boot order, etc.)

 

A couple of years ago a science experiment was set free in China. The Trojan.Mebromi affected a specific brand of Chinese manufactured systems. They had the same problems to overcome; a myriad of systems using different BIOS vendors and different BIOS chip-sets. In the days of Chernobyl the BIOS chip was usually a socketed Programmable Read Only Memory (PROM) that may be removed. Strong ultraviolet light was used to "erase" the device through a window on the chip and then it could be "re-burned" with new BIOS routines (an adhesive label was affixed and covered the glass window on the chip). Those systems that had soldered PROM chips were, for all intents and purposes, left impotent. Later chips used Erasable Programmable Read Only Memory (EPROM) and Electrically Erasable Programmable Read Only Memory (EEPROM) chips. Then Flash RAM was used (a newer type of EEPROM) and that changed the scene in that it was easy to update/upgrade a BIOS, and it gave the authors of the Trojan.Mebromi an "edge" in that the myriad of systems using different BIOS vendors and different BIOS chip-sets was greatly reduced; by targeting one Chinese manufacturer in particular the malware authors were able to trojanize the BIOS. They were able to modify the BIOS code without having the BIOS generate a checksum error or without having a BIOS corruption, and thus a new attack vector was realized. Using AV software to detect a trojanized BIOS isn't easy even if the BIOS is shadow cached. Therefore motherboard manufacturers have tried some added protection schemes. One is the Trusted Platform Module (TPM) to increase the security of the interface of any Operating System with motherboard hardware.

 

The thing is, trojanizing the BIOS is still extremely hard and isn't a present "in-the-wild" threat. If you buy any name-brand motherboard or a pre-manufactured system from a "well known" company you can be sure that security has been built in to thwart the possibility of a trojanized BIOS. One should not be worried over this threat. While the likelihood of this possibility has increased over the past dozen or so years, the likelihood of this possibility hitting people's computers is still extremely low.

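Added example, not part of anyone's post above: the point that Mebromi could change BIOS code "without having the BIOS generate a checksum error" comes down to what the legacy check actually is. A legacy BIOS or option ROM is validated by an 8-bit sum over the whole image that must come out to zero, so anyone who can write to the chip can patch code and then adjust one spare byte to make the sum balance again. The script below builds a constructed 256-byte stand-in image (the layout, the 0xFF pad region and the trailing fix-up byte are assumptions for the demo, not any vendor's format), patches two bytes, repairs the sum, and then shows that only an out-of-band cryptographic hash of the vendor image catches the change. This is my illustration, not code from the thread or from any BIOS vendor.

```python
"""Added example (not from the thread): a BIOS image that still passes the
legacy 8-bit checksum after being patched, and the hash check that catches it."""
import hashlib

PAD_BYTE = 0xFF   # erased-flash fill used as free space in the sample image


def legacy_checksum_ok(image: bytes) -> bool:
    """Legacy BIOS / option-ROM convention: every byte summed mod 256 is 0."""
    return sum(image) % 256 == 0


def fix_checksum(image: bytearray, fixup_offset: int) -> bytearray:
    """Rewrite one free byte so the 8-bit sum of the whole image returns to 0."""
    image[fixup_offset] = 0
    image[fixup_offset] = (-sum(image)) % 256
    return image


def build_sample_image() -> bytes:
    """Constructed stand-in for a vendor image: 200 bytes of 'code', 55 bytes of
    pad and a trailing fix-up byte (this layout is an assumption for the demo)."""
    code = bytes(range(1, 201))
    pad = bytes([PAD_BYTE]) * 55
    return bytes(fix_checksum(bytearray(code + pad + b"\x00"), 255))


def trojanize(image: bytes, payload: bytes, offset: int) -> bytes:
    """Overwrite code with a payload, then repair the fix-up byte so the simple
    sum check still passes. This is the evasion, shown so the check is understood."""
    patched = bytearray(image)
    patched[offset:offset + len(payload)] = payload
    return bytes(fix_checksum(patched, len(patched) - 1))


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def verify_against_vendor(image: bytes, published_sha256: str) -> bool:
    """What a sum check cannot do: compare against a hash obtained out-of-band.
    In this demo the 'published' value is simply computed from the clean sample."""
    return sha256_hex(image) == published_sha256


if __name__ == "__main__":
    original = build_sample_image()
    published = sha256_hex(original)
    # b"\xeb\xfe" is x86 'jmp $', used here only as a recognisable marker payload
    implant = trojanize(original, b"\xeb\xfe", 0x40)
    print("legacy checksum, original  :", legacy_checksum_ok(original))
    print("legacy checksum, trojanized:", legacy_checksum_ok(implant))
    print("vendor hash, trojanized    :", verify_against_vendor(implant, published))
```

The takeaway for a home user is the same one the later posts reach: keep the vendor's own image (or its published hash) somewhere the machine cannot alter, and compare against that rather than trusting that the board "didn't complain".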

And, it used to be that updating or flashing the BIOS was a risky business and was the last thing that even an experienced operator (note the distinction between that term and "user") would attempt ...

This is because faster than you can say "bricked" ... it was.

 

Now with the advent of programs such as "EZ Flash" and others from different manufacturers, the BIOS upgrades/patching/fixes are much easier to incorporate successfully ... ergo; blind button pushing.

I would suspect that attacking the BIOS indirectly via "social engineering" (say a spoofed "important BIOS update" on the screen) would be appealing to those of an ignoble bent.


Heh ... yeah ... but the "average user" is just that ... I can just see what someone like that would have done to a comp by playing with the BIOS (or the equivalent) 20 years (or more) ago.

 

I bricked two machines years ago ... they were notorious for failing to be flashed.

Actually, I recently bricked an older Toshiba laptop trying to load a 'nix OS on it ... from what I have read, Toshiba and 'nix do not like to play together very well.

It was a beater machine ... no loss ... I wanted to see if I could load Ubuntu 10.04 on it ... evidently not.



David,

 

Thanks for that post. A lot of technical info there. I personally have yet to flash or update my BIOS since I haven't seen the need to do it and I know one needs to be careful with the BIOS.

 

I used my Asus Utility CD to back up the BIOS a few months ago in case of the unlikely event of a BIOS issue, either by me or a rare case of getting hit by "Mebromi".

 

It's good to know that these incidents are rare. I've wondered about this for a while, i.e., BIOS vulnerability to malware / virus intrusions.

 

I was surprised when I read that post over at the Norton Forum.  I'd read some articles about BIOS infections a few months ago and since I'd not yet (until this week) read anyone's post at the Norton Forum (or elsewhere in any significant numbers), I'd forgotten about it until I read that post a couple of days ago.

 

The resident malware expert at the Norton Forum did reply yesterday and he was saying that it wasn't clear whether the OP that posted about the BIOS issues had actually been affected by a "Mebromi" type of intrusion.

 

When I did a search about Mebromi, some of the articles painted a nightmare scenario where reloading / restoring the BIOS may not get rid of the infection.  The way some articles described it is that, even after a BIOS flash, the infection would re-infect the MBR during the OS boot.

 

David,

 

Do I have the following correct?

 

 

Since the BIOS is stored in an EEPROM and by its nature, that device can be erased / reset, etc, and then can be re-loaded / flashed with an unaffected BIOS .rom file, wouldn't that be a fix for any BIOS infections?

 

If the BIOS can be erased and reloaded by flashing it via a utility, how can one render one's PC useless and, as you guys said, "brick" it? (good phrase btw)

 

Since I always have a spare HDD ready to use for any type of infection that's affected only the HDD, I'm not concerned about the cleanup/recovery requirements for most attacks/infections.  From what I've read over the past couple of years at AV forums, that would include virtually all attacks unless I'm not understanding this right.

 

Since (I think) that's the case, the BIOS is the only other area, besides hardware errors, that would render my PC unusable or remaining infected.

 

I have to say that, after reading many posts about PC users getting shut down or dealing with multiple pop-ups, browsers being blocked, being locked out of recovery tools, by malware / virus hits, I've not understood why there aren't more PC users that clone or image on a scheduled basis.

 

To me, plugging in that spare HDD is by far an easier way to recover from these infections / intrusions unless one is experienced at downloading and using the correct cleanup tools. 

 

Even then it would seem to me to be less time-consuming to update one's cloned HDD or image rather than investing the time necessary to recover the originally affected HDD.



 

With an Electrically Erasable Programmable ROM, if every byte within the EEPROM is wiped or zeroed then, yes. If something malicious was there, it is now gone. If there is an OS-based "peer" or "protective" utility running under the OS and that OS is used to erase the EEPROM then actual performance can be suspect. Thus if the BIOS were trojanized and the OS is, say, Windows 7 and you tried to wipe the BIOS under Windows 7 the process would be suspect. If however you booted from a different OS such as DOS or a 'NIX then you can trust the results of the EEPROM being wiped. But, if you just wipe the BIOS the motherboard would become impotent, so the actual course of action is to use the manufacturer's BIOS update so that a known good BIOS has been installed. In that scenario my concern would be whether the BIOS Upgrade Utility properly zeroes out all bytes prior to the BIOS write.

 

In the past a BIOS update (I use update and upgrade in this monologue interchangeably) had a greater propensity of "going bad". It usually required a DOS based program and a binary image of the BIOS in a .BIN or .ROM disk file. Matching the utility to the BIOS vendor (Phoenix, Award, AMI, etc) was important and so was matching the correct BIOS image file needed for that motherboard. Another possibility is a write failure. If a write failure occurs then the BIOS could be corrupted and the motherboard would become impotent. Thus proper power during the process *MUST* be ensured. This means a charged notebook battery as well as a good power supply. This also means that one would not consider a BIOS upgrade under adverse conditions such as during a storm where you may have a brownout, blackout or power-surge conditions or where there may be excessive static electricity discharges. If the environmental conditions are met, the proper BIOS Upgrade Utility is used and the appropriate BIOS image file is used, then one can expect success. If one of those conditions is not met or is not met properly then a "bricked" PC may be the outcome. (A "brick" is a term used when the system can't boot and is impotent and can't do anything, so it is now as dumb as a brick.)

 

Today the pre-manufactured systems use Windows or DOS/Windows utilities (there are programs that can run under DOS or Windows) and they are coupled with logic, an Upgrade Utility and the BIOS image. The logic is used to examine the system and verify that the utility being used is apropos for the system the end user chooses to upgrade (and that some conditions are met). The environmental conditions must still be met (charged notebook battery, a good power supply and not performed under adverse conditions such as during a storm where you may have a brownout, blackout or power-surge conditions or where there may be excessive static electricity discharges). Thus with a Windows-based utility and the proper environmental conditions being met, upgrading the BIOS does not pose a danger to the same degree as it did 7 or more years ago.

 

Thus "Flashing a BIOS" (upgrading the BIOS) has been simplified and rendered safer, to a degree. Motherboard manufacturers haven't gotten as sophisticated but their processes have improved over the years. Some however haven't and still use the older, unsophisticated, methodology.

 

Based upon the make and model of a given platform and the version of BIOS, I add upgrading the BIOS to a service regimen such as in Preventative Maintenance routines, OS migrations and platform servicing.

 

Examples:

*  Problems with working with devices and USB ports, CPU cooling and hardware.

*  Migrating from OS version X to OS version Y

*  Preparation of a computer to be deployed to a new user

*  System has original BIOS or much older version and there have been many BIOS revisions released to-date (Ex: now at A01 and presently the BIOS released is A16)

 

One example I have expressed from time to time was a situation where a particular notebook was not being cooled properly. Upgrading the BIOS corrected the issue. (Notebooks use logic to control when the notebook's CPU fan will come on, how long and at what speed; thus new logic was instituted in a newer BIOS version.)

 

OT:

You mentioned imaging a platform. I agree, imaging a platform on a periodic basis is part of one's "disaster recovery" preparedness scenario. However the average person doesn't understand backing up data let alone the concept of imaging. I don't want to digress into that subject matter but backing up one's data is an ounce of prevention as indicated by the old saying "An ounce of prevention is worth a pound of cure" and I'll add my own saying that I have expressed numerous times over the years... "Hardware is cheap, data is expensive".

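Added example, not part of the post above or any vendor's flash tool: the "write failure" and "brick" scenario described there is easy to see with a simulated flash part. Real firmware lives on NOR flash, which erases to all ones (0xFF), not to zero, and a flasher erases, programs and then reads the part back to confirm the contents. The script below models that with a fake 4 KiB part and a constructed stand-in image (the part size, the image contents and the byte-at-a-time programming loop are assumptions for the demo). It refuses an image of the wrong size before touching the part, and it shows that when power drops part-way through programming the chip is left with the new image at the front and erased cells at the back, which is exactly the state the readback verification is there to catch. This is my illustration, not code from the thread.

```python
"""Added example (not from the thread): a simulated SPI flash part and a
flash-with-verify routine showing why an interrupted write bricks a board."""
from typing import Optional


class PowerLoss(Exception):
    """Raised by the fake part when the supply drops mid-program."""


class FakeFlash:
    ERASED = 0xFF   # NOR flash erases to all ones, not to zero

    def __init__(self, size: int) -> None:
        self.size = size
        self.cells = bytearray([self.ERASED]) * size

    def erase_all(self) -> None:
        self.cells[:] = bytes([self.ERASED]) * self.size

    def program(self, image: bytes, fail_after: Optional[int] = None) -> None:
        """Program byte by byte; fail_after simulates power dropping mid-write."""
        for i, b in enumerate(image):
            if fail_after is not None and i >= fail_after:
                raise PowerLoss(f"power lost after {i} bytes")
            self.cells[i] = b

    def read(self) -> bytes:
        return bytes(self.cells)


def flash_with_verify(chip: FakeFlash, image: bytes,
                      fail_after: Optional[int] = None) -> dict:
    """Refuse a wrong-sized image, erase, program, then verify by reading back.
    Returns the state of each stage; 'verified' is the only one that matters."""
    result = {"size_ok": len(image) == chip.size, "written": False, "verified": False}
    if not result["size_ok"]:
        return result              # never erase the part for an image that cannot fit
    chip.erase_all()
    try:
        chip.program(image, fail_after)
        result["written"] = True
    except PowerLoss:
        pass                       # the part is now half new image, half erased
    result["verified"] = chip.read() == bytes(image)
    return result


def build_sample_image(size: int = 4096) -> bytes:
    """Constructed stand-in for a vendor BIOS image (not real firmware)."""
    return bytes((i * 7 + 3) & 0xFF for i in range(size))


def erased_tail(chip: FakeFlash) -> int:
    """Number of still-erased bytes at the end of the part after a write."""
    data = chip.read()
    n = 0
    for b in reversed(data):
        if b != FakeFlash.ERASED:
            break
        n += 1
    return n


if __name__ == "__main__":
    image = build_sample_image()
    good = FakeFlash(4096)
    print("clean write  :", flash_with_verify(good, image))
    interrupted = FakeFlash(4096)
    print("power dropped:", flash_with_verify(interrupted, image, fail_after=1000),
          "erased tail =", erased_tail(interrupted))
```

With a real part the readback is done by the flasher (utilities such as flashrom verify after writing by default), but the lesson is the same: a "written" message means nothing until the verify step has compared the chip against the image, and a failed verify after a power loss is the brick the earlier posts describe.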

  • Root Admin

Most aftermarket motherboard manufacturers these days often have dual BIOS/UEFI support just in case of corruption or other unexpected failure, which can be used to prevent an accident that might make the system non-bootable. I've not seen that though on most of the retail computers like Dell and HP.


David,

 

Thanks again for the tech info.  I recall that "no power interruption" rule of thumb during BIOS updates.  I've read up on some of this BIOS updating/flashing topic but haven't done it on my home PC's as yet.

 

I need to do that since I'm running a BIOS version that's several revs outdated. I'm not experiencing any issues that I can detect with my Desktop PC but I'd like to get that done.

 

That's interesting info about Laptops and the cooling fan control.  I don't have my BIOS backed up on my Laptop yet.  I've been searching for a backup tool for that (Toshiba Laptop) in spare time.

 

 


 

I have an Asus Pro P7P55D-E MoBo. The PC was built at a local PC store in the Dallas area ("Microcenter"). Since this BIOS vulnerability topic revived my memory bank after reading the post at the Norton Forum, I looked at my MoBo specs and it's listed as "Dual BIOS" capable. I'm guessing that this means I have that feature active or available on my MoBo.


I don't think a backup of the BIOS is at all needed.
 
If you are at BIOS version say A16 or 2312 you can have a copy of the BIOS image of A15 or A16 or 2312 or whatever the previous BIOS revision is at.  It is not like you have a BIOS image and you modify it. 

 

It is a case of the Basic Input Output System (BIOS) routines working symbiotically with a volatile scratchpad of RAM that is based upon Complementary Metal–Oxide–Semiconductor (CMOS) technology, and thus the scratchpad has come to be known simply as the CMOS. When a user goes into the BIOS and changes parameters like the time & date, enable or disable embedded components, change the boot order, etc, those pieces of information are saved in the CMOS memory. Since this is volatile memory a battery (such as the CR-2032) is used to keep a constant power to the CMOS memory. Thus backing up the BIOS is not needed. If you feel a "need", just have a copy of the actual BIOS updater at the current or last revision handy.



 

David, thanks. 

 

That's actually what I was referring to but I didn't state it right.  I don't routinely back up my BIOS but I do have a copy of my current BIOS version so that I can use that to flash my Mobo if I encounter an emergency scenario.  I doubt I'll use it before I'd upgrade or get another PC but it's one of those "feel-good" things that I did a few months ago after reading one of those "Mebromi" articles online somewhere.

 

Regarding the CMOS battery, if that battery dies on a Desktop PC that's always plugged into AC power, will it still boot up, POST, and start the OS?

 

Also, after replacing a dead battery, will the PC boot up as normal?  Does the BIOS remain unchanged?


Good questions.

 

There are two types of CMOS batteries.  Over The Counter (OTC) batteries like the CR-2032 and soldered rechargeable batteries. 

 

Within 5 ~ 8 years one can expect a CMOS battery failure. If it happens there are two possibilities based upon how you use a PC. If you use a PC 24x7 then you can encounter a CMOS failure and may not be aware of it, as while the PC is on so is standard power and thus the volatile CMOS RAM keeps its data. If the PC is not kept on all the time and is shut down and the CMOS battery dies, when you boot the PC one will either get a "CMOS checksum error" (sign of a dying battery) or a "CMOS battery Failure" (dead battery) error. The BIOS still works so the PC is still bootable. However user-defined settings such as the Time & Date will be lost as well as enabling or disabling of embedded components, settings for over-clocking, etc. If the battery is bad you can go into the BIOS, reset those settings and boot the OS. However if you shut down the PC for a period of time such as for 30 minutes or longer the CMOS settings will be lost again because the battery is dead. If you don't replace the battery one will get the "CMOS battery Failure" error and have to reset the settings before loading the OS. That will have to be repeated every time the PC is rebooted from a "cold" state. Replace that CMOS battery, set the BIOS settings, and it will be good for another 5 ~ 8 years.

 

--

1.  That is not a fixed period. It is relative and can vary from system to system and could be as low as 3 ~ 4 years or last 8 or 9 years. The point is after 5 years one can expect to possibly need to replace the CMOS battery. When the PC is on, the battery that holds the memory of the CMOS isn't really used; the PC power supply is. If the PC duty cycle is "off" more than it is kept "on", then CMOS battery life will be shorter.

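Added example, not part of any post above: the two posts on the CMOS scratchpad and the "CMOS checksum error" mention a layout that is worth seeing in bytes. On the original PC/AT design the first 14 bytes of the CMOS RAM are the real-time clock (seconds at 0x00, minutes at 0x02, hours at 0x04, day at 0x07, month at 0x08, two-digit year at 0x09, century at 0x32, stored as BCD unless status register B at 0x0B says otherwise), the configuration bytes follow, and the BIOS keeps a 16-bit sum of bytes 0x10 through 0x2D at 0x2E/0x2F (high byte first). At POST the BIOS recomputes that sum; a mismatch is the "CMOS checksum error" message. The script below builds a constructed 64-byte dump using that classic layout (the configuration values are made up for the demo, and modern boards put their own settings in vendor-specific areas beyond this standard region), decodes the clock, verifies the sum, and then shows how one byte drifting as the cell fades turns into the checksum error at the next cold boot. This is my illustration, not code from the thread.

```python
"""Added example (not from the thread): decode a legacy PC/AT CMOS dump and
check the checksum the BIOS validates at POST (the 'CMOS checksum error')."""

CMOS_SIZE = 64
CHECKSUM_RANGE = range(0x10, 0x2E)   # bytes covered by the AT-style checksum
CHECKSUM_HI, CHECKSUM_LO = 0x2E, 0x2F
STATUS_B = 0x0B                      # bit 2 = binary (not BCD), bit 1 = 24-hour
CENTURY = 0x32


def bcd_to_int(b: int) -> int:
    return (b >> 4) * 10 + (b & 0x0F)


def int_to_bcd(n: int) -> int:
    return ((n // 10) << 4) | (n % 10)


def compute_checksum(cmos: bytes) -> int:
    return sum(cmos[i] for i in CHECKSUM_RANGE) & 0xFFFF


def stored_checksum(cmos: bytes) -> int:
    return (cmos[CHECKSUM_HI] << 8) | cmos[CHECKSUM_LO]


def checksum_ok(cmos: bytes) -> bool:
    """What POST does: recompute the sum and compare with the stored copy."""
    return compute_checksum(cmos) == stored_checksum(cmos)


def decode_rtc(cmos: bytes) -> tuple:
    """Return (year, month, day, hour, minute, second) from the RTC registers."""
    binary_mode = bool(cmos[STATUS_B] & 0x04)
    conv = (lambda b: b) if binary_mode else bcd_to_int
    year = conv(cmos[CENTURY]) * 100 + conv(cmos[0x09])
    return (year, conv(cmos[0x08]), conv(cmos[0x07]),
            conv(cmos[0x04]), conv(cmos[0x02]), conv(cmos[0x00]))


def build_sample_cmos() -> bytearray:
    """Constructed dump: clock set to 2014-03-15 13:45:30, BCD, 24-hour mode,
    and a few configuration bytes whose values are made up for the demo."""
    cmos = bytearray(CMOS_SIZE)
    cmos[0x00], cmos[0x02], cmos[0x04] = int_to_bcd(30), int_to_bcd(45), int_to_bcd(13)
    cmos[0x07], cmos[0x08], cmos[0x09] = int_to_bcd(15), int_to_bcd(3), int_to_bcd(14)
    cmos[CENTURY] = int_to_bcd(20)
    cmos[STATUS_B] = 0x02                 # 24-hour, BCD
    cmos[0x10] = 0x40                     # floppy drive type byte (demo value)
    cmos[0x14] = 0x2F                     # equipment byte (demo value)
    cmos[0x15], cmos[0x16] = 0x80, 0x02   # base memory 640 KiB, low/high byte
    hi, lo = divmod(compute_checksum(cmos), 256)
    cmos[CHECKSUM_HI], cmos[CHECKSUM_LO] = hi, lo
    return cmos


def simulate_battery_fade(cmos: bytes, offset: int = 0x14, new_value: int = 0xFF) -> bytearray:
    """A weak cell can let one configuration byte drift without a full reset;
    the clock may still read fine while the sum no longer matches."""
    faded = bytearray(cmos)
    faded[offset] = new_value
    return faded


if __name__ == "__main__":
    dump = build_sample_cmos()
    print("clock      :", decode_rtc(dump))
    print("checksum ok:", checksum_ok(dump), hex(stored_checksum(dump)))
    faded = simulate_battery_fade(dump)
    print("after fade :", decode_rtc(faded), "checksum ok:", checksum_ok(faded))
```

On a Linux box the same region can be read from /dev/nvram (the kernel's nvram driver exposes the CMOS bytes from 0x0E onward) and fed to checksum_ok, which is a quick way to confirm a suspected dying cell before opening the case; the BIOS image on the flash chip is untouched by any of this, which is the distinction the post above draws.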

David, thanks again.

 

My CMOS battery is the CR2032 type and is about 3 years old, give or take.  That's when I bought the MoBo.

 

My Desktop is rarely powered down (front-panel) and is almost never disconnected from AC.

 

When it's not in use, I place it in Standby mode.  I believe it's "S3" Sleep mode, RAM power but environment not saved to HDD. 

 

I disabled "hibernate" in my Powercfg since I don't need to save the environment to the HDD (I  always close windows, apps, before putting the PC to sleep).

 


And as that 2032 cell (a battery is comprised of two or more cells) is low cost, it is cheap insurance to replace them.

A "tester" designed specifically for the service they are in is not worth it to the average user ...

I use a DMM with a 5K load resistor; this gives me plenty of headroom on the remaining life (subject to interpretation of voltage readings).

The cell does not have to be "flat" for the CMOS to become corrupted ... I have measured 2 volts (in circuit with no load resistor) and the CMOS was corrupted.

A cell can discharge due to internal leakage current (aka: self discharge) ... this will shorten the overall life of the cell in a given circuit.

 

Yeah, at three years of age ... spend a couple of bucks and call it done ... just for GP.

 

Four years ago I built the machine I am currently (pun intended) changing over to W8.1 ...

I am going to change the 2032 before I return it to the owner.



 

Thanks for the info.  I'll probably replace it when I do my next "compressed-air" thing inside the tower chassis.

 

I have an old "Fluke" DVM somewhere and some resistors in an old hobby drawer. I'll have to google that old "color code" stuff though. 5K ... green, black, red .... My DeVry Tech days were too long ago....


Heh ... yeppers, that is one that I heard quite a while after I had memorized the color code (I was the ripe old age of 8 when I learned it).

There was a slight difference ... substitute "violet gives willingly" ... quite amusing when you are a 13 year old male.

The object is for it to stick in one's memory ... and as the industry was (and still is for the most part) dominated by males ... weeelll ...

I also learned the capacitor code as well ... pretty much the same idea but the tolerance colors and a couple of other items were different.

The "precision" resistors use a 5 to 9 band code (I consider a normal resistor to use 4 colors ... the fourth band being tolerance ... 20% if there is no fourth band).

 

Yes, 5K would be green/black/red with a gold band for a 5% tolerance.

 

Oh yeah ... I don't like that "5K1" crap for coding ... and I didn't like it when the term "pico farad/pF" took the place of "micro-micro farad/mmF/uuF" ...

I grew up hearing the old boys use the term "mickey mouses" ... of course when the term "pF" took over there was a transition to using the term "puff".

 

I learned to read electronic schematics and "electricians/industrial electrical" schematics at the same time I learned the resistor color code ...

I learned the European version of both when I was 15.
