
New BIOS Exploiting Rootkit Discovered

Unknown Lamer posted about 3 years ago | from the the-90s-want-their-virus-back dept.

Security 205

First time accepted submitter mtemar writes with a Symantec analysis of an interesting new trojan/virus. From the article: "There are more and more known viruses that infect the MBR. Symantec Security Response published a blog last month to demonstrate this trend. However, we seldom encounter one that infects the BIOS. One of them, the notorious CIH, appeared in 1999; it infected the computer BIOS and thus harmed a huge number of computers at that time. Recently, we met a new threat named Trojan.Mebromi that can add malicious components into Award BIOS, which allows the threat to take control of the system even before the MBR."


205 comments


This is some serious business (1)

Reverand Dave (1959652) | about 3 years ago | (#37400234)

Is it really a total surprise that it was discovered initially by a Chinese security firm? Their reaction should have been, " look at this virus we just found that we just made!"

Re:This is some serious business (1)

dintech (998802) | about 3 years ago | (#37400638)

Irrespective of where it came from or it's maliciousness, you've got to admire it for how cool and sophisticated it is. Hmm, sounds French.

Re:This is some serious business (0)

Anonymous Coward | about 3 years ago | (#37400696)

"Irrespective of where it came from or it's maliciousness, you've got to admire it for how cool and sophisticated it is."

One thing that isn't cool or sophisticated, is not knowing the difference between it's and its.

Re:This is some serious business (0)

Anonymous Coward | about 3 years ago | (#37400902)

Well, the fix is relatively simple: make the BIOS write-protected by a mechanical switch, and have the system refuse to boot from the HDD or USB with the BIOS in write mode. Maybe hard drives should have a read-only section to put the MBR on as well.

Re:This is some serious business (4, Insightful)

fuzzyfuzzyfungus (1223518) | about 3 years ago | (#37401026)

Last week, I updated, and then applied desired settings to, several hundred systems across multiple sites without getting up from my desk, much less getting up from my desk, visiting each site, unlocking each chassis, toggling a jumper, completing the update, toggling the jumper back, relocking the chassis, and moving on to the next... Build update package, shove update package over network. Go, settings take effect on next boot (for newly purchased systems, just plug 'em in, PXE boot, and you get your system image and BIOS config automatically).

The option to hard-switch the BIOS into read-only would be handy; but I'm not seeing it become a default any time soon...

Re:This is some serious business (3, Informative)

lpp (115405) | about 3 years ago | (#37401204)

It's not just that it was first discovered by a Chinese security firm. It also appears to be targeted at Chinese PCs. From the original post [webroot.com] :

The infection is clearly focused on Chinese users, because the dropper is carefully checking if the system it’s going to infect is protected by Chinese security software Rising Antivirus and Jiangmin KV Antivirus.

Makes one wonder who developed it and what the intent was.

Well now. (1)

Snkbyt3d (2461390) | about 3 years ago | (#37400236)

Seems I need to drink my coffee a little faster so as to write an anti-Trojan.Mebromi fix to prevent it from getting into our systems. Lol

This is what easy over safe design gets ya (5, Insightful)

jmorris42 (1458) | about 3 years ago | (#37400238)

When flash BIOS first appeared you had to move a hardware jumper to enable writing it. Then we had systems where you could fix it so that once POST finished the possibility to write the BIOS was physically removed. But people wanted simple Windows based utilities to reflash the BIOS instead of booting from a special floppy or even using the flashers many BIOSes themselves offered, and nobody wanted end users to have to open the case and move a jumper. So the vital security functions were removed. Hilarity ensues.

Re:This is what easy over safe design gets ya (2)

fnj (64210) | about 3 years ago | (#37400342)

It's a complete lack of safety. A proper design would require at least a password entered while in the BIOS at a point before anything else could get its hooks into it, to temporarily allow updating. The only executable code that occurs before that point after power-on should be READ ONLY MEMORY with no programmability whatsoever.

Re:This is what easy over safe design gets ya (1)

grimmjeeper (2301232) | about 3 years ago | (#37400388)

Do you have any idea how complex the BIOS code is these days? A lot of the fixes that go into BIOS releases are for the code that runs before you even hear the system beep. You really do need to be able to flash that as fixes come out.

Re:This is what easy over safe design gets ya (1)

Malties (1942112) | about 3 years ago | (#37400498)

But you do not need to do it from inside Windows. As complex as the BIOS code is, the interface for flashing is not that unfriendly.

Re:This is what easy over safe design gets ya (0)

grimmjeeper (2301232) | about 3 years ago | (#37400596)

How else are you going to allow the unwashed masses to do it? Sure, the average /.er can write their own BIOS and key it in by hand. But the average computer user doesn't understand anything more complex than "click on this picture to fix the broken computer thingy".

Granted, the BIOS should be designed to resist this sort of attack. Vulnerabilities in the system trace back to wide open doors that are easily exploited. And that needs to be changed. But with some effort, the system can be designed such that this kind of attack is made very obvious to the user or prevented entirely.

Re:This is what easy over safe design gets ya (1)

Errtu76 (776778) | about 3 years ago | (#37400712)

I think everyone has a USB disk/key nowadays. If not, you can buy one for a couple of bucks. Have them make a "click here to prepare a bootable USB disk which will flash your BIOS" application and be done with it.

Re:This is what easy over safe design gets ya (1)

X0563511 (793323) | about 3 years ago | (#37400770)

Yea, instead you have vendors handing out floppy IMG files leaving you to scratch your head. I don't understand why more don't allow you to use USB Mass Storage.

Re:This is what easy over safe design gets ya (1)

grimmjeeper (2301232) | about 3 years ago | (#37400844)

That might work. But I'm not sure how much additional security that buys you. All it does is add an intermediate step.

Re:This is what easy over safe design gets ya (1)

NoNonAlphaCharsHere (2201864) | about 3 years ago | (#37400934)

The "intermediate step" is user intervention, which is the whole point. At least you wouldn't get your BIOS rooted "accidentally".

Re:This is what easy over safe design gets ya (1)

grimmjeeper (2301232) | about 3 years ago | (#37401104)

You're forgetting social engineering. How many people fall victim to that every day? Someone who doesn't know any better will do whatever their computer tells them to do if you word it correctly.

But I will agree that the user intervention part will significantly reduce the number of incidents.

Re:This is what easy over safe design gets ya (1)

ColdWetDog (752185) | about 3 years ago | (#37401122)

The "intermediate step" is user intervention, which is the whole point. At least you wouldn't get your BIOS rooted "accidentally".

Why does 'user intervention' in the context of computer security fill me with a vague sense of dread?

Re:This is what easy over safe design gets ya (2)

ifrag (984323) | about 3 years ago | (#37400784)

How else are you going to allow the unwashed masses to do it?

I'd expect them to NOT DO IT in the first place. I can't even recall having a flashable BIOS that was actually broken in some serious way that would make a fix mandatory. The majority of my BIOS upgrades have been to support some newer CPU that still fits the same socket, something I'd expect the unwashed masses are not going to change anyway.

Re:This is what easy over safe design gets ya (1)

calzakk (1455889) | about 3 years ago | (#37400918)

But how many of the "unwashed masses" do actually flash their BIOS?

Re:This is what easy over safe design gets ya (2)

gstoddart (321705) | about 3 years ago | (#37401198)

But how many of the "unwashed masses" do actually flash their BIOS?

And, in fairness to the "unwashed masses"... how many of the, er, "washed masses" actually do this?

In 16 years in the computer industry, plus university and high school ... I have never flashed a BIOS. It simply doesn't come up for me. Granted, I don't build systems, but I've simply never needed to do this.

How many home users will ever do this task?

Re:This is what easy over safe design gets ya (1)

hweimer (709734) | about 3 years ago | (#37400988)

In the past decade or so, the only situations in which I did BIOS updates were to get on-site support dispatched to replace some faulty hardware (which the hardware vendor wouldn't do unless you ran the latest BIOS firmware). Hardly something I would expect the unwashed masses to experience.

Re:This is what easy over safe design gets ya (0)

Anonymous Coward | about 3 years ago | (#37401096)

I've got it. Let's put out locked bootloaders like they have on phones. That seems to go over very well with phone users (not).

Re:This is what easy over safe design gets ya (1)

fnj (64210) | about 3 years ago | (#37400520)

Why? If it works during testing, but it turns out later to be not perfect, just put reinitialization code into the updates that change the code that comes AFTER that point. How the christ do you think we used to do it before they even used flash memory?

Re:This is what easy over safe design gets ya (1)

grimmjeeper (2301232) | about 3 years ago | (#37400620)

And how do you propose the units in the field get fixed? Or do they just need to pitch them and buy new ones?

BIOS on user-replaceable mask ROM (1)

tepples (727027) | about 3 years ago | (#37400716)

And how do you propose the units in the field get fixed?

Put the BIOS image on a microSD mask ROM. Then open the case, snap out the old BIOS card, insert new BIOS card, close the case.

Re:BIOS on user-replaceable mask ROM (1)

grimmjeeper (2301232) | about 3 years ago | (#37400786)

Yeah, let me know how well that sells to the general public.

"What do you mean I have to open up my computer?!? That's going to void the warranty!!!"

Re:BIOS on user-replaceable mask ROM (1)

maxwell demon (590494) | about 3 years ago | (#37400924)

Yeah, let me know how well that sells to the general public.

"What do you mean I have to open up my computer?!? That's going to void the warranty!!!"

And reflashing the BIOS doesn't?

Re:BIOS on user-replaceable mask ROM (1)

tepples (727027) | about 3 years ago | (#37401062)

Most people don't replace CPUs or do anything that would require adding features to the BIOS. And if the PC is still warranted, bring it into an authorized repair shop and a tech will snap in the new BIOS card for you.

Re:This is what easy over safe design gets ya (1)

fnj (64210) | about 3 years ago | (#37400946)

Read the whole thread. The idea is to have the BIOS on day one good enough to be failsafe: getting to a state where it has working video and keyboard and can at least boot a floppy, CD, or USB stick. Nothing else. It's even conceivable that you don't guarantee the video and keyboard work, but as long as you can boot DOS media with an autoexec.bat you can get the reflashing accomplished.

Do you really think that's not possible? Funny; the PC and the AT could do better than that.

Re:This is what easy over safe design gets ya (4, Informative)

grimmjeeper (2301232) | about 3 years ago | (#37401168)

Given that I've worked for a major CPU company and worked with the BIOS developers on more than one occasion as they debugged problems, I think I can say with some confidence that the modern BIOS is more complex by several orders of magnitude over the primitive BIOS you would find in a PC and AT machine. This explosion in complexity means that it's just not financially possible to fund the development to have a flawless BIOS right out of the gate. There are just too many permutations to consider when developing the system to test them all. And even if you did get a "perfect" BIOS out the door, the chips on the board are so much more complex that they never leave the factory without flaws. Ever. And sometimes you just don't find them until they're in the field and you need to supply a workaround.

Re:This is what easy over safe design gets ya (1)

Reverand Dave (1959652) | about 3 years ago | (#37401000)

That's how apple does it!

Re:This is what easy over safe design gets ya (1)

Sooner Boomer (96864) | about 3 years ago | (#37400890)

It's a complete lack of safety. A proper design would require at least a password entered while in the BIOS at a point before anything else could get its hooks into it, to temporarily allow updating. The only executable code that occurs before that point after power-on should be READ ONLY MEMORY with no programmability whatsoever.

This is exactly what IBM did with some of the Thinkpad models. There was a special chip that held the password. The problem was that if this chip "glitched", or you forgot the password, you now had a brick. The chip was soldered onto the motherboard, and couldn't be reset by jumpers or disconnecting the battery. I've got two units that are junk because of this.

Re:This is what easy over safe design gets ya (1)

fnj (64210) | about 3 years ago | (#37400966)

I think the solution to that design flaw is pretty clear and workable.

Re:This is what easy over safe design gets ya (4, Insightful)

Dunbal (464142) | about 3 years ago | (#37400476)

But people wanted simple Windows based utilities to reflash the BIOS

People wanted? Or the industry thought it would be a cool marketing gimmick? Most people have no idea what BIOS stands for, much less what it does and how dangerous it can be for them if it gets subverted. The rest of the people who know should not be too bothered to have to move a jumper to re-flash the BIOS - I mean honestly how often do you do this? - when compared to the security risk. So I don't buy the "people wanted" argument.

I wish marketing people thought a little more about the decisions they make and held themselves to higher standards. I can't believe that no engineer turned around and said "hang on, if we can flash it from the OS, anyone can flash it from the OS..."

Re:This is what easy over safe design gets ya (1)

fnj (64210) | about 3 years ago | (#37400562)

Yes, it was clearly market driven. One day nobody had it, and the next day somebody said "hey, look at this cool feature we have!" Nobody in the public even knew it was possible until the feature appeared.

Re:This is what easy over safe design gets ya (4, Informative)

Baloroth (2370816) | about 3 years ago | (#37400606)

I really, really like what Gigabyte does with their BIOSes. They quite often have 2 on each motherboard, only one of which can be written to. In case of corruption of the primary, you can always boot using the secondary. Wouldn't stop this virus, of course, but it does prevent a corruption based one from hosing your system. Editing BIOS settings from Windows can be pretty convenient, especially if you want to overclock, but it isn't really necessary and probably shouldn't be possible.

Re:This is what easy over safe design gets ya (1)

S.O.B. (136083) | about 3 years ago | (#37400822)

I'm sure manufacturers added the ability to flash the BIOS from a Windows based utility because they were tired of having to explain to non-technical people how to create a boot disk especially now that the floppy has more or less disappeared. Of course you could boot from a USB drive but a bootable USB drive is more problematic than a boot floppy for non-techies.

A safer solution might be to have the BIOS read only with a writable update area where the update utility could save a compressed copy of the new BIOS. On reboot the BIOS, recognizing the presence of the update, could display the appropriate warnings and then ask the user if they want to install the update.

Of course it would still require that the user understand the risks but at least it would eliminate stealth updates of the BIOS.

Re:This is what easy over safe design gets ya (1)

Anonymous Coward | about 3 years ago | (#37400840)

I never saw what was that hard about booting from a 3.5" diskette & flashing in a DOS-like environment or (by necessity, given the expanding size of BIOSes and obsolescence of the 3.5" FDD) later on, using a flash stick to do the same.

Flashing BIOS in a running Windows OS is just plain dangerous and stupid, not only for security reasons but because there is simply a lot going on, and things can go horribly wrong. Witness the many HP laptops that have been bricked by official, HP-provided BIOS updates (mandatory in-GUI flashing).

Why (4, Insightful)

fnj (64210) | about 3 years ago | (#37400246)

Name one reason why it is a good idea that application programs or the kernel or ANYTHING ELSE should even be ABLE to screw with the BIOS. There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.

Re:Why (2)

hedwards (940851) | about 3 years ago | (#37400338)

Uh, think of the children?

Clocks/corporates/updates/crash dumps (1, Insightful)

Sits (117492) | about 3 years ago | (#37400418)

Well, some reasons why the kernel may need to write an area of the BIOS, off the top of my head:

  • Setting the real time clock (if not the clock itself then the area that allows the machine to wake itself on an alarm)
  • Setting the BIOS settings (e.g. BIOS password, boot devices) in a corporate environment across hundreds of machines
  • The ability to update the BIOS (e.g. to address a buggy video BIOS or support previously untested hardware)
  • Save a crash dump somewhere safe (don't want to trash the disk) across a shutdown

Re:Clocks/corporates/updates/crash dumps (3, Informative)

webnut77 (1326189) | about 3 years ago | (#37400622)

Sounds like you're confusing BIOS with CMOS.

Re:Clocks/corporates/updates/crash dumps (3, Insightful)

maxwell demon (590494) | about 3 years ago | (#37400632)

Setting the real time clock (if not the clock itself then the area that allows the machine to wake itself on an alarm)
Setting the BIOS settings (e.g. BIOS password, boot devices) in a corporate environment across hundreds of machines

That's not in the BIOS Flash but on the CMOS RAM.

The ability to update the BIOS (e.g. to address a buggy video BIOS or support previously untested hardware)

Such an update can be done on the BIOS level. The operating system itself doesn't use the BIOS for this anyway (unless you are running DOS, of course).

Save a crash dump somewhere safe (don't want to trash the disk) across a shutdown

Do you know a system where dumps are stored in the BIOS Flash? If you want to provide dumping into on-board Flash, you better make that Flash separate (even without viruses, if your system is so fucked up that it might trash the disk on dumping, it might also trash the flash memory it writes to; you definitely do not want that to be your BIOS!)

Re:Clocks/corporates/updates/crash dumps (2)

fnj (64210) | about 3 years ago | (#37400808)

Setting the real time clock just writes to data-only CMOS and maybe syncs the registers.

I strongly suspect changing the BIOS password, boot device settings, etc., work the same way or a very similar way - i.e., don't use program flash. If they don't, it's obvious they COULD.

Saving a crash dump to BIOS flash? Don't THINK so. Just say no. I doubt anybody does this, but again, if it's that important, it could be done to a hypothetical data-only flash or other storage. There is no excuse to save it to program flash.

The ability to update critical early parts of the BIOS is just a bit harder to work around. I think it's primarily a matter of coming up on day one of hardware release with always-safe defaults that will always allow you to reach a point with a working display and keyboard. I doubt it would be that big a deal. It might require cooperation with CPU and video card makers. If it's harder than I think, then for god's sake let's get some smart people working on it.

Re:Why (2)

grimmjeeper (2301232) | about 3 years ago | (#37400508)

I can give you several reasons why you would want to field load the BIOS. Flaws in processor designs are often worked around by BIOS code and settings. Discovering a flaw in a chip after it is sold to the public is a great reason to be able to update the BIOS with the fix in the field. Hell, there are flaws in BIOS code that don't get discovered until your product is shipped. You need to patch it just like you need to patch any other software. Another good reason is to allow you to upgrade some components in your system without having to buy a new motherboard. A new generation of processor can be dropped into many motherboards out there just by flashing the BIOS and plugging the chip in, assuming socket compatibility is maintained.

Computer systems are vastly more complex now than they were even just 10 years ago. All of the subcomponents on motherboards need a BIOS that tells the CPU where they are and how to run them. Every manufacturer ships processors that have a number of flaws that the BIOS works around. It's the nature of computer systems in the 21st century.

Sure, if we were back in the 90's and still running the pre-PCI architectures, you may have had a point about locking things down. They just didn't need the complexity we have now. But as complexity has been added on top of complexity, we absolutely cannot get by with a locked down BIOS. It just wouldn't work.

Re:Why (2)

X0563511 (793323) | about 3 years ago | (#37400826)

I can give you several reasons why you would want to field load the BIOS. Flaws in processor designs are often worked around by BIOS code and settings. Discovering a flaw in a chip after it is sold to the public is a great reason to be able to update the BIOS with the fix in the field.

Intel (at least) allows you to push microcode updates right into the processor at the OS level. This doesn't need to be done by the BIOS. In fact, it shouldn't - unless you simply cannot boot without doing so!

Re:Why (2)

grimmjeeper (2301232) | about 3 years ago | (#37401044)

Yeah, that's much more secure... ;)

Even though you can push fixes directly into the processor in that way, there is still a reason to have to patch the BIOS. The CPU microcode pretty much only affects the CPU. The BIOS is there to interface with the rest of the components on the motherboard. And when you need to get around a flaw in your north bridge by supplying different initialization settings, there's pretty much no way to fix that in a CPU microcode push. You have to do it with a BIOS flash.

Re:Why (0)

Anonymous Coward | about 3 years ago | (#37400858)

CPU fixes are usually handled by updating the CPU microcode and not in the bios.

Re:Why (4, Insightful)

fnj (64210) | about 3 years ago | (#37401006)

Er, the issue is not that you don't allow BIOS updates; it's that you protect them with a "big red switch," so they just can't happen like the dog ate my homework. I understand that the BIOS does at times have to be updated, but I don't want some prick on the other end of the internet doing it for me when it doesn't need to be done.

Re:Why (1)

grimmjeeper (2301232) | about 3 years ago | (#37401202)

I can agree with that concept.

Re:Why (2)

Malties (1942112) | about 3 years ago | (#37401124)

I don't think anyone is saying there is not a reason to flash a BIOS. But what is in question is whether to allow this to be done through Windows. Yes, it is more work to flash a BIOS from the setup screen, but it is much more secure in the light of viruses that attack it.

Re:Why (0)

Anonymous Coward | about 3 years ago | (#37400898)

With the manufacturer's files only? No thank you. I want my CoreBoot.

Re:Why (2)

lazyforker (957705) | about 3 years ago | (#37401008)

Name one reason why it is a good idea that application programs or the kernel or ANYTHING ELSE should even be ABLE to screw with the BIOS. There should be a big red PHYSICAL switch which makes the BIOS read-only, and it should only be temporarily turned off to allow updating with the manufacturer's files and NOTHING ELSE.

I'll bite: bulk BIOS updates on thousands of PCs. My company has an enormous number of PCs - paying someone to manually flick a switch, stand by while a BIOS update is performed, then unflick it afterwards would represent an enormous cost in time and labor. We buy large numbers of identical machines every year - so when a BIOS update is needed it needs to be applied to a lot of machines, globally.

Secondly: we set BIOS passwords to prevent (or make it harder for) the machine to be booted from USB thumb drive, DVD, external hard drive etc.

How about making the PC detect signed BIOS packages?

Whose idiotic idea was it to make BIOSes writable? (0)

Anonymous Coward | about 3 years ago | (#37400254)

The only real reason a computer needs a BIOS is to run a bootloader, and if that functionality works, then it's probably going to continue to work. All other hardware drivers belong in the OS, where they can be updated without the risk of bricking your goddamn motherboard.

Re:Whose idiotic idea was it to make BIOSes writab (1)

0123456 (636235) | about 3 years ago | (#37400430)

The only real reason a computer needs a BIOS is to run a bootloader, and if that functionality works, then it's probably going to continue to work.

You're obviously nostalgic for the days when software was debugged as thoroughly as possible before shipping because it couldn't be upgraded later, rather than released with known major bugs because 'we can always fix it with a flash upgrade'.

Re:Whose idiotic idea was it to make BIOSes writab (2)

jmorris42 (1458) | about 3 years ago | (#37400438)

> The only real reason a computer needs a BIOS is to run a bootloader...

Oh how I wish that were still true. Got one word for ya, ACPI.

Re:Whose idiotic idea was it to make BIOSes writab (1)

networkBoy (774728) | about 3 years ago | (#37400692)

And DDR2/3/4
And PCIe/16 Graphics
All timings & lane skews handled by BIOS
-nB

Re:Whose idiotic idea was it to make BIOSes writab (1)

grimmjeeper (2301232) | about 3 years ago | (#37400772)

And HT/QPI. Hell, you have to get the PCIe buses walked enough to even see the BIOS boot ROM on the south bridge. Not a full initialization but enough to read the contents of the boot ROM into cache and/or RAM.

Re:Whose idiotic idea was it to make BIOSes writab (1)

X0563511 (793323) | about 3 years ago | (#37400846)

... in other words, ACPI?

Re:Whose idiotic idea was it to make BIOSes writab (1)

networkBoy (774728) | about 3 years ago | (#37400884)

no, DMI training (AFAIK that is not part of ACPI)

Re:Whose idiotic idea was it to make BIOSes writab (1)

fnj (64210) | about 3 years ago | (#37400842)

ACPI is a cluster fuck, but do you have any ready reason why it could not all be done in the OS, perhaps a unique module particular to the individual motherboard, rather than the BIOS?

Re:Whose idiotic idea was it to make BIOSes writab (1)

Anonymous Coward | about 3 years ago | (#37400448)

The real question is why are BIOSes not verified for a digital signature by a hardware component.

Yes, you want to be able to upgrade a BIOS by sending a file to a client. That's an important feature. I just don't get why the file should not, as a requirement, be digitally signed.

Shachar
posting anonymously to not revert moderation
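The staged, verify-at-reboot update S.O.B. describes above and the digital-signature check Shachar asks for, combined into one added example (not code from the original thread or from any vendor's firmware): a Go model of a flash part whose boot block checks an Ed25519 signature over an image left in a staging area before copying it into the code region, and rejects tampered, untrusted-key, unsigned and downgrade images. The image layout, the Flash type, the key pairs and the sample bodies are all assumed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Flash models a BIOS part split three ways: a boot block that holds the
// vendor's public key and this verifier (never rewritten), the main code
// region, and a staging area that an OS-side updater may write into.
type Flash struct {
	VendorKey ed25519.PublicKey
	Version   uint32
	Code      []byte
	Staging   []byte // nil when no update is pending
}

// Update image layout (assumed for this example): 8-byte magic,
// 4-byte little-endian version, body, then an Ed25519 signature over
// everything before it.
const (
	magic   = "BIOSUPD1"
	hdrSize = 12
)

var (
	ErrBadFormat = errors.New("staged image: malformed")
	ErrBadSig    = errors.New("staged image: signature check failed")
	ErrRollback  = errors.New("staged image: version not newer than installed")
)

// BuildUpdate is the vendor side: sign header||body with the private key.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, body []byte) []byte {
	hdr := make([]byte, hdrSize)
	copy(hdr, magic)
	binary.LittleEndian.PutUint32(hdr[8:], version)
	payload := append(hdr, body...)
	return append(payload, ed25519.Sign(priv, payload)...)
}

// Stage is all an OS-level tool can do: copy bytes into the staging area.
// The code region itself is not writable from the OS in this model.
func (f *Flash) Stage(img []byte) {
	f.Staging = append([]byte(nil), img...)
}

// ApplyPending runs from the boot block at reset, before any OS code.
// The staging area is cleared whatever the outcome, so a rejected image
// is not silently retried on the next boot.
func (f *Flash) ApplyPending() error {
	img := f.Staging
	f.Staging = nil
	if img == nil {
		return nil
	}
	if len(img) < hdrSize+ed25519.SignatureSize || string(img[:8]) != magic {
		return ErrBadFormat
	}
	split := len(img) - ed25519.SignatureSize
	payload, sig := img[:split], img[split:]
	if !ed25519.Verify(f.VendorKey, payload, sig) {
		return ErrBadSig
	}
	ver := binary.LittleEndian.Uint32(payload[8:hdrSize])
	if ver <= f.Version {
		return ErrRollback // anti-rollback: only strictly newer images are installed
	}
	f.Code = append([]byte(nil), payload[hdrSize:]...)
	f.Version = ver
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // vendor key pair (constructed)
	_, rogue, _ := ed25519.GenerateKey(nil)  // some other key, not trusted
	f := &Flash{VendorKey: pub, Version: 1, Code: []byte("vendor v1")}

	try := func(label string, img []byte) {
		f.Stage(img)
		fmt.Printf("%-26s -> err=%v installed=%d\n", label, f.ApplyPending(), f.Version)
	}
	try("genuine v2", BuildUpdate(priv, 2, []byte("vendor v2")))
	tampered := BuildUpdate(priv, 3, []byte("vendor v3"))
	tampered[hdrSize] ^= 0xff // one body byte changed after signing
	try("tampered v3", tampered)
	try("signed with untrusted key", BuildUpdate(rogue, 3, []byte("not vendor")))
	try("unsigned raw bytes", []byte("arbitrary bytes in staging"))
	try("downgrade to v1", BuildUpdate(priv, 1, []byte("vendor v1")))
}
```

Only the genuine v2 image changes Code and Version; every other staged image is discarded with the matching error and the installed version stays at 2.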

Virus (-1)

Anonymous Coward | about 3 years ago | (#37400278)

Don't run this program, it has a virus:

10 i = i + 1
15 IF i > 99999 THEN PRINT ".";: i = 0
20 IF INKEY$ = "" THEN 10
30 PRINT "King James Bible, Line:", i

Line: 97737
world, but was manifest in these last times for you, 1:21 Who by him
do believe in God, that raised him up from the dead, and gave him
glory; that your faith and hope might be in God.

1:22 Seeing ye have purified your souls in obeying the truth through
the Spirit unto unfeigned love of the brethren, see that ye love one
another with a pure heart fervently: 1:23 Being born again, not of
corruptible seed, but of incorruptible, by the word of God, which
liveth and abideth for ever.

Coreboot (0)

Anonymous Coward | about 3 years ago | (#37400298)

BIOS malware is not new. TFA even mentions malware from 2007 that did the same thing. Some motherboards have actually shipped with rootkits accidentally installed. Proprietary BIOSes can have rootkits in them, and can't be detected.

If you can compile the binary yourself, you can mitigate BIOS viruses. That's why we need Coreboot support on motherboards.

Re:Coreboot (1)

nschubach (922175) | about 3 years ago | (#37400524)

I kind of forgot about coreboot/OpenBIOS. Looking at their motherboard support page, apparently I'm not alone. It's a neat concept, but the BIOS is generally just configured and ignored for most people, including geeks.

Coreboot is a joke (0)

Anonymous Coward | about 3 years ago | (#37400896)

I just looked at the supported boards page. Everything on there is at least a decade old. Oh great, someone hacked together a BIOS that lets my Celeron 533 box boot up 3 seconds faster.

IT'S BIOS-EXPLOITING ROOTKIT (0)

Anonymous Coward | about 3 years ago | (#37400318)

Not BIOS-exploiting rootkit, which implies the BIOS is doing the exploiting, sort of like that French guy and his chambermaid!!

CIH NEVER Infected BIOS (2)

meerling (1487879) | about 3 years ago | (#37400326)

It tried to overwrite it with garbage, thus corrupting it. Kind of like blowing up your car with dynamite isn't the same thing as stealing it.
Most of the time all CIH succeeded at was trashing the BIOS settings stored in CMOS. Clean the infector, reset the BIOS, save the changes and you were done.

It's amazing how low the understanding of what malware is and does has fallen. By the way, the antivirus industry has been aware that it would be possible to write a BIOS infector from the moment the software-updatable BIOS became available. Fortunately most writers of malware are pretty incompetent as far as programming goes, though this did take about 6 years longer than I expected.

Re:CIH NEVER Infected BIOS (1)

fnj (64210) | about 3 years ago | (#37400876)

Most of the time, yes, that's reassuring, but you're implying there is some of the time when it succeeded in actually infecting the BIOS in a non-bricking way.

Welcome to the bios infestation (0)

Anonymous Coward | about 3 years ago | (#37400350)

I for one welcome our new Chinese metal oxide semiconductor (CMOS) overlord.

Re:Welcome to the bios infestation (1)

cyberchondriac (456626) | about 3 years ago | (#37400824)

"In Russia, BIOS rootkit exploits YOU!"
"Al Gore invented the rootkit"
"It's Bush's fault"
"All your BIOS are belong to us!" (Okay, haven't heard this one for a while)

There.. now we're done with all the /. memes and can move on, right? ;)

As long as you can update from Windows... (0)

Anonymous Coward | about 3 years ago | (#37400352)

Motherboard vendors (think ASUS in particular) _always_ provide tools to update the BIOS firmware from Windows. I kind of understand this, because they want to be able to ship something dummy-proof so it's not a support nightmare. Of course, as long as this feature exists, it will be exploitable. The only solution is to have a more complex BIOS updating procedure, as several posters have mentioned. I suspect motherboard vendors would be rather resistant to this.

Re:As long as you can update from Windows... (1)

Dunbal (464142) | about 3 years ago | (#37400542)

Another solution is to make sure your BIOS is bug free when you ship. That involves paying your coders slightly more than minimum Chinese wage.

Re:As long as you can update from Windows... (1)

0123456 (636235) | about 3 years ago | (#37400750)

Another solution is to make sure your BIOS is bug free when you ship. That involves paying your coders slightly more than minimum Chinese wage.

Which is great until a new CPU is released and you don't support it and can't upgrade the BIOS to do so. I've seen a number of AMD users complaining because they'd been told that if they bought an AMD motherboard today they would still be able to use it for future generations of AMD CPUs, only to find that the motherboard manufacturer couldn't be bothered to issue a new BIOS two years later to support the new chips even though the hardware would work with them.

Re:As long as you can update from Windows... (1)

Dunbal (464142) | about 3 years ago | (#37400852)

Your example is the exception because usually a new CPU means a new socket, which means a new motherboard. Besides, last-minute patches are usually to fix bugs that get discovered through having a large number of users, not to support new hardware. And your argument is irrelevant in the context of being able to update your BIOS through moving a jumper or even changing the physical chip like in the old days. What happens is that if you allow a company a path of least resistance, then management and employees will make sure to do the minimum effort required. Just like software patches were a rare thing before the prevalence of the internet. Now multi-hundred gigabyte release day patches are the norm. Why? Because companies are fucking lazy and sloppy and if you give them an inch they take a mile. I'm in favor of not giving them that inch.

Re:As long as you can update from Windows... (1)

maxwell demon (590494) | about 3 years ago | (#37401030)

If you change the CPU, you must open your case and manipulate the hardware anyway. Changing a jumper to allow BIOS update wouldn't be a big deal in that case.

Re:As long as you can update from Windows... (1)

0123456 (636235) | about 3 years ago | (#37401144)

If you change the CPU, you must open your case and manipulate the hardware anyway. Changing a jumper to allow BIOS update wouldn't be a big deal in that case.

In case you didn't notice, the post I was replying to was suggesting that you make the BIOS bug-free and not upgradeable at all rather than making the BIOS upgrade more complex.

Re:As long as you can update from Windows... (1)

tepples (727027) | about 3 years ago | (#37400990)

I guess conventional wisdom is that formal verification to ensure that a BIOS is bug free is too expensive for this market segment.

encrypted hard drive (1)

Ectospheno (724239) | about 3 years ago | (#37400422)

So if you use full disk encryption such as truecrypt do you just get a trashed drive?

Re:encrypted hard drive (1)

X0563511 (793323) | about 3 years ago | (#37400894)

How does that have anything to do with the BIOS at all?

next, routers (0)

Anonymous Coward | about 3 years ago | (#37400440)

Since many WLAN and ADSL routers are actually small Linux boxes with HTTP flashing and known default root passwords, I'd be surprised if there weren't some worms infecting them as well...

Bad? Nope (0)

Anonymous Coward | about 3 years ago | (#37400442)

Oh, this is ba-
>Windows PE
Ahahahahahahahahahahahahahahahahaha.

Ahahahahaha.

How complex can it possibly be ? (2)

billcopc (196330) | about 3 years ago | (#37400552)

Preface: I know a thing or two about BIOS hacking.

Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be? Many of them only have 2MB, already close to capacity with just the stock BIOS. This doesn't leave a whole lot of space for adding an attack module, and it would have to do some fancy footwork to survive past the protected-mode switch. Modern operating systems don't use the BIOS at all past the bootloader, once the native device drivers take over. It might be possible to punt out some other chunk of the BIOS to make room, but that's playing with fire. If the machine becomes unbootable, the rootkit won't get very far.

CIH was a very trivial virus. All it did was blindly clobber things with zeroes. It had no way of "rooting" a box. It would simply toast your OS, and if your BIOS chip supported the one flash command CIH knew, it would blank that out as well, rendering your machine unbootable. That's what we get for outsourcing even our virus writing to China :P

Re:How complex can it possibly be ? (1)

bWareiWare.co.uk (660144) | about 3 years ago | (#37400650)

The only payload they need is to load the MBR from somewhere unexpected (i.e. probably one address change). This ensures all the current AntiVirus code will be scanning the wrong MBR and given a false negative.

Re:How complex can it possibly be ? (0)

Anonymous Coward | about 3 years ago | (#37400704)

You're a serious BIOS hacker huh? An MBR is only 446 bytes of code.

Re:How complex can it possibly be ? (1)

X0563511 (793323) | about 3 years ago | (#37400972)

You apparently can't read. The MBR is not the BIOS, and the BIOS is not the MBR.

Re:How complex can it possibly be ? (0)

Anonymous Coward | about 3 years ago | (#37400748)

The average BIOS, being say 1 MByte, has lots of room.

The average bios now has to have room for: Custom Logos, Option ROMS [ RAID, Ethernet, Video, etc].

Now if we get a SKILLED programmer [ie: not a java programmer], but someone who knows C/ASM, you can squeeze a lot of malicious code into say 19,200 Bytes, which covers the size of a BIOS full-screen custom logo @ 640x480x16 colors, which most BIOS have provisions for.

Re:How complex can it possibly be ? (0)

Anonymous Coward | about 3 years ago | (#37400900)

Some java programmers also know C/ASM you insensitive clod. In fact, knowing all 3 (plus several more) doesn't hurt you any.

Re:How complex can it possibly be ? (0)

Anonymous Coward | about 3 years ago | (#37401078)

There is no such thing as an average bios, they are not interchangeable and what you wrote for one would work on that one only. Your Award virus would not work on my Phoenix bios.

Re:How complex can it possibly be ? (0)

Anonymous Coward | about 3 years ago | (#37400800)

SMM [wikipedia.org]

Re:How complex can it possibly be ? (1)

networkBoy (774728) | about 3 years ago | (#37400866)

I would imagine it loads some item as an option ROM, reads more code from disk at a fixed offset location, loads into a modified bootloader that loads the actual payload then steps back to the real MBR to bring up the host OS. The BIOS code can be fairly trivial at that point, but hides that the MBR has been compromised by leaving the original MBR intact.
-nB

Re:How complex can it possibly be ? (2)

maxwell demon (590494) | about 3 years ago | (#37400874)

Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be?

Just loading a different sector than the standard MBR sector on startup (maybe after a check that the virus code is there, e.g. by CRC) would probably already defeat a lot of tools protecting against MBR infections. Your "MBR" disk virus would no longer reside on the MBR, and thus not be detected/protected against by the standard antivirus code. Doing so should in the simplest case (no check) require changing no more than one number in the BIOS (the sector to read and execute when booting). The new "MBR" could then load and execute an arbitrary amount of extra code before handing over to the real (unchanged) MBR. Maybe even start a virtual machine to run the OS in.
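The detection gap that bWareiWare.co.uk and maxwell demon describe above (a loader living in a sector the MBR scanners never look at) is something disk-image triage can at least surface. The following is an added example, not code from the thread or from Symantec's analysis: it parses the MBR partition table and lists every sector that carries a boot signature but is neither the MBR nor a partition's first sector, run over a constructed 64-sector image.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"          # little-endian 0xAA55 at offset 510

def parse_mbr(sector0: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, partition entries and signature."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:                       # type 0 means an empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "start": lba_start, "count": count})
    return {"code": sector0[:446], "partitions": partitions,
            "signature": sector0[510:512]}

def find_unexpected_boot_sectors(image: bytes) -> list:
    """LBAs with a boot signature that are neither the MBR nor a partition start.

    Heuristic only: backup boot sectors (NTFS, FAT32) and the VBRs of GPT
    partitions also match, so hits are triage leads, not verdicts.
    """
    mbr = parse_mbr(image[:SECTOR])
    expected = {0} | {p["start"] for p in mbr["partitions"]}
    hits = []
    for lba in range(len(image) // SECTOR):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sector[510:512] == BOOT_SIG and lba not in expected:
            hits.append(lba)
    return hits

def build_sample_image() -> bytes:
    """Constructed 64-sector image: MBR, one partition at LBA 8, and a stray
    signed sector at LBA 60 standing in for a relocated loader (no real code)."""
    sectors = [bytearray(SECTOR) for _ in range(64)]
    entry = struct.pack("<B3xB3xII", 0x80, 0x83, 8, 40)  # bootable, Linux, LBA 8, 40 sectors
    sectors[0][446:462] = entry
    sectors[0][510:512] = BOOT_SIG
    sectors[8][510:512] = BOOT_SIG          # the partition's own volume boot record
    sectors[60][510:512] = BOOT_SIG         # the unexpected one
    return b"".join(bytes(s) for s in sectors)

if __name__ == "__main__":
    print(find_unexpected_boot_sectors(build_sample_image()))  # [60]
```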

Re:How complex can it possibly be ? (5, Informative)

cachimaster (127194) | about 3 years ago | (#37400914)

Preface: I know a thing or two about BIOS hacking.

Me too, I did it several times. Not too hard if you have several motherboards to waste :)

Given the very limited space available in the average PC Flash BIOS chip, how fancy can this possibly be?

Well apparently this was found in the wild, working.

This doesn't leave a whole lot of space for adding an attack module.

You don't need very much if you know assembly. 512 bytes (yes, bytes) is enough for a very good win32 shellcode with network access. I have found anything from 1KB to 30 KB free memory, and you always can trash unused ROM extensions or bitmaps.

Modern operating systems don't use the BIOS at all past the bootloader

This is incorrect. Most operating systems use the BIOS well past the bootloader to get the memory map, VGA mode setting and other stuff like setting up BIOS32 structures, even if they are not used later.

It might be possible to punt out some other chunk of the BIOS to make room, but that's playing with fire. If the machine becomes unbootable, the rootkit won't get very far.

True, but BIOS persistence is only an additional vector. If it detects an incompatible BIOS, it simply doesn't use that way to persist on the system.

Re:How complex can it possibly be ? (0)

Anonymous Coward | about 3 years ago | (#37401014)

I don't know. Wouldn't be overly difficult to write your own int 13h handler, intercept when NTLDR loads its "minifile" system drivers, and uncompress/substitute an infected minifile system driver that could surreptitiously install some boot-time kernel drivers. Slightly more difficult when dealing with winload and its cryptographic verification of certain code. These boot-time kernel drivers could do some very interesting things if you were completely familiar with the internals of the Windows kernel.

Re:How complex can it possibly be ? (1)

aix tom (902140) | about 3 years ago | (#37401040)

Well, 2MB is 32 times the memory the C64 needed to do A LOT of "fancy" stuff, including its own viruses.

Same question every time (1)

ThatsNotPudding (1045640) | about 3 years ago | (#37400658)

Can we really trust sky-falling advisories from companies such as Symantec? #ProfitMotive

when uefi becomes more widely adopted. (2)

Truekaiser (724672) | about 3 years ago | (#37400860)

Expect more of this. A full command environment with access to all the hardware on the system before the OS boots? It's almost as if it was written 'for' virus and malware makers.

UEFI, anyone? (1)

ttong (2459466) | about 3 years ago | (#37400920)

So what about UEFI, will it make this type of threat more difficult or (much) easier? Also, it seems all my servers are safe from this even if they'd be running MS-Windows, because they use a cheap RAID card to detect the hard drives and then boot from one of them. Another mitigation is an encrypted root filesystem because hook.com won't be able to find a login program. Until they modify it to infect the encryption software, of course. Best way to defend against this would be to use TPM with a signed kernel, which is virtually non-existent today.

BIOS - Lots of Space for the Skilled (0)

Anonymous Coward | about 3 years ago | (#37400948)

BIOS contains lots of free/unused space for the skilled programmer.

The BIOS Logo, which most BIOS have provision for, is 640x480x16 colors. Now that's 19,200 Bytes! One can fit a LOT of malware in 18.75k IF they are skilled in C/ASM.

Another way, is to make an add-on "OPTION ROM". BIOS have provision for these too [ RAID, Video, Ethernet]. Option ROMS can hook various bios functions, interrupts, etc and override them.

The average BIOS has now ballooned to over 2 MBytes, probably leaving 200k or so free. That is a LOT of space for code.
