
Rootkits Head for Your BIOS

Zonk posted more than 8 years ago | from the get-me-off-of-the-internet-please dept.

Security 287

Artem Tashkinov wrote to mention a SecurityFocus article which discusses a disturbing new threat to computer security: Rootkits that target a computer's BIOS. From the article: "One rootkit expert at the conference predicted that the technology will become a fundamental part of rootkits in the near future. 'It is going to be about one month before malware comes out to take advantage of this,' said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. 'This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in.'" Update: 01/27 14:28 GMT by Z : John Heasman wrote with a link to the slide presentation on this topic given at the Black Hat Conference (pdf).


Really? (2, Funny)

TheRealMindChild (743925) | more than 8 years ago | (#14577979)

Where are such tools? If I knew such things existed, I would have experimented in "bricking" some of my machines YEARS ago

Re:Really? (0)

Anonymous Coward | more than 8 years ago | (#14578028)

I think you mean "brickifying", or maybe "bricktating"

Re:Really? (5, Informative)

Shanep (68243) | more than 8 years ago | (#14578065)

Where are such tools? If I knew such things existed, I would have experimented in "bricking" some of my machines YEARS ago

Well there is UNIFLASH [uniflash.org] with source code. Then there are the likes of CBROM and AMIBCP to modify BIOS images and remove and add/enable drivers, functionality and boot screen graphics. Here [goe.net] and here [dstyles.de] are good places for info and tools.

Re:Really? (4, Funny)

MadTinfoilHatter (940931) | more than 8 years ago | (#14578361)

I hear Sony is working on a version of their own, as well...

Bad for new PCs, Good for old ones! (0, Redundant)

marshallh (947020) | more than 8 years ago | (#14577981)

Good thing my Pentium machine is running on a motherboard so old you can't flash the BIOS... I, for one, welcome our new BIOS-munging rootkit overlords.

Re:Bad for new PCs, Good for old ones! (-1, Redundant)

smitty_one_each (243267) | more than 8 years ago | (#14578217)

Me, too.
In !(Soviet Russia) one hopes that these possibilities will drive home the need for FOSS at all levels of the computer to you!

Re:Bad for new PCs, Good for old ones! (1)

jacksonj04 (800021) | more than 8 years ago | (#14578414)

Minor point here, but surely making the BIOS FOSS won't exactly help matters? Admittedly it probably won't make them worse, but how is it supposed to make them better?

OMFG! (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14577986)

WE ARE ALL GONNA DIE!

From TFA (0)

Anonymous Coward | more than 8 years ago | (#14577988)

"This is platform independent," Heasman said. "We can write a backdoor for Windows that will elevate privilege, and turn around and use the code on Windows."

Perhaps he meant, "We can write a backdoor for Windows that will elevate privilege, and turn around and use the code on... MacOsX."? :-)

Re:From TFA (1)

oakbox (414095) | more than 8 years ago | (#14578043)

I caught that too. I just assumed he was being humorous.

What about EFI? (2, Insightful)

Aqua OS X (458522) | more than 8 years ago | (#14577991)

What about EFI?

Re:What about EFI? (1)

ObsessiveMathsFreak (773371) | more than 8 years ago | (#14578044)

What about EFI?

That would be an ecumenical matter.

Re:What about EFI? (3, Funny)

damieng (230610) | more than 8 years ago | (#14578438)

Seeing as EFI supports drivers and the OS is to sit on top of EFI, any rootkits there could hide whatever they wanted from your OS....

Unless of course your OS exposes the EFI configuration and drivers too...

[)

Re:What about EFI? (3, Funny)

Shanep (68243) | more than 8 years ago | (#14578104)

What about EFI?

What about OpenFirmware in my Sun machines with the PROM read-only jumper set ON?

; )

Re:What about EFI? (1)

lintux (125434) | more than 8 years ago | (#14578278)

I guess EFI machines have ACPI microcode somewhere too, should be just as easy to change it, unless for some reason they don't store it on flash. This is about changing ACPI code (that is probably not just active at boot-time only, like with most of the BIOS code, now that DOS is dead...), which is there in any recent (x86) machine AFAIK.

Re:What about EFI? (5, Insightful)

Burz (138833) | more than 8 years ago | (#14578448)

A new EFI system is what you're supposed to buy in response to BIOS-scare stories.

That's what about EFI.

Solution (5, Interesting)

CastrTroy (595695) | more than 8 years ago | (#14577994)

They should just make the motherboard have a physical switch on it that stops your BIOS from getting written to. For the number of times I've had to flash my BIOS, it'd be a small price to pay to have to open my computer, just to have the peace of mind that some virus wasn't overwriting my BIOS. If it was a software setting, then there would be a way around it, but if there was a physical switch that disconnected the write lines, then it would probably be pretty hard for a hacker to get around that.

Re:Solution (4, Insightful)

Benanov (583592) | more than 8 years ago | (#14578009)

The problem is, think of Joe Sixpack updating his own...

Wait. Never mind. Joe Sixpack would almost never flash a BIOS, because he still calls the tower "my hard drive."

Re:Solution (2, Funny)

elrous0 (869638) | more than 8 years ago | (#14578087)

he still calls the tower "my hard drive."

I still have to explain to my parents that the box beside the monitor is actually the computer. They think it's built into the monitor.

-Eric

Re:Solution (5, Funny)

cogg (864885) | more than 8 years ago | (#14578129)

I still have to explain to my parents that the box beside the monitor is actually the computer. They think it's built into the monitor.
You can blame Apple for that.
*ducks*

Re:Solution (2, Informative)

Anonymous Coward | more than 8 years ago | (#14578518)

How 'bout adding BIOS backup to your system backup chores. Any board I've ever worked with has a flash utility that lets you save your current BIOS contents.
  1. make a bootable floppy
  2. put the MB's flash utility on it
  3. learn how to use the flash utility - particularly how to save and restore a bios to/from a file.
  4. use the flash utility to copy the current bios to disk.
  5. put the disk somewhere, and remember where it is when EVIL_BIOS_TRASHING_R00T_KIT comes knocking.
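A saved copy is only half of the backup chore: you also want to be able to tell whether the image currently in the chip still matches it. The script below is an added example, not code from the post above or from any vendor's flash utility. It assumes you have already used your board's own utility to save the original image and, later, a fresh dump (the file names `bios_saved.bin` and `bios_current.bin` are hypothetical), hashes both, and lists the byte ranges that differ; a constructed pair of images is embedded so it also runs offline.

```python
import hashlib
import sys
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a whole image: the value worth writing on the backup floppy's label."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(saved: bytes, current: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) ranges where the two images disagree.

    Images of unequal size are treated as differing from the end of the
    shorter one to the end of the longer one, so an image that has grown
    (something appended after the original modules) is reported too.
    """
    regions: List[Tuple[int, int]] = []
    start = None
    n = max(len(saved), len(current))
    for i in range(n):
        a = saved[i] if i < len(saved) else None
        b = current[i] if i < len(current) else None
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, n - start))
    return regions


def verify_dump(saved: bytes, current: bytes) -> dict:
    """Compare a fresh dump against the saved copy and summarise the result."""
    return {
        "saved_sha256": sha256_hex(saved),
        "current_sha256": sha256_hex(current),
        "identical": saved == current,
        "changed_regions": diff_regions(saved, current),
    }


# Constructed sample (not a real BIOS): a 4 KiB image that is mostly 0xFF
# (erased flash) with a fake module marker, and a copy in which 16 bytes
# in the middle were overwritten.
SAMPLE_SAVED = b"\xff" * 1024 + b"FAKEMODULE" + b"\xff" * 3062
_tampered = bytearray(SAMPLE_SAVED)
_tampered[2048:2064] = b"\x00" * 16  # constructed modification
SAMPLE_CURRENT = bytes(_tampered)


def main(argv: List[str]) -> int:
    if len(argv) == 3:
        # Usage: python bios_diff.py bios_saved.bin bios_current.bin (hypothetical names)
        with open(argv[1], "rb") as f:
            saved = f.read()
        with open(argv[2], "rb") as f:
            current = f.read()
    else:
        saved, current = SAMPLE_SAVED, SAMPLE_CURRENT
    result = verify_dump(saved, current)
    print("saved   sha256:", result["saved_sha256"])
    print("current sha256:", result["current_sha256"])
    if result["identical"]:
        print("images are identical")
        return 0
    for offset, length in result["changed_regions"]:
        print(f"changed: offset 0x{offset:06x}, {length} bytes")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A differing range is not proof of tampering on its own: some boards keep settings or an event log inside the same flash part, so compare the offsets against what your board's documentation says lives there before restoring the saved copy.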

Re:Solution (1)

gEvil (beta) (945888) | more than 8 years ago | (#14578015)

Covered in the article: "However, the ability to flash the memory depends on whether the motherboard allows the BIOS to be changed by default or if a jumper or setting in the machine setup program has to be changed."

Granted, a lot of mobos don't require changing a jumper to flash the BIOS, but it seems that some do (none that I've encountered, though).

Re:Solution (1)

gEvil (beta) (945888) | more than 8 years ago | (#14578135)

Okay, this line from TFA got me wondering: "Almost all machines have a physical protection, such as a jumper on the motherboard, against flashing." I just downloaded a PDF of the owner's manual for my mobo (Abit NF-7 S2), and there's no mention of a jumper to write-protect the BIOS. It looks like the only way to protect the BIOS is via the password, which wouldn't protect it from being overwritten by one of these nasties. I don't recall this jumper being present on any of my other Abit boards either. What manufacturers do include this jumper on their boards?

Re:Solution (1)

skyshock21 (764958) | more than 8 years ago | (#14578215)

I seem to recall seeing a jumper on the old Dell Optiplex boards that you had to move in order to flash/write over the BIOS. I thought it was a damn good idea and still wonder why more Mobo manufacturers don't do this.

Re:Solution (3, Informative)

NewToNix (668737) | more than 8 years ago | (#14578317)

Granted, a lot of mobos don't require changing a jumper to flash the BIOS, but it seems that some do (none that I've encountered, though).

Every ASUS board I own has a jumper (and I have a lot of different model ASUS boards in use - over twenty anyway).

I don't know if all ASUS boards have BIOS jumpers, but all of mine do.

So now I guess I'll be putting those jumpers in non flash mode.

One more annoyance - but at least I got lucky that they all have the jumper.

They are all AMD boards (I don't use Intel, no flame, just a personal choice), so maybe the motherboard chipsets have something to do with them putting BIOS jumpers on board. I don't know if that would have anything to do with it or not.

But I can see where having the BIOS jumper is about to become a mother board selling point...

Re:Solution (2, Informative)

MBGMorden (803437) | more than 8 years ago | (#14578430)

I've seen some Biostar motherboards that do this. My guess (and it's just a guess) is that Biostar is more often used by the "screwdriver shops" in the computers they build for customers, so they include features like this to help the shop keep the customer from messing a system up (i.e., flip the switch to disable BIOS writes. If they aren't smart enough to figure out that you need to turn the switch back off, then you probably don't need to flash a BIOS).

Other brands more common in hobbyist PCs (Abit, Asus, Gigabyte, etc.) focus on a different type of feature-set.

Re:Solution (0)

Anonymous Coward | more than 8 years ago | (#14578018)

The only thing is, going in to switch something on the motherboard is what flash BIOSes were all about. I think a BIOS setting that you have to configure in the BIOS first could do the same thing. That way you would have to reboot, go to the BIOS, flip on the setting, then boot into your OS to flash the thing. Password protecting the BIOS would also help in that case.

Re:Solution (0)

Anonymous Coward | more than 8 years ago | (#14578019)

For the number of times I've had to flash my BIOS, it'd be a small price to pay to have to open my computer, just to have the peace of mind that some virus wasn't overwriting my BIOS.

Or even better, have that switch be on the outside.

Re:Solution (5, Insightful)

CastrTroy (595695) | more than 8 years ago | (#14578095)

No, on the inside would stop it from being tripped by accident, or by users who have no idea what it does and decide to start playing with it. Also, all updates to the BIOS should just be stored on a secondary chip, and have to be confirmed when the user boots up the next time before it is copied to the actual bios. And there should be a third read only chip containing the original bios, which could somehow be loaded in the case of an emergency/mistake. BIOS chips can't really be that expensive, so putting extra security measures in place to not get your system hosed are important.

Re:Solution (2, Informative)

Dave_M_26 (773236) | more than 8 years ago | (#14578357)

And there should be a third read only chip containing the original bios, which could somehow be loaded in the case of an emergency/mistake. BIOS chips can't really be that expensive, so putting extra security measures in place to not get your system hosed are important.

Gigabyte have had this for a few years now. They call it Dual Bios.

Dave

Re:Solution (1)

Peeteriz (821290) | more than 8 years ago | (#14578407)

Electronics component manufacturing is so low-margin that if you can save 25 cents per unit by not putting a chip there, that might easily double your profit. And spending 25 cents more per unit can turn it from a profit making item into a loss.

These small things do add up to real money, and margins are so low that nobody will add anything unless it's a feature that makes sales (and no, "slightly better security measures for motherboard " are not something that Joe Sixpack will notice on the feature list).

Re:Solution (1)

trparky (846769) | more than 8 years ago | (#14578514)

Yeah, but Joe Sixpack doesn't build his own computers like we do. Joe Sixpack is more likely to go out and buy some slow POS Dell.

Re:Solution (1)

Peeteriz (821290) | more than 8 years ago | (#14578568)

Well, that's the point.

For everyone that builds his own computer, there are a hundred Dells, so in any discussion of potential rootkit spread and the security situation of the whole networked population, you can just disregard anyone with self-built computers and premium motherboards (which could have the backup BIOSes proposed in the post above), since their impact on the total situation is completely insignificant.

Re:Solution (2, Insightful)

bondsbw (888959) | more than 8 years ago | (#14578022)

They should just make the motherboard have a physical switch on it that stops your bios from getting written to.

Also, the BIOS-flashing process should have a user confirmation screen on the next boot. I don't only want to stop potential malicious writes to my BIOS, but to know when they happen.

Re:Solution (1)

VikingThunder (924574) | more than 8 years ago | (#14578032)

Well that should exist since an old eMachines I have lying around (4 years?) had a jumper on by default that disabled BIOS flashing.

Simple Solution (1, Interesting)

squoozer (730327) | more than 8 years ago | (#14578096)

Just make damn sure that there are no (huge) bugs in the BIOS and burn it to a chip that can't be flashed. I admit that this is perfect for _everyone_ but I'd bet that 99% of computers never have the BIOS flashed, so why make it writeable at all. The people that might want to flash their BIOS are probably also the sort of people that would pay a little more for a flashable version. Assuming you want a fairly generic BIOS that will work for a number of machine configurations, make one with a tiny bit of writable memory that _just_ stores settings (i.e. non-executable). I imagine this sort of arrangement would be cost effective for tier one manufacturers.

Re:Simple Solution (4, Informative)

SilverspurG (844751) | more than 8 years ago | (#14578181)

One of the reasons why BIOS is flashable is to help the manufacturers. Oftentimes they have the hardware but they don't have the code written yet. Take the Dell D800 laptops for example. When they first shipped the external audio and S-video ports were nonfunctional because they hadn't written the software to put the wires together internally yet. It wasn't until rev. A13, maybe A14, of their BIOS that these ports were enabled. The D800 that I was privy to shipped with BIOS rev. A11.

Re:Simple Solution (1)

Professor_UNIX (867045) | more than 8 years ago | (#14578582)

It wasn't until rev. A13, maybe A14, of their BIOS that these ports were enabled. The D800 that I was privy to shipped with BIOS rev. A11.

So, wouldn't the better solution be for manufacturers to not ship broken hardware as production units? This has become a bad situation in the software industry, but when it extends to the hardware industry to rely on consumers installing patches to get functionality then it makes me wonder where the Q&A process failed.

Re:Simple Solution (1)

gEvil (beta) (945888) | more than 8 years ago | (#14578230)

I believe this ties in with the article from a few days ago about the 34 bugs found in the Intel Core Duo. [slashdot.org] In the comments, it was mentioned that a lot of these flaws are corrected in microcode rather than by redesigning and refabbing the chip. Correct me if I'm wrong, but aren't these microcode updates contained in the BIOS updates? If so, then the need for BIOS updates goes beyond just having the motherboard hardware bug-free.

Simple Solution-Simple Answer. (0)

Anonymous Coward | more than 8 years ago | (#14578597)

"Just make damn sure that there are no (huge) bugs in the bios and burn it to a chip that can't be flashed."

There are some MB's that come with a back-up BIOS for such an occasion.

"Assuming you want a fairly generic BIOS that will work for a number of machine configurations make one with a tiny bit of writable memory that _just_ stores settings (e.g. non-executable)."

Most BIOSes have default settings already.

Re:Solution (2, Informative)

Jeff DeMaagd (2015) | more than 8 years ago | (#14578162)

The old Matrox video cards had a "write protect" DIP switch that would prevent or allow video BIOS flashing. It might have been something to prevent errant code from messing things up, I don't know.

Re:Solution (1)

SatanicPuppy (611928) | more than 8 years ago | (#14578290)

Most motherboards have a jumper setting that prohibits BIOS flashing. I always set mine, just to make me think a few times before I go ahead and update my bios.

Really, there is no reason why that can't default to "on"...Anyone who's going to need to flash a bios ought to be savvy enough to pull a jumper off a motherboard.

Re:Solution (1)

darkmeridian (119044) | more than 8 years ago | (#14578483)

iMacs require the user to hold down a button on the case in order to flash their ROM.

Re:Solution (0)

Anonymous Coward | more than 8 years ago | (#14578591)

How 'bout adding BIOS backup to your system backup chores. Any board I've ever worked with has a flash utility that lets you save your current BIOS contents.

      1. make a bootable floppy
      2. put the MB's flash utility on it
      3. learn how to use the flash utility - particularly how to save and restore a bios to/from a file.
      4. use the flash utility to copy the current bios to disk.
      5. put the disk somewhere, and remember where it is when EVIL_BIOS_TRASHING_R00T_KIT comes knocking.

write protect switch (2, Insightful)

Anonymous Coward | more than 8 years ago | (#14577998)

It worked for floppy disks... I want a little hardware switch that cuts the write lines @ the BIOS.

Disable writing to the BIOS? (1)

raygundan (16760) | more than 8 years ago | (#14577999)

Is there an easy way to disable BIOS writes? A jumper or some such? The sort of person who would be upgrading their BIOS could reasonably be expected to move one jumper.

I have always wondered why viruses didn't do this before-- virus rewriting tools are all over the place waiting to be bundled up with a worm for internet delivery.

Re:Disable writing to the BIOS? (1, Informative)

Anonymous Coward | more than 8 years ago | (#14578099)

Not currently. I've looked at LinuxBIOS, at http://www.linuxbios.org/ [linuxbios.org], and the way they seem to be protected right now is through massive fragmentation and extremely poor documentation of the BIOS editing facilities. There really is no fundamental defense in place against editing the BIOS, since Microsoft's operating systems sometimes do it as part of their normal system manipulations. The result is amazing contortions that software vendors do to get things set just the right way for their particular requirements.

Microsoft and their friends are actually looking at this with their "Trusted Computing" tool, formerly called "Palladium". The danger of Palladium is that it can be used to lock out non-Microsoft-signed boot loaders or hardware drivers that the user may actually want to use, especially the master-boot-record or MBR. That can directly prevent the use of non-Microsoft-signed operating systems by any means whatsoever on PC hardware.

Re:Disable writing to the BIOS? (1)

JLennox (942693) | more than 8 years ago | (#14578429)

since Microsoft's operating systems sometimes do it as part of their normal system manipulations.

I'd greatly like to see these instances where Microsoft's software does modify the BIOS.

Re:Disable writing to the BIOS? (0)

Anonymous Coward | more than 8 years ago | (#14578195)

>>I have always wondered why viruses didn't do this before

They do. The article mentions two, if I'm not mistaken, and I know that some major anti virus programs look to find virus signatures in the bios.

Hoglund? (5, Interesting)

IamTheRealMike (537420) | more than 8 years ago | (#14578001)

Though this does not and should not reflect upon his findings or the articles, it should be noted that Hoglund is not only a rootkit "expert" but also a blackhat who enjoys developing cheats for World of Warcraft. When the Warden came out and put a stop to this little business [interesting-people.org] his Wow!Sharp software got nailed and (presumably) he began losing money.

In other words, anything this guy says or does is in my mind suspect .... he writes rootkits and other forms of "attacking software", so for all we know this asshole is getting ready to post example code to the net. It wouldn't be the first time.

Re:Hoglund? (0)

Anonymous Coward | more than 8 years ago | (#14578051)

Not to mention his company is selling training at 900 to 1500 bucks per day per person.

Don't you just love when "IT Professionals" scream SECURITY and want you to pay them for something...

Re:Hoglund? (5, Informative)

SilverspurG (844751) | more than 8 years ago | (#14578066)

He's also the author of a well-known book on rootkits. It's a pretty good read. Maybe you should revise your ill-informed personal opinion.

He doesn't just write rootkits. He teaches seminars on how to write them. He's not a blackhat any more than this guy [slashdot.org]. I guess that puts you on par with Oracle.

Re:Hoglund? (1)

operagost (62405) | more than 8 years ago | (#14578297)

If he writes cheats, I'd say that makes him a black hat.

Re:Hoglund? (2, Interesting)

7-Vodka (195504) | more than 8 years ago | (#14578193)

I see, let's evaluate the situation:

1. He wrote a program that helped people cheat in a game (Oh noes, what an evil black hatter) -3 brownie points

2. He helped uncover a commercial company's SPYING program to catch you cheating at said game which can also spy on you in all sorts of law-breaking ways (let's see blizzard try to pull this shit in england where they have REAL privacy laws) +300 points

Giving him a total of 297 brownie points. This actually makes him the equivalent of a girl scout.

Re:Hoglund? (1)

F_Scentura (250214) | more than 8 years ago | (#14578573)

"2. He helped uncover a commercial company's SPYING program to catch you cheating"

Blizzard makes this program known through the licensing agreement. While that's not quite an obvious admission, this guy's not some valiant knight. He's an obnoxious twat that can't sell his cheat software anymore. Oh nos!

"at said game which can also spy on you in all sorts of law-breaking ways (let's see blizzard try to pull this shit in england where they have REAL privacy laws) +300 points"

It doesn't though, and Blizzard has Euro servers where I assume the same exact anticheat software is run.

Long live security by obscurity. (1)

jotaeleemeese (303437) | more than 8 years ago | (#14578239)

And long live to the assholes that keep proposing it as a sane method to keep things secure.

Obligatory smug Mac user comment (3, Funny)

Hieronymus Howard (215725) | more than 8 years ago | (#14578002)

I've just switched to Macs after 17 years of PC ownership* (Dos, then Windows, then Linux). Boy, am I feeling smug right at this moment.

* I first typed 'ownershit' by mistake - Thinking about it, this might actually be a more accurate word to describe the joys of being a PC user.

Re:Obligatory smug Mac user comment (0)

Anonymous Coward | more than 8 years ago | (#14578048)

Yeh, thank god Macs don't have a flashable BIOS.

Re:Obligatory smug Mac user comment (1)

Timberwolf0122 (872207) | more than 8 years ago | (#14578061)

Seriously, I reckon you got 9, maybe 10 months before karma comes back to kick your ass.....

Re:Obligatory smug Mac user comment (1)

ObsessiveMathsFreak (773371) | more than 8 years ago | (#14578073)

I've just switched to Macs after 17 years of PC ownership* (Dos, then Windows, then Linux). Boy, am I feeling smug right at this moment.

There are layers of irony here [slashdot.org] I just can't begin to elucidate on.

Re:Obligatory smug Mac user comment (1)

tpgp (48001) | more than 8 years ago | (#14578257)

Obligatory smug Mac user comment

You mean Obligatory offtopic pro-Mac (and doesn't understand the issues involved) troll?

I've just switched to Macs after 17 years of PC ownership* (Dos, then Windows, then Linux). Boy, am I feeling smug right at this moment.

1) PC stands for 'Personal Computer' this is what your mac is.
2) Mac Bioses are flashable.
3) You were just as safe under Linux (if not safer) than you are under a Mac.

* I first typed 'ownershit' by mistake - Thinking about it, this might actually be a more accurate word to describe the joys of being a PC user.

You get what you pay for - buy a decent PC with physical BIOS protection (i.e. a jumper you need to switch before flashing the BIOS) and run Linux on it. You will be safer than you are now.

Why do (some) mac people feel the need to but into any discussion with their pro-mac trolls?

At least understand the facts before you do this again...

Re:Obligatory smug Mac user comment (0, Funny)

Anonymous Coward | more than 8 years ago | (#14578437)

Yer just jealous he got modded funny...

Re:Obligatory smug Mac user comment (1)

ceeam (39911) | more than 8 years ago | (#14578475)

Why do (some) mac people feel the need to but into any discussion with their pro-mac trolls?

Why do (some) linux people feel the need to but(t) into any discussion with their pro-linux trolls? ;) /ducks

Hard switch or external tool (3, Interesting)

digitaldc (879047) | more than 8 years ago | (#14578035)

"It is going to be about one month before malware comes out to take advantage of this," said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. "This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in."

Maybe add a physical unit that you need to move by hand in order to change the BIOS or Flash memory.
Or, if you suspect your computer has already been compromised, an online/flash drive/external detection tool (independent from the O/S and all software) can be run to find out if your computer has been infected. (It works for the Microsoft Security guys.)
The tool would have to check the computer's flash, BIOS, and currently running programs and notify you if it is being blocked/disabled/changed...and then fix the problem or tell you what to do to fix it.

What will be interesting (5, Interesting)

HangingChad (677530) | more than 8 years ago | (#14578053)

Is when security companies start checking for BIOS rootkits and find something there already staring back at them.

I'm wondering at the possibility this has been done before and not detected because no one looks there?

Re:What will be interesting (2, Interesting)

SilverspurG (844751) | more than 8 years ago | (#14578142)

You've really hit the nail on the head. Consider the state of consumer level security. Cookies? Does anyone really believe that cookies adhere to their "personally identifiable information" policy? Why is there no option to save your list of cookie sites? With respect to malware and viruses: Does everyone truly believe that the worst viruses do nothing more than propagate as proof of concept?

Consumer level security is a game of pointing the people to the right while stealing their wallet from the left. I saw proof of concept BIOS trojans as early as '99. You can't tell me that no one has been using them.

Re:What will be interesting (3, Interesting)

ehrichweiss (706417) | more than 8 years ago | (#14578301)

I was at a 2600 Magazine [2600.com] meeting back in 1993 and was talking with some FBI agents, who were actually semi-knowledgeable, surprisingly, about how they had found some holes in BIOS code that were big enough to fit a virus into and how it had already been accomplished. I checked into it a bit and the BIOS they described had like 120 bytes of writeable memory, which was more than enough for the foundations of a virus.

Awfully specific (5, Funny)

truthsearch (249536) | more than 8 years ago | (#14578057)

It is going to be about one month before malware comes out to take advantage of this.

That's an extremely specific prediction. I think we know who they should look at first when these rootkits show up...

Dual Bios (0)

Anonymous Coward | more than 8 years ago | (#14578064)

I played around with BIOS programming for a while in college; after I successfully bricked a computer I got a new motherboard with dual BIOS. This may need to be something incorporated more, so your computer can recover when some malware bricks it. We all know that virus code does exactly what they want it to do; I bet more problems occur from inept virus writers than from actual viruses in the BIOS.

one-button functionality is to blame (4, Insightful)

AndyST (910890) | more than 8 years ago | (#14578076)

There are two contradicting principles here.

  1. a hardware jumper on the motherboard, the BIOS flashing procedure with a floppy disk, done by some tech-savvy user.
  2. the average non-technical home user wants one-button simplicity

Many home users want that second kind of functionality. Partly because they don't want to bother with the details, partly because they are mentally challenged. They really like to be able to update the Computer's BIOS as easy as visiting a web site or running any kind of program. Unfortunately, this is what they get. And so do we.

Re:one-button functionality is to blame (1)

lxs (131946) | more than 8 years ago | (#14578132)

The average non-technical home user shouldn't be messing around with the BIOS in the first place.

Re:one-button functionality is to blame (0)

Anonymous Coward | more than 8 years ago | (#14578176)

The "average non-technical home user" has no idea what flashing BIOS is and won't need to do it in the lifetime of their computer. I've only seen recommendations to upgrade BIOS in a few places, usually related to improper hardware detection.. also something that the "average non-technical home user" pays someone else to do.

Two new ideas on the subject:
  - What about those dual BIOS motherboards with backups to protect against bad flashes?
  - What about that "virus protection" setting that some BIOS used to have?

Re:one-button functionality is to blame (1)

Zaiff Urgulbunger (591514) | more than 8 years ago | (#14578549)

One specific time I had to upgrade my BIOS was on a Packard Bell iGo 4450 laptop (aka NEC Vesa something or other) because when using a Netgear WG511T PCMCIA wireless card, it would just lock up after a minute or three of use. Updating the BIOS to a newer version fixed this.

My point is that all this kit is totally consumer grade stuff... although I agree that likely the "average" user would need to get someone "professional" (in quotes, because I need to include PC World employees!) to do this, not least because the laptop in question has no floppy and only a DVD-ROM but the update requires read/write bootable media.

Two new ideas on the subject:
- What about those dual BIOS motherboards with backups to protect against bad flashes?
- What about that "virus protection" setting that some BIOS used to have?

Dual BIOS mobos -- well, I have an old Packard Bell desktop (466MHz Celeron) circa year 2000, that has a Gigabyte mobo. This motherboard does feature dual BIOS, but in Packard Bell configuration, anything that would increase cost has been removed..... so it features 1 BIOS and 1 solder point! I guess it all comes down to cost in the end, so maybe consumer kit is doomed!!

As for "virus protection" in the BIOS, isn't that just to prevent anything writting to the boot sector of the HD?

Re:one-button functionality is to blame (1)

Ashinberry (622188) | more than 8 years ago | (#14578187)

Does your average home user flash his own BIOS? Does your average home user know what a BIOS is, much less that it can be flashed? Judging by the number of BIOS write protect jumpers and software switches that have been in use practically forever and the fact that many average, non-technical users don't know the BIOS from the floppy drive, I think it's not really a problem of simplifying things too much.

Re:one-button functionality is to blame (1)

Arimus (198136) | more than 8 years ago | (#14578262)

Mention flashing your BIOS to the average home user and you'll typically get one of two responses:

One, an offer of a much more interesting time than you planned for, or, more likely,
a threat of arrest for obscene behaviour :)

Took long enough (4, Interesting)

SilverspurG (844751) | more than 8 years ago | (#14578093)

I'm glad people in the mainstream are beginning to notice this. I saw proof of concept BIOS trojan code as early as '99. It honestly changed my view of the internet, law enforcement, and all of society. While everyone else is busy labelling each other "Paranoid conspiracy theorist", I've been sitting back thinking, "You dumbass. He's probably right." In all reality the NSA doesn't need wiretaps. If they really wanted you they'd have MS serve up a specially crafted banner ad when you check your Hotmail.

Real malware doesn't let itself be known. It sits in the background to aid the people watching you.

Re:Took long enough (0)

Anonymous Coward | more than 8 years ago | (#14578188)

Could someone explain how this is gonna work? I'm not an ACPI expert, but I don't quite understand what such a rootkit could do. Is it possible for AML programs to access and modify your physical memory?
If yes, well, kernel or userland code could be modified to e.g. send data to a server, but I think this is pretty difficult given how much (or little) memory there is available for AML programs, executable pages being set to non-writable and the overall complexity and diversity of AML interpreters, kernel versions etc. etc.

Re:Took long enough (0)

Anonymous Coward | more than 8 years ago | (#14578410)

The BIOS has access to your hardware at its lowest level; imagine if you will a rootkit on the hard drive that is automatically restored from the BIOS upon bootup. It doesn't have to stop there; in times past, any BIOS was flashed from DOS. Now there are win32 flash utilities that will flash your BIOS when the computer is "LIVE". Adding more insult to injury, most modern peripherals can be flashed in this way. The win32 utilities can flash: cd/dvd-rom/rws, hard drives, NICs (perish the thought about bootp!), video cards etc. Every last bit of flash you can think of in your computer that has been designed for easy access from the running OS.

trolls (0)

Anonymous Coward | more than 8 years ago | (#14578098)

and you people thought trolls were 3vi1...using any variety of sun boxen running debian is a sick combination...doubt these rootkits will be manipulating openboot image ...even so, sun motherboards have a write enable/disable for the obp....

You Young Whippersnappers! (5, Insightful)

Anonymous Coward | more than 8 years ago | (#14578122)

Way way back in the summer of 1994 we used to have viruses that would write themselves to the boot sector of our hard drives and some of them would even overwrite our BIOS. I wouldn't expect you to know about it, since it happened so long ago, but those were tough times. Some PC manufacturers would even put antivirus detection software in their BIOS to detect and prevent these BIOS viruses. Sometimes it worked. Other times your system was hosed!

Grandad Admin.

In all seriousness, I am surprised at the lack of malicious viruses today. In yesteryear, viruses wiped out data, wiped out file allocation tables, wiped out BIOSes, wiped out PCs. In comparison, today's "malware" seems rather tame or even benign.

Re:You Young Whippersnappers! (0)

Anonymous Coward | more than 8 years ago | (#14578337)

I'm sure the change that has occurred has done so for various reasons. IANAE, nor have I been in computers as long as you have.

However, I think that (on the larger scale) the malware community of today lies in stark contrast to that of the past. From what I gather, it used to be somewhat of an exercise, an intellectual challenge. These days, it is seen as a money generating operation. There simply isn't the impetus to write malware that might brick a motherboard, erase allocation tables and/or wipe out data because having it run as part of a botnet (as well as having access to the data, rather than destroying it) is more profitable than leaving the PC unusable.

The above should be seen as more of a question than anything else. Your thoughts (and those of other experts/elders) on the subject would be appreciated.

Re:You Young Whippersnappers! (3, Insightful)

lintux (125434) | more than 8 years ago | (#14578356)

Problem with today's malware is that the authors don't want their stuff to be noticed. Not by the owner of the infected machine, at least. They want to continue spreading spam, viruses and credit card numbers for as long as they can. Breaking things on purpose is not the way to go then.

Computer viruses today are hardly an annoyance to their "victims", only to the rest of the world. :-(

Re:You Young Whippersnappers! (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14578390)

In all seriousness, I am surprised at the lack of malicious viruses today. In yesteryear, viruses wiped out data, wiped out file allocation tables, wiped out BIOSes, wiped out PCs. In comparison, today's "malware" seems rather tame or even benign.

Malware is big business now, and there's nothing to be gained from taking out the bios. The less obvious damage your software does, the longer the machine you've infected stays '0wn3d'.

Re:You Young Whippersnappers! (0)

Anonymous Coward | more than 8 years ago | (#14578584)

Virus writers have found that malignance is not nearly as profitable as domination. Why destroy a million machines when you can compromise them and rent them out for $0.01/hr each?

You don't say! (0)

Anonymous Coward | more than 8 years ago | (#14578125)

"This is platform independent," Heasman said. "We can write a backdoor for Windows that will elevate privilege, and turn around and use the code on Windows."

password protect (1)

TheRealBurKaZoiD (920500) | more than 8 years ago | (#14578154)

Can't you password protect your BIOS from being accessed? Or does that have nothing to do with overwriting it? Someone more knowledgeable give me a clue.

Re:password protect (1)

polaughlin (92146) | more than 8 years ago | (#14578216)

You are thinking about the BIOS _settings_. The article is talking about modifying the actual BIOS.

Re:password protect (1)

mslinux (570958) | more than 8 years ago | (#14578259)

Yes, in general, any BIOS can be password protected. On newer Dell systems their flashBIOS utility (which runs from the OS) stops and prompts for a password during the flash process.

Temporary workaround? (3, Interesting)

murderlegendre (776042) | more than 8 years ago | (#14578204)

If the board uses one of the larger DIP style EEPROM BIOS chips, wouldn't it be simple to identify the write lines (from the manufacturer's data sheet)? You could then pull the chip, and 'flag' the associated pins (bend them out, so they no longer enter the socket) and re-insert the chip.

A little tricky maybe, but better than nothing for now.

New Vista Feature (1)

JFlex (763276) | more than 8 years ago | (#14578237)

Sounds like something MS should implement into Vista. It sure wouldn't make it any worse!

ACPI-less Linux kernel (1)

Stephen Williams (23750) | more than 8 years ago | (#14578241)

I gave up compiling ACPI support into my kernel a while ago. On a machine that doesn't get suspended/hibernated, it seemed to provide no appreciable benefit other than automatically shutting the system down when I pressed the power button, and I can live without that. Now it looks as if my ACPI-less kernel also has the happy side-effect of protecting me from a potential exploit. Nice.

-Stephen

Re:ACPI-less Linux kernel (0)

Anonymous Coward | more than 8 years ago | (#14578459)

And you can enable APM to do the same thing, turning the system off automatically.
APM seems to be less of a pain in the ass for some motherboards.

build in protection (1)

Timberwolf0122 (872207) | more than 8 years ago | (#14578270)

I'm sure my BIOS has some built in protection to stop itself being over-written by a virus. I'll have to double check now when I get home.

Watch Out!! (2, Insightful)

mslinux (570958) | more than 8 years ago | (#14578293)

I can't wait until one of these is widespread AND badly written. Once several thousand computers stop booting and are potentially ruined (umm... you need a new motherboard... this is not covered under warranty). God help whoever wrote and distributed it. He will hang.

Re:Watch Out!! (0)

Anonymous Coward | more than 8 years ago | (#14578424)

How many computers, again, were infected with Sony's rootkit for MS Windows? Now imagine a similar company doing the same to your BIOS, claiming that it needed to be done to implement Trusted Path computing, required for DRM.

Old News (1)

spitek (942062) | more than 8 years ago | (#14578330)

Watched my good friend do this about two years ago. Don't forget your network attached Axis cameras can be used as staging places too.

Good thing I don't use the BIOS's code anyway (1)

quantum bit (225091) | more than 8 years ago | (#14578380)

Since my BIOS sucks and is broken anyway (horribly wrong IRQ routing table, references to nonexistent variables in the battery status), I override the whole DSDT with my own AML code and just ignore what the BIOS says.

Of course this is on FreeBSD. Linux has the capability to override the BIOS's ACPI code as well. Unfortunately Windows doesn't -- or more accurately only the checked (debug) builds of Windows do. I can change the annoying S4 behavior of my laptop, but my friend who runs Windows on the same model is stuck with it...
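Since the thread keeps coming back to whether the ACPI tables a BIOS hands the OS can be trusted, here is an added example (not the poster's code or any OS project's) of the defender's side of that: parsing the standard 36-byte ACPI table header, verifying the table checksum, and comparing the table against a recorded known-good hash. The sample "DSDT" bytes are constructed; on Linux the real tables are exposed under /sys/firmware/acpi/tables/ and could be read in the same way.

```python
import hashlib
import struct
from typing import List, Optional

# ACPI System Description Table header: Signature, Length, Revision, Checksum,
# OEM ID, OEM Table ID, OEM Revision, Creator ID, Creator Revision (36 bytes, LE).
SDT_HEADER = struct.Struct("<4sIBB6s8sI4sI")

def parse_sdt_header(table: bytes) -> dict:
    """Decode the common header shared by DSDT, SSDT, FADT and friends."""
    if len(table) < SDT_HEADER.size:
        raise ValueError("table shorter than an ACPI header")
    sig, length, rev, chk, oem_id, oem_tbl, oem_rev, _cid, _crev = SDT_HEADER.unpack_from(table)
    return {"signature": sig.decode("ascii", "replace"), "length": length,
            "revision": rev, "checksum": chk,
            "oem_id": oem_id.decode("ascii", "replace").strip(),
            "oem_table_id": oem_tbl.decode("ascii", "replace").strip(),
            "oem_revision": oem_rev}

def checksum_ok(table: bytes) -> bool:
    """Per the ACPI spec, every byte of the table (header included) sums to 0 mod 256."""
    length = parse_sdt_header(table)["length"]
    return len(table) >= length and sum(table[:length]) % 256 == 0

def sha256_hex(table: bytes) -> str:
    return hashlib.sha256(table).hexdigest()

def audit_table(table: bytes, baseline_sha256: Optional[str]) -> List[str]:
    """Return findings; empty list means nothing suspicious. A checksum failure only
    catches corruption or a sloppy patch (a deliberate modification would recompute
    it), so the baseline hash from a known-good machine is the check that matters."""
    findings = []
    if not checksum_ok(table):
        findings.append("checksum mismatch")
    if baseline_sha256 and sha256_hex(table) != baseline_sha256:
        findings.append("content differs from recorded baseline")
    return findings

def make_table(signature: bytes, body: bytes) -> bytes:
    """Build a constructed, well-formed table with a valid checksum (for the demo)."""
    hdr = SDT_HEADER.pack(signature, SDT_HEADER.size + len(body), 2, 0,
                          b"CONSTR", b"EXAMPLE ", 1, b"EXMP", 1)
    raw = bytearray(hdr + body)
    raw[9] = (-sum(raw)) % 256          # checksum byte lives at offset 9
    return bytes(raw)

# Constructed sample: 8 stand-in body bytes, not real AML from any vendor.
GOOD_DSDT = make_table(b"DSDT", b"\x10\x0a\x5c\x00\x00\x00\x00\x00")
BASELINE = sha256_hex(GOOD_DSDT)        # what you would record from a clean box
TAMPERED_DSDT = bytearray(GOOD_DSDT)
TAMPERED_DSDT[40] ^= 0xFF               # one byte changed inside the body
TAMPERED_DSDT = bytes(TAMPERED_DSDT)
```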

FUD and beware of UFOs (2, Interesting)

cyberbian (897119) | more than 8 years ago | (#14578392)

This posting is clearly spreading it. This is part of a calculated attempt to fear computer users into accepting Trusted Platform Modules which currently exist as UFOs on the new Intel iMacs. When I say UFOs I mean Undocumented Functioning Object. It's installed on my motherboard. It's true that the TCG has made much of the documentation about their modus operandi and even Apple has some OLD documentation about this, but the real agenda here is spreading Fear, Uncertainty, and Doubt about their platforms in their current implementations and easing our transition into the TPM future.

It's not difficult to see that these mechanisms could potentially be part of a much larger agenda. You see it happening all around you, RFID, Ubiquitous Surveillance, Presidentially Endorsed Wiretapping, etc. The controls on your movements are getting tighter and tighter. It's not paranoia, it's paying attention. Connect the dots is an easy game, even children can do it.

The most damning aspect of this technology is the lack of transparency required by the implementor, in that they can (at their discretion) use closed source to track users, enforce DRM restrictions where previous 'fair use' and other uses were traditionally allowed. The real question is, even for shareholders, how much is too much? Is the quest for maximizing profit hobbling our society?

Don't look to the skies for UFOs, look on your motherboard, and demand answers for undocumented ICs.

root access needed? (1)

mango9 (159959) | more than 8 years ago | (#14578466)

Let me ask an obvious question - on a Linux box is root access required in order to write to the BIOS? If so that is some protection.

No comment re windows boxes.

The Sony BIOS (2, Funny)

doublem (118724) | more than 8 years ago | (#14578552)

On the bright side, Sony Vaio owners don't need to worry. Their BIOS comes pre-hacked, so there's no room for more malware!