Bios Virus

[blunuke420]

Hello everyone,

I just started this topic in a reply to a post I started but I also wanted to put it here so some people who have more knowledge of viruses can respond.


Here is the quesiton:

You can update bios through a program run from a floppy disk,
WHY can a virus not do the same.

If anyone could explain to me how a virus cannot change/alter/erase bios I would love to know, so I can put this nagging little question out of my head.

Thanx

[phishphreek]

That would be pretty tough...

A BIOS update has to be done by a program that flashes the BIOS.
This happens before any memory or hard disk is accessed.

Since the memory dumps everything after it looses power... there is no way for a virus to infect the BIOS.

Another thing would be... how would a virus writer know which BIOS version a user is running, and which program that they have to use to flash the BIOS and then how to get the user to put the virus on the disk, and infect theirselves.

So... I think the first place a virus writer would have an opportunity to infect would be the MBR (master boot record). Which can be easily fixed by a fdisk /MBR

[HTRegz]

I read this a few times... and thought about it for a minute, and a virus attacking the BIOS sounded really familiar.... Then I remembered why... Now this is a little dated but it proves it can happy...

I'm sure everyone remembers CIH. Well one of the points of that virus was that it could kill your BIOS if you had a Flashable BIOS on the original Pentiums..... It happened to a friend of mine and it wasn't pretty... ended up costing him a new motherboard....

This page doesn't give detailed information on how it works, but it gives you some details on CIH and what exactly it did.... I'm sure googling for CIH +BIOS or BIOS +Virus will give you more results and a little more detail. Anyways.. here's the page:
http://www.stiller.com/cih.htm

[phishphreek]

HTRegz:

Wow. I had no idea that that would be possible... crazy.

I'm going to have to do a little more research on this one... you've me pondering....

[blunuke420]

Im glad you responded to this Phish as you seem to be one of the bright bulbs around here,
Ok thats enough kissing your kilt, im gonna get to the point now,

All of your points are valid, but I have never heard disscussions (sp) over "bios Security" and that alone makes it in my mind an open playground for hackers. What I mean is that by everyone assumeing that bios is 99.9% secure, no one thinks to really dig into ways that it could be attacked. Knowing what I know about hackers (which is very little) I have to think that any hacker/virus writer would probe bios for every little exploit possiable. As you said before it would be really hard but is it Impossiable?

If someone was to write a virus for bios that could cause damage, how would you know its a virus? Are there virus scanners for bios? No. Is there an auto protect feature in NAV2003 for bios protection? No. Pretty much if a hacker nailed bios there would be no way to tell that it was hacked. If you destroyed bios there is no fingerprint left behind.

This may sound WAY outta left field but for the sake of keeping this post going tell me if this could happen...

A virus is written that alters windows power management. When you shut your computer down, the virus alters the closeing of windows to tell the power supply (yes i know power supplies are stupid boxes that do not accept commands from windows, but the motherboard is not) to maintain power to the RAM. Enough to keep what ever was last there, still there.

Now this is a COMPLETE theory but I would like to know if it holds any water At all. BTW sorry for the crummy spelling

[HTRegz]

blunuke420:

If you are concerned about a file (virus) affecting your bios.. the best thing to do is pull your case open and find the BIOS Write-Protect Jumper... As long as your BIOS is Write-Proected.. nothing is going to change it. It's like Write-Protecting a disk.. you can't put any files on it..


As for BIOS Security.. that's usually when someone has physical access to the machine. You don't want the users in your company accessing the BIOS and changing the boot order from C,A to A,C.. Then they could boot whatever they wanted off a floppy and go wild with it.

[blunuke420]

so if your bios is write protected at the jumper there is NO way for it to be altered, even with a flash program?

[HTRegz]

Nope... can't be done....

That's why the instructions when flashing your BIOS will say make sure the jumper is removed.... or on.. depending on your MoBo setup

[phishphreek]

Im glad you responded to this Phish as you seem to be one of the bright bulbs around here,
Ok thats enough kissing your kilt, im gonna get to the point now,

Thanks... but as HTRegz pointed out...

Well one of the points of that virus was that it could kill your BIOS if you had a Flashable BIOS on the original Pentiums..... It happened to a friend of mine and it wasn't pretty... ended up costing him a new motherboard.... http://www.stiller.com/cih.htm

We went over that in an OS class I took... and my professor said that it wasn't possible... but who said professors are always correct? They are human just like you and I...

[the_JinX]

I remember the CIH cost me a mobo (I had a PII 300 at that time)
Well I did like the fact that my new mobo DID have a jumper for flashing and also it had faster mem support..

I think for those MOBO's you could even flash the BIOS with your own stuff..
and even for some newer mobo's..

the only trouble is: evry mobo has different bios (for the biggest part they are the same but still)..
so the virus would be asus or msi only.. if you catch my drift here..