  1. #1
    Senior Member t34b4g5
    Join Date
    Sep 2003

    Spotted this article during my morning reading session.

    For the security-conscious, the idea that malware, viruses, and Trojans could be lurking around every digital corner is frightening enough. Now, a duo of Argentinian researchers has demonstrated how code can be embedded and flashed into a system's BIOS. We've been down this road before, but it's definitely much harder to detect and root out such attacks.
    A pair of Argentinean researchers has demonstrated a BIOS-level exploit that allowed the duo to potentially run a great deal of invisible code—which could remain installed even if the hard drive was wiped. Much has been made of this last bit, but malware attacks against the Basic Input Output System are anything but new.

    The CIH (Chernobyl) virus that first appeared in 1998 was capable of bricking a system by rewriting critical boot information in the computer's BIOS with garbage output. Even if you dodged this bullet, CIH's primary payload rewrote the first 1MB of the hard drive. If Chernobyl successfully activated on D-day, the best outcome a user could hope for was an apparently wiped hard drive. At worst, system repair involved physically pulling the BIOS chip and installing another.
    The advent of write-protected BIOSes, partly in response to CIH, put a damper on firmware-munching malware, but the inherent attractiveness of the BIOS as an attack vector has never vanished. The exploit demonstrated by Anibal L. Sacco and Alfredo A. Ortega, both of Core Security Technologies, is noteworthy and important, but it's not the game-changer some have made it out to be.
    The duo presented the details of their BIOS incursion at CanSecWest last week; their presentation is available here (PDF). I haven't seen the full text of their presentation, but the attack as laid out within the document is quite straightforward and relies on the simple fact that a system BIOS can be flashed (upgraded) with a new version. These new versions are installed through several methods—some motherboard companies have utilities that will flash a BIOS within Windows now—but one commonality is that the BIOS must be switched to write-allow mode before the attack can be executed. The aforementioned attack consists of dumping the new BIOS into flashrom (a BIOS read/write/modify utility), making the necessary changes, adjusting all of the checksums to ensure the hacked BIOS will verify as authentic (the two credit Pinczakko here), and flashing. Voila! One evil BIOS.
    Establishing one's secret evil layer in BIOS, as previously mentioned, is a darned good idea. From here, the attacker can theoretically install rootkits, infect any virtual machines running on the main rig, and perform any number of dastardly deeds—all below the OS kernel level. As dangerous of a problem as an attack of this nature presents, however, there's one overriding factor that makes it unlikely that we'll ever see an attack of this sort in the wild. The duo's BIOS hack isn't a bug you can catch by opening the wrong e-mail—it must be installed, either by someone with physical access to the system, or remotely by a person with root-level access.
    This is not the sort of exploit that anyone bothers with on a grand scale. Not only is it highly impractical, it's also pointless—why go to so much trouble to infect a PC running at a Ma and Pa store if you can spend a hundredth of a cent and send them an infected e-mail they'll open and run? If an organization is genuinely vulnerable to this type of attack, it means one of two things: Either the business's IT security is absolutely horrible and has failed on multiple levels, or it's an inside job. Either way, a number of gates have been left open to leave a system vulnerable to a BIOS-level assault.
    Original source
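As an added illustration (my code, not from the article or any poster) of why the "adjust the checksums" step above says nothing about integrity: the legacy 8-bit additive check that firmware performs on itself can be satisfied by any image, so detection has to rest on a cryptographic hash of the dump compared with a baseline recorded out of band (from the vendor image or a trusted first boot). The image bytes are constructed stand-ins, not a real firmware dump, and `verify_image`, `pad_checksum` and the other names are mine.

```python
import hashlib

def pad_checksum(body: bytes) -> bytes:
    """Append the pad byte that makes the image sum to zero modulo 256.

    This is the legacy 8-bit additive checksum used by option ROMs and
    many BIOS modules; the firmware recomputes it at boot.
    """
    return body + bytes([(-sum(body)) % 256])

def legacy_checksum_ok(image: bytes) -> bool:
    """The check the firmware itself performs: all bytes sum to 0 mod 256."""
    return sum(image) % 256 == 0

def verify_image(image: bytes, baseline_sha256: str) -> dict:
    """Defender-side verification of a dumped image (e.g. a flashrom read).

    Runs the legacy checksum and a SHA-256 comparison against an
    out-of-band baseline, and reports both so the caller can see which
    control actually detects a modification.
    """
    digest = hashlib.sha256(image).hexdigest()
    return {
        "checksum_ok": legacy_checksum_ok(image),
        "hash_ok": digest == baseline_sha256,
        "sha256": digest,
    }

# Constructed sample image (a stand-in, not a real BIOS dump).
GOOD_BODY = b"VENDOR BIOS v1.02 " + bytes(range(64))
GOOD_IMAGE = pad_checksum(GOOD_BODY)
# Baseline recorded from the trusted image and stored off the machine.
BASELINE_SHA256 = hashlib.sha256(GOOD_IMAGE).hexdigest()

def tampered_image() -> bytes:
    """Constructed sample of a modified image whose checksum has been
    re-balanced, the situation the article describes: the firmware's own
    check still passes, only the baseline hash comparison fails."""
    body = bytearray(GOOD_BODY)
    body[20] ^= 0xFF          # one patched byte in the image body
    return pad_checksum(bytes(body))

if __name__ == "__main__":
    for name, img in (("vendor image", GOOD_IMAGE),
                      ("tampered image", tampered_image())):
        r = verify_image(img, BASELINE_SHA256)
        print(f"{name}: checksum_ok={r['checksum_ok']} hash_ok={r['hash_ok']}")
```

In practice the baseline must come from a source the attacker cannot rewrite along with the flash chip (vendor-published hashes, or a dump taken before deployment and stored elsewhere), otherwise the comparison is only as trustworthy as the machine being checked.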

  2. #2
    Join Date
    Nov 2002
    What do you think "MOD" chips for every game console on the market does? If you want to know how a hero can become a villain, read this pdf file. Tells you how to make one.

    Last edited by Linen0ise; March 28th, 2009 at 03:55 PM.

  3. #3
    AO's Filibustier Cheap Scotch Ron
    Join Date
    Nov 2008
    Swamps of Jersey
    Certainly an issue, but not a new one. I've never come across one of these potentially nasty varmints. Anyone here have any hands-on experience?

    I suspect the reason why BIOS malware isn't widely distributed (yet?) is because you can't use a single virus/trojan to affect a wide range of machines. You have to write chipset-specific code. Some interrupts as well as functions/features to update BIOS differ from one mainboard vendor to another.

    Windoze is a great honeypot. Let's hope it continues to attract the most attention.
    Last edited by Cheap Scotch Ron; March 28th, 2009 at 04:35 PM. Reason: typo
    In God We Trust....Everything else we backup.
