BIOS Rootkits - Detection / Prevention?

Discussion in 'other security issues & news' started by xeda, Jul 12, 2006.

Thread Status:
Not open for further replies.
  1. xeda

    xeda Registered Member


    I was reading an older yet interesting article over at:

    How do I determine if my motherboard allows the BIOS to be changed by default?

    Secondly, how would one go about detecting a rootkit that uses this method?

    What are your thoughts concerning this?

  2. lotuseclat79

    lotuseclat79 Registered Member

  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Here look what I found:

    ACPI Rootkit example from China

    scary isn´t it?

    You should investigate this registry entry HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT

    Actually the mainboard creators don´t give a penny on this hidden danger.
    Last edited: Jul 12, 2006
  4. xeda

    xeda Registered Member

    Thanks Tom, that's an excellent thread. I found a lot of useful info and links.

    Yes, it IS scary...but I love a new challenge. How about you? :)

    Hmmm, would you recommend disabling ACPI?

    I've been researching this topic a lot recently (I spent the last 7 hours reading material surrounding this).

    I especially found this discussion interesting:,13853178

    Pay attention to the posts made by stefaanE, tcp1, and ZOverLord.
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Science fiction.
  6. xeda

    xeda Registered Member

    So, you think it's purely theoretical?

    I myself am on the fence about the whole subject.

    I mean there seems to be a lot of proof of concept examples floating around.
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Relax and enjoy.
    Atomic bomb - proofed conceptually twice.
    Does it happen every day - no.
    Besides, there has been lots of talk about how this and that. In short, this is very highly unlikely.
  8. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    very rare does not mean no danger. It may always be possible that hardware with flash memory is contaminated

    How right he is! True, true!

    But what if it is located in bad sectors... ;-)

    no, this may be the future standard attack method, if mainboard manufacturers still will sleep deep.

    Xeda, this won´t really help too much, in my opinion, because Windows installs acpi.sys and this file is essential and don´t underestimate hal.sys. You can use external hal and acpi, modifying the boot.ini, but if bios is infected I still doubt that this will solve the problem totally and what about file infection, some viruses adds a few bytes to an exe file and you start these exes and your new system may be reinfected very fast. Stealth by design.

    I recommend to read black hat federal 2006. Rootkit hunting vs Compromise detection.
    Last edited: Jul 15, 2006
  9. Genady Prishnikov

    Genady Prishnikov Registered Member

    To take the view that "if it can happen," then it's a real threat, you need to reconsider walking out the door each morning. A threat assessment is only as good as its realism. The chances of a bios virus/root-kit is so ridiculously small as to be insignificant. If you're prone to worry, worry about a 757 falling out of the sky and destroying your house. (Just make sure you have a computer backup offsite!) Seriously, relax.
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    haha.. good idea.. I relax a little bit. But to step a bit further in this discussion. People who were hit by a lightning,
    do you think they ever thought that they ´d be hit`? Even if the probability may be small, some people always will be hit.
  11. f3x

    f3x Registered Member

    Then if you talk about probability, you migth as well consider the danger than the processor can do things other than what you want it to do as electron are by nature quantic object. You migth also consider that the flow of "bad" electron by luck form a meaningfull command to the rest of the computer and something very bad happens.

    There is also a chance that the sun explode, crushing whatever remains of your computer.

    When you take EVERYHITNG in consideration, then you realize you are never safe. I really think you have more chance of getting your comp stolen or damaged by a power outage than being infected by a superior-being-like bios rootkit.

    if you fear bios then switch motehrboard .. or buy one of the hardware bios backup / restore solution.


    @ Mrkvonic (off topic)
    Talking of science fiction...
    Nice reading about physic (im)possibility of going back thrue time
  12. securityx

    securityx Registered Member

    I have to agree with the others who are saying there are other things to worry about.
    Bios virus? Bios root-kit? As Gerard said, "relax."

  13. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Not easy to find a mobo with switch.
  14. Rasheed187

    Rasheed187 Registered Member

  15. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    No I think you would need a dual bios or a jumper to block write access..
  16. Rasheed187

    Rasheed187 Registered Member

    Have you looked at the specifications? There is also a bit info about jumpers in it, but I could not figure it out. :ninja:
  17. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Even the latest boards from MSI (2007) have absolutely no bios protection. Seems that no one in this industry believes in a real danger concerning this.

    Interesting link concerning: firmware rootkits
    Last edited: Apr 18, 2007
  18. SSK

    SSK Registered Member

    Bios rootkits are not a real danger right now. Companies should think about real threats, not highly unlikely ones. There are so many easy ways to infect a machine, why use the difficult and potential disastrous method of using bios / firmware infections?

    (Why disastrous? Bios / firmware is critical in the machine's operation. Crashing the machine will 1) rob you of your means to achieve your goal and 2) make your presence that more obvious.)

    BTW: the idea of a bios / firmware rootkit for espionage has been used in a Tom clancy novel some years ago, to spy on the Chines government ;-)
  19. aigle

    aigle Registered Member

    Thats, too bad.
    BTW anyone knows which motherboard vendors are using physical BIOS protection( jumper etc)?
  20. Mrkvonic

    Mrkvonic Linux Systems Expert


    BIOS rootkits are a nice concept. And that's all.

    Implementing rootkits in BIOS is akin to planting a new kidney in a person. Will work successfully only in 0.00000000005% of cases. Writing code that will perfectly fit the target (including 1E13 combinations of hardware), not break BIOS and actually do something effective via installed OS - which might be just about anything - has the same chances of succeeding as waking Disney from his cryo chamber back to life.

    To the best of my knowledge, some of my mobos have BIOS write protection.

    That article is pure ... random opinion.

    Giant meteors can strike Earth. So? I don't see people preparing for the doomsday. Possible. Yes. Likely. No.

  21. EP_X0FF

    EP_X0FF Registered Member

    As for malware,

    BIOS rootkits, motherboard rootkits, rootkits in DVD flash memory, pills, hardware hypervisors = bad science fiction and nothing more.
  22. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    :D :cool: :D except for those chinese fanatics who posts codes for acpi rootkits,
    remember this link ? Actually the author made anything black to prevent view, just scroll over with mouse button to see the source code.

  23. AJohn

    AJohn Registered Member

    Maybe I am one of the few, but I take this issue seriously. How long ago was it that no one took leaktests seriously?
  24. aigle

    aigle Registered Member

    Fiction becomes true sometimes rapidly in the modern world.
  25. AJohn

    AJohn Registered Member

    Sometimes our minds try to make things fiction when in actuality they are closer to us then we can conceive. I doubt anyone person knows of all of technology people have these days.
Thread Status:
Not open for further replies.