BIOS rootkits - reality or fiction?

Discussion in 'other security issues & news' started by aigle, Oct 23, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    The topic has been discussed many times and I am really very interested in it. I have read many posts on the Sysinternals forums that look like fiction. The story even goes as far as other hardware components like network cards, CD-ROMs etc. :rolleyes:

    Here I have two questions. Has anyone proof that they are really in the wild? If so, what is that proof?
    Has anyone a working sample of such a malware?

    I just need answers to these questions rather than a long discussion (don't mind a short one though :D) with no result. If somebody has any evidence, please let us know. It's the best, quickest and easiest way to decide.

    Please join the discussion!

    Thanks
     
  2. controler

    controler Guest

  3. aigle

    aigle Registered Member

    Thanks for the response. I will read it later.
    That's why I asked specifically whether anybody has a working sample, or has even seen one.
     
  4. Nubiatech

    Nubiatech Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    50
    Location:
    IL, USA
    I have neither a proof nor a sample, but ...
    I am just joining the discussion. :)
    The only proof of concept I know of was the ACPI rootkit.
     
  5. aigle

    aigle Registered Member

    Thanks. Welcome to the discussion.:)
     
  6. controler

    controler Guest

    The CIH virus targeted the BIOS also.
     
  7. aigle

    aigle Registered Member

    Yes, I have got a copy of it :D. I wish to try it against HIPS and sandboxes, but I know I can't.

    I think it was not a BIOS rootkit, just damaging the CMOS etc., if I remember well.
     
  8. controler

    controler Guest

  9. aigle

    aigle Registered Member

    I have a slow DSL connection; difficult to watch it ATM, at least.
     
  10. aigle

    aigle Registered Member

    Have not seen the movie yet, but I found this information.

    http://www.bit-tech.net/news/2007/04/17/uefi_will_kill_the_bios/

    I have got a feeling that if writing a good BIOS is difficult, then writing a good BIOS rootkit will be difficult too. If writing UEFI is easier, writing a UEFI rootkit might be easier too, unless there is some foolproof method to protect it. :eek:
     
  11. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    The ACPI RK is proven, otherwise the guys wouldn't have written papers about how to implement it. I once showed a link to source code from a Chinese website; use the search function on the board, maybe it is still there.

    http://www.ngssoftware.com/research/papers/BH-VEGAS-07-Heasman.pdf
     
    Last edited: Oct 24, 2007
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    No fiction:
    It is a disaster why PCI cards are not designed by default to block any unsigned firmware update; the same with DVD burners.

     
  13. aigle

    aigle Registered Member

    All this is not proof of being in the wild.
     
  14. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    I got my proof when partition D was once erased in raw mode;
    I could follow this action live. But maybe it was Rustock.C or D,
    which they claim to be in the wild and totally undetectable, according to EP,
    or a supernatural hardware error that only killed partition D.
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello

    From above:

    totally undetectable < live CD (Linux, Windows take your pick).

    Cheers,
    Mrk
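Booting a live CD and reading the disk from outside the installed OS only tells you something if you have a known-good copy to compare against. The C program below is an added example, not code from this thread or from any tool mentioned in it: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), fingerprints the boot code, and reports whether a fresh dump differs from a baseline in the boot code (what a bootkit patches), in the partition table (what a raw wipe or repartition changes), or is no longer an MBR at all. The sample sector is constructed inline, and FNV-1a stands in for a real digest such as SHA-256. Note the limit of this check: it covers the boot sector only and says nothing about the BIOS flash itself, which is the component the thread is arguing about.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MBR_SIZE         512
#define MBR_BOOTCODE_LEN 446   /* bytes 0..445: boot loader code */
#define MBR_PART_OFF     446   /* bytes 446..509: four 16-byte entries; 510..511: 0x55AA */
#define MBR_NPART        4

struct mbr_part {                /* one partition-table entry, decoded */
    uint8_t  bootable, type;     /* 0x80 = active; type 0x00 = empty slot */
    uint32_t lba_start, sectors; /* little-endian on disk */
};

struct mbr_info { struct mbr_part part[MBR_NPART]; uint64_t bootcode_fnv; };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* FNV-1a 64-bit: a dependency-free fingerprint so the example stays
 * self-contained. A real baseline tool would use SHA-256 here. */
uint64_t fnv1a64(const uint8_t *data, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Parse one 512-byte sector as an MBR. Returns 0 on success, -1 if the
 * boot signature is missing (not an MBR, or the sector has been trashed). */
int mbr_parse(const uint8_t *sec, struct mbr_info *out)
{
    if (sec[510] != 0x55 || sec[511] != 0xAA) return -1;
    memset(out, 0, sizeof *out);               /* also zeroes struct padding */
    for (int i = 0; i < MBR_NPART; i++) {
        const uint8_t *e = sec + MBR_PART_OFF + 16 * i;
        out->part[i].bootable  = e[0];
        out->part[i].type      = e[4];
        out->part[i].lba_start = rd_le32(e + 8);
        out->part[i].sectors   = rd_le32(e + 12);
    }
    out->bootcode_fnv = fnv1a64(sec, MBR_BOOTCODE_LEN);
    return 0;
}

/* Compare a freshly dumped MBR with a known-good baseline. Returns -1 if either
 * is not a valid MBR, else a bitmask: bit 0 = boot code differs (what a bootkit
 * patches), bit 1 = partition table differs (raw wipe, repartition). 0 = identical. */
int mbr_diff(const uint8_t *baseline, const uint8_t *current)
{
    struct mbr_info a, b;
    int flags = 0;
    if (mbr_parse(baseline, &a) != 0 || mbr_parse(current, &b) != 0) return -1;
    if (a.bootcode_fnv != b.bootcode_fnv) flags |= 1;
    if (memcmp(a.part, b.part, sizeof a.part) != 0) flags |= 2;  /* padding is zero in both */
    return flags;
}

/* Constructed sample sector (not from any real disk): NOP-filled boot code
 * and one active NTFS (type 0x07) partition of 1,000,000 sectors at LBA 2048. */
void build_sample_mbr(uint8_t *sec)
{
    uint8_t *e = sec + MBR_PART_OFF;
    memset(sec, 0, MBR_SIZE);
    memset(sec, 0x90, MBR_BOOTCODE_LEN);
    sec[0] = 0xFA;                                          /* cli: plausible first opcode */
    e[0] = 0x80; e[4] = 0x07;                               /* active, NTFS/HPFS */
    e[8] = 0x00; e[9] = 0x08; e[10] = 0x00; e[11] = 0x00;   /* LBA 2048, little-endian */
    e[12] = 0x40; e[13] = 0x42; e[14] = 0x0F; e[15] = 0x00; /* 1,000,000 sectors */
    sec[510] = 0x55; sec[511] = 0xAA;
}

/* Changes a live-CD comparison should flag. kind 0: boot code patched in place
 * (a jmp into injected code, the bootkit pattern); 1: first partition entry's type
 * zeroed (the volume "vanishes"); 2: whole sector overwritten (raw wipe, signature
 * lost); anything else: untouched. Returns mbr_diff()'s result for that case. */
int scenario(int kind)
{
    uint8_t base[MBR_SIZE], cur[MBR_SIZE];
    build_sample_mbr(base);
    memcpy(cur, base, MBR_SIZE);
    if (kind == 0) { cur[0] = 0xEB; cur[1] = 0x3C; }
    else if (kind == 1) cur[MBR_PART_OFF + 4] = 0x00;
    else if (kind == 2) memset(cur, 0, MBR_SIZE);
    return mbr_diff(base, cur);
}

int main(void)
{
    uint8_t base[MBR_SIZE];
    struct mbr_info info;
    build_sample_mbr(base);
    if (mbr_parse(base, &info) == 0)
        printf("baseline: type 0x%02X at LBA %u, bootcode fnv %016llx\n", info.part[0].type,
               (unsigned)info.part[0].lba_start, (unsigned long long)info.bootcode_fnv);
    printf("patched %d, partition zeroed %d, wiped %d, untouched %d\n",
           scenario(0), scenario(1), scenario(2), scenario(3));
    return 0;
}
```

In practice the baseline is the first sector saved right after installation (for example with `dd if=/dev/sda bs=512 count=1` from the live CD) and the "current" buffer is the same read taken later; the three scenarios in `scenario()` are the cases the comparison is meant to catch. A change in bit 0 with an unchanged partition table is the pattern worth investigating first, since a legitimate reinstall of a boot loader changes the boot code too, so the baseline must be refreshed after any intentional boot-loader update.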
     
  16. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Do you think your DVD burner firmware is secure?
    I once owned a Plextor DVD writer; it crashed for unknown reasons. It was not often in use; normally this shouldn't happen.
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,
    Yes, I do.
    BTW, my DVD burner died yesterday ... so?
    Does that mean something is fishy in the Kingdom of Abhazia? No.
    Just bad hardware - it pisses me off all right, but I'm gonna replace it.
    Mrk
     
  18. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    In maybe 90% of cases, yes, but we surely don't want to know about the remaining 10%...
    Besides, I wrote Plextor because they are the most expensive... so what?
     
  19. jfd15

    jfd15 Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    234
    Location:
    Sacramento, CA
    I don't know much about this stuff, but rootkit.com had an article on
    this stuff... It said CD/DVD was vulnerable, BIOS, and a few other things also...

    At this point I just assume that something is on my computer, so I won't
    bank online anymore... I had an older computer 7-8 months ago on a DSL line
    and knew even less then, but my free AVG found about 50 "zlob unloaders"
    and other stuff when I finally got around to scanning... I use Firefox now on my laptop, but all the security stuff grinds it down to a halt, so I think I may just
    give up on doing anything securely online....
     
  20. Dogbiscuit

    Dogbiscuit Guest

    Is it possible? Sure. Is it likely ITW, today or in the near future? Probably not, considering all the different drives, firmware, BIOSes, etc., out there. A stalker/hacker targeting your specific computer might be able to make use of such devices. But seriously, how likely is that?

    You could try running under limited accounts (no slowdown). They prevent the installation of rootkits, as no driver can load unless you're running as admin. Do all your online banking in a separate limited account. Browse in another. I find this to be the safest, easiest way to set up a system. Start out clean, and use the admin account only when you must. Add security software if you need it, or just delete the one limited account and its files if it were to become infected.

    The point is, I think there are ways to prevent most any kind of rootkit installation, BIOS or otherwise.
     
  21. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    In my case it was likely. I could show you plenty of stalker emails from a totally psychopathic mind, a kind of schizoid individual living in his self-created world war.

    Not really; restricted-account exploits will kill your dreams of online security, and a test also showed that keyloggers work in this mode.
     
  22. Dogbiscuit

    Dogbiscuit Guest

    This really is OT, but thanks for sharing.

    You've pointed out an assumption that might not have been clear. Yes, some malware does function while running in a limited account, as this developer pointed out in another forum thread:
    However, I did not assume that using a limited account prevented malware (e.g., keyloggers) from functioning within that limited account, but rather that under an LUA, rootkits would need admin rights to install their driver(s), thus preventing nearly all attempts to critically impair the rest of your system.
     
    Last edited by a moderator: Nov 2, 2007
  23. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    I guess OT stands for open theory.

    Make the test yourself... most keyloggers work with ease in restricted mode.. LoL. NO assumption, you can test it anytime, anywhere.. and the proof will follow.. LooL

    Do you think modern rootkits need a driver? Ask EP; he may explain that there shall exist a phantom that doesn't even need a file. I can hardly believe that either, but I don't exclude any idea and consider it a real threat.

    Here is the original quotation from one of the funniest thread-battles ever @ Wilders:
     
    Last edited: Nov 2, 2007
  24. Dogbiscuit

    Dogbiscuit Guest

    These types of questions always seem to bring out the paranoids and trolls.

    Aigle, have you ever questioned any AV professionals or developers here as to whether they've ever come across anything even like a BIOS rootkit?
     
  25. Mrkvonic

    Mrkvonic Linux Systems Expert

    Hello,
    Junkie, I explained this to you. Anything running on the computer is a file.
    Even your phantom has little bits wrapped into something. Please don't turn this into sci-fi.
    Mrk
     