BIOS Rootkits - Detection / Prevention?

Hi,

I was reading an older yet interesting article over at: http://www.securityfocus.com/news/11372

How do I determine if my motherboard allows the BIOS to be changed by default?

Secondly, how would one go about detecting a rootkit that uses this method?

What are your thoughts concerning this?

Thanks!

 

Hi xeda,

We had a Thread back in April, 2006: Rootkits headed for BIOS which you can read for more information:
https://www.wilderssecurity.com/showthread.php?t=117896

-- Tom

 

Here look what I found:

ACPI Rootkit example from China

scary isn´t it?

You should investigate this registry entry HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT

Actually the mainboard creators don´t give a penny on this hidden danger.

 

Thanks Tom, that's an excellent thread. I found a lot of useful info and links.

Yes, it IS scary...but I love a new challenge. How about you?

Hmmm, would you recommend disabling ACPI?


I've been researching this topic a lot recently (I spent the last 7 hours reading material surrounding this).

I especially found this discussion interesting: http://www.broadbandreports.com/forum/remark,13853178

Pay attention to the posts made by stefaanE, tcp1, and ZOverLord.

 

Hello,
Science fiction.
Mrk

 

So, you think it's purely theoretical?

I myself am on the fence about the whole subject.

I mean there seems to be a lot of proof of concept examples floating around.

 

Hello,
Relax and enjoy.
Atomic bomb - proofed conceptually twice.
Does it happen every day - no.
Besides, there has been lots of talk about how this and that. In short, this is very highly unlikely.
Mrk

 

very rare does not mean no danger. It may always be possible that hardware with flash memory is contaminated

How right he is! True, true!

But what if it is located in bad sectors... ;-)

no, this may be the future standard attack method, if mainboard manufacturers still will sleep deep.

Xeda, this won´t really help too much, in my opinion, because Windows installs acpi.sys and this file is essential and don´t underestimate hal.sys. You can use external hal and acpi, modifying the boot.ini, but if bios is infected I still doubt that this will solve the problem totally and what about file infection, some viruses adds a few bytes to an exe file and you start these exes and your new system may be reinfected very fast. Stealth by design.

I recommend to read black hat federal 2006. Rootkit hunting vs Compromise detection.

 

To take the view that "if it can happen," then it's a real threat, you need to reconsider walking out the door each morning. A threat assessment is only as good as its realism. The chances of a bios virus/root-kit is so ridiculously small as to be insignificant. If you're prone to worry, worry about a 757 falling out of the sky and destroying your house. (Just make sure you have a computer backup offsite!) Seriously, relax.

 

haha.. good idea.. I relax a little bit. But to step a bit further in this discussion. People who were hit by a lightning,
do you think they ever thought that they ´d be hit`? Even if the probability may be small, some people always will be hit.

 

Then if you talk about probability, you migth as well consider the danger than the processor can do things other than what you want it to do as electron are by nature quantic object. You migth also consider that the flow of "bad" electron by luck form a meaningfull command to the rest of the computer and something very bad happens.

There is also a chance that the sun explode, crushing whatever remains of your computer.

When you take EVERYHITNG in consideration, then you realize you are never safe. I really think you have more chance of getting your comp stolen or damaged by a power outage than being infected by a superior-being-like bios rootkit.

if you fear bios then switch motehrboard .. or buy one of the hardware bios backup / restore solution.

-------------------

@ Mrkvonic (off topic)
Talking of science fiction...
Nice reading about physic (im)possibility of going back thrue time

 

I have to agree with the others who are saying there are other things to worry about.
Bios virus? Bios root-kit? As Gerard said, "relax."

----securityx----

 

Not easy to find a mobo with switch.

 

Hi,

I have managed to figure out that I have a MSI MS-7184 motherboard with a Phoenix Award BIOS, can anyone tell me if I´m protected against BIOS modification/flashing and thus against BIOS rootkits?

http://h10025.www1.hp.com/ewfrf/wc/...c=us&product=1127350&dlc=en&docname=c00378480

 

No I think you would need a dual bios or a jumper to block write access..

 

Have you looked at the specifications? There is also a bit info about jumpers in it, but I could not figure it out.

 

Even the latest boards from MSI (2007) have absolutely no bios protection. Seems that no one in this industry believes in a real danger concerning this.

Interesting link concerning: firmware rootkits

 

Bios rootkits are not a real danger right now. Companies should think about real threats, not highly unlikely ones. There are so many easy ways to infect a machine, why use the difficult and potential disastrous method of using bios / firmware infections?

(Why disastrous? Bios / firmware is critical in the machine's operation. Crashing the machine will 1) rob you of your means to achieve your goal and 2) make your presence that more obvious.)

BTW: the idea of a bios / firmware rootkit for espionage has been used in a Tom clancy novel some years ago, to spy on the Chines government ;-)

 

Thats, too bad.
BTW anyone knows which motherboard vendors are using physical BIOS protection( jumper etc)?

 

Hello,

BIOS rootkits are a nice concept. And that's all.

Implementing rootkits in BIOS is akin to planting a new kidney in a person. Will work successfully only in 0.00000000005% of cases. Writing code that will perfectly fit the target (including 1E13 combinations of hardware), not break BIOS and actually do something effective via installed OS - which might be just about anything - has the same chances of succeeding as waking Disney from his cryo chamber back to life.

To the best of my knowledge, some of my mobos have BIOS write protection.

That article is pure ... random opinion.

Giant meteors can strike Earth. So? I don't see people preparing for the doomsday. Possible. Yes. Likely. No.

Mrk

 

As for malware,

BIOS rootkits, motherboard rootkits, rootkits in DVD flash memory, pills, hardware hypervisors = bad science fiction and nothing more.

 

except for those chinese fanatics who posts codes for acpi rootkits,
remember this link ? Actually the author made anything black to prevent view, just scroll over with mouse button to see the source code.

 

Maybe I am one of the few, but I take this issue seriously. How long ago was it that no one took leaktests seriously?

 

Fiction becomes true sometimes rapidly in the modern world.

 

Sometimes our minds try to make things fiction when in actuality they are closer to us then we can conceive. I doubt anyone person knows of all of technology people have these days.