Rootkits headed for BIOS

Article from Black Hat Federal Conference in Virginia, January 26, 2006:
http://www.securityfocus.com/news/11372?ref=rss

-- Tom

 

Very interesting. Thanks for the link.

 

This is not so new news. If you look back on my posts, I warned of this a while back. I have flashed many different MOBO's over the years. I have not looked at the newest MOBO's but I can tell you most manufactures went away from the jumper years ago. It was inconvienent for the home user and their very own support people.

"The obstacles to deployment are numerous," Heasman said. "Almost all machines have a physical protection, such as a jumper on the motherboard, against flashing."

I could look at a few sites to confirm. I know Intel used to use a jumper but then drifted away from it. ASUS used to then stoped, not sure if they went back or not. Some MOBO's still have built in extra mem for things like onboard video cards ect. Would part of an extra 8 meg be enough for a rootkit?

The same old experts here always said oh heck this just can't happen

What do you think Devilsadvocate? LOL

con

 

Here is the Flash for the
Intel® Desktop Board D955XBK

Which I would say is a newer motherboard. The only time you would move a jumper is if your BIOS was corrupted during BIOS update, otherwise you only
stick a floppy in and reboot to flash the BIOS. They use a floppy because there isn't enough memory to use any graphics (GUI).

INTEL link to the actual BIOS update file & Recovery file.

http://downloadfinder.intel.com/scr...XP Professional&lang=eng&strOSs=44&submit=Go!

Directions for RECOVERY:

http://support.intel.com/design/motherboardd/standardbios.htm

And so if you dissemble the flash code to see how things are being done

con

 

My ASUS does not have a jumper, or if it is it's not on by default.. what ASUS does have, however, is a function to check the integrity of the BIOS at boot, if it's changed then it boots right into a flash utility and asks for a disk.. if you haven't made a disk with the latest flash image then you just put in the CD that comes with the mobo and it uses the original version Very handy

 

Notok

I wonder what integrity they check? I don't think a CRC. Reason I ask is because, even ASUS allows updated flash. OR does the updated flash come with a new checksum amount? I do not see any other way they could do an integrity check. The check would have to change with each new BIOS version.
I don't think it would be that tough to defeat the integrity check but will leave that up to the experst here

con

 

Notok

Here is the ASUS link i found. http://support.asus.com/technicaldocuments/technicaldocuments.aspx?SLanguage=en-us

I do not know wich method you use but I would not opt the update BIOS via internet or while booted into windows. Lets say a person already had a rootkit on their system and they went to update BIOS while booted to windows. the rootkit could do as it chose in this situation, not to mention losing a internet connection while downloading flash directly to mobo.

Big elproblemo today is not many PC makers include a floppy drive anylonger
DO you know if any mobo makers are utilizing flashing from say a USB stick?
If not they should

con

 

Probably depends on the USB support.. with ASUS you can just as easily (if not more easily) use a CD.

 

I do not think ASUS boots in DOS to the CD though.
The CD would only be used to recover an older BIOS version I believe.
I ment booting to a SUB stick not windows or a floppy.

con

 

Asus has in fact a system that controls the BIOS (newer MB's)
so far as i know is this the only brand that can do a
easy repair when the bios/cmos/nvram is corrupted or when a
bios/cmos/nvram flash update crashed by a power failure etc. or
if there is strange data in this.

The riscs of malware writing into the cmos/nvram/bios where
first mentioned in the late 80-es early 90-es

Not a very new problem ..

 

Hey guys, I can go into my Bios and turn on an anti-virus there. It says it protects the IDE hard disk boot sector. Would that help protect me against this sort of thing? Thx.

 

Hello TheGate

Nope that option would be for the MBR of the hard drive only not the BIOS.

con

 

Indeed, score another one for Controller. Really, I don't know why he isn't in high demand as a security consultant for forcasting trends.

Nah, I predicted that years ago. Back in Spywareinfo forum threads about undetectable trojans...

 

Hi DA

I think I joined Spwareinfo a while back but do not get there much anymore.
I guess this is my home

With the NSA requesting search Engine logs these days, I was just wondering if TOR keeps records or deletes them as users leave the servers.

con

 

Hi,

I have I few questions maybe that you might be able to help me with>

If you were infected how would you go about detecting a rootkit in your bios, if at all possible. For example is it the same as detecting a rootkit hidding in a windows operating system or completly different, if so what tools would I need to download and use? Also if your AV or AT dosnt pick anything up is that enough to know your Bios is not infected, even if you have your suspicions.

Thanks guys,

DreamCatcher

 

MSI updating bios links>

For Award BIOS, refer to http://www.msi.com.tw/html/support/bios/note/award.htm
For AMI BIOS, refer to http://www.msi.com.tw/html/support/bios/note/ami.htm
For user using non-FAT system, refer to http://www.msi.com.tw/html/support/bios/note/ntfs.htm


A new BIOS is usually released due to the following reasons:
1. New function is supported
2. New BIOS source code
3. Bugs are found
4. Customer-specific request
When we release a new BIOS, there's usually a release note attached which lists the reason for the release. Refer to this release note and decide for yourself if upgrading to the new BIOS will be worth it. A word of advice, though, do not upgrade to the new BIOS, unless you really have to.

 

Hi DreamCatcher,

When I first saw your question - I thought - hmmm, good question - how to know in the first place. Time to make some assumptions - hopefully good ones.

First, an AV or AT would not be able to pick up any hints that the BIOS might be infected from a normal scan of memory/file system. Since the BIOS controls the system immediately after power up (POST), checks the DMI database against the hardware, and prior to passing control to the OS, the question comes to mind - What rootkit function would be small enough to fit into a BIOS and besides hide there and be undetected until scanned (as below) what would/could it do?

Well, for starters, it could modify the address that passes control to the OS, and instead, pass control to a hidden partner to modify the OS kernel data structure framework to insert/embed itself to control the system. The difficulty would be to do this while making the system appear normal (i.e. pass system scrutiny tests) and unaware that any intrusion has occured.

What appears to be needed is a utility from the MB mfgr that can verify the BIOS by say uploading it to memory and comparing it with a verified file on power up - not under the control of your normal OS, but under the control of a loadable one like FreeDOS.

Perhaps hardware detection and verification needs to be built into the MB to avoid/prevent this kind of attack.

-- Tom

 

http://forum.kaspersky.com/index.php?showtopic=9118

 

Another link on this subject>

http://www.dslreports.com/forum/remark,15337709~start=0

http://taosecurity.blogspot.com/2006/01/black-hat-federal-2006-wrap-up-part-2.html

 

I can think of two devices that could detect a rootkit in BIOS.

The first one is called a Kobatron which is used by the gamming commision at Casino's around the world as a way to verify IC's which are installed in their slot machines. A Kobatron will display the internal sig of the IC. This device can also compare bit by bit.

The second devive is also used in the same industry. This is a comparator.
With this device you need a spare IC (known Good). the spare goes in one socket and the
one you are checking foes in the other socket and the two are BIT compared.

The latest technology uses a CD just for each BIOS which verifies the integrety of the IC. User options are
verify CRC,MD5 or SHA-1. MAchine is booted with CD, never sees the OS.

This could very easly be incorporated into the mobo by manufacturer if they thought there was a need or fear for it.


hum maybe one even the great DA didn't know about?

con

 

But I assume that a rootkit can only infect a BIOS if it´s installed via a driver? There are no other methods of infection, right?

 

Hi,

As said previously Tuatara, this is not new: anyone has heard or hardware virus for instance.
Then we can logically expect that rootkit technologies will colonise BIOS and hardwares peripherals.
An example and Proof-of-Concept rootkit backdoor which targets boot sector to patch the kernel has been shown by Eeye.

An interesting evolution of rootkit detection is provided by hardwares solutions:
Intel for instance plans for 2008/2009 the release of "LaGrande", a processor with anti-malwares features.

A summarize of this technology here:
http://massis.lcs.mit.edu/telecom-archives/TELECOM_Digest_Online2005-2/3158.html

For more technical information:
http://www.intel.com/technology/magazine/research/runtime-integrity-1205.htm

regards

 

Hmmm disable ACPI

 

^^^^^

So blocking a driver from loading is not enough?

 

Disable ACPI inf




Maybe the "CODE" on this Link will give someone some ideas......who knows......could be.......just maybe......huh? (for info only)



http://www.911cd.net/forums/lofiversion/index.php/t7568.html