Persistent BIOS malware with hypervisor and SDR found

Discussion in 'malware problems & news' started by BoerenkoolMetWorst, Oct 11, 2013.

Thread Status:
Not open for further replies.
  1. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    My experience with a BIOS is limited to flashing/undervolting, so I'm light-years away from proper knowledge.
    I get the gist of the article though: the impossibility of cramming all the code for all combinations of boards, versions and revisions into 4/8MB, the impossibility of hiding code from analysis, etc.
    The writer of the article "The badBIOS Analysis Is Wrong" doesn't exclude a very limited BIOS malware either, though (and then he does, seemingly); link.
    A pity he didn't address Ruiu's point on the limited number of flash controllers used in all hardware. My layman brain tells me those are thus also used in all UEFI flash controllers.
    If those are reprogrammable, as Ruiu mentions, wouldn't you need only a little code instead of some herculean "UEFI malware to flash them all"?
    And wouldn't you need to read out the flash controller instead of the UEFI image itself for detection/analysis purposes?
    Perhaps that's all nonsense; I'm pretty much a layman/average user, tbh.
    Maybe CanSecWest will shed light. Or not, and it's just drama.
     
    Last edited: Nov 4, 2013
  2. DHRF

    DHRF Registered Member

    Joined:
    Apr 17, 2013
    Posts:
    18
    Location:
    Argentina

    Hello

    My BIOS para-virtualization claim is not the same.
     
  3. chimpsgotagun

    chimpsgotagun Registered Member

    Joined:
    Dec 1, 2012
    Posts:
    55
    Couple of ideas that came to mind:

    Not BIOS, but other hardware chips commonly used in Intel-based machines could contain code that is executed under certain conditions. Perhaps code that could be used as a backdoor. Would that need to be Intel's (which would mean the source would be the NSA), or are there widely used chips of Chinese or Taiwanese origin too that could contain code that inserts itself between BIOS/UEFI and the OS? (Yes, this would be different from the claimed BadBIOS malware, because it would require the code to be in the hardware chips; still, a USB infection could activate or modify the code that was already present in the hardware.)

    But even that way, totally OS-independent... would that be possible? Perhaps it wouldn't need to be, e.g. if the USB infection did the trick of adding the needed layer between the OS and the hardware-based malware code. Then the OS-dependent code would be hidden in some unused area of the hard disk, or perhaps even in a flashable area of the malware-containing chip, and the hardware would relocate it if needed, e.g. during repartitioning. The hardware could also protect the hidden code from being found by showing just zeros in that area, if the code was located on the hard disk. Using a flashable area inside the chip would certainly be better, because moving the disk to another computer might reveal it if it were searched for.

    Communicating via speakers would not necessarily require ultra-high frequencies if it happened only when it had been silent for a while, and stopped immediately when some noise other than humming or HD sounds was heard. Maybe we should start recording our PCs while away, and perhaps catch them off guard chatting with each other... :ninja:
     
    Last edited: Nov 6, 2013
  4. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  5. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    I got a good laugh from reading the article. I can't believe people fell for it.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From My Armchair Prognostications on BIOS Malware:

     