Rootkits headed for BIOS

Discussion in 'malware problems & news' started by lotuseclat79, Jan 28, 2006.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,096
    Last edited: Jan 29, 2006
  2. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    Very interesting. Thanks for the link. ;)
     
  3. controler

    controler Guest

    This is not so new news. If you look back on my posts, I warned of this a while back. I have flashed many different MOBOs over the years. I have not looked at the newest MOBOs but I can tell you most manufacturers went away from the jumper years ago. It was inconvenient for the home user and their very own support people.

    "The obstacles to deployment are numerous," Heasman said. "Almost all machines have a physical protection, such as a jumper on the motherboard, against flashing."

    I could look at a few sites to confirm. I know Intel used to use a jumper but then drifted away from it. ASUS used to, then stopped; not sure if they went back or not. Some MOBOs still have built-in extra memory for things like onboard video cards etc. Would part of an extra 8 MB be enough for a rootkit?

    The same old experts here always said, oh heck, this just can't happen ;)

    What do you think Devilsadvocate? LOL

    con
     
  4. controler

    controler Guest

    Here is the Flash for the
    Intel® Desktop Board D955XBK

    Which I would say is a newer motherboard. The only time you would move a jumper is if your BIOS was corrupted during a BIOS update; otherwise you only stick a floppy in and reboot to flash the BIOS. They use a floppy because there isn't enough memory to use any graphics (GUI).

    INTEL link to the actual BIOS update file & Recovery file.

    http://downloadfinder.intel.com/scr...XP Professional&lang=eng&strOSs=44&submit=Go!

    Directions for RECOVERY:

    http://support.intel.com/design/motherboardd/standardbios.htm

    And so if you disassemble the flash code to see how things are being done ;)

    con
     
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    My ASUS does not have a jumper, or if it does it's not on by default. What ASUS does have, however, is a function to check the integrity of the BIOS at boot; if it's changed then it boots right into a flash utility and asks for a disk. If you haven't made a disk with the latest flash image then you just put in the CD that comes with the mobo and it uses the original version :) Very handy.
     
  6. controler

    controler Guest

    Notok

    I wonder what integrity they check? I don't think a CRC. The reason I ask is because even ASUS allows updated flashes. Or does the updated flash come with a new checksum value? I do not see any other way they could do an integrity check. The check would have to change with each new BIOS version.
    I don't think it would be that tough to defeat the integrity check but will leave that up to the experts here ;)

    con
     
  7. controler

    controler Guest

    Notok

    Here is the ASUS link I found. http://support.asus.com/technicaldocuments/technicaldocuments.aspx?SLanguage=en-us

    I do not know which method you use but I would not opt to update the BIOS via the internet or while booted into Windows. Let's say a person already had a rootkit on their system and they went to update the BIOS while booted to Windows. The rootkit could do as it chose in this situation, not to mention losing an internet connection while downloading the flash directly to the mobo.

    Big el problemo today is that not many PC makers include a floppy drive any longer.
    Do you know if any mobo makers are utilizing flashing from, say, a USB stick?
    If not they should ;)

    con
     
  8. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Probably depends on the USB support. With ASUS you can just as easily (if not more easily) use a CD.
     
  9. controler

    controler Guest

    I do not think ASUS boots into DOS from the CD though.
    The CD would only be used to recover an older BIOS version, I believe.
    I meant booting to a USB stick, not Windows or a floppy.

    con
     
  10. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    ASUS in fact has a system that controls the BIOS (newer MBs). So far as I know this is the only brand that can do an easy repair when the BIOS/CMOS/NVRAM is corrupted, when a BIOS/CMOS/NVRAM flash update crashed due to a power failure etc., or if there is strange data in it.

    The risks of malware writing into the CMOS/NVRAM/BIOS were first mentioned in the late 80s / early 90s.

    Not a very new problem ..

    ;)
     
  11. TheGate

    TheGate Guest

    Hey guys, I can go into my BIOS and turn on an anti-virus option there. It says it protects the IDE hard disk boot sector. Would that help protect me against this sort of thing? Thx.
     
  12. controler

    controler Guest

    Hello TheGate

    Nope, that option would be for the MBR of the hard drive only, not the BIOS.

    con
     
    Indeed, score another one for controler. Really, I don't know why he isn't in high demand as a security consultant for forecasting trends.

    Nah, I predicted that years ago. Back in Spywareinfo forum threads about undetectable trojans...
     
  14. controler

    controler Guest

    Hi DA

    I think I joined Spywareinfo a while back but do not get there much anymore.
    I guess this is my home;)

    With the NSA requesting search engine logs these days, I was just wondering if Tor keeps records or deletes them as users leave the servers.

    con
     
  15. <DreamCatcher>

    <DreamCatcher> Registered Member

    Joined:
    Jan 6, 2006
    Posts:
    154
    Hi,

    I have a few questions that maybe you might be able to help me with:

    If you were infected, how would you go about detecting a rootkit in your BIOS, if at all possible? For example, is it the same as detecting a rootkit hiding in a Windows operating system or completely different, and if so what tools would I need to download and use? Also, if your AV or AT doesn't pick anything up, is that enough to know your BIOS is not infected, even if you have your suspicions?

    Thanks guys,

    DreamCatcher
     
  16. <DreamCatcher>

    <DreamCatcher> Registered Member

    Joined:
    Jan 6, 2006
    Posts:
    154
    MSI BIOS updating links:

    For Award BIOS, refer to http://www.msi.com.tw/html/support/bios/note/award.htm
    For AMI BIOS, refer to http://www.msi.com.tw/html/support/bios/note/ami.htm
    For users using a non-FAT system, refer to http://www.msi.com.tw/html/support/bios/note/ntfs.htm


    A new BIOS is usually released due to the following reasons:
    1. New functions are supported
    2. New BIOS source code
    3. Bugs are found
    4. Customer-specific request
    When we release a new BIOS, there's usually a release note attached which lists the reason for the release. Refer to this release note and decide for yourself if upgrading to the new BIOS will be worth it. A word of advice, though: do not upgrade to the new BIOS unless you really have to.
     
  17. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,096
    Hi DreamCatcher,

    When I first saw your question I thought, hmmm, good question: how to know in the first place. Time to make some assumptions, hopefully good ones.

    First, an AV or AT would not be able to pick up any hints that the BIOS might be infected from a normal scan of memory/file system. Since the BIOS controls the system immediately after power up (POST), checks the DMI database against the hardware, and then passes control to the OS, the question comes to mind: what rootkit function would be small enough to fit into a BIOS and, besides hiding there and being undetected until scanned (as below), what would/could it do?

    Well, for starters, it could modify the address that passes control to the OS and instead pass control to a hidden partner that modifies the OS kernel data structure framework to insert/embed itself and control the system. The difficulty would be to do this while making the system appear normal (i.e. pass system scrutiny tests) and unaware that any intrusion has occurred.

    What appears to be needed is a utility from the MB manufacturer that can verify the BIOS by, say, uploading it to memory and comparing it with a verified file on power up - not under the control of your normal OS, but under the control of a loadable one like FreeDOS.

    Perhaps hardware detection and verification needs to be built into the MB to avoid/prevent this kind of attack.

    -- Tom
     
  20. controler

    controler Guest

    I can think of two devices that could detect a rootkit in BIOS.

    The first one is called a Kobatron, which is used by the gaming commission at casinos around the world as a way to verify ICs which are installed in their slot machines. A Kobatron will display the internal sig of the IC. This device can also compare bit by bit.

    The second device is also used in the same industry. This is a comparator. With this device you need a spare IC (known good). The spare goes in one socket and the one you are checking goes in the other socket and the two are bit-compared.

    The latest technology uses a CD just for each BIOS which verifies the integrity of the IC. User options are verify CRC, MD5 or SHA-1. The machine is booted with the CD and never sees the OS.

    This could very easily be incorporated into the mobo by the manufacturer if they thought there was a need or fear for it. :D

    Hum, maybe one even the great DA didn't know about?

    con
     
    Last edited by a moderator: Feb 2, 2006
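    As an added illustration (not code from any poster), the two offline checks described in posts 17 and 20: hashing a BIOS image and comparing it against a known-good reference (CRC, MD5 or SHA-1), and a byte-by-byte comparison like the comparator that reports where a dump diverges. The images below are constructed sample data, not real firmware.

```python
import hashlib
import zlib

# Constructed sample images: a "known good" BIOS image and a dumped copy of the
# same image with three bytes changed (what a bit-by-bit comparator would flag).
KNOWN_GOOD = bytes(range(256)) * 8           # 2 KiB stand-in for a BIOS image
_modified = bytearray(KNOWN_GOOD)
_modified[0x100:0x103] = b"\xEB\xFE\x90"     # constructed change at offset 0x100
DUMPED = bytes(_modified)


def digests(image: bytes) -> dict:
    """CRC32, MD5 and SHA-1 of an image: the three options the post lists."""
    return {
        "crc32": f"{zlib.crc32(image) & 0xFFFFFFFF:08x}",
        "md5": hashlib.md5(image).hexdigest(),
        "sha1": hashlib.sha1(image).hexdigest(),
    }


def verify(image: bytes, expected: dict) -> dict:
    """Compare each digest of `image` against the reference values.

    Returns {digest_name: bool}; any False means the image is not the one
    the reference was taken from."""
    actual = digests(image)
    return {name: actual[name] == expected[name] for name in expected}


def bit_compare(reference: bytes, candidate: bytes, limit: int = 16) -> list:
    """Byte-by-byte comparison (the comparator's job); returns the first
    `limit` offsets where the dump differs from the known-good image."""
    if len(reference) != len(candidate):
        raise ValueError("images differ in size; compare like with like")
    diffs = [i for i, (a, b) in enumerate(zip(reference, candidate)) if a != b]
    return diffs[:limit]


if __name__ == "__main__":
    reference = digests(KNOWN_GOOD)          # would come from the vendor's CD
    print("clean image :", verify(KNOWN_GOOD, reference))
    print("dumped image:", verify(DUMPED, reference))
    print("first diffs :", [hex(o) for o in bit_compare(KNOWN_GOOD, DUMPED)])
```

    On a real system the reference digests would be taken from the vendor's release, and the dump taken while booted from the verification CD rather than from inside the installed OS, as post 17 argues.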
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    But I assume that a rootkit can only infect a BIOS if it's installed via a driver? There are no other methods of infection, right? :rolleyes:
     
  22. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    As Tuatara said previously, this is not new: everyone has heard of hardware viruses, for instance.
    Then we can logically expect that rootkit technologies will colonise BIOS and hardware peripherals.
    An example and proof-of-concept rootkit backdoor which targets the boot sector to patch the kernel has been shown by eEye.

    An interesting evolution of rootkit detection is provided by hardware solutions:
    Intel for instance plans for 2008/2009 the release of "LaGrande", a processor with anti-malware features.

    A summary of this technology here:
    http://massis.lcs.mit.edu/telecom-archives/TELECOM_Digest_Online2005-2/3158.html

    For more technical information:
    http://www.intel.com/technology/magazine/research/runtime-integrity-1205.htm

    regards
     
  23. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hmmm disable ACPI :D
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    ^^^^^

    So blocking a driver from loading is not enough? o_O
     