back to article Newfangled rootkits survive hard disk wiping

Researchers have demonstrated how to create rootkits that survive hard-disk reformatting by injecting malware into the low-level system instructions of a target computer. The researchers, from Core Security Technologies, used the techniques to inject rootkits into two computers, one running the OpenBSD operating system and the …

COMMENTS

This topic is closed for new posts.
  1. Eddie Johnson
    Happy

    This one is simple

    It really is time to bring back a hardware write protect switch. It shouldn't be a big deal because Average Joe doesn't ever have a reason to update his BIOS. The advanced users who do will figure it out.

    Oh, and code signing. BIOS images should be signed. Not just the package you download over the interweb but the actual image on the flash/EEPROM.

  2. Charles Manning

    No easier or harder than any rootkit

    Surely installing any rootkit requires physical or root access so reprogramming the bios is no more challenging than any other rootkit.

    Sure you have to program flash, rather than just accessing a disk, but that is hardly difficult if you have the correct info available.

  3. Steve Evans

    Except...

    Most motherboards have a link to prevent bios writes to stop stupid users screwing things up...

    So as long as you've got that set, you're safe.

  4. David

    Another reason to get a VM

    Virtualise the BIOS, then you can just can the infected machine image.

  5. Anonymous Coward
    Black Helicopters

    1985 Rang....

    ... it want's its story back.

  6. vincent himpe

    all you need is a gluegun

    find the ethernet port on your machine and squirt hot glue in there.

    if your machine has wifi : cut off the antenna too.

    voila you are now perfectly safe.

  7. Martin Edwards
    Paris Hilton

    Unfettered root access?

    Could anyone elaborate on "unfettered root access"? If it means running as administrator, then that's obviously (unfortunately) a very common situation, and surely doesn't belong in the same breath as physical access in terms of how difficult these attacks might be to pull off. Paris, because... wait, no.

  8. CodyT07

    How?

    Exactly how would this work? Didn't MSI mention a while back they are doing away with a BIOS anyway?

  9. Anonymous Coward
    Joke

    I see

    "Of course, injecting code into the BIOS is no easy feat. It requires physical access to the machine or an exploit that hands an attacker unfettered root access."

    My BIOS was late coming home the other night.

    I'd better check it for infections.

  10. Oisin McGuigan
    Pirate

    Antivirus!!....Whats the point?

    And the question here is, Why teh hell do we pay for Antivirus. It may be hard to inject the code and it may be even harder to read the code but at teh end of the day if Antivirus companies cannot clean our machines and OS manufacturers cannot remove the exploit then why in gods name to we pay them ridiculous amounts of money? Its quite like a scam in my opinion, they can cover you for 95% of scenarios but the other 5% you are always screwed. I understand it's a firefighting technology to which we protect ourselves in an array of ways but this kind of vuln is years and years old!!! Norton...pwah, but I'm surprised at trend and Eset. Tisk Tisk. Gimme back my money....

  11. Anonymous Bastard
    Stop

    Re: How? @ CodyT07

    You mean this story?

    http://www.reghardware.co.uk/2008/12/23/msi_uefi_run_through/

    It has nothing to do with getting rid of the vulnerable boot rom, it's only a prettification of the same old stuff. If anything all those extra graphics and third party drivers would be MORE vulnerable to bios type rootkits.

  12. Ross Fleming

    RE: 1985 rang...

    Assuming you mean the Chernobyl (CIH) virus? In fairness to the bods that came up with this one, CIH only every wiped the BIOS.

    Though I am surprised it took 20+ years to take it to the next level...

    Hardwired "read only" please mobo manufacturers, with jumpers to modify.

  13. Ru
    Thumb Down

    Re: you are now perfectly safe

    Right up to the point where you forgot to turn autorun off. Or ran a particular program with slightly too high a privilege level. Or let anyone else use your computer.

    The only secure computer is the one that is turned off and never used.

  14. Peter Ford
    Linux

    Re: Antivirus!!....Whats the point?

    So, why do you pay for Antivirus?

    I don't:

    1. Install Linux

    2. Install clamav (www.clamav.org)

    If you don't want to (or can't) do step 1, at least try ClamWin (www.clamwin.org)

  15. Doug Glass
    Go

    BIOS Update

    A BIOS update with embedded malware. That idea is low hanging fruit for a disgruntled employee or dedicated hacker. And we download it and do it ourselves. Neat !!

  16. Mark
    Flame

    Ahhh.,

    Nothing like a bit of scaremongering in a quiet market to get your security products selling again...

  17. Anonymous Coward
    Paris Hilton

    RE: all you need is a gluegun

    "if your machine has wifi : cut off the antenna too."

    Well that won't work if you're close to the access point!!

  18. Anonymous Coward
    Anonymous Coward

    @vincent himpe, and other comments

    I agree - sensible precautions to protect sensitive data aren't that hard to figure out.

    Dual BIOS with one being read-only and a BIOS comparison on boot would detect infection. As others have said, a hardware write-protect switch would still allow safe BIOS updates, providing you use the BIOS' built-in update mechanism and a signed update package.

  19. Psymon
    Paris Hilton

    brings back memories

    Anyone here remember the Chernobyl virus?

    vicious little thing! It had a date triggered (26th of April, anniversery of it's name-sake) payload that would first begin writing random garbage over your hdd, then do the same on your BIOS.

    Hard to believe it was 11 years ago when my poor little P200 succumbed to that one.

    As for the people who are up in arms over the "lack of security", I'm quite suprised at the general lack of understanding of complex systems.

    To put it bluntly, the more complex something is, the more things there are to go wrong with it, or in this case, the more surfaces are opened to attack.

    Quite like the points raised in the Galactica article, just as they retro-fitted the ship to avoid infection, we could all go back to non-networked casio calculators. Also, the quote "let a complex system repeat itself enough times, and it may do something suprising" rings true in this situation.

    Absolutes only exsist in theory, and we don't live in a theoretical universe. Though the constant strive for improvement is an honerable one, we must never lose sight of this fact.

    No system is invulnerable to attack. If it can be used, it can be abused.

    Paris, cause she could use and ab...

  20. Anonymous Coward
    Paris Hilton

    Time to go back to

    manually setting registers and pulling paper tape though reader to boot computer

  21. Dale Richards
    Paris Hilton

    @vincent himpe

    How can you make a comment about squirting hot glue and not include the Paris icon??

  22. DR

    maybe I just don't understand

    Another reason to get a VM

    By David Posted Tuesday 24th March 2009 23:47 GMT

    Virtualise the BIOS, then you can just can the infected machine image.

    surely in order to use the virtualised bios, which needs to run on the hardware, you'd still need some way of accessing basic input and output systems to actually access the hardware?

  23. regadpellagru
    Pirate

    No physical access needed

    "Of course, injecting code into the BIOS is no easy feat. It requires physical access to the machine or an exploit that hands an attacker unfettered root access."

    No, it doesn't always require physical access to the machine, unfortunately, nor any exploit, only the SDK from the mobo vendor (admitedly the sources are not public, but easily reverse engineered, since is in their public exe).

    Nowadays, Gigabyte for sure (with @BIOS) and probably others have moved towards SW updated BIOS.

    My Gigabyte card (http://www.gigabyte.com.tw/Products/Motherboard/Products_Overview.aspx?ProductID=2695) is best updated this way, via this Windows app, and there's NO physical or BIOS switch to disallow this ! And it doesn't ask for the BIOS password !

    What is even worse, is, as much as I would have liked to do it "the old way", I had to go this way, since the last PC I assembled was floppy-less.

    As everyone said, bring back the old days of jumper to allow BIOS update !

  24. D. M
    Linux

    Re: Martin Edwards

    How about no. It was talking about all OSes, not just stupid M$ crap.

    At least for us Linux users, we don't run as root. We use sudo, and you will need to enter password to give a program "root access". It is hell a lot harder for any malwarel to deal with.

    And it is fact that we normally know what we are doing, not like average clueless lusers.

  25. Anonymous Coward
    Paris Hilton

    Oh right

    It's OK then, they have to get access to your PC first. Anyone want a made in China BIOS chip?

    http://www.theregister.co.uk/2008/10/10/organized_crime_doctors_chip_and_pin_machines/

    Paris, we've all seen her BIOS being accessed

  26. Tom Chiverton Silver badge

    Signed BIOS

    Requiring BIOS updates to be signed by the vendor sounds good, but it stops you mucking about with kit you own - RMS will be upset, as will you be when you can't turn the (broken, of course) DRM off.

  27. Anonymous Coward
    Thumb Up

    Well!

    Well I'm on Linux so ner-ne...oh wait! Well I have an Apple...oh wait! Damn!

  28. Stu
    Pirate

    Hmmmm

    I too remember hearing stories about this sort of thing years ago.

    Surely though the task is made somewhat more difficult, and indeed will impact less people, simply because each mobo manufacturer uses a different firmware model and writes completely different base code, and the same manufacturer would introduce differences between all their different models too.

    Intel and AMD, introduce major changes in basic chipset architecture for their reference motherboards/chipsets from the get go, simply because they're leveraging the new mobo feature sets and overall changes to the hardware.

    Writing a BIRUS (cool new name???) that would sit alongside and account for the massively wide variety of different microcode architectures out there would be nigh on impossible. And if you do, it'll only run on the poor sods who bought, say, ASUSs G245R8346 motherboard?

    .

    Scaremongering if you ask me.

  29. Anonymous Coward
    Boffin

    What about the HD's firmware?

    That's flash too. Only a matter of time...

  30. Anonymous Coward
    Black Helicopters

    Hammers are the new hacker tool

    I've just come up with a technique to render your computer inopperable with my only tool being a hammer. It does of course require physical access to the machine in question.

  31. Jerren
    Paris Hilton

    No big deal...

    This is not that big of a deal, just flash the bios before you reload the OS on the box, problem solved, unless they prevent flashing in some way, then in that case just replace the chip. If this becomes a real problem someone will have a standard service (mail us your BIOS chip and we'll overnight you a new one) or some kit to make this easy even for consumers.

    Paris well she's now crying because she doesn't know how to flash the BIOS and now has to wait an extra 5-10 minutes more for me to fix her computer.

  32. Dr. Vesselin Bontchev
    Boffin

    Lots of incompetent journalistic nonsense, as usual

    OK, let's start by debunking the nonsense in the original report from ElReg.

    "It requires physical access to the machine". Nonsense. Physical access is one of the things such an attack does *not* require. All you have to do is run a program on the machine - which can be done in the same way as you get any other malicious program (virus or Trojan) run on the machine. There are many other requirements, though, which make the attack far more difficult than the article implies.

    "work on virtually all types of systems". Nonsense. In order for this attack to work on a particular system, you need:

    1) The system must have a user-programmable (FLASH-able) BIOS. While many systems are like that nowadays (especially laptops), it is by far not true for all of them.

    2) The BIOS should be FLASH-able by any random program - i.e., it shouldn't require the user to move a jumper or anything like that.

    3) The precise way to FLASH the BIOS should be known to the malicious program. There is no standard API to FLASH any random BIOS - the different BIOS producers use different ways. While it is possible to cover "the most popular types of BIOS", it is by far not easy and it is not possible to cover them all.

    4) The program must be able to find a large enough unused (or not used for anything critical) area in the BIOS, which to overwrite with the rootkit - otherwise it will destroy something important and the computer will stop working at all. Again, finding such an area is not easy and they are not at the same places in the BIOSes of all producers.

    So, while it is a legitimate attack, do not expect to start seeing to tomorrow on the wide scope the article implies.

    OK, now let's move to the nonsense posted in the comments - and I won't even bother with the silly and/or sarcastic remarks.

    Oisin McGuigan, you can't be serious. 95% protection is precisely what you're paying for. Do the doctors cure 100% of all diseases? Does the police catch 100% of all criminals? Does any lock deter 100% of all lock-pickers? The point is that it is better to pay and have 95% protection than have no protection at all.

    For instance, a program installing the kind of rootkit the article is talking about has to *run* on your computer before it can install anything. IF you have anti-virus installed and running properly and IF it knows the program, then it will prevent the program from running in the first place, so your machine will be protected.

    "This kind of vuln"?? What kind of "vuln"?! Viruses require no vulnerabilities whatsoever. They rely on the fact that all von Neumann-type computers (which is all kinds of general-purpose computers in use today) cannot distinguish between code and data.

  33. Michael Habel
    Thumb Down

    Re: all you need is a gluegunall you need is a gluegun

    Ok assuming that most People are that stupid, tp begin with?

    What would you do, when you got hit w/the next RK that S0NY decided to infect it's users with??

    I agree ASUS, Giga-Byte, MSI (...and all the rest on Gilligains' Isle), should bring back the HW Switch to protect the BIOS

  34. A J Stiles
    Linux

    @ Oisin McGuigan

    "And the question here is, Why teh hell do we pay for Antivirus"

    Some people don't. :)

    BTW, if you want a more sensationalist headline: This one would survive even physical destruction of the hard disk, since it's stored somewhere else altogether.

  35. Edwin
    Boffin

    Stupid users vs. clever hackers

    @Eddie:

    the kiddies (who frequently also maintain mummy's PC for her) will no doubt find it an inconvenience to open the case and leave the switch open.

    I once had a BIOS that "included" virus protection, e.g. it threw a warning on the screen if something tried to write to the BIOS or to the boot sector. Problem was that this completely hosed any Windows instance that was running. Maybe that should be brought back.

    Alternatively, how about a momentary write-enable pushbutton on the mobo that enables writes for e.g. 1 hour?

  36. The Jon
    Stop

    shurely...

    wipe the disk, flash the bios, re-install the OS?

  37. wulff heiss
    Go

    hmm... EFI

    that sounds like fun with EFI :)

    looking forward to the first full-graphical virus with sound and automatic updates that hasn't MS slapped on it and lives in the (U)EFI space

  38. A.A.Hamilton
    Paris Hilton

    @No big deal... by Jerren

    Paris "...doesn't know how to flash the BIOS..."? You must be kidding.

  39. Damien Thorn

    Kaspersky SOLVED.

    If you have a decent AV - that simply isnt going to work.

    And that stupid UK law means i cant give a brilliant answer to this :(

    So this will have to do - the way antivirus products work, especially kaspersky mean such an attempt would be noticed, and therefore even a brand new user would stop it.

    Having av and knowing how to use them of course - well thats a completely different story.

    Scientists - the modern answer to criminal warfare.

  40. Stephen Bungay
    Joke

    Misleading headline...Boffins make books that survive fire.

    They chisel them onto stone tablets.

  41. david

    Dear fanbois...

    ...if your bios can be flashed it can be fscked.

  42. Anonymous Coward
    Paris Hilton

    Re: Hammers are the new hacker tool

    I was under the impression it was (and always has been) an axe!

  43. Bob Gateaux
    Thumb Up

    No need to fear

    Where I worked on the Jav before we had to have the unix and much feared the root kit.

    But solution is simple in new modern times. Now we use the Windows where it has no root user in the accounts so we must fear the root kit no further. It is most happy to make us all fear the security issues a little less so I commend the windows if you suffer root worry in your enterprises.

  44. Mike Hocker
    Pirate

    All those PCI cards

    Some of which have BIOS extensions on flash, and some are writable. Cheap used mobo's, PCI cards, PCs themselves refurb'd by Johnny Botmaster....think about that the next time you buy used kit on the world's tat bazaar!

  45. Anonymous Coward
    Anonymous Coward

    PC BIOS == Cheap Primitive Hardware

    BIOS is cheap. Nice hardware loads new firmware into a 2nd bank, compares the checksum and then enables the new firmware if it passes.

  46. Anonymous Coward
    Paris Hilton

    BIOS? Oh well.

    I guess this is yet another reason for us Apple users to feel smug.

    No BIOS, no problem :)

    Paris, because I bet she has a well used Basic Input Output System.

    Mine's the one with the EFI on the motherboard.

This topic is closed for new posts.

Other stories you might like