Malware burrows deep into computer BIOS to escape AV Researchers have discovered one of the first pieces of malware ever used in the wild that modifies the software on the motherboard of infected computers to ensure the infection can't be easily eradicated. Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it attacks to add malicious instructions that are …
I thought NGSCB was supposed to protect this kind of thing, or making the BIOS readonly. How exactly does this malware get on a non-infected computer in the first place.
http://technet.microsoft.com/en-us/library/cc723472.aspx
-------
`We still have a while before it starts raining'
Root kits require root to be installed (the installer isn't typically considered part of the rootkit).
Once you have a rootkit installed all bets are off regards any antivirus or operating system protections.
The only protection against this sort of thing is a jumper setting on the motherboard to enable/disable flashing, which I believe many motherboards used to ship with.
The BIOS can be reflashed from within Windows though - it's how we (legitimately) update the BIOS. It's not hard to envisage a virus taking advantage of this.
To do it though, the OS has presumably already been compromised though. This is just deep-rooting it further in the system to stand a better chance of survival. It isn't normally seen however as virus writers tend to aim as far and wide as possible, which isn't usually compatible with specific BIOS versions/manufacturers.
quote from that microsoft page: "Much of the NGSCB architecture design is covered by patents, and there will be intellectual property issues to be resolved. "
this is why that thing is not used much, patents = either increased product costs for manufacturers or exposing themselves to lawsuits.
the only devices that i know to use it are the game consoles, XBOX, PlayStation and the like, but those are relatively closed and isolated ecosystems where competition in hardware is non-existent, e.g. the only way to get an xbox motherboard is from Microsoft. Same thing is for Sony and playstation motherboards.
Piece of piss then.
I've done a BIOS transplant in the past, but only because I'd accepted the board was dead following a failed flash upgrade. I'd not recommend it as it's very hairy, won't give you the full functionality of the board as it likely resets it to be a "reference" mobo (in the end I got it to the stage where it would boot, barely with massive errors, enough to get to a DOS flash utility, hotswapped the failed chip back in and reflashed the firmware - success rate of 1 in 3 so far)
With CIH this was the only way to repair an infected machine without having access to stand-alone EPROM flashing equipment, indeed, I repaired one such dead laptop for a client back in the late nineties by simply sourcing a replacement Phoenix BIOS chip from the manufacturers and dropping it in.
With this sort of infection though the prognosis is not so grim; as the BIOS re-write does not intentionally trash the EPROM like CIH did, it should still possible to simply re-flash your BIOS with an official firmware.
All computers with updateable bios should have a physical button connected to the write-enable pin of the chip that has to be pressed to allow flashing it, but I guess it would cost too much. Even with this feature, malware might be able to infect the bioses of really stupid users ("remember to press the bios flash button to view our fabulous p*** site"), but they surely would deserve it.
...a BIOS that required you to confirm a BIOS reprogramming by flashing up a text screen. I'm guessing this feature died because Joe User didn't want his Windows BIOS update utility crashing Win95 every time he updated the BIOS.
With most BIOS now able to update themselves from a USB drive directly from the configuration screen, I guess it should be possible to reinstate this feature.
I thought viruses that attacked the BIOS were all the rage back in the 90s so the BIOS implementations took steps to protect themselves. Like popping up a big message on the screen saying the BIOS was being modified and did you want to proceed. Don't say all those lessons have been forgotten.
As they say,
The one thing you can learn from history is that people who don't learn from history are doomed to repeat its mistakes.
Nice try, and one that I had at first thought would work, but, sadly these can be keylogged from the buffer and hence are not so secure. There are papers by e.g. Jonathan Brossard which demonstrate this.
IIRC many older Mainboards used to have a setting for a more complete block on bios rom write access.
You have valid point of the possibility, but actual likely hood is very low for common user, and very easy to work around in corporate environment.
How often do you need to get into the BIOS for changes, where you would need to type the password? For most machines this would only be during setup, and could certainly be done off-line before the machine is connected to the net and at risk for infection. Common user will never update their bios once PC is working, and corporate environments should already be doing most work on machines off-line.
Agreed that simple jumper to allow BIOS flash should be common feature as it used to be. Never liked being able to flash bios from windows specifically because of issues like this.
The thing you know as a ROM (EEPROM, strictly speaking, but generally known as a ROM) that is to say - a large discreet component in a socket on the edge of the motherboard, is no longer there. However, there is a surface mount jobbie that does the same thing. Often the surface mount jobbie has a shadow that can be swapped in, less often and usually in higher end servers there is also a read only fallback as well, just in case everything goes badly wrong.
Granted, CIH did modify the BIOS, but rather than replacing the BIOS with a hacked-on version so as to be able to reinfect easily, CIH erased the 'boot block', so the machine would not boot.
To add insult to injury, it also overwrote the first 200MB of the first disk.
In effect, CIH's modifications to the BIOS were the destructive payload, not the infection mechanism.
The privilege escalation was moderately clever, and relied on a combination of a security failure in the x86 instruction set - user-mode code can trivially retrieve the base address of the interrupt descriptor table - and a security failure in Win9x - that table is writeable from user-mode code. CIH used this combination to gain access to kernel mode.
Nothing beats a computer virus like a mechanical obstacle - bringing back a jumper on the BIOS chip's write-enable line would probably be a good idea. (It is not like flashing the BIOS is a frequent event or something generally done by the type of user who never opens their case, and if it was, you could replace the jumper with a rear-panel mini-switch, I guess).
BIOS write-protect jumper or switch, seconded. Best design would be like the reset switch on desktops - you'd have to hold it down while you powered on the system to enable BIOS flashing, and you couldn't accidentally leave it enabled.
Another insanity is trying to run anti-virus software within a potentially infected and subverted operating system. The right approach would be to boot off a DVD-ROM, download up-to-date virus signatures from the vendor and then scan the disks. Since the on-disk operating system is not active, there is nowhere for a rootkit to hide (except maybe in the BIOS, hence the need for mechanical protection).
"The right approach would be to boot off a DVD-ROM, download up-to-date virus signatures from the vendor and then scan the disks"
I have a fair rate of students bringing their infected machines in (policy says they must have AV but without admin access to their personal PCs can't enforce...), so my solution to this was to create a Windows PE boot image which can be booted via TFTP (or written to CD) and connects to a read-only network share that has SAV32CLI, updated overnight with the virus definitions that our enterprise console has downloaded. Just network-boot the machine and run a disinfect or remove scan with no worries about what is being run. or what the virus is preventing from being accessed.
Steve.
that trying to make computing user friendly only makes it virus friendly.
People are going to have to play in sandboxes AND learn simple security procedures. This may sound onerous to some but when I've managed to explain it to management the response has been 'that's just what we want in the organisation'.
Getting them to sign exemption forms so they take responsibility when that security is removed from their PC's can 'do something operationally sensitive' is another matter.
Just to be clear, CIH didn't attempt to "infect" a computer's BIOS, just trash it.
This might sound like "much the same thing" to some people, but in reality its very difficult. Being able to infect the computer firmware with code that will execute and infect files on the hard disk at each boot has always been one of the virus "holy grails".
Hit me once. Bugger to get rid of. Boot a workable machine, hotswap in buggered bios chip, reflash. What a pain in the ass. The thought occurred to me at the time that machines should be shipping with 2 BIOS ROMs. One of which would be unwritable and used purely to reflash the main BIOS back to factory specs in case of failure.
There are Gigabyte had this as a common feature on most MB for many years now.
However the problem is that one is not read/write and the other read only. Both are read write, and though this virus may not hit both, it would be a minimal task for the virus once booted to update BOTH BIOS to the infected state.
Again two having backup BIOS helps in this area, but doesn't solve the problem in general. The second BIOS either has to be READ only or protected by a write enable jumper (that would normally NOT be connected).
"Because the BIOS is stored on a ROM, or read-only-memory chip, modifications have the potential to render a computer largely inoperable."
Thanks, but I know what ROM stands for. I also know what EEPROM stands for. I even know the difference between the two.
What I fail to understand is the connection between the type of memory used and rendering the computer largely inoperable. How would a BIOS stored in SRAM fare any better?
They should bring back the physical flash enable jumper...
But there's not just the BIOS to worry about, virtually all of your hardware has a small upgradeable firmware attached to it, video bios, hard drive firmware, even keyboards have firmware... Plenty of places for malicious code to embed themselves.
Yep - IIRC viruses have already been found and written on these kind of peripherals. It won't be too long before the (GP)GPU that modern gfx cards sport start to get hit in a main stream manner, and it'll be down to idiot operating systems and "developers" forgetting security entirely and adding features that can be used in an insecure way or can escalate their access across a system.
in the case of consumer purchases, MIGHT provide a remedy AND an incentive/kick up the bum for the MOBO or system suppliers/mfrs to get their acts together.
In the USA the contract is all, I gather, although even there they've brought in federal "lemon laws" where stuff just doesn't work - whereas in the UK a clause attempting to absolve the supplier for liability for anything related to virus infections might well be struck out for being unfair/unbalanced/an attempt to avoid responsibilies under SOGA etc.
It's hardly the responsibillity of the manufacturer if you've installed dodgy software which compromises your system.
That would be like a safe manufacturer being held responsible for your allowing a man in a stripy jumper with a sack saying "swag" into the room with your safe and leaving him there to do what he wants.
.. having flashbacks to the good old BBC Model B with sideways RAM? Putting 'borrowed' ROM images in and then having to wire in a write-protect switch because the sneaky ROM authors started doing write tests in case someone had 'borrowed' their ROM and loaded it into sideways RAM..
This may be specific to a particular BIOS, but the virus writers don't need me to suggest to them that uploading every additional BIOS found to their evil servers, and downloading a cracked version of any compatible one on file, will let them have lots more fun.
And once an evil BIOS is running, is there anything that it can't do? Such as hiding itself as well as the virus on disk from anti-virus software?
As for EFI - yeah, they can probably get us that way, too. Beware of insertable media carrying EFI routines.
According to the article, the code is loaded onto a ROM -READ ONLY memory. It is, in fact, an EEPROM, Electrically Eraseable Programmable Read Only Memory. If it was actually READ ONLY, how would the code write to it?
Since it's primarity attacking computers in China, will the three-letter agencies claim it is the Chinese Government attempting to monitor it's people or will China claim it is an attack by the US and it's allies?
If the "victims" tend to be scientists, military and government officials, heads of corporations and like I would look more towards the US (or EU, or Russia, or even more likely... Israel)
If on the other hand the "victims" are authors, newpaper writers, heads of religious or social groups etc etc, then one would safely assume its coming from the Chinese hack state
that nWP pin is going to get a wire strap to ground...
(notWriteProtect : a pin on the bios chips that, if pulled low physically blocks the flash chip to be rewritten) Most motherboards these days use SPI flash chips like 25M90's and alike. These all have such a pin. Some motherboards already have a jumper to tie this pin down.
Also parallel flash has this.
that that "who needs computers, anyway" idea fits in awfully well with the know-nothing-or-even-less attitude being pushed as a replacement for intelligent discourse and debate these days in what used to be the United States? Wouldn't surprise me at all to read some future historian in a few decades paint a convincing case that the Kochs or other corporate minders of the "Tea Party" useful idiots were heavily invested in this sort of thing.
what's more worrying is the realisation that a suitably virulent strain of malware could destroy millions of PCs by flashing junk to the BIOS. And even if the victim identifies faulty BIOS firmware as the problem, they're unlikely to go to the expense of fixing it. They'd probably go to the far greater expense of buying a new machine. Especially if they use the increasingly popular laptop form factor.
Time to buy a Mac? LOL.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
