
New BIOS Virus Withstands HDD Wipes

Source: Tom's Hardware US | 56 comments

Computer viruses are nasty things. But the nasty just got nastier.

In many worst case scenarios, a hard drive wipe is the final solution to ridding a system of an infection. But the absolute worst case scenario is if a virus attacks the BIOS, making detection and cleaning an incredible challenge.

Viruses that target the BIOS aren’t new, but often they are specific to a type of hardware. Researchers have now demonstrated a new type of attack that could install a rootkit on the BIOS of common systems, making it very lethal and effective.

Anibal L. Sacco and Alfredo A. Ortega of Core Security Technologies released a presentation detailing the exploit of this “persistent BIOS infection.” Through the use of a 100-line piece of code written in Python, a rootkit could be flashed into the BIOS and run completely independently of the operating system.

"We tested the system on the most common types of BIOS," said Ortega in a vnunet story. "There is the possibility that newer types of Extensible Firmware Interface BIOS may be resistant to the attack, but more testing is needed."

Flashing a system’s BIOS requires administrative control, but that could first be obtained through a more ‘innocent’ virus that could reside on the hard disk drive. Once an attacker has admin rights, the rootkit could be flashed onto the BIOS and would remain effective even if the original virus on the hard disk were removed. Even a complete format wouldn’t rid the system of the virus.

"You would need to reflash the BIOS with a system that you know has not been tampered with," he said. "But if the rootkit is sophisticated enough it may be necessary to physically remove and replace the BIOS chip."

There is a defense against such an attack, however: the researchers say that a BIOS password or a physical lock against BIOS flashing could block the installation of the rootkit.

"The best approach is preventing the virus from flashing onto the BIOS," said Sacco. "You need to prevent flashing of the BIOS, even if it means pulling out a jumper on the motherboard."

Check out the original slideshow presentation by the researchers here (PDF).

  • [-4] sacre, March 27, 2009 8:02 PM
    Ok.. so this Virus literally destroys the Bios chip if advanced enough..

    EVERYONE! Quick! Buy stocks from the new company called "RYB (Replace your Bios)", they will make Removable Bios chips from Mobo's, and they will be the Bios suppliers.. yup
  • [7] Anonymous, March 27, 2009 8:04 PM
    ...lol, guess what Conficker's April 1st update will bring. Bios flashing support :-\
  • [5] Shadow703793, March 27, 2009 8:19 PM
    One thing I notice is that it's written in Python. Interesting choice for a virus language.
  • [1] Tekkamanraiden, March 27, 2009 8:24 PM
    Guess it's time to switch to efi.
  • [5] pocketdrummer, March 27, 2009 8:53 PM
    I wish it were easier to find virus makers. That's the one case I could justify the old law of cutting off people's hands. Of course, then he'll probably buy Dragon Naturally Speaking and keep making them. I guess the tongue would be the 2nd offense, lol.
  • [0] eklipz330, March 27, 2009 9:12 PM
    andertp: ...lol, guess what Conficker's April 1st update will bring. Bios flashing support :-\

    shh you might put ideas into their heads =[
  • [-5] judeh101, March 27, 2009 9:36 PM
    I'll just take out my hard drive, and place it in another computer! Data saved.
  • [5] Anonymous, March 27, 2009 9:55 PM
    no.

    then it would just spread to the next one...

    the virus first is at the OS level and then flashes itself into the hardware/bios level... the original rootkit still is on the os level data... so you'd just spread it around if you did that

    do you not understand that? you'd have to reflash a completely new bios to it and in the newer dual bios chips get an entirely new chip... AND reformat the HDD... only way to get rid of a nasty thing like this once it gets inside your system
  • [0] wikiwikiwhat, March 27, 2009 10:02 PM
    April Fool's early?
  • [1] mdillenbeck, March 27, 2009 10:04 PM
    Hmmm, we all like the convenience of a flashable bios - but I wonder if this will encourage motherboard manufacturers to make some old-fashioned read-only bios models in the business class of motherboards. (Personally, I think I'd like that option as a home power user.)
  • [-3] judeh101, March 27, 2009 10:13 PM
    thogrom: no. then it would just spread to the next one... the virus first is at the OS level and then flashes itself into the hardware/bios level... the original rootkit still is on the os level data... so you'd just spread it around if you did that. do you not understand that? you'd have to reflash a completely new bios to it and in the newer dual bios chips get an entirely new chip... AND reformat the HDD... only way to get rid of a nasty thing like this once it gets inside your system

    I didn't make it clear enough, sorry :p
    you can put the hdd into another computer, then boot into dos with another hard drive, then retrieve data that way :)
  • [3] spuddyt, March 27, 2009 10:41 PM
    is it not possible to set a password, entirely separate from anything on the operating system, to disallow any bios access? That would seem the simplest solution.
  • [7] mrubermonkey, March 28, 2009 12:38 AM
    The virus is Skynet!
  • [2] fazers_on_stun, March 28, 2009 1:08 AM
    Some older mobos actually required a switch or jumper to be set before you could flash the BIOS. Clearly we have sacrificed security for convenience here..
  • [2] Anonymous, March 28, 2009 2:08 AM
    Jumpers and DIP switches are your friends.
  • [0] terror112, March 28, 2009 2:15 AM
    I foresee the end of the world...
  • [0] pirateboy, March 28, 2009 2:50 AM
    bios viruses aren't new, they have existed for years.
  • [0] rtfm, March 28, 2009 7:20 AM
    I'm with spuddy, just have the bios require a password (not in the os) to allow it to be flashed. So, you go to your BIOS, enter the password (or set the option) which allows flashing for this boot time only and away you go (easy really)......
  • [0] evade57, March 28, 2009 11:19 AM
    I'm pulling out my old Tandy 1000HX on April 1st.....
    BIOS can't be reflashed....
    OS can't be reflashed.....(on chip)
    Internet access WILL be difficult tho.....
    I like the Skynet comment....not far from the truth on many levels....
  • [1] christop, March 28, 2009 12:54 PM
    I hope this is just hype.. I don't want to replace my bios again...