
New BIOS Virus Withstands HDD Wipes

Computer viruses are nasty things. But the nasty just got nastier.

In many worst case scenarios, a hard drive wipe is the final solution to ridding a system of an infection. But the absolute worst case scenario is if a virus attacks the BIOS, making detection and cleaning an incredible challenge.

Viruses that target the BIOS aren’t new, but often they are specific to a type of hardware. Researchers have now demonstrated a new type of attack that could install a rootkit on the BIOS of common systems, making it very lethal and effective.

Anibal L. Sacco and Alfredo A. Ortega of Core Security Technologies released a presentation detailing this “persistent BIOS infection” exploit. Using a 100-line piece of code written in Python, a rootkit could be flashed into the BIOS and run completely independently of the operating system.

"We tested the system on the most common types of Bios," said Ortega in a vnunet story. "There is the possibility that newer types of Extensible Firmware Interface Bios may be resistant to the attack, but more testing is needed."

Flashing a system’s BIOS requires administrative control, but that could first be obtained through a more ‘innocent’ virus that could reside on the hard disk drive. Once an attacker has admin rights, the rootkit could be flashed onto the BIOS and would remain effective even if the original virus on the hard disk were removed. Even a complete format wouldn’t rid the system of the virus.

"You would need to reflash the Bios with a system that you know has not been tampered with," he said. "But if the rootkit is sophisticated enough it may be necessary to physically remove and replace the Bios chip."

There is a defense against such an attack, however: the researchers say that a password or a physical lock against BIOS flashing could block installation of the rootkit.

"The best approach is preventing the virus from flashing onto the Bios," said Sacco. "You need to prevent flashing of the bios, even if it means pulling out jumper on motherboard."
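The flash lock Sacco describes has a software-visible counterpart on Intel chipsets: the BIOS_CNTL register decides whether OS-level code with admin rights can write the BIOS region at all. The following check is an added example, not code from the article or from the Core Security researchers; the register layout (LPC bridge 00:1f.0, offset 0xDC, bits BIOSWE/BLE/SMM_BWP) and the setpci invocation are assumptions that hold for ICH/PCH-class Intel platforms and may not apply elsewhere.

```python
import subprocess

# Assumed bit layout of the Intel ICH/PCH BIOS_CNTL register (LPC bridge
# 00:1f.0, offset 0xDC). Other vendors and newer platforms differ.
BIOSWE = 1 << 0   # BIOS Write Enable: 1 = flash region writable from software
BLE = 1 << 1      # BIOS Lock Enable: 1 = setting BIOSWE raises an SMI
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: 1 = writes allowed only from SMM


def decode_bios_cntl(value: int) -> dict:
    """Return the protection state encoded in one BIOS_CNTL byte."""
    bioswe = bool(value & BIOSWE)
    ble = bool(value & BLE)
    smm_bwp = bool(value & SMM_BWP)
    # Treat the flash as locked when ring-0 code cannot simply flip BIOSWE:
    # BLE traps the attempt (assuming the SMI handler clears the bit again)
    # or SMM_BWP confines writes to SMM code.
    locked = (not bioswe) and (ble or smm_bwp)
    return {"BIOSWE": bioswe, "BLE": ble, "SMM_BWP": smm_bwp, "locked": locked}


def assess(value: int) -> str:
    """One-line verdict a defender can put in an inventory report."""
    state = decode_bios_cntl(value)
    if state["BIOSWE"]:
        return "WRITABLE: BIOS region is open to OS-level flashing tools"
    if state["locked"]:
        return "LOCKED: flashing needs more than admin rights on this host"
    return "UNLOCKED: admin code can set BIOSWE and flash the BIOS freely"


def read_bios_cntl() -> int:
    """Read the live register via setpci (root required; Intel LPC only)."""
    out = subprocess.check_output(
        ["setpci", "-s", "00:1f.0", "0xDC.B"], text=True)
    return int(out.strip(), 16)


if __name__ == "__main__":
    try:
        val = read_bios_cntl()
    except (OSError, subprocess.CalledProcessError) as exc:
        raise SystemExit(f"could not read BIOS_CNTL: {exc}")
    print(f"BIOS_CNTL=0x{val:02x} -> {assess(val)}")
```

A host reporting UNLOCKED or WRITABLE is exactly the case the article warns about: a rootkit that gains admin rights can flash itself in and survive a disk wipe.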

Check out the original slideshow presentation by the researchers here (PDF).

  • sacre
    Ok.. so this Virus literally destroys the Bios chip if advanced enough..

    EVERYONE! Quick! Buy stocks from the new company called "RYB (Replace your Bios) they will make Removable Bios chips from Mobo's, and they will be the Bios suppliers.. yup
    Reply
  • ...lol, guess what Conficker's April 1st update will bring. Bios flashing support :-\
    Reply
  • Shadow703793
    One thing I notice is that it's written in Python. Interesting choice for a virus language.
    Reply
  • Tekkamanraiden
    Guess it's time to switch to efi.
    Reply
  • pocketdrummer
    I wish it were easier to find virus makers. That's the one case I could justify the old law of cutting off peoples hands. Of course, then he'll probably buy Dragon Naturally Speaking and keep making them. I guess the tongue would be the 2nd offense, lol.
    Reply
  • eklipz330
    andertp...lol, guess what Conficker's April 1st update will bring. Bios flashing support :-\
    shh you might put ideas into their heads =
    Reply
  • judeh101
    I'll just take out my hard drive, and place it in another computer! Data saved.
    Reply
  • no.

    then it would just spread to the next one...

    the virus first is at the OS level and then flashes itself into the hardware/bios level... the original rootkit still is on the os level data... so you'd just spread it around if you did that

    do you not understand that? you'd have to reflash a completely new bios to it and in the newer dual bios chips get an entirely new chip... AND reformat the HDD... only way to get rid of a nasty thing like this once it gets inside your system
    Reply
  • wikiwikiwhat
    April Fool's early?
    Reply
  • mdillenbeck
    Hmmm, we all like the convenience of a flashable bios - but I wonder if this will encourage motherboard manufacturers to make some old-fashioned read-only bios models in the business class of motherboards. (Personally, I think I'd like that option as a home power user.)
    Reply