March 23rd, 2009

Researchers demo BIOS attack that survives hard-disk wipe

Posted by Ryan Naraine @ 4:48 am

A pair of Argentine researchers have found a way to perform a BIOS-level malware attack capable of surviving even a hard-disk wipe.

The researchers, Alfredo Ortega and Anibal Sacco from Core Security Technologies, used the stage at last week's CanSecWest conference to demonstrate methods (slides, PDF) for infecting the BIOS with persistent code that will survive reboots and reflashing attempts. The technique involves patching the BIOS with a small piece of code that gives them complete control of the machine. The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player.

According to Dennis Fisher's report:

“It was very easy. We can put the code wherever we want,” said Ortega. “We’re not using a vulnerability in any way. I’m not sure if you understand the impact of this. We can reinfect the BIOS every time it reboots.”

Sacco and Ortega stressed that in order to execute the attacks you need either root privileges or physical access to the machine in question, which limits the attack's scope. But the methods are highly effective, and the pair are currently working on a BIOS rootkit to implement the attack.

“We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable anti-virus,” Ortega said.

Rob Lemos at SecurityFocus explains that the attack requires a machine that is already compromised; the worrying part is that it prevents a defender from easily removing the attacker's program or rootkit.

“You can remove the hard drive, trash it, and even reinstall the operating system,” Sacco said. “This will still reinstall the rootkit.”

Back in 2006, NGSS researcher John Heasman found a way to use a PCI device's expansion ROM to plant a rootkit on Windows machines. Heasman's paper: Implementing and Detecting a PCI Rootkit (PDF).
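Both pieces of research target legacy firmware images whose only built-in integrity check is an additive checksum: the system BIOS will execute a PCI expansion ROM only if all of its bytes sum to zero modulo 256. The C program below is an added example, not code from Sacco, Ortega, Heasman or this post. It parses a constructed PCI expansion ROM header, shows that a naive patch of the entry point breaks the checksum and that rewriting a single byte restores it, and then shows the check that actually catches the modification: comparing the dumped image against a known-good copy. The ROM layout, the vendor and device IDs and the one-byte 0xCB stub are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ROM_BLOCK    512     /* option ROM sizes are counted in 512-byte units */
#define PCIR_MIN_LEN 0x18    /* bytes of the "PCIR" data structure that we read */

enum { ROM_OK = 0, ROM_ERR_SHORT, ROM_ERR_SIG, ROM_ERR_PCIR, ROM_ERR_CSUM, ROM_ERR_RANGE };

typedef struct {
    size_t   image_len;   /* bytes, from the block count at offset 2 */
    uint32_t entry;       /* the 3-byte entry field at offset 3, usually a jmp rel16 */
    uint16_t vendor_id;
    uint16_t device_id;
    uint8_t  byte_sum;    /* sum of every byte mod 256; the BIOS requires 0 */
} rom_info_t;

/* Parse the legacy PCI expansion ROM header and verify the additive checksum. */
int rom_parse(const uint8_t *img, size_t len, rom_info_t *out)
{
    if (len < 0x1A) return ROM_ERR_SHORT;
    if (img[0] != 0x55 || img[1] != 0xAA) return ROM_ERR_SIG;
    size_t image_len = (size_t)img[2] * ROM_BLOCK;
    if (image_len == 0 || image_len > len) return ROM_ERR_SHORT;
    size_t pcir = (size_t)img[0x18] | ((size_t)img[0x19] << 8);
    if (pcir + PCIR_MIN_LEN > image_len || memcmp(img + pcir, "PCIR", 4) != 0) return ROM_ERR_PCIR;
    out->image_len = image_len;
    out->entry     = (uint32_t)img[3] | ((uint32_t)img[4] << 8) | ((uint32_t)img[5] << 16);
    out->vendor_id = (uint16_t)(img[pcir + 4] | (img[pcir + 5] << 8));
    out->device_id = (uint16_t)(img[pcir + 6] | (img[pcir + 7] << 8));
    uint8_t sum = 0;
    for (size_t i = 0; i < image_len; i++) sum = (uint8_t)(sum + img[i]);
    out->byte_sum = sum;
    return sum == 0 ? ROM_OK : ROM_ERR_CSUM;
}

/* Re-balance the checksum by rewriting the last byte (a common, not mandated, location). */
void rom_fix_checksum(uint8_t *img, size_t image_len)
{
    uint8_t sum = 0;
    img[image_len - 1] = 0;
    for (size_t i = 0; i < image_len; i++) sum = (uint8_t)(sum + img[i]);
    img[image_len - 1] = (uint8_t)(0u - sum);
}

/* Attacker step, simplified: drop a stub at stub_off and point the entry jmp at it.
 * The stub is a lone retf (0xCB), a placeholder standing in for an implant. */
int rom_patch_entry(uint8_t *img, size_t image_len, size_t stub_off)
{
    if (stub_off < 0x40 || stub_off >= image_len - 1) return ROM_ERR_RANGE;
    uint16_t rel = (uint16_t)(stub_off - 6);   /* jmp rel16 is relative to the byte after it */
    img[stub_off] = 0xCB;
    img[3] = 0xE9; img[4] = (uint8_t)rel; img[5] = (uint8_t)(rel >> 8);
    return ROM_OK;
}

/* Defender check: compare the dumped image to a known-good copy byte for byte. */
int rom_matches_golden(const uint8_t *img, const uint8_t *golden, size_t len)
{
    return memcmp(img, golden, len) == 0;
}

/* Build a constructed one-block image with a valid header, PCIR block and checksum. */
size_t build_sample_rom(uint8_t *buf, size_t cap)
{
    if (cap < ROM_BLOCK) return 0;
    memset(buf, 0, ROM_BLOCK);
    buf[0] = 0x55; buf[1] = 0xAA; buf[2] = 1;        /* signature, 1 x 512 bytes */
    buf[3] = 0xE9; buf[4] = 0x3A; buf[5] = 0x00;     /* jmp 0x40 (rel16 = 0x40 - 6) */
    buf[0x40] = 0xCB;                                /* init routine: retf, does nothing */
    buf[0x18] = 0x20; buf[0x19] = 0x00;              /* PCIR structure lives at 0x20 */
    memcpy(buf + 0x20, "PCIR", 4);
    buf[0x24] = 0x34; buf[0x25] = 0x12;              /* vendor 0x1234 (constructed) */
    buf[0x26] = 0x78; buf[0x27] = 0x56;              /* device 0x5678 (constructed) */
    buf[0x2A] = PCIR_MIN_LEN; buf[0x2B] = 0x00;      /* PCIR length */
    buf[0x30] = 1; buf[0x31] = 0;                    /* image length, 512-byte units */
    buf[0x35] = 0x80;                                /* indicator: last image */
    rom_fix_checksum(buf, ROM_BLOCK);
    return ROM_BLOCK;
}

/* Walk the whole scenario; returns 0 on success, otherwise the step that failed. */
int run_demo(void)
{
    uint8_t rom[ROM_BLOCK], golden[ROM_BLOCK];
    rom_info_t info;
    if (build_sample_rom(rom, sizeof rom) != ROM_BLOCK) return 1;
    memcpy(golden, rom, sizeof rom);
    if (rom_parse(rom, sizeof rom, &info) != ROM_OK) return 2;        /* clean image passes */
    if (rom_patch_entry(rom, sizeof rom, 0x100) != ROM_OK) return 3;
    if (rom_parse(rom, sizeof rom, &info) != ROM_ERR_CSUM) return 4;  /* naive patch breaks the sum */
    rom_fix_checksum(rom, sizeof rom);
    if (rom_parse(rom, sizeof rom, &info) != ROM_OK) return 5;        /* one byte later it passes again */
    if (rom_matches_golden(rom, golden, sizeof rom)) return 6;        /* only the golden copy catches it */
    return 0;
}

int main(void)
{
    printf("demo result: %d\n", run_demo());
    return 0;
}
```

The point of the walk-through is that the ROM's own checksum is a transport check, not an integrity control: an attacker who can write the image can re-balance it in one byte. A defender has to dump the image from the part and compare it with a trusted copy or a vendor signature, which is the same reason the BIOS implant described above cannot be found by looking at the disk.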

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

Talkback

Supports Windows & Mac OS
But not Linux - well not yet anyway. But it could someday. If it's in the BIOS and pulls the right strings then it could be used with any OS. However, my albeit limited research suggests they are tar... (Read the rest)
Posted by: mrgoose, 08/03/09 (edited 08/04/09 @ 03:43)