Solve: Malware in BIOS Threats?

Answer»

Can a virus get into your BIOS?
Yes.
This is not new information. This is an abridged summary of a Wikipedia article.
http://en.wikipedia.org/wiki/BIOS
Quote

Security
EEPROM chips are advantageous because they can be easily updated by the user; hardware manufacturers frequently issue BIOS updates to upgrade their products, ... more recent BIOSes use a "boot block"; a portion of the BIOS which runs first and must be updated separately. This code verifies if the rest of the BIOS is intact (using hash checksums or other methods) before transferring control to it. If the boot block detects any corruption in the main BIOS, it will typically warn the user ...

There are at least four known BIOS attack viruses, two of which were for demonstration purposes. The first one found in the wild was Mebromi, targeting Chinese users.

The first BIOS virus was CIH, whose name matches the initials of its creator, Chen Ing Hau. ... It was able to erase flash ROM BIOS content. Often, infected computers could no longer boot, and people had to remove the flash ROM IC from the motherboard and reprogram it. ...

Modern systems are not vulnerable to CIH because of a variety of chipsets being used which are incompatible with the Intel i430TX chipset, and also other flash ROM IC types. ... all modern operating systems such as FreeBSD, Linux, OS X, Windows NT-based Windows OS like Windows 2000, Windows XP and newer, do not allow user-mode programs to have direct hardware access.

As a result, as of 2008, CIH has become essentially harmless, at worst causing annoyance by infecting executable files and from antivirus software. Other BIOS viruses remain possible, however;[22] since most Windows home users without Windows Vista/7's UAC run all applications with administrative privileges,...the Linux kernel also prevents this direct hardware access by default,...

The second BIOS virus was a technique presented by John Heasman, principal security consultant for UK-based Next-Generation Security Software. In 2006, at the Black Hat Security Conference, he showed how to elevate privileges ...

The third BIOS virus was a technique called "Persistent BIOS infection." It appeared in 2009 at the CanSecWest Security Conference in Vancouver, and at the SyScan Security Conference in Singapore. Researchers ... demonstrated how to insert malicious code into the decompression routines in the BIOS, allowing for nearly full control of the PC at start-up ..."We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable antivirus."[24]
...
In a December 2013 interview with CBS 60 Minutes, Deborah Plunkett, Information Assurance Director for the US National Security Agency claimed that NSA analysts had uncovered and thwarted a possible BIOS attack by a foreign nation state. ... The segment further cites anonymous cyber security experts briefed on the operation as alleging the plot was conceived in China.[28] ...
There is an old saying, "If something can go wrong - it will."
EDIT: Question. Which motherboards have detachable BIOS chips?

They are all detachable with enough heat to get lead to flow!

If you're asking for socketed ones... I have seen some that come in sockets, but ever since they implemented rollback of BIOS on many motherboards, the need to remove a ROM chip that was flashed with a bad flash is not as much of a problem as in years past, where you created that bootable floppy and booted your system up and it was Flash and Pray, and a bad flash would kill the functionality of your motherboard, in which case your options were to get a replacement ROM and swap chips, since if you flashed the system with a bad ROM that didn't at least function to allow seeking of the floppy drive on boot, you were dead in the water. I have had friends who had this happen as a result of using worn 1.44MB floppy disks or dirty drives where the data read was corrupt, and there was no error checking of the ROM file before flashing. Back in those days this was an expensive mistake. I ran on whatever BIOS version came with the boards back then for fear that I would kill a Pentium 75 MHz and have to then go backwards to a 486 DX 66, which was not quite enough for the games that ran OK on the Pentium 75. If you look at the motherboard before buying it you can see if it has a socketed ROM or not. But these days there is rarely ever a need to swap the BIOS ROM chip.

Thanks. Some research shows new boards now have special EPROM. These chips have only eight legs and are easy to remove. Both ASUS and Gigabyte are using these. Maybe many others.

Quote from: patio on September 28, 2014, 05:08:02 PM
You should hang out in our Malware Forums and see how many instances are listed in the last 10 years before sounding a sheep's call...
With due respect, are you saying that it never happens? Or is it so rare that it should not be considered?
It is very, very hard to verify the presence of malware in the BIOS. This was a topic in the 2013 Black Hat thing.
http://www.blackhat.com/us-13/briefings.html
Also, InfoWorld did an article.
BadBIOS: Next-gen malware or digital myth?
Thanks for looking. 

Yes... that's what I was saying...

Quote from: Geek-9pm on September 28, 2014, 06:12:32 PM
It is very, very hard to verify the presence of malware in the BIOS. This was a topic in the 2013 Black Hat thing.

It's relatively easy. The BIOS ROM is usually shadowed and while it is going to require Ring 0 to read that memory directly, anti-virus and anti-malware programs already implement kernel-mode components for their AV features. The same heuristics already present for standard executable files can be applied to the BIOS code, because that BIOS code can be acquired.

The main problem in understanding BIOS infections is that people equivocate it with a rootkit. In reality, all BIOS interrupt vectors are replaced when the OS loads; so no BIOS code can run post-boot process. So once an OS is launched, that infected ROM will be fully visible by driver-level software that can read it. That could then be scanned. Additionally, because of the varied firmware/software present in a BIOS code, it cannot be infected in a way that is malicious; any malware that "infects" a BIOS will simply corrupt it.

You might expect, "ah, but then the system won't boot" but that is incorrect. Aside from the BIOS checksum being wrong and preventing it from being used, almost all modern systems have two BIOS chips. Mine does. My old PC does as well; the second BIOS chip is inaccessible and is switched to via differing methods within the solid state of the motherboard and chipset, and typically is implemented with a ROM rather than an EEPROM (or, an EEPROM for which no software method is exposed to make it writable). Any problem in the main BIOS would cause an error and the backup BIOS to be used. The backup BIOS being essentially the factory default BIOS. Most of the time it will only use the backup BIOS to perform a Flash and essentially rewrite the primary BIOS with that backup, then reboot the machine.

That is, an infectious design would need to be specifically coded to deal with the differences between various platforms; additionally, differing manufacturers and even models. For example a BIOS infector designed for my old PC (which has Dual BIOS) would not work on my current system because they are designed differently, and the checksums are stored in different locations and also use different calculations to come up with that checksum.

Quote
http://www.blackhat.com/us-13/briefings.html
the article covers TPM, which is a specified interface to provide a more secure system. TPM is supported on many systems however it bears mention that TPM requires a hardware dongle to be plugged into a TPM header on the motherboard of a system that supports it, and is never included with the motherboard (basically if TPM was required you would shop around for a module from different competitors).
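The boot-block integrity check quoted from Wikipedia above and the dual-BIOS fallback described in the post above can be modelled in a few lines. This is an added illustration, not code from the thread or from any vendor's firmware: the image layout (a 64-byte boot block holding a SHA-256 digest of the main region) and the function names are constructed for the example; real boot blocks use vendor-specific checksums and layouts.

```python
import hashlib

# Constructed layout for this example: the boot block occupies the first
# 64 bytes and stores a SHA-256 digest of everything after it (the "main BIOS").
BOOT_BLOCK_SIZE = 64
DIGEST_SIZE = 32


def build_image(main_code: bytes) -> bytes:
    """Assemble a firmware image: boot block (digest, zero-padded) + main region."""
    digest = hashlib.sha256(main_code).digest()
    boot_block = digest.ljust(BOOT_BLOCK_SIZE, b"\x00")
    return boot_block + main_code


def main_region_intact(image: bytes) -> bool:
    """The boot-block check: recompute the main region's hash and compare it
    with the value stored in the boot block. Note this only detects corruption;
    it resists tampering only if the boot block itself is write-protected,
    which is why the boot block "must be updated separately"."""
    stored = image[:DIGEST_SIZE]
    main = image[BOOT_BLOCK_SIZE:]
    return hashlib.sha256(main).digest() == stored


def corrupt_main_region(image: bytes, offset: int) -> bytes:
    """Simulate a bad flash: flip one byte inside the main region."""
    buf = bytearray(image)
    buf[BOOT_BLOCK_SIZE + offset] ^= 0xFF
    return bytes(buf)


def select_boot_image(primary: bytes, backup: bytes):
    """Dual-BIOS style selection: boot the primary if it verifies, otherwise
    fall back to the (read-only) backup image. Returns (source, image)."""
    if main_region_intact(primary):
        return "primary", primary
    if main_region_intact(backup):
        return "backup", backup
    raise RuntimeError("both primary and backup images fail verification")


if __name__ == "__main__":
    sample_main = b"\xea\x5b\xe0\x00\xf0" * 20   # constructed filler "code"
    good = build_image(sample_main)
    bad = corrupt_main_region(good, 3)
    print(select_boot_image(good, good)[0])  # primary
    print(select_boot_image(bad, good)[0])   # backup
```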

