Newfangled rootkits survive hard disk wiping, infect BIOS

Researchers have demonstrated how to create rootkits that survive hard-disk reformatting by injecting malware into the low-level system instructions of a target computer.
The researchers, from Core Security Technologies, used the techniques to inject rootkits into two computers, one running the OpenBSD operating system and the other Windows. Because the infection lives in the computer's BIOS, or basic input/output system, it persists even after the operating system is reinstalled or a computer's hard drive is replaced.


While researchers have focused on BIOS-based rootkits for at least three years, earlier techniques generally attacked specific types of BIOSes, such as those that used ACPI, or Advanced Configuration and Power Interface. The techniques demonstrated by the Core researchers work on virtually all types of systems, they said.

Of course, injecting code into the BIOS is no easy feat. It requires physical access to the machine or an exploit that hands an attacker unfettered root access. But the research, presented at last week's CanSecWest security conference by Anibal L. Sacco and Alfredo A. Ortega, does demonstrate that infections will only become harder to spot and remove over time.


Newfangled rootkits survive hard disk wiping - The Register
 
What if you are using Linux? Does that affect you too? :)

See this paragraph:
The researchers, from Core Security Technologies, used the techniques to inject rootkits into two computers, one running the OpenBSD operating system and the other Windows. Because the infection lives in the computer's BIOS, or basic input/output system, it persists even after the operating system is reinstalled or a computer's hard drive is replaced.

;).


Anyway, I wonder if this type of attack could be wiped if you were to update/flash the system's BIOS? If that were the case, then it'd be more of an inconvenience than anything, considering a BIOS flash takes about 30 seconds...
 
Anyway, I wonder if this type of attack could be wiped if you were to update/flash the system's BIOS? If that were the case, then it'd be more of an inconvenience than anything, considering a BIOS flash takes about 30 seconds...

Good point. If it is curable by a simple flash, that would make it easier to fix than if it were in the sys32 folder wreaking havoc. And would this affect the systems that have "dual BIOS" designed specifically for such a nasty? And would conventional AV not detect and eliminate said nasty?
 
Who said that a flash of the BIOS would cure it? Plus it is not so simple for everyone to do it, as not every motherboard has a Windows utility to do it.
 
Who said that a flash of the BIOS would cure it? Plus it is not so simple for everyone to do it, as not every motherboard has a Windows utility to do it.

Nobody said that a flash of the BIOS would cure it ;). We were both just wondering if it would work or not.

And you're right, not all boards have a utility to upgrade the BIOS. Most (if not all) OEM PCs have a utility to do it, however. With a lot of boards you're also able to put the BIOS file on a flash drive and upgrade that way (this is the way I do it, as my board has a built-in flash utility).

And would this affect the systems that have "dual BIOS" designed specifically for such a nasty?
Good question... I know my board has a dual BIOS, so I wonder if in theory the worm would infect just the primary BIOS? Or would it infect both BIOSes?
 
Yes, it would be good to know if that would work: not the flash for an update, but manually flashing the MB with the jumper back to the factory firmware settings.

Would this not kill said nasty?
 
We don't know. This is a concept. As stated in the article:

injecting code into the BIOS is no easy feat. It requires physical access to the machine or an exploit that hands an attacker unfettered root access.

So just makes you wonder about taking your machine to a service tech...
 