Researchers unveil persistent BIOS attack methods

Apply all of the browser, application and OS patches you want, your machine still can be completely and silently compromised at the lowest level--without the use of any vulnerability.

That was the rather sobering message delivered by a pair of security researchers from Core Security Technologies in a talk at the CanSecWest conference on methods for infecting the BIOS with persistent code that will survive reboots and reflashing attempts. Anibal Sacco and Alfredo Ortega (above) demonstrated a method for patching the BIOS with a small bit of code that gave them complete control of the machine. And the best part is, the method worked on a Windows machine, a PC running OpenBSD and another running VMware Player.

"It was very easy. We can put the code wherever we want," said Ortega. "We're not using a vulnerability in any way. I'm not sure if you understand the impact of this. We can reinfect the BIOS every time it reboots."

Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope. But the methods are deadly effective and the pair are currently working on a BIOS rootkit to implement the attack.

"We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable antivirus," Ortega said.

The work by the Core team follows on to research done on persistent rootkits by John Heasman of NGSS, who was able to devise a method for placing rootkits on PCs using the memory space on PCI cards. In a presentation at Black Hat DC in 2007, Heasman showed a completely working method for loading the malware on to a PCI card by using the flashable ROM on the device. He also had a way to bypass the Windows NT kernel and create fake stack pointers.

In an interview at the time, he told me: "At that point it's game over. We're executing 32-bit code in ring zero."

As application and operating system protection mechanisms continue to become more sophisticated and more difficult to evade, expect to see more and more attacks targeting the hardware and low-level software, where there are still opportunities for success.
http://threatpost.com/blogs/researchers-unveil-persistent-bios-attack-methods
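The article describes the attack but not what a defender can do about it. The following is an added example, not code from the article or from the Core or NGSS researchers: two offline checks on a firmware dump. It diffs the dump byte by byte against a known-good ("golden") image taken from the same board, and it scans for PCI option ROM images (the Heasman vector: 0x55AA header plus a "PCIR" data structure) and verifies the legacy x86 checksum of each, which a crude in-place patch breaks. The sample images, vendor/device IDs and the patched-in NOPs are all constructed here for the demo. It assumes you already have a golden image and a fresh dump, for instance read with flashrom (`flashrom -p internal -r dump.bin`) or, preferably, an external SPI programmer.

```python
"""Added example (not from the article or the Core/NGSS research): offline
checks on a firmware dump. Diffs the dump against a golden image and flags
PCI option ROM images whose legacy checksum no longer balances.
All sample images below are constructed test data, not real vendor firmware."""
import struct

OPTION_ROM_SIG = b"\x55\xAA"   # PCI expansion ROM header signature


def diff_regions(golden, dump, merge_gap=16):
    """Half-open [start, end) byte ranges where dump differs from golden.
    Differences closer than merge_gap bytes are merged into one range; a
    length mismatch is reported as a trailing range."""
    n = min(len(golden), len(dump))
    regions = []
    for base in range(0, n, 4096):
        end = min(base + 4096, n)
        if golden[base:end] == dump[base:end]:
            continue                      # fast path: whole chunk identical
        for i in range(base, end):
            if golden[i] == dump[i]:
                continue
            if regions and i - regions[-1][1] <= merge_gap:
                regions[-1] = (regions[-1][0], i + 1)
            else:
                regions.append((i, i + 1))
    if len(golden) != len(dump):
        regions.append((n, max(len(golden), len(dump))))
    return regions


def find_option_roms(image):
    """Locate PCI option ROM images (0x55AA header + 'PCIR' structure) anywhere
    in the image and verify the legacy x86 checksum of each one found."""
    roms = []
    off = image.find(OPTION_ROM_SIG)
    while off != -1:
        if off + 0x1A <= len(image):
            # offset 0x18 of the header points at the PCI data structure
            p = off + struct.unpack_from("<H", image, off + 0x18)[0]
            if p + 0x18 <= len(image) and image[p:p + 4] == b"PCIR":
                vendor, device = struct.unpack_from("<HH", image, p + 4)
                length = struct.unpack_from("<H", image, p + 0x10)[0] * 512
                code_type = image[p + 0x14]
                body = image[off:off + length]
                roms.append({
                    "offset": off, "length": length,
                    "vendor": vendor, "device": device, "code_type": code_type,
                    # x86 legacy images (code type 0) must sum to 0 mod 256
                    "checksum_ok": code_type != 0 or sum(body) % 256 == 0,
                })
        off = image.find(OPTION_ROM_SIG, off + 1)
    return roms


def build_option_rom(init_code, vendor=0x1234, device=0x5678):
    """Construct one 512-byte x86 option ROM with a balancing checksum byte.
    Constructed test data; the IDs are placeholders, not a real device."""
    rom = bytearray(512)
    rom[0:2] = OPTION_ROM_SIG
    rom[2] = 1                                   # image size in 512-byte units
    rom[3:3 + len(init_code)] = init_code        # BIOS jumps to offset 3
    pcir = 0x40
    struct.pack_into("<H", rom, 0x18, pcir)      # pointer to PCI data structure
    rom[pcir:pcir + 4] = b"PCIR"
    struct.pack_into("<HH", rom, pcir + 4, vendor, device)
    struct.pack_into("<H", rom, pcir + 0x0A, 0x18)   # PCIR structure length
    struct.pack_into("<H", rom, pcir + 0x10, 1)      # image length, 512-byte units
    rom[pcir + 0x14] = 0                         # code type 0: x86 legacy
    rom[pcir + 0x15] = 0x80                      # indicator bit 7: last image
    rom[511] = (-sum(rom[:511])) & 0xFF          # make the whole image sum to 0
    return bytes(rom)


# Constructed "golden" flash image: padding, one option ROM at 0x400, padding.
GOLDEN = b"\xFF" * 1024 + build_option_rom(b"\xEB\xFE") + b"\xFF" * 1024


def tampered_copy(image, rom_offset=1024):
    """Simulate a naive in-place patch of the ROM entry point (three NOPs)
    without rebalancing the checksum. Constructed for the demo."""
    dump = bytearray(image)
    dump[rom_offset + 3:rom_offset + 6] = b"\x90\x90\x90"
    return bytes(dump)


def audit(golden, dump):
    """Modified byte ranges plus every option ROM whose checksum fails."""
    return {
        "modified": diff_regions(golden, dump),
        "bad_roms": [r for r in find_option_roms(dump) if not r["checksum_ok"]],
    }


if __name__ == "__main__":
    result = audit(GOLDEN, tampered_copy(GOLDEN))
    for start, end in result["modified"]:
        print(f"modified bytes: 0x{start:06x}-0x{end:06x}")
    for r in result["bad_roms"]:
        print(f"option ROM at 0x{r['offset']:06x} "
              f"({r['vendor']:04x}:{r['device']:04x}): checksum FAILED")
```

Two caveats worth keeping in mind. The checksum test only catches sloppy patching; an implant that rebalances the checksum byte, or that rewrites the whole ROM cleanly from the OS as the article describes, passes it, and only the diff against a golden image catches that. And a dump read through software on a machine you suspect is already compromised can be lied to by the very code you are looking for, so the golden image and the suspect dump are both best taken with an external programmer rather than from inside the running system.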
 
"We're executing 32-bit code in ring zero"

So it doesn't work for Vista x64 then?

Still and as always... a vulnerability/exploit without a viable delivery mechanism is not really a vulnerability, yet.
 
"We're executing 32-bit code in ring zero"

So it doesn't work for Vista x64 then?

Still and as always... a vulnerability/exploit without a viable delivery mechanism is not really a vulnerability, yet.

If someone downloads an infected file it could get in that way, which is a viable delivery system & the most commonly used for nasties.
"We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable antivirus," Ortega said.
 
If someone downloads an infected file it could get in that way, which is a viable delivery system & the most commonly used for nasties.

Sure but until that file is executed AND the user clicks to authorise the UAC dialog to let it execute with administrator rights... then it's not going anywhere.

This is not a viable delivery mechanism. Any malware that relies on this isn't really going to make it into the big time.
 
So basically you need to trick the target into installing a driver which dumps the rootkit onto the BIOS. If you manage to trick someone into installing something you practically own the machine anyway.

I was interested to know how it could "survive a re-flash" which just sounded wrong so I thought about it and I think they mean if you re-flash the BIOS and then boot the infected operating system again it would re-infect the machine. This doesn't sound as scary as the article makes out.

Anyway as always, downloading from trusted sources and not routinely running as admin will be enough to keep safe. Interesting read though.
 