When BIOS updates become malware attacks


Sherri Davidoff, Contributor
06.18.2009


The BIOS, the firmware a computer runs during boot, has become an increasingly serious concern for security professionals. Today an attacker with administrative OS privileges can update, or "flash," the Basic Input/Output System over the Internet and install modified low-level firmware.

What's worse, researchers recently demonstrated that BIOS malware can attack multiple platforms and infect motherboards from many different manufacturers. BIOS-based malware has the potential to spread not only across various operating systems, but also across many different types of hardware, and these attacks are difficult, but not impossible, to detect and prevent.

The latest BIOS malware attack
In March at the CanSecWest security conference, held in Vancouver, researchers Alfredo Ortega and Anibal Sacco of Core Security Technologies Inc. demonstrated a generic BIOS attack that can inject malicious code into many different BIOS types. An attacker that compromised the BIOS in this way would have full control of the underlying firmware, regardless of the operating system.

Until now, common wisdom has been that the large variety of BIOS implementations means it is unfeasible for attackers to create portable, widespread BIOS malware. Core's researchers proved this wrong. According to Core's CTO, Ivan Arce, the researchers identified a specific section of BIOS code -- a decompression routine -- used in the majority of motherboards. BIOS code is stored compressed so that it takes up less space, and code must be decompressed before it runs. The decompression routine is exactly the same in many different motherboards. This gives attackers a single snippet of code that they can target in order to compromise many different BIOSes. The result? For the first time, researchers showed that BIOS-level malware can practically infect a wide variety of hardware.

To demonstrate, the researchers injected code into the generic BIOS decompression routine of a commercial BIOS, and updated the corresponding checksums in the firmware. Then they re-flashed the BIOS and successfully demonstrated booting a Windows computer, as well as a separate VMware guest running OpenBSD.

An attacker that compromised the BIOS in this fashion could execute code at every boot and install a traditional rootkit on the system's hard drive. Even if the hard drive were completely wiped and the operating system re-installed, the BIOS malware could simply re-infect it.

A history of BIOS malware attacks
Early BIOS versions were stored in read-only memory and could not be altered by a user (or an attacker). Over time, manufacturers switched to electrically erasable formats, such as flash memory, so that users could upgrade, or "flash," the BIOS when necessary.

Rudimentary BIOS attacks have been around for more than a decade. Back in 1999, the infamous Chernobyl virus, or CIH virus, decimated at least 700,000 systems worldwide. The Chernobyl malware was designed to overwrite the hard drive and erase the flash BIOS for motherboards that use the Pentium 430TX chipset. The Korean Supreme Court, Turkish police departments and many private companies suffered data destruction.

Chernobyl's spread was partly attributed to legitimate manufacturers such as IBM, Yamaha Corp. and Activision Inc. (as well as software pirates) who unknowingly distributed the virus in commercial products. However, Chernobyl's effect on BIOSes was limited, since it could only affect a specific chipset, and the payload was unsophisticated.

Nowadays, modern BIOS attacks have the potential to be extremely stealthy and portable. To make upgrading more convenient, manufacturers and third parties have worked to make BIOS updates easier. But as always, with convenience comes risk. There are many free BIOS-flashing utilities that will scan a system and install the latest BIOS from the Internet. BIOS updates hosted by third-party sites may be infected, and the BIOS update tools themselves may be malicious. Manufacturers usually provide updates over unauthenticated HTTP and FTP connections, leaving users vulnerable to man-in-the-middle attacks.

Unfortunately, only a small percentage of manufacturers cryptographically sign their BIOS updates, and few motherboards can verify signatures. The result is that users cannot confirm that they have downloaded a manufacturer-approved BIOS. Moreover, attackers can leverage standard infection vectors to execute their own BIOS-flashing utilities, without the knowledge of the user.

How to detect and prevent BIOS infections
Detecting BIOS infections is difficult. It's possible to calculate the cryptographic hash of a known, trusted BIOS, and compare that to the BIOS that is actually installed. However, as Ivan Arce of Core Security has pointed out, sophisticated BIOS malware may try to evade that check.
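The hash comparison described above, as an added example that is not part of the original article: it checks a dumped BIOS image against a known-good reference image and, on a mismatch, reports which flash blocks were altered. The image contents are constructed stand-ins; in practice the reference comes from the manufacturer and the dump from a hardware programmer, since a dump taken through an infected firmware cannot be trusted to be accurate.

```python
import hashlib

# Flash is typically erased and rewritten in 4 KiB blocks, so report differences at that granularity.
BLOCK_SIZE = 4096


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_bios_images(trusted: bytes, dumped: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Compare a dumped BIOS image against a known-good reference image.

    Returns the SHA-256 of both images, whether they match, whether the sizes
    differ, and the list of (offset, length) blocks whose contents differ.
    A size mismatch alone is already suspicious: a legitimate image for the
    same part should be exactly as large as the flash chip.
    """
    result = {
        "trusted_sha256": sha256_hex(trusted),
        "dumped_sha256": sha256_hex(dumped),
        "size_mismatch": len(trusted) != len(dumped),
        "modified_blocks": [],
    }
    result["match"] = result["trusted_sha256"] == result["dumped_sha256"]
    if result["match"]:
        return result
    longest = max(len(trusted), len(dumped))
    for off in range(0, longest, block_size):
        # Slicing past the end yields b"", so a truncated image shows up as modified blocks.
        if trusted[off:off + block_size] != dumped[off:off + block_size]:
            result["modified_blocks"].append((off, block_size))
    return result


def build_sample_images():
    """Constructed sample data: a 64 KiB stand-in for a BIOS image and a copy
    with a few bytes changed inside the block at offset 0x3000 (hypothetical)."""
    trusted = bytes((i * 31 + 7) & 0xFF for i in range(64 * 1024))
    tampered = bytearray(trusted)
    tampered[0x3010:0x3014] = b"\x90\x90\x90\x90"
    return trusted, bytes(tampered)


if __name__ == "__main__":
    reference, dump = build_sample_images()
    report = compare_bios_images(reference, dump)
    print("match:", report["match"], "size mismatch:", report["size_mismatch"])
    for off, length in report["modified_blocks"]:
        print(f"modified block at 0x{off:06X} ({length} bytes)")
```

Detection that relies on this check should treat it as one signal among several: as the article notes, firmware that controls the dump path can return a clean image while running modified code.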

There are two ways to consistently prevent BIOS infection. First, you can physically set the BIOS to be non-writable. This often involves setting a jumper on the motherboard, which will physically prevent BIOS alterations. For enterprises that perform remote BIOS updates, configuring physical BIOS write-protection would be a big step backwards in terms of maintenance efficiency (although the effort involved in cleaning up after a BIOS infection might be greater).

Second, the emergence of Trusted Platform Module (TPM) standards and similar initiatives means that some new equipment supports hardware-based BIOS integrity checking. Using a hardware cryptographic key that is burned into the chip at production, TPM-based computers can verify that BIOSes are manufacturer-approved and have not been modified.

Two decades ago, we learned the hard way that operating systems can be infected with viruses en masse. It took time for attackers to leverage vulnerabilities, and for the antivirus industry to respond accordingly. BIOS-based malware is just another step in the arms race. An enormous amount of non-TPM equipment is still being produced, and BIOS manufacturers take few if any precautions regarding BIOS update distribution.

As BIOS modification becomes easier and as more portable attacks are developed, BIOS malware will undoubtedly emerge. Security pros must remain vigilant, encourage implementation of trusted computing infrastructures, and leverage them when they exist.

About the author:
Sherri Davidoff is the co-author of the new SANS class "Sec558: Network Forensics" and author of Philosecurity. She is a GIAC-certified forensic examiner and penetration tester. She provides security consulting for many types of organizations, including legal, financial, healthcare, manufacturing, academic and government institutions.
