[Infowarrior] - Researchers unveil persistent BIOS attack methods

Richard Forno rforno at infowarrior.org
Mon Mar 23 19:55:20 UTC 2009


March 19, 2009, 11:41 AM
Researchers unveil persistent BIOS attack methods
By Dennis Fisher
http://threatpost.com/blogs/researchers-unveil-persistent-bios-attack-methods

Apply all of the browser, application and OS patches you want; your  
machine can still be completely and silently compromised at the lowest  
level, without the use of any vulnerability.

That was the rather sobering message delivered by a pair of security  
researchers from Core Security Technologies in a talk at the  
CanSecWest conference on methods for infecting the BIOS with  
persistent code that survives reboots and reflashing attempts.  
Anibal Sacco and Alfredo Ortega demonstrated a method for  
patching the BIOS with a small piece of code that gave them complete  
control of the machine. And the best part is, the method worked on a  
Windows machine, a PC running OpenBSD and another running VMware Player.

"It was very easy. We can put the code wherever we want," said Ortega.  
"We're not using a vulnerability in any way. I'm not sure if you  
understand the impact of this. We can reinfect the BIOS every time it  
reboots."

Sacco and Ortega stressed that in order to execute the attacks, you  
need either root privileges or physical access to the machine in  
question, which limits their scope. But the methods are devastatingly  
effective, and the pair are currently working on a BIOS rootkit to  
implement the attack.

"We can patch a driver to drop a fully working rootkit. We even have a  
little code that can remove or disable antivirus," Ortega said.

The work by the Core team follows on from research done on persistent  
rootkits by John Heasman of NGSS, who devised a method for  
placing rootkits on PCs using the memory space on PCI cards. In a  
presentation at Black Hat DC in 2007, Heasman showed a completely  
working method for loading the malware onto a PCI card by using the  
flashable ROM on the device. He also had a way to bypass the Windows  
NT kernel and create fake stack pointers.

In an interview at the time, he told me: "At that point it's game  
over. We're executing 32-bit code in ring zero."
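Neither the Core BIOS patch nor Heasman's PCI ROM implant has to break any integrity control, because legacy firmware images carry only a checksum, and whoever writes the image controls the checksum. The following added example (not code from the article, from Core Security or from NGSS) models that with the legacy PCI expansion ROM format: the image starts with the bytes 0x55 0xAA, byte 2 gives the image length in 512-byte units, and all bytes of the image must sum to zero modulo 256. The ROM payload, the implant bytes and the patch offset are constructed placeholders; the checksum fix-up and the comparison against a known-good image are the point.

```python
"""Legacy option ROM: header checksum versus a known-good baseline.

Added example, not from the article. Format facts used:
  bytes 0-1  : 0x55 0xAA signature
  byte 2     : image length in 512-byte units
  whole image: byte sum mod 256 must be 0 (last byte is the fix-up byte)
Payload, implant bytes and offsets below are constructed placeholders.
"""
import hashlib

ROM_BLOCK = 512


def rom_checksum_fixup(image: bytearray) -> bytearray:
    """Set the last byte so that the image's byte sum is 0 mod 256."""
    image[-1] = 0
    image[-1] = (-sum(image)) & 0xFF
    return image


def make_rom(payload: bytes, blocks: int = 1) -> bytes:
    """Build a constructed option ROM of `blocks` * 512 bytes around `payload`."""
    size = blocks * ROM_BLOCK
    if len(payload) + 4 > size:  # header (3) + checksum byte (1)
        raise ValueError("payload does not fit in the image")
    img = bytearray(size)
    img[0], img[1], img[2] = 0x55, 0xAA, blocks
    img[3:3 + len(payload)] = payload
    return bytes(rom_checksum_fixup(img))


def rom_header_ok(image: bytes) -> bool:
    """The check a legacy BIOS performs before jumping into the ROM."""
    if len(image) < 4 or image[0] != 0x55 or image[1] != 0xAA:
        return False
    declared = image[2] * ROM_BLOCK
    if declared == 0 or declared > len(image):
        return False
    return (sum(image[:declared]) & 0xFF) == 0


def implant(image: bytes, offset: int, code: bytes) -> bytes:
    """Patch `code` into the ROM and re-fix the checksum, as an attacker would."""
    if offset < 3 or offset + len(code) >= len(image):
        raise ValueError("patch would overwrite the header or the checksum byte")
    img = bytearray(image)
    img[offset:offset + len(code)] = code
    return bytes(rom_checksum_fixup(img))


def diff_regions(baseline: bytes, sample: bytes):
    """Return [(start, end), ...] byte ranges where sample differs from baseline."""
    regions, start = [], None
    n = max(len(baseline), len(sample))
    for i in range(n):
        a = baseline[i] if i < len(baseline) else None
        b = sample[i] if i < len(sample) else None
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, n))
    return regions


def verify_against_baseline(sample: bytes, baseline_sha256: str) -> bool:
    """Detection that the attacker cannot satisfy by fixing up a checksum."""
    return hashlib.sha256(sample).hexdigest() == baseline_sha256


# Constructed "known-good" ROM: a jmp-to-self followed by NOPs as a stand-in payload.
GOOD = make_rom(b"\xEB\xFE" + b"\x90" * 30)
GOOD_SHA256 = hashlib.sha256(GOOD).hexdigest()  # recorded when the card was trusted

# Constructed implant: marker bytes standing in for rootkit code, patched at 0x40.
BAD = implant(GOOD, 0x40, b"\xCC" * 8)


def report(baseline: bytes, baseline_sha256: str, sample: bytes) -> dict:
    """Summarise what each check says about `sample`."""
    return {
        "header_ok": rom_header_ok(sample),
        "matches_baseline": verify_against_baseline(sample, baseline_sha256),
        "changed_regions": diff_regions(baseline, sample),
    }


if __name__ == "__main__":
    print("good:", report(GOOD, GOOD_SHA256, GOOD))
    print("bad: ", report(GOOD, GOOD_SHA256, BAD))
```

`rom_header_ok` accepts both images, because re-fixing the checksum is part of writing the implant; only the comparison against a trusted baseline (or a signature the attacker cannot forge) reveals the patch, and `diff_regions` then shows two changed ranges, the implant itself and the checksum byte. The same approach applies to a system BIOS dump, with one caveat: a rootkit in the running OS can lie about flash contents, so the dump should be taken with an external flash reader rather than from the suspect system.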

As application and operating system protection mechanisms continue to  
become more sophisticated and more difficult to evade, expect to see  
more and more attacks targeting the hardware and low-level software,  
where there are still opportunities for success.


