Researchers unveil persistent BIOS attack methods

posted on Jul, 31 2009 @ 01:00 PM

Apply all of the browser, application and OS patches you want, your machine still can be completely and silently compromised at the lowest level--without the use of any vulnerability.

That was the rather sobering message delivered by a pair of security researchers from Core Security Technologies in a talk at the CanSecWest conference on methods for infecting the BIOS with persistent code that will survive reboots and reflashing attempts. Anibal Sacco and Alfredo Ortega (above) demonstrated a method for patching the BIOS with a small bit of code that gave them complete control of the machine. And the best part is, the method worked on a Windows machine, a PC running OpenBSD and another running VMware Player.

"It was very easy. We can put the code wherever we want," said Ortega. "We're not using a vulnerability in any way. I'm not sure if you understand the impact of this. We can reinfect the BIOS every time it reboots."

Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope. But the methods are deadly effective and the pair are currently working on a BIOS rootkit to implement the attack.

"We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable antivirus," Ortega said.

The work by the Core team follows on to research done on persistent rootkits by John Heasman of NGSS, who was able to devise a method for placing rootkits on PCs using the memory space on PCI cards. In a presentation at Black Hat DC in 2007, Heasman showed a completely working method for loading the malware on to a PCI card by using the flashable ROM on the device. He also had a way to bypass the Windows NT kernel and create fake stack pointers.

In an interview at the time, he told me: "At that point it's game over. We're executing 32-bit code in ring zero."

As application and operating system protection mechanisms continue to become more sophisticated and more difficult to evade, expect to see more and more attacks targeting the hardware and low-level software, where there are still opportunities for success.

Let me see if I can get across at least some of the potential implications of this to the average reader, who may not understand fully what this means.

The fact that these attacks can actually survive a reflashing of the BIOS is serious indeed. It means that using these methods someone can compromise any Windows machine at its lowest level: behind your operating system, as these attacks are OS independent. And that probably means (I would guess) they can affect Macs or Linux systems just as easily. They run before your operating system even loads or boots up, and way before you ever see a Windows desktop.

Now you can bet every hacker from here to the moon is chomping at the bit (no pun intended) to get their hands on this source code. Because with it they can bypass all antivirus software, no matter how good, and do whatever they want since they are operating this code outside of, and independent of, the Operating System.

I can only imagine that the NSA/FBI/CIA and other intelligence agencies have probably already figured this out long ago, and have been able to compromise machines at will.

One keylogger implanted in this code for example would go completely undetected by anything you throw at it, and could be used to steal any keystroke you ever entered. This includes online banking passwords to your bank account.

So what's the solution to this problem? It would seem to me from reading this that hardware manufacturers are going to have to get on the ball quickly and seal these hardware-based holes in their products. When you are dealing with low-level hardware vulnerabilities like these, it is way beyond the typical anti-virus issue.

It may require going back to non-flashable BIOS ROM chips instead of EPROM chips so that no writing whatsoever is possible to these critical chips. The downside to that of course is that users will not be able to do certain things like be able to accommodate a new CPU for example which otherwise uses the same pin configuration, and would therefore be upgradeable.

Personally I would rather give up whatever upgrade and compatibility benefits EPROMs offer in much bigger favor of totally secure, non-writable ROMs. How many of you users have ever flashed your BIOS anyway? These days, as fast as technology moves, by the time you are ready to flash your BIOS to install the latest CPU (assuming the new CPU is beyond the capability of the motherboard), they have changed pin configurations on the CPUs anyway, rendering your motherboard obsolete if you want the new CPU.

So flashable BIOS was only of limited use to begin with. A ROM (Read Only Memory) chip cannot be written to once it is etched at the factory, thereby eliminating or very severely reducing the possibilities of any code like this being run on your machine.

[edit on Fri Jul 31st 2009 by TrueAmerican]
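The thread notes that antivirus running inside the OS cannot see a patched BIOS, so the practical check is out-of-band: dump the flash chip and diff it against the vendor's known-good image. The following is an added example (not code from the article, the researchers, or this thread) that reports the modified byte ranges of a dumped firmware image while ignoring a region that firmware legitimately rewrites; the images, offsets and the NVRAM range are constructed sample values.

```python
import hashlib

# Constructed sample: a 4 KiB "vendor firmware image" and a "dumped" copy of it.
# Real BIOS images are megabytes, obtained from the vendor download and from a
# hardware flash reader; the offsets below are made up for illustration.
VENDOR_IMAGE = bytes(range(256)) * 16          # 4096 bytes, known-good baseline
NVRAM_REGION = (0x0800, 0x0100)                # (offset, length) the firmware itself rewrites


def patch(image: bytes, offset: int, data: bytes) -> bytes:
    """Return a copy of image with data written at offset (builds test data only)."""
    return image[:offset] + data + image[offset + len(data):]


# The dump differs in the NVRAM settings area (expected) and in a code area (not expected).
DUMPED_IMAGE = patch(patch(VENDOR_IMAGE, 0x0810, b"\x00" * 8), 0x0C20, b"\xEB\xFE\x90\x90")


def modified_regions(baseline: bytes, dumped: bytes, ignore=()):
    """Return contiguous (offset, length) ranges where dumped differs from baseline,
    skipping the ranges listed in ignore. A size mismatch is reported as one region."""
    if len(baseline) != len(dumped):
        return [(min(len(baseline), len(dumped)), abs(len(baseline) - len(dumped)))]

    def ignored(i):
        return any(start <= i < start + length for start, length in ignore)

    regions, start = [], None
    for i, (a, b) in enumerate(zip(baseline, dumped)):
        differs = a != b and not ignored(i)
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, len(baseline) - start))
    return regions


def image_digest(image: bytes) -> str:
    """SHA-256 of a whole image, for recording a baseline before any comparison."""
    return hashlib.sha256(image).hexdigest()


def verdict(baseline: bytes, dumped: bytes, ignore=()):
    """('clean', []) if only ignored regions differ, else ('modified', ranges)."""
    regions = modified_regions(baseline, dumped, ignore)
    return ("clean", []) if not regions else ("modified", regions)


if __name__ == "__main__":
    status, regions = verdict(VENDOR_IMAGE, DUMPED_IMAGE, ignore=[NVRAM_REGION])
    print("vendor sha256:", image_digest(VENDOR_IMAGE))
    print("dump   sha256:", image_digest(DUMPED_IMAGE))
    print(status, [(hex(off), length) for off, length in regions])
```

A whole-image hash alone would flag every machine as modified because of the settings area, which is why the region exemption matters; a reported code-area difference is what a responder then disassembles.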

posted on Jul, 31 2009 @ 01:05 PM
You can be sure that the alphabet agencies have been using these methods for years to do their dirty work.

posted on Jul, 31 2009 @ 01:29 PM

My computer crashes, maybe every two weeks or so, you know, the whole BLUE SCREEN OF DEATH, and it's always BIOS related. I'm running a simple Dell PC with XP and AVG, and after a crash I am advised to go to my computer manufacturer's website for BIOS updates. Well, nothing I've done has solved this problem, and way in the back of my mind I had a feeling it was some kind of virus, but now I'm curious if it's related to these BIOS attacks mentioned in the article. So far, it's not a huge concern to me, I've only lost whatever data I happen to have open at that moment, but the randomness of the crashes and the thought that maybe something more is going on in the background of my computer has me a little wigged out. Anyways, thanks for bringing this up!

posted on Jul, 31 2009 @ 01:46 PM

Originally posted by warrenb
You can be sure that the alphabet agencies have been using these methods for years to do their dirty work.

lol Hackers have been using this for years. Only reason I know is because I had a friend get infected with something like this about 2 years ago and we never could get rid of it, although he did find what was going on, and because it was such a nasty little thing he backed it up on a flash drive and trashed his computer, saying he needed a new one anyway.

Maybe someone knows more about this, but we were discussing whether or not it would be possible to encrypt the entire BIOS chip itself to prevent any code from being executed that was placed on the BIOS unencrypted, but that is going past both of our expertise. We thought about having a password every time something is installed so you wouldn't need to type in a password for every little thing running in the BIOS. Since this would not be installed with a password it would in effect become similar to a temp/junk file that is not executable.

posted on Jul, 31 2009 @ 10:24 PM
reply to post by aecreate

Try using Avira AntiVir, Malwarebytes' Anti-Malware, and switch to the ZoneAlarm firewall if you're using the default Windows firewall (all free, available at

On topic:

This is kind of old news, there have been ways to compromise the BIOS in ways that can't be fixed for quite a while and there's not a lot that can be done about it. But
and flag for bringing attention to it, a lot of people out there probably didn't know.


posted on Jul, 31 2009 @ 11:50 PM
reply to post by TrueAmerican

This is not actually new, it can be done, the same as someone wiring your car or whatever, it needs access to your system, either via a software security hole or physical access, so first they need to somehow log into your system, then flash the memory, or sit at your desk and do it from your started session.

The issue here is that lots of people click on spam links or similar and download trojans and viruses; those are the target for this kind of attack, they will never realize what's going on, and so neither will most PC repair shops, at least not for a while.

Fixing these holes in the hardware is kind of hard, there are already thousands of hardware cards that can be used with this approach, those can't be replaced, the only way is, as someone else said, to make everything read only, but I am sure there will be another solution later on, like a hardware antivirus or something like that that runs before the OS starts and gets rid of any hardware infections.

Current antivirus software will keep working, if you just don't run a trojan/virus installer you are safe, current security practices are good enough if people actually use them, if you're going to click on some weird link to an exe file, then there's nothing that can save you from yourself.
