Highly persistent backdoor infects BIOS, peripherals

Powered by SC Magazine
 

Malware hides from forensic analysis.

Sydney-based penetration tester Jonathan Brossard has created a hardware backdoor that replaces a machine’s BIOS and is extremely difficult to remove.

The proof of concept firmware dubbed Rakshasa, named after the mythical demon in Hindu, replaced the BIOS with open source software Coreboot and SeaBIOS and could mimick many boot logos.

It was highly persistent and able to infect firmware in peripheral hardware devices through PCI expansion, plus could load iPXE firmware to the network card.

Once malware had spread to the devices, it could reinstall on the BIOS should the user attempt to reflash the original firmware.

It was designed to download the malicious bootkit files over a variety of internet connections when a system started up. These would be written briefly to memory rather than the master boot record, a tactic that left nothing for forensic analysts to find even in live analysis, Brossard said.

Configuration and version updates could be also downloaded from command and control servers.

Installation typically required physical access to a target machine in order to activate firmware write protection which took the form of an on and off switch on some devices.

The most realistic attack scenario was within the supply chain where a manufacturer could install the malware, but Brossard says remote installation could be possible on a machine already in an attackers’ control that did not have BIOS write protection, and because Coreboot was able to load PCI extension firmware before the stock firmware on the network card.

Brossard did not release the code. More information was available in his technical paper (pdf).

Copyright © SC Magazine, Australia


Highly persistent backdoor infects BIOS, peripherals
 
 
 
Top Stories
Beyond ACORN: Cracking the infosec skills nut
[Blog post] Could the Government's cybercrime focus be a catalyst for change?
 
The iTnews Benchmark Awards
Meet the best of the best.
 
Telstra hands over copper, HFC in new $11bn NBN deal
Value of 2011 deal remains intact.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1785

Vote
Do you support the abolition of the Office of the Information Commissioner?