New BIOS attack renders antivirus useless

By Iain Thomson on Mar 27, 2009 10:45AM

A new form of attack that installs a rootkit directly into a computer’s BIOS would render antivirus software useless, researchers have warned.

Alfredo Ortega and Anibal Sacco of Core Security Technologies explained that the attack was possible against almost all types of BIOS in common use today.

The two devised a 100 line Python script that could be flashed onto the BIOS to install a rootkit. Because the BIOS software is activated before any other program when a computer starts up, normal antivirus software would be unable to detect it.

“We tested the system on the most common types of BIOS,” said Ortega.

“There is the possibility that newer types of Extensible Firmware Interface (EFI) BIOS may be resistant to the attack but more testing is needed.”

The attack is only possible if the attacker already has full administrative control of the target PC, but this is possible through a standard virus infection. Once that is achieved the malware operator would be able to flash a rootkit directly onto the BIOS.

Even if the initial virus was detected and removed, the computer would still be under remote control. Even a full wipe of the hard drive and a complete reinstallation of the operating system would not remove it, they warned.

If a sophisticated rootkit was put onto the BIOS it could be even more difficult for an administrator to debug the system, said Ivan Arce, chief technology officer at Core Security Technologies.

“You’d need to reflash the BIOS with a system that you know has not been tampered with,” he said.

“But if the rootkit is sophisticated enough it may be necessary to physically remove and replace the BIOS chip.”

The attack vector is also usable against virtual systems, the researchers said. The BIOS in VMware is embedded as a module in the main VMware executable and could therefore be altered.

However, it is possible to protect against this attack by locking down the BIOS chip against flash updates, either by password-protecting the system against unauthorised changes or by a physical lock on the chip.

“The best approach is prevention, preventing the virus from flashing onto the BIOS,” said Sacco.

“You need to prevent flashing of the BIOS, even if it means pulling out a jumper on the motherboard.”
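The article's remediation advice hinges on knowing whether the firmware on a machine is still the one you trust: if a disk wipe cannot clear the implant, the only reliable check is comparing the firmware itself against a known-good baseline. The following is an added example from the editor, not code from the article or from Core Security, showing one way an administrator can do that. It assumes two inputs that on a real host would come from `dmidecode -t bios` (the self-reported vendor, version and release date) and from a raw dump of the flash chip (for example via `flashrom -r`, ideally taken with an external programmer so the read does not depend on software on the possibly compromised host). Both inputs here are constructed sample data; the function names and baseline layout are this example's own.

```python
import hashlib
import re

# Constructed sample in the style of `dmidecode -t bios` output (not a real board's data).
SAMPLE_DMI = """\
BIOS Information
\tVendor: ExampleVendor
\tVersion: 1.02
\tRelease Date: 01/15/2009
\tROM Size: 1024 kB
"""

# Constructed stand-in for a raw SPI flash dump of the known-good firmware image.
KNOWN_GOOD_IMAGE = b"\xff" * 64 + b"EXAMPLE-BIOS-1.02" + b"\x00" * 32

DMI_FIELDS = ("Vendor", "Version", "Release Date")


def parse_bios_info(text):
    """Extract the identity fields from dmidecode-style output into a dict."""
    fields = {}
    pattern = re.compile(r"\s*(Vendor|Version|Release Date):\s*(.+?)\s*$")
    for line in text.splitlines():
        match = pattern.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def image_sha256(image_bytes):
    """Hash a firmware image dump; this is the value stored in the baseline."""
    return hashlib.sha256(image_bytes).hexdigest()


def build_baseline(dmi_text, image_bytes):
    """Record the identity fields and image hash of a machine known to be clean."""
    return {"dmi": parse_bios_info(dmi_text), "image_sha256": image_sha256(image_bytes)}


def check_firmware(dmi_text, image_bytes, baseline):
    """Compare a host's current firmware against the baseline.

    Returns a list of findings; an empty list means no drift was detected.
    The DMI fields are self-reported by the firmware, so a tampered BIOS can
    leave them unchanged; the image hash is the check that actually matters.
    """
    findings = []
    current = parse_bios_info(dmi_text)
    for key in DMI_FIELDS:
        expected, actual = baseline["dmi"].get(key), current.get(key)
        if actual != expected:
            findings.append(f"{key}: expected {expected!r}, got {actual!r}")
    digest = image_sha256(image_bytes)
    if digest != baseline["image_sha256"]:
        findings.append(
            f"image hash mismatch: {digest[:16]}... != {baseline['image_sha256'][:16]}..."
        )
    return findings


# Baseline captured from the constructed known-good state.
BASELINE = build_baseline(SAMPLE_DMI, KNOWN_GOOD_IMAGE)


if __name__ == "__main__":
    # Clean host: identity fields and image match the baseline.
    print("clean host:", check_firmware(SAMPLE_DMI, KNOWN_GOOD_IMAGE, BASELINE))
    # Modified image whose DMI strings were left intact: only the hash catches it.
    tampered = KNOWN_GOOD_IMAGE[:-8] + b"IMPLANT!"
    print("tampered image:", check_firmware(SAMPLE_DMI, tampered, BASELINE))
```

Run the check from a trusted environment and keep the baseline hash off the host being examined; if the hash differs, the article's advice applies, which is to reflash from an image you know is clean rather than trying to clean the running system.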

Copyright ©v3.co.uk