A new form of attack that installs a rootkit directly onto a computer's Bios
system would render anti-virus software useless, researchers have warned.
Alfredo Ortega and Anibal Sacco of Core Security Technologies explained that
the attack is possible against almost all types of common Bios systems in use
today.
The researchers devised a 100-line Python script that patches a Bios image so
that, once the patched image is flashed onto the chip, it installs a rootkit.
Because the Bios runs before any other program when the computer starts up,
and lives outside the disk that anti-virus software scans, normal anti-virus
software would be unable to detect it.
"We tested the system on the most common types of Bios," said Ortega. "There
is the possibility that newer types of Extensible Firmware Interface Bios may be
resistant to the attack, but more testing is needed."
The attack is only possible if the attacker already has full administrative
control of the target PC, but that level of access can be gained through an
ordinary malware infection. Once that is achieved, the malware operator would
be able to flash a rootkit directly onto the Bios.
Even if the initial virus were detected and removed, the computer would still
be under remote control. A full wipe of the hard drive and a complete
reinstallation of the operating system would not remove it, because the
rootkit lives in the firmware rather than on the disk, the researchers warned.
If a sophisticated rootkit was put onto the Bios it could be even more
difficult for an administrator to debug the system, according to Ivan Arce,
chief technology officer at Core Security.
"You would need to reflash the Bios with a system that you know has not been
tampered with," he said. "But if the rootkit is sophisticated enough it may be
necessary to physically remove and replace the Bios chip."
The attack vector is also usable against virtual systems, the researchers
said. The Bios in VMware is embedded as a module in the main VMware executable,
and thus could be altered.
However, it is possible to protect against this attack by locking down the
Bios chip from flash updates, either physically or by password-protecting the
system against unauthorised changes.
"The best approach is preventing the virus from flashing onto the Bios,"
said Sacco. "You need to prevent flashing of the Bios, even if it means pulling
out the jumper on the motherboard."
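The two defences described above, locking the flash against writes from the operating system and comparing a dump against an image you know is clean, can both be scripted. The following is an added example and is not code from the article or from Core Security's research. It assumes an Intel ICH/PCH chipset, where the BIOS_CNTL register (LPC bridge at PCI 00:1f.0, config offset 0xDC) controls flash writes; other chipsets lock the flash differently. The flash images are constructed in-line and are not real dumps.

```python
"""Two scripted checks for the Bios-rootkit defences discussed above
(added example, not the article's or Core Security's code):

1. decode the Intel BIOS_CNTL register to tell whether the flash can be
   written from the operating system, i.e. whether the Bios is locked down
   from flash updates;
2. compare a flash dump against a known-good image and report the regions
   that differ, which tells you whether a reflash is needed and whether the
   image you are about to flash is the clean one.

Assumption: Intel ICH/PCH LPC bridge (PCI 00:1f.0, config offset 0xDC).
The images below are constructed for the example, not real dumps.
"""

from hashlib import sha256

# BIOS_CNTL bits (Intel ICH/PCH; check the datasheet for your chipset).
BIOSWE = 1 << 0    # BIOS Write Enable: 1 lets software write the flash
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes honoured only from SMM


def flash_writable_from_os(bios_cntl: int) -> bool:
    """True if code running in the OS could write the Bios flash.

    SMM_BWP blocks every write that does not come from SMM, whatever the
    other bits say.  Otherwise the flash is writable if BIOSWE is already
    set, or if BLE is clear so the OS can simply set BIOSWE itself.
    """
    if bios_cntl & SMM_BWP:
        return False
    if bios_cntl & BIOSWE:
        return True
    return not (bios_cntl & BLE)


def describe_bios_cntl(bios_cntl: int) -> str:
    """Human-readable summary of the register, e.g. for an inventory report."""
    state = "WRITABLE from the OS" if flash_writable_from_os(bios_cntl) else "locked"
    bits = [name for name, bit in (("BIOSWE", BIOSWE), ("BLE", BLE), ("SMM_BWP", SMM_BWP))
            if bios_cntl & bit]
    return f"BIOS_CNTL=0x{bios_cntl:02x} ({', '.join(bits) or 'no bits set'}): flash {state}"


def image_fingerprint(image: bytes) -> str:
    """SHA-256 of a flash image, to record the known-good image kept offline."""
    return sha256(image).hexdigest()


def find_modified_regions(golden: bytes, dump: bytes, block: int = 4096) -> list[tuple[int, int]]:
    """Return (offset, length) for each run of blocks where dump differs from golden.

    A size mismatch means the dump is of a different part or was truncated,
    which is itself suspicious, so it is reported rather than silently compared.
    """
    if len(golden) != len(dump):
        raise ValueError(f"size mismatch: golden {len(golden)} bytes, dump {len(dump)} bytes")
    regions: list[tuple[int, int]] = []
    for offset in range(0, len(golden), block):
        if golden[offset:offset + block] != dump[offset:offset + block]:
            length = min(block, len(golden) - offset)
            if regions and regions[-1][0] + regions[-1][1] == offset:
                start, run = regions[-1]
                regions[-1] = (start, run + length)   # extend the previous run
            else:
                regions.append((offset, length))
    return regions


# Constructed sample: a 64 KiB "golden" image and a copy with two patched areas,
# standing in for a rootkit that has hooked code inside the Bios.
GOLDEN = bytes(range(256)) * 256
_tampered = bytearray(GOLDEN)
_tampered[0x1000:0x1020] = b"\xcc" * 0x20
_tampered[0x8100:0x8110] = b"\xcc" * 0x10
TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    for value in (0x00, 0x01, 0x02, 0x22):
        print(describe_bios_cntl(value))
    print("golden", image_fingerprint(GOLDEN))
    print("dump  ", image_fingerprint(TAMPERED))
    for offset, length in find_modified_regions(GOLDEN, TAMPERED, block=256):
        print(f"modified: offset 0x{offset:05x}, {length} bytes")
```

On a Linux host with an Intel chipset the register value can be read as root with `setpci -s 00:1f.0 0xdc.b` and fed to `describe_bios_cntl`. The caveat the researchers' warning implies still applies: a dump taken from inside an operating system that a Bios rootkit already controls can be lied to, so a comparison you intend to trust should use an image read from the chip with an external programmer.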