Method of injecting persistent code into BIOS demonstrated

Mar 25, 2009 11:52 GMT

Two security researchers have demonstrated at CanSecWest (PDF slides) a method of injecting malicious code into virtually all types of BIOSes. The technique can be used to deploy malware that survives even the most severe cleaning attempts, such as wiping the hard disk.

The Basic Input/Output System (BIOS) is the motherboard's firmware. It contains the first code executed when the computer is powered on and handles functions such as device identification, testing and initialization, bringing the machine into a defined state from which the operating system can take over.

Alfredo Ortega and Anibal Sacco, two Argentinian security researchers from Core Security Technologies, shocked the CanSecWest audience when they presented how persistent code can be injected into and executed from the BIOS environment. By their own account, the implications are huge.

The malicious BIOS code is executed using the VGA ROM signature as a ready signal. “We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable anti-virus,” Mr. Ortega says of the possibilities.

The attacks that can be mounted are platform-independent. To prove this, the researchers demonstrated how full control can be gained over systems running Windows, OpenBSD, or even a virtual machine environment.

The tool the researchers used to patch the BIOS is a 100-line Python script. “It was very easy. We can put the code wherever we want. We can reinfect the BIOS every time it reboots,” they told Threat Post.

The tool is designed to flash almost all types of BIOSes, regardless of the motherboard manufacturer, and does so in such a way that the rogue instructions are even protected from re-flashing.

The only drawback is that injecting the malicious code by patching the BIOS requires root privileges on, or physical access to, the system. Once an attack succeeds, however, it is very hard to mitigate. “You can remove the hard drive, trash it, and even reinstall the operating system. This will still reinstall the rootkit,” Anibal Sacco notes.
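As an added defender-side illustration (not part of the article or of the researchers' tool): because the injected code hooks in around the VGA ROM and survives disk wiping, the practical check is to compare a fresh dump of the flash chip against the vendor's known-good image. The script below uses the legacy option ROM header layout (0x55AA signature, length byte in 512-byte units, byte-sum checksum) to locate each option ROM, hash it, and report differences; `GOLDEN` and `TAMPERED` are constructed sample images, not real firmware, and the checksum check is included to show why it is no substitute for a hash comparison.

```python
import hashlib
from typing import Dict, List, Tuple

SIG = b"\x55\xAA"   # legacy (PCI/VGA) option ROM header signature
BLOCK = 512         # the header's length byte counts 512-byte blocks

def find_option_roms(image: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) of each option ROM header found on a 512-byte boundary,
    skipping over the body of each ROM once its length is known."""
    found, off = [], 0
    while off + 3 <= len(image):
        size = image[off + 2] * BLOCK if image[off:off + 2] == SIG else 0
        if size and off + size <= len(image):
            found.append((off, size))
            off += size
        else:
            off += BLOCK
    return found

def checksum_ok(rom: bytes) -> bool:
    """Legacy header checksum: all bytes sum to 0 mod 256. It only catches accidental
    corruption; anyone patching the ROM simply recomputes the byte."""
    return sum(rom) % 256 == 0

def rom_hashes(image: bytes) -> Dict[int, str]:
    """SHA-256 of every option ROM body, keyed by its offset in the image."""
    return {off: hashlib.sha256(image[off:off + n]).hexdigest()
            for off, n in find_option_roms(image)}

def compare_to_baseline(golden: bytes, dump: bytes) -> Dict[str, List[int]]:
    """Offsets of option ROMs modified, added or removed relative to the vendor's known-good
    image; placement inside the image is fixed, so the offset identifies the ROM."""
    g, d = rom_hashes(golden), rom_hashes(dump)
    return {"modified": sorted(o for o in g if o in d and g[o] != d[o]),
            "added": sorted(o for o in d if o not in g),
            "missing": sorted(o for o in g if o not in d)}

# Constructed sample images (not real firmware): a padded VGA ROM and a NIC ROM.
def _rom(blocks: int, body: bytes) -> bytes:
    rom = bytearray(SIG + bytes([blocks]) + body)
    rom += b"\x00" * (blocks * BLOCK - len(rom))
    rom[-1] = (-sum(rom[:-1])) % 256   # make the header checksum valid
    return bytes(rom)

GOLDEN = b"\xff" * BLOCK + _rom(2, b"VGA BIOS v1.0") + b"\xff" * BLOCK + _rom(1, b"NIC PXE")
# Same layout, but the VGA ROM body was patched and its checksum recomputed.
TAMPERED = GOLDEN[:BLOCK] + _rom(2, b"VGA BIOS v1.0 PATCHED") + GOLDEN[3 * BLOCK:]

if __name__ == "__main__":
    print(compare_to_baseline(GOLDEN, TAMPERED))   # {'modified': [512], 'added': [], 'missing': []}
```

A real audit substitutes the vendor-supplied image and a dump of the installed flash chip for the two constants; compressed or UEFI-style images need a different parser, and the hash of the golden image must itself come from a trusted source.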

Methods of compromising the BIOS or the firmware of particular devices have been reported before, but they were limited to specific models. This technique builds on earlier persistent-rootkit research by John Heasman, who demonstrated in 2007 how malware could be installed in the ROM of a PCI device.