Tuesday, March 24, 2009

Chernobyl All Over Again?

Brett D. Arion
No, no: this is not another nuclear disaster; it is more of a boot-sector/BIOS-invasion-type incident. After CIH (Chernobyl) broke out in 1998, manufacturers responded by write-protecting the system BIOS. That seemed to be sufficient until researchers from Core Security presented details at CanSecWest showing that they can replace the system BIOS on write-protected systems.

The demonstration showed that it is possible to replace the current system BIOS by loading a new, hacked BIOS into flashrom, making some tweaks to settings, reworking the checksums so that integrity checking passes, and then flashing it. This would ultimately allow one to do just about anything with an infected system. There is a nagging question, though: why go to all this trouble? There are much easier ways to take control of systems with a lot less effort. I also know some skeptics are saying "yeah, right, but it has to be executed"... actually, that seems quite easy given the rate at which people are installing malware disguised as anti-virus software or other forms of software. Could it be that this is a stealthy way to keep control of machines for longer than the normal bot infection?
Will the BIOS industry respond?
Can malware detection find it?
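The paragraph above says the attackers "rework the checksums to ensure integrity checking passes", and then asks whether malware detection can find the result. The following added example (my code, not Core Security's or the blog's) shows why those two facts fit together: an additive 8-bit checksum, modelled here on the legacy option-ROM convention where all bytes must sum to zero mod 256 (an assumption about the image format, not something the post specifies), is preserved by any change that adds and subtracts the same amount, so it cannot detect a tampered image. Comparing a dumped image against a pinned cryptographic baseline does. The firmware image, the baseline and the tampered copy are all constructed inline so the script runs offline.

```python
import hashlib
import hmac

# Constructed sample "firmware image" (not a real BIOS): 15 data bytes plus one
# trailing byte chosen so the 8-bit sum of the whole image is 0 mod 256, the
# same convention legacy option ROMs use for their checksum byte (assumption).
_DATA = bytes([0x55, 0xAA, 0x10, 0xEB, 0x00, 0x01, 0x02, 0x03,
               0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A])
GOOD_IMAGE = _DATA + bytes([(-sum(_DATA)) & 0xFF])

# Baseline pinned from a trusted copy. Here it is computed from the constructed
# image; in practice it would come from vendor media or a known-good dump taken
# before the machine was exposed.
BASELINE_SHA256 = hashlib.sha256(GOOD_IMAGE).hexdigest()

# Constructed tampered copy: two bytes changed by equal and opposite amounts,
# so the additive checksum still balances even though the content differs.
# This is exactly the weakness the post's "rework the checksums" step relies on.
_tampered = bytearray(GOOD_IMAGE)
_tampered[4] = (_tampered[4] + 0x20) & 0xFF   # altered "code" byte
_tampered[5] = (_tampered[5] - 0x20) & 0xFF   # compensating byte
TAMPERED_IMAGE = bytes(_tampered)


def legacy_checksum_ok(image: bytes) -> bool:
    """Additive 8-bit checksum: passes when every byte sums to 0 mod 256."""
    return sum(image) & 0xFF == 0


def baseline_hash_ok(image: bytes, expected_hex: str) -> bool:
    """Cryptographic comparison of the image against a pinned SHA-256 baseline."""
    actual = hashlib.sha256(image).hexdigest()
    # Constant-time compare avoids leaking how many hex digits matched.
    return hmac.compare_digest(actual, expected_hex)


def assess(image: bytes, expected_hex: str) -> str:
    """Classify a dumped image for an operator.

    'trusted'   : matches the pinned baseline (checksum passes too).
    'tampered'  : additive checksum balances but the content is not the baseline;
                  this is the signature of a checksum-fixed image.
    'corrupt'   : not even the additive checksum balances.
    """
    if baseline_hash_ok(image, expected_hex):
        return "trusted"
    if legacy_checksum_ok(image):
        return "tampered"
    return "corrupt"


if __name__ == "__main__":
    for name, img in (("good", GOOD_IMAGE), ("tampered", TAMPERED_IMAGE)):
        print(f"{name:9s} checksum_ok={legacy_checksum_ok(img)} "
              f"hash_ok={baseline_hash_ok(img, BASELINE_SHA256)} "
              f"-> {assess(img, BASELINE_SHA256)}")
```

The useful operational signal is the middle case: an image whose firmware checksum balances but whose hash does not match the baseline is not random corruption, it is content that someone deliberately rebalanced. A detection tool that only re-runs the firmware's own checksum will report both images as healthy.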

I guess only time will tell, but at least we can see that one thing is true: history always repeats itself... oh, the days of boot-sector and BIOS invasion attempts...

Details of the presentation can be found here, and the abstract reads:

"When developing rootkits, one of the biggest problems is executing the malicious code, surviving reboots and remaining undetected. This talk will demonstrate how malicious code can be injected into commercial BIOS firmware. Instead of utilizing other rootkit methods which make use of the ACPI specification, Core Security has focused on a binary generic implementation independent of the installed OS to simulate how attackers can take control of a system."
