Researchers have discovered one of the first pieces of malware ever used in the wild that modifies the software on the motherboard of infected computers to ensure the infection can't be easily eradicated. Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it attacks to add malicious instructions that are …
Rootkit reflashes BIOS of computers it attacks
I thought NGSCB was supposed to protect against this kind of thing, or make the BIOS read-only. How exactly does this malware get on a non-infected computer in the first place?
`We still have a while before it starts raining'
Through windows sieve ^H^H^H^H^H firewall
Rootkits require root to be installed (the installer isn't typically considered part of the rootkit).
Once you have a rootkit installed, all bets are off as regards any antivirus or operating system protections.
The only protection against this sort of thing is a jumper setting on the motherboard to enable/disable flashing, which I believe many motherboards used to ship with.
That's what they want you to think. NGSCB/Palladium's purpose is to save Sony the trouble of installing a rootkit on your machine.
The BIOS can be reflashed from within Windows though - it's how we (legitimately) update the BIOS. It's not hard to envisage a virus taking advantage of this.
To do it, though, the OS has presumably already been compromised. This is just deep-rooting it further in the system to stand a better chance of survival. It isn't normally seen, however, as virus writers tend to aim as far and wide as possible, which isn't usually compatible with specific BIOS versions/manufacturers.
My guess is that it masquerades as a WoW goldfarming bot...
Bitlocker for hard drive encryption is the only thing I am aware of that came out of it; I thought the rest of it had yet to be implemented.
Quote from that Microsoft page: "Much of the NGSCB architecture design is covered by patents, and there will be intellectual property issues to be resolved."
This is why that thing is not used much: patents mean either increased product costs for manufacturers or exposing themselves to lawsuits.
The only devices that I know to use it are the game consoles, Xbox, PlayStation and the like, but those are relatively closed and isolated ecosystems where competition in hardware is non-existent, e.g. the only way to get an Xbox motherboard is from Microsoft. The same goes for Sony and PlayStation motherboards.
"To do it though, the OS has presumably already been compromised though"
Not necessarily so; the delivery system could be nothing more than a maliciously corrupt firmware binary and / or flash utility.
swap the ROM
Surely if a machine did get infected to the point where the machine wouldn't boot, you would buy a new boot rom, install it and voila?
Piece of piss then.
I've done a BIOS transplant in the past, but only because I'd accepted the board was dead following a failed flash upgrade. I'd not recommend it as it's very hairy, and it won't give you the full functionality of the board as it likely resets it to be a "reference" mobo (in the end I got it to the stage where it would boot, barely, with massive errors, enough to get to a DOS flash utility, hotswapped the failed chip back in and reflashed the firmware - success rate of 1 in 3 so far).
Maybe fifteen years ago, but pretty much all of them are surface mounted these days and I don't rate your chances of replacing one of those at home.
Some machines do, however have a backup BIOS.
With CIH this was the only way to repair an infected machine without having access to stand-alone EPROM flashing equipment, indeed, I repaired one such dead laptop for a client back in the late nineties by simply sourcing a replacement Phoenix BIOS chip from the manufacturers and dropping it in.
With this sort of infection though the prognosis is not so grim; as the BIOS re-write does not intentionally trash the EPROM like CIH did, it should still be possible to simply re-flash your BIOS with an official firmware.
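Before re-flashing with an official image, a practitioner would want to confirm that the dumped BIOS actually differs from the vendor image, and where. The script below is an added example, not code from the original thread: it compares a flash dump against a reference image of the same size and reports which erase-block-sized regions differ. The 4 KiB block size, and the sample images (a 64 KiB pattern with two constructed modifications), are assumptions for illustration.

```python
import hashlib

ERASE_BLOCK = 4096  # assumed: typical SPI-NOR sector size; adjust for the real part


def sha256_hex(data: bytes) -> str:
    """Hash an image so a dump can be compared against a vendor-published checksum."""
    return hashlib.sha256(data).hexdigest()


def modified_blocks(reference: bytes, dump: bytes, block_size: int = ERASE_BLOCK) -> list:
    """Return [(offset, length), ...] for every block where `dump` differs from `reference`.

    A size mismatch is reported as an error rather than silently truncated: a dump that
    is not the size of the flash part is itself a sign the read did not cover the chip.
    """
    if len(reference) != len(dump):
        raise ValueError(
            f"size mismatch: reference is {len(reference)} bytes, dump is {len(dump)} bytes"
        )
    diffs = []
    for off in range(0, len(reference), block_size):
        r = reference[off:off + block_size]
        d = dump[off:off + block_size]
        if r != d:
            diffs.append((off, len(r)))
    return diffs


def check_image(reference: bytes, dump: bytes) -> dict:
    """Summarise the comparison: identical images need no re-flash at all."""
    ref_hash, dump_hash = sha256_hex(reference), sha256_hex(dump)
    blocks = modified_blocks(reference, dump)
    return {
        "reference_sha256": ref_hash,
        "dump_sha256": dump_hash,
        "identical": ref_hash == dump_hash,
        "modified_blocks": blocks,
        # every differing block must be erased and rewritten from the reference image
        "bytes_to_reflash": sum(length for _, length in blocks),
    }


# Constructed sample data: a 64 KiB "vendor" image and a dump with two tampered regions.
REFERENCE_IMAGE = bytes(range(256)) * 256  # 65536 bytes of a repeating pattern


def build_tampered_dump() -> bytes:
    """Constructed dump: a 300-byte patch at 0x5000 and one byte flipped in the last block."""
    img = bytearray(REFERENCE_IMAGE)
    img[0x5000:0x5000 + 300] = b"\x90" * 300       # NOP-sled-like filler, purely illustrative
    img[0xFFF0] ^= 0xFF                              # single byte changed in the top block
    return bytes(img)


if __name__ == "__main__":
    result = check_image(REFERENCE_IMAGE, build_tampered_dump())
    print("identical:", result["identical"])
    for off, length in result["modified_blocks"]:
        print(f"modified block at 0x{off:05X} ({length} bytes)")
    print("bytes to re-flash:", result["bytes_to_reflash"])
```

The per-block report is what you hand to the flash tool: on a genuine infection you would expect differences outside the NVRAM/settings region, whereas a dump that differs only in the variable-store blocks is usually just saved settings rather than a modified BIOS.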
Not that hard, a SMD rework station can be purchased for about 100 quid and it makes changing SMD a doddle...
It's out of the league of your average home user, but anyone who can wield a soldering iron competently wouldn't struggle.
The only solution
All computers with updateable bios should have a physical button connected to the write-enable pin of the chip that has to be pressed to allow flashing it, but I guess it would cost too much. Even with this feature, malware might be able to infect the bioses of really stupid users ("remember to press the bios flash button to view our fabulous p*** site"), but they surely would deserve it.
I once had...
...a BIOS that required you to confirm a BIOS reprogramming by flashing up a text screen. I'm guessing this feature died because Joe User didn't want his Windows BIOS update utility crashing Win95 every time he updated the BIOS.
With most BIOS now able to update themselves from a USB drive directly from the configuration screen, I guess it should be possible to reinstate this feature.
I thought viruses that attacked the BIOS were all the rage back in the 90s so the BIOS implementations took steps to protect themselves. Like popping up a big message on the screen saying the BIOS was being modified and did you want to proceed. Don't say all those lessons have been forgotten.
As they say,
The one thing you can learn from history is that people who don't learn from history are doomed to repeat its mistakes.
CIH did something different.
Granted, CIH did modify the BIOS, but rather than replacing the BIOS with a hacked-on version so as to be able to reinfect easily, CIH erased the 'boot block', so the machine would not boot.
To add insult to injury, it also overwrote the first 200MB of the first disk.
In effect, CIH's modifications to the BIOS were the destructive payload, not the infection mechanism.
The privilege escalation was moderately clever, and relied on a combination of a security failure in the x86 instruction set - user-mode code can trivially retrieve the base address of the interrupt descriptor table - and a security failure in Win9x - that table is writeable from user-mode code. CIH used this combination to gain access to kernel mode.
BIOS or EFI
Would be good to know if EFI is affected by this.
Simple fix though - password lock the BIOS, for anything other than Read activities.
Nice try, and one that I had at first thought would work, but, sadly these can be keylogged from the buffer and hence are not so secure. There are papers by e.g. Jonathan Brossard which demonstrate this.
IIRC many older Mainboards used to have a setting for a more complete block on bios rom write access.
You have a valid point about the possibility, but the actual likelihood is very low for the common user, and very easy to work around in a corporate environment.
How often do you need to get into the BIOS for changes, where you would need to type the password? For most machines this would only be during setup, and could certainly be done off-line before the machine is connected to the net and at risk for infection. Common user will never update their bios once PC is working, and corporate environments should already be doing most work on machines off-line.
Agreed that simple jumper to allow BIOS flash should be common feature as it used to be. Never liked being able to flash bios from windows specifically because of issues like this.
"How exactly does this malware get on a non-infected computer in the first place."
Always the bloody users.
Nothing beats a computer virus like a mechanical obstacle - bringing back a jumper on the BIOS chip's write-enable line would probably be a good idea. (It is not like flashing the BIOS is a frequent event or something generally done by the type of user who never opens their case, and if it was, you could replace the jumper with a rear-panel mini-switch, I guess).
BIOS write-protect jumper or switch, seconded. Best design would be like the reset switch on desktops - you'd have to hold it down while you powered on the system to enable BIOS flashing, and you couldn't accidentally leave it enabled.
Another insanity is trying to run anti-virus software within a potentially infected and subverted operating system. The right approach would be to boot off a DVD-ROM, download up-to-date virus signatures from the vendor and then scan the disks. Since the on-disk operating system is not active, there is nowhere for a rootkit to hide (except maybe in the BIOS, hence the need for mechanical protection).
"The right approach would be to boot off a DVD-ROM, download up-to-date virus signatures from the vendor and then scan the disks"
I have a fair rate of students bringing their infected machines in (policy says they must have AV, but without admin access to their personal PCs we can't enforce it...), so my solution to this was to create a Windows PE boot image which can be booted via TFTP (or written to CD) and connects to a read-only network share that has SAV32CLI, updated overnight with the virus definitions that our enterprise console has downloaded. Just network-boot the machine and run a disinfect or remove scan with no worries about what is being run, or what the virus is preventing from being accessed.
"Because the BIOS is stored on a ROM, or read-only-memory chip, modifications have the potential to render a computer largely inoperable."
I'm no EE, but how do you reprogram a ROM chip? Didn't they become obsolete like 20 years ago?
how do you reprogram a ROM chip? Didn't they become obsolete like 20 years ago?
Since real ROMs are pretty much obsolete as you point out, the term is now used for things that are actually reprogrammable, but only intended to be reprogrammed for firmware updates
The thing you know as a ROM (EEPROM, strictly speaking, but generally known as a ROM), that is to say a large discrete component in a socket on the edge of the motherboard, is no longer there. However, there is a surface mount jobbie that does the same thing. Often the surface mount jobbie has a shadow that can be swapped in; less often, and usually in higher end servers, there is also a read only fallback as well, just in case everything goes badly wrong.
EP - ROM DUH!
Its time to admit
that trying to make computing user friendly only makes it virus friendly.
People are going to have to play in sandboxes AND learn simple security procedures. This may sound onerous to some but when I've managed to explain it to management the response has been 'that's just what we want in the organisation'.
Getting them to sign exemption forms so they take responsibility when that security is removed from their PCs so they can 'do something operationally sensitive' is another matter.
CIH and the BIOS
Just to be clear, CIH didn't attempt to "infect" a computer's BIOS, just trash it.
This might sound like "much the same thing" to some people, but in reality it's very difficult. Being able to infect the computer firmware with code that will execute and infect files on the hard disk at each boot has always been one of the virus "holy grails".
I remember CiH
Hit me once. Bugger to get rid of. Boot a workable machine, hotswap in buggered bios chip, reflash. What a pain in the ass. The thought occurred to me at the time that machines should be shipping with 2 BIOS ROMs. One of which would be unwritable and used purely to reflash the main BIOS back to factory specs in case of failure.
The thought occurred to others too.
There are quite a few mobos out there sporting a second, backup bios.
Gigabyte has had this as a common feature on most MBs for many years now.
However, the problem is that it is not the case that one is read/write and the other read only. Both are read/write, and though this virus may not hit both, it would be a minimal task for the virus once booted to update BOTH BIOSes to the infected state.
Again, having a backup BIOS helps in this area, but doesn't solve the problem in general. The second BIOS either has to be READ only or protected by a write enable jumper (that would normally NOT be connected).
"Because the BIOS is stored on a ROM, or read-only-memory chip, modifications have the potential to render a computer largely inoperable."
Thanks, but I know what ROM stands for. I also know what EEPROM stands for. I even know the difference between the two.
What I fail to understand is the connection between the type of memory used and rendering the computer largely inoperable. How would a BIOS stored in SRAM fare any better?
They should bring back the physical flash enable jumper...
But there's not just the BIOS to worry about, virtually all of your hardware has a small upgradeable firmware attached to it, video bios, hard drive firmware, even keyboards have firmware... Plenty of places for malicious code to embed themselves.
Yep - IIRC viruses have already been found and written on these kind of peripherals. It won't be too long before the (GP)GPU that modern gfx cards sport start to get hit in a main stream manner, and it'll be down to idiot operating systems and "developers" forgetting security entirely and adding features that can be used in an insecure way or can escalate their access across a system.
Reasonable durability (sale of goods) or foreseeability of breakdown
in the case of consumer purchases MIGHT provide a remedy AND an incentive/kick up the bum for the MOBO or system suppliers/mfrs to get their acts together.
In the USA the contract is all, I gather, although even there they've brought in federal "lemon laws" where stuff just doesn't work - whereas in the UK a clause attempting to absolve the supplier of liability for anything related to virus infections might well be struck out for being unfair/unbalanced/an attempt to avoid responsibilities under SOGA etc.
It's hardly the responsibility of the manufacturer if you've installed dodgy software which compromises your system.
That would be like a safe manufacturer being held responsible for your allowing a man in a stripy jumper with a sack saying "swag" into the room with your safe and leaving him there to do what he wants.
Is it just me?
.. having flashbacks to the good old BBC Model B with sideways RAM? Putting 'borrowed' ROM images in and then having to wire in a write-protect switch because the sneaky ROM authors started doing write tests in case someone had 'borrowed' their ROM and loaded it into sideways RAM..
Find some way of triggering the emergency boot block, such as deliberately performing a failed flash.
This may be specific to a particular BIOS, but the virus writers don't need me to suggest to them that uploading every additional BIOS found to their evil servers, and downloading a cracked version of any compatible one on file, will let them have lots more fun.
And once an evil BIOS is running, is there anything that it can't do? Such as hiding itself as well as the virus on disk from anti-virus software?
As for EFI - yeah, they can probably get us that way, too. Beware of insertable media carrying EFI routines.
According to the article, the code is loaded onto a ROM - READ ONLY memory. It is, in fact, an EEPROM, Electrically Erasable Programmable Read Only Memory. If it was actually READ ONLY, how would the code write to it?
Since it's primarily attacking computers in China, will the three-letter agencies claim it is the Chinese Government attempting to monitor its people, or will China claim it is an attack by the US and its allies?
Depends on who it's infecting most, really.
If the "victims" tend to be scientists, military and government officials, heads of corporations and the like, I would look more towards the US (or EU, or Russia, or even more likely... Israel).
If on the other hand the "victims" are authors, newspaper writers, heads of religious or social groups etc etc, then one would safely assume it's coming from the Chinese hack state.
Where's me box of soldering irons?
That nWP pin is going to get a wire strap to ground...
(notWriteProtect: a pin on the BIOS chips that, if pulled low, physically blocks the flash chip from being rewritten.) Most motherboards these days use SPI flash chips like 25M90's and the like. These all have such a pin. Some motherboards already have a jumper to tie this pin down.
Parallel flash also has this.
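One caveat a practitioner would want alongside the jumper advice above: on the common 25-series SPI NOR parts, WP# only locks the status register, and it only does so when the SRP bits are set; the block-protect (BP) bits in that register are what actually protect flash regions. With BP clear and SRP clear, strapping WP# low changes nothing and the chip is still fully writable from the OS. The decoder below is an added example, not code from the thread; it assumes the status-register bit layout used by the Winbond W25Q family (other vendors differ in detail) and does not attempt to map BP values to address ranges, which is part-specific.

```python
# Status Register-1 / -2 bit positions (assumed: Winbond W25Q-family layout).
SR1_BUSY = 1 << 0
SR1_WEL = 1 << 1          # write enable latch
SR1_BP_SHIFT = 2          # BP0..BP2 occupy bits 2..4
SR1_BP_MASK = 0b111 << SR1_BP_SHIFT
SR1_TB = 1 << 5           # top/bottom select for the BP range
SR1_SEC = 1 << 6          # sector/block granularity for the BP range
SR1_SRP0 = 1 << 7         # status register protect bit 0
SR2_SRP1 = 1 << 0         # status register protect bit 1 (SRL on newer parts)


def protection_state(sr1: int, sr2: int, wp_pin_low: bool) -> dict:
    """Decode whether software running on the host can clear the block-protect bits.

    SRP1:SRP0 selects the protection scheme:
      00  software protection only  - WP# is ignored, any WRSR can clear BP
      01  hardware protection       - status register locked while WP# is low
      10  power-supply lock-down    - locked until the next power cycle
      11  one-time programmable     - locked permanently
    """
    bp = (sr1 & SR1_BP_MASK) >> SR1_BP_SHIFT
    srp = ((sr2 & SR2_SRP1) << 1) | ((sr1 & SR1_SRP0) >> 7)

    if srp == 0b00:
        sr_locked, mode = False, "software (WP# ignored)"
    elif srp == 0b01:
        sr_locked, mode = wp_pin_low, "hardware (locked while WP# low)"
    elif srp == 0b10:
        sr_locked, mode = True, "power-supply lock-down"
    else:
        sr_locked, mode = True, "one-time programmable"

    # Nothing is protected if BP is zero, whatever WP# does; and an unlocked status
    # register lets host software clear BP before writing. Either way the host can flash.
    host_can_clear_bp = not sr_locked
    return {
        "bp": bp,
        "top_bottom": "bottom" if sr1 & SR1_TB else "top",
        "granularity": "4KiB sectors" if sr1 & SR1_SEC else "64KiB blocks",
        "srp": srp,
        "mode": mode,
        "status_register_locked": sr_locked,
        "flashable_from_os": bp == 0 or host_can_clear_bp,
    }


def describe(sr1: int, sr2: int, wp_pin_low: bool) -> str:
    s = protection_state(sr1, sr2, wp_pin_low)
    verdict = "WRITABLE from the OS" if s["flashable_from_os"] else "write-protected"
    return (f"SR1=0x{sr1:02X} SR2=0x{sr2:02X} WP#={'low' if wp_pin_low else 'high'}: "
            f"BP={s['bp']} ({s['top_bottom']}, {s['granularity']}), {s['mode']} -> {verdict}")


if __name__ == "__main__":
    # Constructed register values for illustration.
    print(describe(0x00, 0x00, True))   # jumper fitted, but BP and SRP clear: still writable
    print(describe(0x9C, 0x00, True))   # SRP0=1, BP=7, WP# low: locked
    print(describe(0x9C, 0x00, False))  # same chip with the jumper removed: clearable again
    print(describe(0x1C, 0x00, True))   # BP=7 but SRP=00: software can simply clear BP
```

Tools such as flashrom report these registers when they refuse a write; decoding them tells you whether the "write-protected" state is enforced by the pin or merely by bits that the next WRSR command will clear.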
GOOD, EXCELLENT AND DOUBLE GOOD ... Ta
It's nearly winter in the northern hemisphere - bring on the jumpers ;-)
Since re-flashing the BIOS is a rarely occurring event, why don't motherboard manufacturers put in a switch that has to be set in order for the BIOS to be flashed? End of problem.
why don't we just give up on this computer thing?
Hmmm… have you ever thought…
that that "who needs computers, anyway" idea fits in awfully well with the know-nothing-or-even-less attitude being pushed as a replacement for intelligent discourse and debate these days in what used to be the United States? Wouldn't surprise me at all to read some future historian in a few decades paint a convincing case that the Kochs or other corporate minders of the "Tea Party" useful idiots were heavily invested in this sort of thing.
what's more worrying is the realisation that a suitably virulent strain of malware could destroy millions of PCs by flashing junk to the BIOS. And even if the victim identifies faulty BIOS firmware as the problem, they're unlikely to go to the expense of fixing it. They'd probably go to the far greater expense of buying a new machine. Especially if they use the increasingly popular laptop form factor.
Time to buy a Mac? LOL.