Topic: Going beyond Kernel rootkits...

iago
Going beyond Kernel rootkits...
« on: January 27, 2006, 11:01:05 am »
... and moving to BIOS rootkits?  A BIOS rootkit would work for any OS, it would survive reboot, it would survive reinstallation, and it would even survive changing hard drives!  And, it would still have as much control as a normal rootkit has, possibly even more.  It's perfectly possible to do, and virus-scanners and rootkit-checkers don't check for it yet! 

Quote

In the cat-and-mouse game of computer security, rootkits are a powerful way to hide malicious code on a compromised computer where it is difficult to detect and remove.

As detection tools become more sophisticated, one researcher thinks that the BIOS may be the new frontier for rootkits.

“There are no tools now to audit your BIOS for a rootkit,” said John Heasman, principal security consultant for NGS Software Ltd. of the U.K. Heasman, speaking at the Black Hat Federal Briefings in Arlington, Va., described a proof of concept technique for placing a rootkit at such a low level on the computer’s system that it would survive reboots, reinstallation of operating systems and even replacement of the hard drive.


http://www.gcn.com/vol1_no1/daily-updates/38102-1.html

Newby
Re: Going beyond Kernel rootkits...
« Reply #1 on: January 27, 2006, 06:39:03 pm »
Would be hard to pull off I'd imagine.

Besides, if you could access the BIOS, why install a rootkit? Why not turn off fans and overclock the processor by a few hundred times (even if you can't) so that the CPU bursts into flames, costing the owner a few hundred (if not a thousand) bucks for a new processor.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Sidoh
Re: Going beyond Kernel rootkits...
« Reply #2 on: January 27, 2006, 06:50:49 pm »
Quote

Would be hard to pull off I'd imagine.

Besides, if you could access the BIOS, why install a rootkit? Why not turn off fans and overclock the processor by a few hundred times (even if you can't) so that the CPU bursts into flames, costing the owner a few hundred (if not a thousand) bucks for a new processor.

More often than not, the primary purpose of hacking (especially if the target is not premeditated) is to obtain something from the target, not cause the target agony.  That's hard to do when your computer is a smoking pile of goo.

Newby
Re: Going beyond Kernel rootkits...
« Reply #3 on: January 27, 2006, 07:32:06 pm »
So when people spread rootkits over AIM and such, the purpose is for specific stuff? I guess so, botnets are lovely. Just imagine your computer being a drone no matter what OS you are running. No matter how many times you reformat. :P

igimo1
Re: Going beyond Kernel rootkits...
« Reply #4 on: January 27, 2006, 07:33:12 pm »
Duh. Use EFI!

Nate
Re: Going beyond Kernel rootkits...
« Reply #5 on: January 27, 2006, 08:43:33 pm »
But then couldn't you just destroy it by resetting the CMOS jumpers or pulling the battery out?

iago
Re: Going beyond Kernel rootkits...
« Reply #6 on: January 27, 2006, 08:46:29 pm »
Quote

So when people spread rootkits over AIM and such, the purpose is for specific stuff? I guess so, botnets are lovely. Just imagine your computer being a drone no matter what OS you are running. No matter how many times you reformat. :P

The main use for rootkits is to be able to re-gain access to the computer at a later date for some specific purpose, like Sidoh said.  Worms and trojans that spread over AIM and such usually aren't rootkits. 

Quote

But then couldn't you just destroy it by resetting the CMOS jumpers or pulling the battery out?

Yes, if you could figure out that that was the problem.  You could also just update the BIOS, I think that would do it too. 

Eric
Re: Going beyond Kernel rootkits...
« Reply #7 on: January 27, 2006, 09:18:58 pm »
Quote

So when people spread rootkits over AIM and such, the purpose is for specific stuff? I guess so, botnets are lovely. Just imagine your computer being a drone no matter what OS you are running. No matter how many times you reformat. :P

The main use for rootkits is to be able to re-gain access to the computer at a later date for some specific purpose, like Sidoh said.  Worms and trojans that spread over AIM and such usually aren't rootkits. 

But then couldn't you just destroy it by resetting the CMOS jumpers or pulling the battery out?

Yes, if you could figure out that that was the problem.  You could also just update the BIOS, I think that would do it too. 

Since the BIOS is stored on EPROM isn't it erased and reprogrammed every time a setting is changed as well?

Warrior
Re: Going beyond Kernel rootkits...
« Reply #8 on: January 27, 2006, 09:24:43 pm »
iirc yes.
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Newby
Re: Going beyond Kernel rootkits...
« Reply #9 on: January 27, 2006, 09:26:50 pm »
Quote

Yes, if you could figure out that that was the problem.  You could also just update the BIOS, I think that would do it too. 

Since the BIOS is stored on EPROM isn't it erased and reprogrammed every time a setting is changed as well?

That is what I think iago meant. :P

Eric
Re: Going beyond Kernel rootkits...
« Reply #10 on: January 27, 2006, 09:36:51 pm »
Quote

Yes, if you could figure out that that was the problem.  You could also just update the BIOS, I think that would do it too. 

Since the BIOS is stored on EPROM isn't it erased and reprogrammed every time a setting is changed as well?

That is what I think iago meant. :P

Well, I figured he meant updated as in the BIOS software being updated, or flashed.  If that's not what he meant then this would only be of great use on systems which rarely undergo hardware updates and have long-lasting CMOS batteries.  Either way, the 5 year old BIOS on the IBM machine that I'm currently using as a gateway monitors changes to the BIOS & MBR, alerting me during POST if a change has been made, so it's hard for me to believe that BIOS checking would be difficult for anti-virus software companies to implement.

iago
Re: Going beyond Kernel rootkits...
« Reply #11 on: January 28, 2006, 03:34:43 am »
Hmm, if BIOS is stored on E2 then yeah, it would have to erase every time you changed a setting.  But you only have to erase E2 in sectors, not the whole thing.  Without knowing more about how it works, I have no idea if changing a setting would make a difference. 

But yeah, flashing it would definitely work. 

zorm
Re: Going beyond Kernel rootkits...
« Reply #12 on: January 29, 2006, 07:56:15 pm »
Quote

Hmm, if BIOS is stored on E2 then yeah, it would have to erase every time you changed a setting.  But you only have to erase E2 in sectors, not the whole thing.  Without knowing more about how it works, I have no idea if changing a setting would make a difference. 

But yeah, flashing it would definitely work. 

By the same token you'd have to flash the BIOS to get the "rootkit" in there anyhow? Otherwise every virus would take advantage of this. I'm led to believe that site sucks and those people have absolutely no clue what they are talking about.
"Frustra fit per plura quod potest fieri per pauciora"
- William of Ockham

deadly7
Re: Going beyond Kernel rootkits...
« Reply #13 on: January 29, 2006, 09:30:13 pm »
Quote

Hmm, if BIOS is stored on E2 then yeah, it would have to erase every time you changed a setting.  But you only have to erase E2 in sectors, not the whole thing.  Without knowing more about how it works, I have no idea if changing a setting would make a difference. 

But yeah, flashing it would definitely work. 

By the same token you'd have to flash the BIOS to get the "rootkit" in there anyhow? Otherwise every virus would take advantage of this. I'm led to believe that site sucks and those people have absolutely no clue what they are talking about.
Exactly what I was thinking.
And if you're stupid enough to download BIOS to flash from a website that's NOT your motherboard manufacturer's company, you suck at life and deserve the rootkit.
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

iago
Re: Going beyond Kernel rootkits...
« Reply #14 on: January 29, 2006, 10:48:45 pm »
Quote

Hmm, if BIOS is stored on E2 then yeah, it would have to erase every time you changed a setting.  But you only have to erase E2 in sectors, not the whole thing.  Without knowing more about how it works, I have no idea if changing a setting would make a difference. 

But yeah, flashing it would definitely work. 

By the same token you'd have to flash the BIOS to get the "rootkit" in there anyhow? Otherwise every virus would take advantage of this. I'm led to believe that site sucks and those people have absolutely no clue what they are talking about.

It would be difficult,  no question there.  They aren't calling it a "frontier" because it's a simple problem, because it's not. 

And actually, with (normal) e2, you can write 0's, you just can't write 1's.  So maybe, just maybe, it would be possible to encode a virus in the pre-existing data.  Who knows?  But IF it was possible, it would be difficult but very rewarding. 
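Two points in this thread come together in one defensive check: Eric's BIOS compares the firmware and MBR against a stored baseline at POST and alerts on any change, and iago's observation that EEPROM accepts 1-to-0 writes without an erase cycle describes how a change might be made, not whether a hash comparison catches it. The Python below is an added example, not code from this thread or from any BIOS vendor; it assumes a dumped firmware image is available as bytes (the image, the tamper patches and the baseline here are all constructed), compares the dump to the baseline by SHA-256, and, where bytes differ, counts 1-to-0 and 0-to-1 bit transitions so an analyst can tell a bit-clearing overwrite from a change that needed a full erase-and-flash.

```python
"""Firmware-image integrity check: compare a dumped BIOS image against a stored
baseline, the way a POST-time change monitor would, and classify which bit
transitions the change required.

Added example; not code from the thread or from any BIOS vendor.  The
firmware image below is a constructed stand-in for a real dump.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class IntegrityReport:
    baseline_sha256: str
    current_sha256: str
    changed_offsets: list   # byte offsets whose value differs from the baseline
    bits_set: int           # 0 -> 1 transitions: on EEPROM/flash these need an erase cycle
    bits_cleared: int       # 1 -> 0 transitions: possible by writing over existing data

    @property
    def modified(self) -> bool:
        return self.baseline_sha256 != self.current_sha256

    @property
    def erase_required(self) -> bool:
        """True if the change could not have been made by clearing bits alone."""
        return self.bits_set > 0


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_firmware_image(baseline: bytes, current: bytes) -> IntegrityReport:
    """Hash-compare two images and, where they differ, count bit transitions.

    The hash mismatch is the alert condition; the transition counts only tell
    the analyst what kind of write produced the change.
    """
    if len(baseline) != len(current):
        raise ValueError(f"image size mismatch: {len(baseline)} vs {len(current)} bytes")
    changed, bits_set, bits_cleared = [], 0, 0
    for offset, (old, new) in enumerate(zip(baseline, current)):
        if old != new:
            changed.append(offset)
            bits_set += bin(new & ~old & 0xFF).count("1")
            bits_cleared += bin(old & ~new & 0xFF).count("1")
    return IntegrityReport(sha256_hex(baseline), sha256_hex(current),
                           changed, bits_set, bits_cleared)


def apply_patches(image: bytes, patches: dict) -> bytes:
    """Return a copy of image with the given {offset: byte} overrides (test data only)."""
    buf = bytearray(image)
    for offset, value in patches.items():
        buf[offset] = value
    return bytes(buf)


# Constructed 512-byte stand-in for a dumped BIOS image (two runs of 0x00..0xFF).
BASELINE_IMAGE = bytes(range(256)) * 2

# Constructed tamper cases.  CLEAR_ONLY_PATCH flips bits only 1 -> 0 at three
# offsets; SET_BIT_PATCH flips one bit 0 -> 1 and so would need an erase cycle.
CLEAR_ONLY_PATCH = {255: 0x0F, 271: 0x01, 511: 0x00}
SET_BIT_PATCH = {0: 0x80}


def describe(report: IntegrityReport) -> str:
    if not report.modified:
        return "OK: image matches baseline"
    kind = "erase cycle required" if report.erase_required else "bit-clearing writes only"
    return (f"ALERT: {len(report.changed_offsets)} byte(s) changed "
            f"({report.bits_cleared} bits cleared, {report.bits_set} bits set; {kind})")


if __name__ == "__main__":
    cases = (("untouched", {}), ("clear-only", CLEAR_ONLY_PATCH), ("set-bit", SET_BIT_PATCH))
    for name, patch in cases:
        report = check_firmware_image(BASELINE_IMAGE, apply_patches(BASELINE_IMAGE, patch))
        print(f"{name:10s} {describe(report)}")
```

The hash comparison is the whole detection: a change made purely by clearing bits in place is exactly as visible to it as a full reflash. The transition counts are there for triage, since a report with zero set bits is consistent with an in-place overwrite of existing data, while any set bit means the relevant sector went through an erase cycle.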

zorm
Re: Going beyond Kernel rootkits...
« Reply #15 on: January 29, 2006, 11:11:18 pm »
Quote

It would be difficult, no question there.  They aren't calling it a "frontier" because it's a simple problem, because it's not. 

And actually, with (normal) e2, you can write 0's, you just can't write 1's.  So maybe, just maybe, it would be possible to encode a virus in the pre-existing data.  Who knows?  But IF it was possible, it would be difficult but very rewarding. 

The BIOS has been around forever, I suspect that if it was actually possible to do something evil with it, it would have been done by now. Consider bootsector viruses for example.

Also, how rewarding would something like this actually be? I'd imagine detecting OS, finding network drivers/apis to take advantage of them would be extremely difficult and not worth the effort.
« Last Edit: January 30, 2006, 12:36:34 am by zorm »

iago
Re: Going beyond Kernel rootkits...
« Reply #16 on: January 30, 2006, 12:13:49 am »
Quote

It would be difficult, no question there.  They aren't calling it a "frontier" because it's a simple problem, because it's not. 

And actually, with (normal) e2, you can write 0's, you just can't write 1's.  So maybe, just maybe, it would be possible to encode a virus in the pre-existing data.  Who knows?  But IF it was possible, it would be difficult but very rewarding. 

The BIOS has been around forever, I suspect that if it was actually possible to do something evil with it, it would have been done by now. Consider bootsector viruses for example.

Also, how rewarding would something like this actually be? I'd imagine detecting OS, finding network drivers/apis to take advantage of them would be extremely difficult and not worth the effort.

True; I suppose it depends on what you actually want to do.