
End of the World As We Know It – Demo - BIOS Attack That Survives Wiping Disk

This is the sort of thing that comes along every once in a while, and should make all security researchers kick up their game a few notches. When an attacker can compromise a machine so thoroughly that wiping a hard disk (or replacing it) can still leave the machine compromised, it is time for us all to worry.

Though I’m certain that some very specific circumstances must be met, the very fact that under a single circumstance this can happen should be very sobering to anyone who cares about their data. Also, once this gets out – and it will, things rarely stay secret long – lots of problems will be developing. This is the sort of problem that will cause a real and literal meltdown – users infected will simply not trust their machines, and we’ll start seeing entire PCs going into a molten pool, like the character Arnold played in T2.

from ZDNet -

A pair of Argentinian researchers have found a way to perform a BIOS level malware attack capable of surviving even a hard-disk wipe.

The researchers — Alfredo Ortega and Anibal Sacco from Core Security Technologies — used the stage at last week’s CanSecWest conference to demonstrate methods (see the slides, PDF) for infecting the BIOS with persistent code that will survive reboots and reflashing attempts. The technique includes patching the BIOS with a small bit of code that gave them complete control of the machine. The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player.

According to this Dennis Fisher report:

“It was very easy. We can put the code wherever we want,” said Ortega. “We’re not using a vulnerability in any way. I’m not sure if you understand the impact of this. We can reinfect the BIOS every time it reboots.”

Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope. But the methods are deadly effective and the pair are currently working on a BIOS rootkit to implement the attack.

“We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable anti-virus,” Ortega said.

Rob Lemos at SecurityFocus explains that the attack method requires the use of a machine that’s already compromised but the scary part is that it completely prevents a defender from easily deleting an attacker’s program or rootkit.

“You can remove the hard drive, trash it, and even reinstall the operating system,” Sacco said. “This will still reinstall the rootkit.”

Back in 2006, NGSS researcher John Heasman found a way to use a PCI device to plant an offensive rootkit on Windows machines. Here’s a link to Heasman’s paper: Implementing and Detecting a PCI Rootkit (.pdf).

News like this should make most of us glad that this type of threat is not something that needs to be dealt with every day.

If this ever becomes widespread, people will flock to less popular, and therefore not yet compromised platforms. It could certainly change the face of computing. Looking at the claim, however, what would that platform be? Easily compromising Windows, OpenBSD, and a virtual machine makes the choices slim, as all of those cover the largest sector of the market today.

The market for used Amigas just went up a great deal!


5 Comments

Quotes for today…

When an attacker can compromise a machine so thoroughly that wiping a hard disk (or replacing it) can still leave the[...]…

Hello,

So, basically motherboard manufacturers need to increase their BOM by $0.05 by adding a write-enable switch to the write line on the BIOS EEPROM.

Regards,

Aryeh Goretsky

Why would anyone “research” ways of corrupting and crippling computers? Wouldn’t the time be better spent productively?

Aryeh, I got the feeling that these guys might have gotten around that, too.

Even so, if rootkits can be hidden in PCI cards, do we make everything read-only? How will that change the way things are done, other than make things more difficult to deal with in general?

I think that at least, if this gets into the wild, we will start seeing a completely different way of updating firmware, with advanced built-in memory checks before the first byte is ever written to an EEPROM.
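The kind of check the reply above has in mind, as an added example that is not part of the original post or the researchers' work: before an image is written to the BIOS flash, its hash is compared against a vendor-published value, and a dump of the flash is compared block by block against a known-good copy so a modified region can be located. The 4 KiB block size, the "vendor image" bytes and the tampered dump are all constructed for this example.

```python
import hashlib
import hmac

# 4 KiB is a common SPI flash erase-block size; a constructed choice for this example.
BLOCK_SIZE = 4096


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a firmware image or flash dump."""
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Gate a flash write on the image matching its published hash.

    compare_digest avoids a timing side channel; the hash itself must come
    from a trusted out-of-band source (vendor page, signed manifest).
    """
    return hmac.compare_digest(sha256_hex(image), expected_sha256.lower())


def diff_blocks(baseline: bytes, dump: bytes, block_size: int = BLOCK_SIZE) -> list[int]:
    """Return the byte offsets of every block in `dump` that differs from `baseline`.

    Used to localise a modification in a flash dump; an empty list means the
    dump is byte-identical to the known-good image.
    """
    if len(baseline) != len(dump):
        raise ValueError(f"size mismatch: baseline {len(baseline)} bytes, dump {len(dump)} bytes")
    return [
        off
        for off in range(0, len(baseline), block_size)
        if baseline[off:off + block_size] != dump[off:off + block_size]
    ]


# Constructed 16 KiB "vendor image" standing in for a real BIOS region.
KNOWN_GOOD = bytes(range(256)) * 64
KNOWN_GOOD_SHA256 = sha256_hex(KNOWN_GOOD)


def make_tampered_dump() -> bytes:
    """Constructed dump with eight bytes altered inside the second 4 KiB block."""
    d = bytearray(KNOWN_GOOD)
    d[0x1800:0x1808] = b"\x90" * 8
    return bytes(d)


if __name__ == "__main__":
    dump = make_tampered_dump()
    print("update image accepted:", verify_image(KNOWN_GOOD, KNOWN_GOOD_SHA256))
    print("tampered dump accepted:", verify_image(dump, KNOWN_GOOD_SHA256))
    print("modified block offsets:", [hex(o) for o in diff_blocks(KNOWN_GOOD, dump)])
```

The comparison is only as good as the dump: a flash image read through a compromised OS or BIOS can be faked, so the baseline comparison belongs with a dump taken by an external programmer, or inside a firmware update routine that runs before any write, which is exactly the placement the comment suggests.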

Buffet,

People would research this to learn. Just as any car manufacturer would crash test their cars to learn the implications of a crash. The primary motivation is to find the vulnerabilities so that you can develop a fix for them rather than sit around and hope that someone doesn’t find the vulnerability.
