Author Topic: BIOS/Firmware malware detection and removing - best ways to achieve  (Read 18475 times)

Offline HeffeD

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 6827
Re: BIOS/Firmware malware detection and removing - best ways to achieve
« Reply #15 on: July 05, 2012, 06:20:40 PM »
Quote
It is possible to flash the BIOS from within Windows, and does not need to run in DOS mode, and that could be an attack vector.

I haven't seen that yet. Thanks Eric.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 19721
Re: BIOS/Firmware malware detection and removing - best ways to achieve
« Reply #16 on: July 05, 2012, 06:53:47 PM »
I have flashed my BIOS like that on MSI and Asus motherboards. It's convenient but only works with flash protection disabled of course.

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11917
Re: BIOS/Firmware malware detection and removing - best ways to achieve
« Reply #17 on: July 05, 2012, 09:50:49 PM »
So I would think that the methods I suggest in How to Know If Your Computer Is Infected would be able to detect malware like this, at least indirectly. I believe it should be able to detect the malware, or processes, spawned by such malware.

Can anyone comment on if they think this would be the case?

Thanks.

Offline cricket

  • Comodo Loves me
  • ****
  • Posts: 105
Re: BIOS/Firmware malware detection and removing - best ways to achieve
« Reply #18 on: July 06, 2012, 03:41:07 AM »
Quote
A BIOS update can't be made while Windows is open. So at the very least, (on the newest machines) after the update files have been downloaded, your machine will reboot, the BIOS flash utility will run in DOS mode, then the machine will reboot again and load Windows.

At the very most, (older machines) you will need to place the update files on external media and boot from it to run the updater.

I think even the most novice of users would find a BIOS flashing operation to be a bit suspicious...  ;)

Check out @BIOS, a tool for Gigabyte motherboards. I've used it a few times, and I remember well that indeed after BIOS flashing the user is forced to reboot, but there's no DOS mode needed to finish the re-flashing operation.

So heading this way, a rootkit can re-flash the BIOS, then spoof the Windows Update process (like the Flame worm did) and compel the user into thinking that a new critical update is available, so he should install it (probably downloading some worms or trojans which the freshly installed rootkit will hide) and then reboot the PC, to finish the BIOS infection process.

That's my scenario.
« Last Edit: July 06, 2012, 03:45:02 AM by cricket »

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 19721
Re: BIOS/Firmware malware detection and removing - best ways to achieve
« Reply #19 on: July 06, 2012, 09:19:19 AM »
Microsoft upped the security of Windows Update so it would be very hard to abuse that now. More important is to make sure the BIOS has flash protection enabled. That puts an end to it.

Offline cricket

  • Comodo Loves me
  • ****
  • Posts: 105
Re: BIOS/Firmware malware detection and removing - best ways to achieve
« Reply #20 on: July 06, 2012, 01:08:40 PM »
Quote
Microsoft upped the security of Windows Update so it would be very hard to abuse that now.

Very hard, but not impossible.

Quote
More important is to make sure the BIOS has flash protection enabled. That puts an end to it.

That's it. But new generations of firmware, like UEFI, are increasing the risk of infection - this is defective by design, because UEFI is meant to freely allow people to do the same work as on a normal OS, i.e. browsing the Internet, watching movies, writing emails. This will lead to more dangerous threats than there are nowadays.


So we came to a potential solution for securing a PC against BIOS malware - enabling flash protection.
Removing a suspected (but maybe fictive) infection also seems very easy - completely reflash the entire hardware. Also the user can copy the existing infected firmware image and send it to an AV lab; maybe they will find something.

But how can we secure other hardware firmware against this type of infection? Older models of HDDs or graphics cards etc. don't have any flash protection, I bet. Some new hardware can also be devoid of such protection.

Also, we still don't know how to detect such almost perfectly hidden malware. Currently available tools could fail trying to detect it.
So it seems that the easiest way (and the hardest at the same time) is to observe your own PC, hack it hard and, if necessary, develop your own tools for such a task.

This solution isn't what newbies are expecting.

Offline cricket

  • Comodo Loves me
  • ****
  • Posts: 105
Re: BIOS/Firmware malware detection and removing - best ways to achieve
« Reply #21 on: July 06, 2012, 04:00:18 PM »
I forgot about the Niwa!mem BIOSkit, probably some modification of the Mebromi BIOSkit.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 19721
Re: BIOS/Firmware malware detection and removing - best ways to achieve
« Reply #22 on: July 07, 2012, 07:52:17 AM »
Quote
Very hard, but not impossible.
Basically everything will break when pushed hard enough. 100% security does not exist.

Quote
That's it. But new generations of firmware, like UEFI, are increasing the risk of infection - this is defective by design, because UEFI is meant to freely allow people to do the same work as on a normal OS, i.e. browsing the Internet, watching movies, writing emails. This will lead to more dangerous threats than there are nowadays.

So we came to a potential solution for securing a PC against BIOS malware - enabling flash protection.
UEFI and BIOS are not the same.
Quote
Removing a suspected (but maybe fictive) infection also seems very easy - completely reflash the entire hardware. Also the user can copy the existing infected firmware image and send it to an AV lab; maybe they will find something.

But how can we secure other hardware firmware against this type of infection? Older models of HDDs or graphics cards etc. don't have any flash protection, I bet.
You bet? So this danger may not even exist!
Quote
Some new hardware can also be devoid of such protection.
Again speculation. You're just scaring yourself with unsubstantiated scenarios.

Quote
Also, we still don't know how to detect such almost perfectly hidden malware. Currently available tools could fail trying to detect it.
So it seems that the easiest way (and the hardest at the same time) is to observe your own PC, hack it hard and, if necessary, develop your own tools for such a task.
Not everybody has the time or capabilities to do this.

Quote
This solution isn't what newbies are expecting.
Time will tell.


Quote
I forgot about the Niwa!mem BIOSkit, probably some modification of the Mebromi BIOSkit.
Mebromi needs kernel access to be able to infect the BIOS. An unknown program will never get kernel access with CIS. CIS will protect you from it.
« Last Edit: July 07, 2012, 07:56:07 AM by EricJH »

Offline cricket

  • Comodo Loves me
  • ****
  • Posts: 105
Re: BIOS/Firmware malware detection and removing - best ways to achieve
« Reply #23 on: July 07, 2012, 08:15:31 AM »
Quote
Mebromi needs kernel access to be able to infect the BIOS. An unknown program will never get kernel access with CIS. CIS will protect you from it.

And what if the rootkit spreads through drive-by downloads, using 0-days against Windows kernel protection and eventually a few Internet Security systems, like Comodo :>
Then what?

Offline HeffeD

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 6827
Re: BIOS/Firmware malware detection and removing - best ways to achieve
« Reply #24 on: July 07, 2012, 12:51:26 PM »
Let's say that someone has actually managed to create a successfully propagating BIOS malware (which hasn't actually happened yet).

How exactly would any security software be able to do anything about it, even if the software was able to detect the malware? It couldn't repair or disinfect the BIOS. The only way to fix it would be to flash your BIOS again with a clean version.

As I've already stated, the BIOS is very specific to your system's motherboard and chipset. We can't possibly expect a security solution to have a copy of every BIOS setup in the world.

The very best we could expect would be a message that states you have a suspected BIOS issue, and you should visit your motherboard manufacturer's website to download a clean BIOS version...
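The "suspected BIOS issue" message described in this post is about all a generic tool can do, and the way to reach it without shipping every BIOS in the world is to compare a dump of the machine's own firmware against the vendor's published image for that exact board. The script below is an added illustration written for this thread, not code from any poster or from Comodo. It assumes the user has already obtained a raw dump of the SPI flash with the vendor's flash utility (or a hardware programmer) and downloaded the matching vendor image plus its SHA-256 digest; the 4 KiB block size and the two sample "images" are constructed here so the example runs offline, they are not real firmware.

```python
import hashlib
import random
from typing import List, Tuple

# Flash parts are usually erased and written in 4 KiB blocks, so differences
# are reported at that granularity (an assumption for this example).
BLOCK_SIZE = 4096


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a firmware image (vendors commonly publish such a digest)."""
    return hashlib.sha256(data).hexdigest()


def image_matches_reference(dump: bytes, reference_sha256: str) -> bool:
    """True when the dumped image hashes to the published digest of the vendor image."""
    return sha256_hex(dump) == reference_sha256.strip().lower()


def find_modified_regions(reference: bytes, dump: bytes,
                          block_size: int = BLOCK_SIZE) -> List[Tuple[int, int]]:
    """Return (offset, length) runs of blocks where the dump differs from the reference.

    Adjacent differing blocks are merged into one region.  If one image is
    shorter (a truncated dump, a resized image), the missing tail is reported
    as a difference rather than silently ignored.
    """
    total = max(len(reference), len(dump))
    regions: List[Tuple[int, int]] = []
    run_start = None
    for offset in range(0, total, block_size):
        # Slicing past the end yields b'', so a missing tail compares as different.
        differs = reference[offset:offset + block_size] != dump[offset:offset + block_size]
        if differs and run_start is None:
            run_start = offset
        elif not differs and run_start is not None:
            regions.append((run_start, offset - run_start))
            run_start = None
    if run_start is not None:
        regions.append((run_start, total - run_start))
    return regions


def describe(regions: List[Tuple[int, int]]) -> List[str]:
    """Human-readable report lines, one per modified region."""
    if not regions:
        return ["image matches reference"]
    return [f"modified: offset 0x{off:06X}, length 0x{length:X}" for off, length in regions]


def build_sample_images() -> Tuple[bytes, bytes]:
    """Constructed sample data: a pseudo-random 64 KiB 'vendor image' and a copy
    tampered in three places.  Not real firmware."""
    rng = random.Random(2012)
    reference = bytes(rng.getrandbits(8) for _ in range(16 * BLOCK_SIZE))
    tampered = bytearray(reference)
    for lo, hi in ((0x1000, 0x1010),     # inside block 1
                   (0x5FF0, 0x6010),     # straddles blocks 5 and 6 -> one merged region
                   (0xF000, 0xF004)):    # inside block 15
        for i in range(lo, hi):
            tampered[i] ^= 0xFF         # XOR 0xFF guarantees the byte changes
    return reference, bytes(tampered)


if __name__ == "__main__":
    ref, dump = build_sample_images()
    print("digest ok:", image_matches_reference(dump, sha256_hex(ref)))
    for line in describe(find_modified_regions(ref, dump)):
        print(line)
```

The digest check answers the only question a generic tool can answer ("is this byte-for-byte the vendor image?"); the region list is what you would hand to an AV lab together with the dump, since it tells them where to look. A legitimate mismatch is possible (NVRAM variables, boot entries and some logs live in the same flash part), so regions that fall inside the image's variable store are expected and the interesting ones are those inside the code volumes.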

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 19721
Re: BIOS/Firmware malware detection and removing - best ways to achieve
« Reply #25 on: July 07, 2012, 03:56:49 PM »
Quote
And what if the rootkit spreads through drive-by downloads, using 0-days against Windows kernel protection and eventually a few Internet Security systems, like Comodo :>
Then what?
Then there is a big chance the BO protection will catch it.

Offline cricket

  • Comodo Loves me
  • ****
  • Posts: 105
Re: BIOS/Firmware malware detection and removing - best ways to achieve
« Reply #26 on: July 14, 2012, 04:47:05 PM »
Just performed Google search for query "scan firmware for malware". First result is Symantec's patent number 7870394: Method and system to scan firmware for malware. Looks like not only McAfee is preparing firmware protection/disinfection system against firmware malware ;>

Offline jay2007tech

  • Malware Research Group
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 2026
Re: BIOS/Firmware malware detection and removing - best ways to achieve
« Reply #27 on: July 24, 2012, 12:47:44 PM »
Quote
that kernel rootkit can easily spoof drivers processes so it won't be so easy to detect it
Agreed. Regardless of how sophisticated a rootkit is, you still need a dropper. The other way would be to have physical access to your machine.
It's hard being a crooked admin when the files won't pass an MD5 checksum test. But like any other good crooked admin it can be done; it just takes time (and lots of it) and a few aspirins.

Offline cricket

  • Comodo Loves me
  • ****
  • Posts: 105
Re: BIOS/Firmware malware detection and removing - best ways to achieve
« Reply #28 on: August 07, 2012, 07:01:07 AM »
New stuff on the block -> Rakshasa hardware backdoor.

Quote
[...]Rakshasa replaces the motherboard BIOS, but can also infect the PCI firmware of other peripheral devices like network cards or CD-ROMs, in order to achieve a high degree of redundancy.

[...]

All of these components have been modified so they don't display anything that could give their presence away during the booting process. Coreboot even supports custom splashscreens that can mimic the ones of the replaced BIOSes.[...]

And this is very creepy:

Quote
[...]Rakshasa was built with open source software. It replaces the vendor-supplied BIOS with a combination of Coreboot and SeaBIOS, alternatives that work on a variety of motherboards from different manufacturers, and also writes an open source network boot firmware called iPXE to the computer's network card.[...]

Meeen...life is getting tough..
