BIOS/Firmware malware detection and removal - best ways to achieve it

Does anyone know the best ways of detecting and removing firmware malware?
Rootkits that are able to flash themselves into, e.g., the BIOS and survive a long time of pleasant undetection by basic AV software?

Are there tools for detecting such malware? I know that the easiest way is to just re-flash the BIOS and firmware using another (potentially clean) PC, but what if someone doesn’t have another PC at the time?

I bet that using popular tools won’t give a chance of detecting such pests. So what to do?

Curiosity or suspected infection? I ask only because of where you’ve created this topic. :slight_smile:

Both…

I too wanna know about this.

Interesting.

I assume you’d be able to see problems with other tools which would tell you that something isn’t right, as the idea would be to keep putting more on the computer, but I’d be interested to know if there’s a better way.

I believe it is very difficult to sensibly detect firmware rootkits (which is what I assume is meant here) from within an OS like Windows. However, fortunately, a rootkit like this usually has to go through the kernel to get anywhere else, and it can be detected at that point. In addition, as far as I understand, these types of rootkits are most often just a delivery system for something else… and that something else is often very much detectable, as it is usually just normal software (malware or otherwise).

I would suspect that a primary indication of a firmware rootkit infection would be repeated infection by more common types of malware without any apparent vector (i.e. the means by which the common type of infection was delivered to the suspect system).

Why do you suspect such a rootkit cricket?

Hey Kail,

I wanna know this because I tested lots of malware on my real system with CTM 2.9 Beta installed. Now, as you know, there are rootkits/malware which bypass CTM.

Now I have formatted the system and installed the OS again. No problems, and multiple scanners found nothing on this newly formatted and reinstalled system.

But whenever I boot the system, with or without any security software, the system is sometimes slow for approx. 2-3 min. I don’t have any autorun entries: msconfig > Startup - nothing is enabled.

I ran checkdisk too; everything is fine, no problems with the hard disk. Not much software on this system either, so free hard disk space is also good.

No scheduled jobs either.

I don’t know why the system is sometimes slow for 2-3 min after boot.

So I thought it might be this type of infection.

Hi Naren

I think it would be best to create your own topic on this… otherwise you’re hijacking cricket’s topic, as these are likely to be different circumstances (at the very least). :slight_smile:

In short, I too wanna know what Cricket wants to know.

Fair enough. But, posting your own issues here probably isn’t the best way to go about that. :slight_smile:

Yes, you assumed well.

Yes, they serve as an “unseen” delivery system, but they can also hide themselves and their operations. Remember that a kernel rootkit can easily spoof drivers and processes, so it won’t be so easy to detect. But a hardware rootkit is much more complicated, because a normal anti-malware scanner can’t scan hardware for viruses etc. - it doesn’t have permission. So such a rootkit stays completely hidden and can keep smuggling different types of malware onto one’s HDD.

Yes, that’s it. But one does not simply infect a system with some ■■■■ malware. I bet such infections would be diagnosed with a huge delay, when the criminal has already collected precious data from our PC.
Another scenario is that our PC was part of a botnet and, after a completed (or partly completed) mission, the malware started to self-destruct, like the Flame worm did.

As you all know, some governments have direct access to Microsoft software source code - I know that the USA has, and I bet China, Russia and Israel also do. Those same governments can also have access to the firmware sources of hardware manufacturers. So, having the source code, a huge team of specialists and a lot of money and military power, one is simply able to develop such a rootkit, which can install next to the firmware, hide and wait for commands. Or even if a government won’t develop it, some underground black hats can.

I’ve searched through the internet and didn’t find any tool that could prevent or diagnose hardware malware. So it looks like everyone has to develop such a tool on their own, though…

The best solution for getting rid of such malware (even if we don’t know whether we’re indeed infected, or it’s just our paranoid mind telling us that something’s not good) is to re-flash the whole firmware of our PC (standby PC) using another PC which we recognize as clean and healthy. But what if it’s not clean?

Or what are we going to do if our hardware manufacturer’s servers were attacked last week and the attackers bound some sh*t to the firmware builds?

  1. Paranoid mind,
  2. The first BIOS malware was CIH, from the year 1998. That was almost 14 years ago. You think that since then only a few black hats have learned to implement such infection techniques? :o
  3. I used to download music or movies from torrents sometimes - what if someone added a “hard-to-detect surprise”?

Check the Black Hat 2006 presentations by John Heasman: Implementing and Detecting an ACPI BIOS Rootkit and Implementing and Detecting a PCI Rootkit - I bet these two helped a lot of those who want to own boxes.
Be sure to read about Joanna Rutkowska’s “Blue Pill” rootkit.

At the moment that’s all I can write about…

Cheers

It’s not that people don’t know how to do it, it’s just that as an infection vector, it just doesn’t make much sense.

BIOS firmware is very specific to a given machine’s motherboard/chipset. This means a lot of time is going to be spent by the malware author writing very specific code that is only going to affect a very small subset of the machines out there. The payoff just isn’t there.

The only way this is even slightly viable is if the malware author knows where there is a large number of machines with identical hardware (like a corporate environment).

And even then, flashing the BIOS isn’t an invisible operation. Chances are really good that the user is going to see this occurring, know it isn’t normal operation of their machine, and likely turn it off during the procedure (most likely bricking the machine).

This is why most instances of BIOS malware are merely proof-of-concept. BIOS malware continues to be extremely rare in the wild, even though as you’ve pointed out, the concept has been around for years.

Hmm… I haven’t experienced a live controlled infection by BIOS-targeted malware - by controlled I mean in a security research lab - but I don’t think that a well-developed rootkit would show the PC user what it’s doing during the infection process.

I bet the average person wouldn’t even notice anything suspicious (maybe even an expert would see nothing until they start thoroughly searching through the system) while such a rootkit starts installing on the system, then flashes next to the BIOS and downloads other malware.

Also, no HIDS or HIPS can be useful if such a rootkit appears on one’s system - it will simply be unreachable for an anti-malware scanner.

I have a question for the Comodo Malware Research Group and Comodo Dev Team: what’s your opinion on McAfee DeepSAFE?
I know that’s good marketing, but it’s also proof that Intel knows about this problem and treats it as a serious threat. I bet other security software vendors started developing the same technologies some time ago, but don’t want to admit it.

A BIOS update can’t be made while Windows is running. So at the very least (on the newest machines), after the update files have been downloaded, your machine will reboot, the BIOS flash utility will run in DOS mode, then the machine will reboot again and load Windows.

At the very most (older machines), you will need to place the update files on external media and boot from it to run the updater.

I think even the most novice of users would find a BIOS flashing operation to be a bit suspicious… :wink:

To take a different angle here: it is possible to flash the BIOS from within Windows; it does not need to run in DOS mode, and that could be an attack vector. However, a BIOS usually has flash protection. With that enabled, I cannot run a BIOS flash from within Windows.

I guess a way of detecting it could be to make a dump of the BIOS to a .bin file (DOS-based flash tools are capable of doing that for backup purposes) and then compare its hash to the hash of the .bin file downloaded directly from the manufacturer’s web site.

I am not familiar with the process of making a backup of the BIOS, but maybe it would be necessary to first reset the BIOS to defaults before making the backup.
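The dump-and-compare idea above, as an added example that is not from this thread: a whole-image hash settles the "identical or not" question, and on a mismatch a block-wise comparison shows where the dump deviates from the vendor image, so a settings/NVRAM area that legitimately varies can be separated from unexpected changes in code regions. The sample images, the 4 KiB block size and the NVRAM range are constructed assumptions; with a real dump, the reference must be the same firmware version and cover the same flash region.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed 4 KiB blocks, a common flash erase-block size


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_spans(dump: bytes, reference: bytes, block_size: int = BLOCK_SIZE):
    """Merged (start, end) byte spans whose blocks differ; a size mismatch is reported as one tail span."""
    if len(dump) != len(reference):
        return [(min(len(dump), len(reference)), max(len(dump), len(reference)))]
    spans = []
    for off in range(0, len(dump), block_size):
        end = min(off + block_size, len(dump))
        if dump[off:end] != reference[off:end]:
            if spans and spans[-1][1] == off:      # extend the previous contiguous span
                spans[-1] = (spans[-1][0], end)
            else:
                spans.append((off, end))
    return spans


def check_dump(dump: bytes, reference: bytes, expected_variable=()):
    """Whole-image hashes plus differing spans outside the (start, end) ranges expected to vary (e.g. NVRAM)."""
    spans = differing_spans(dump, reference)
    unexpected = [s for s in spans
                  if not any(lo <= s[0] and s[1] <= hi for lo, hi in expected_variable)]
    return {
        "dump_sha256": sha256_hex(dump),
        "reference_sha256": sha256_hex(reference),
        "hash_match": not spans,
        "unexpected_spans": unexpected,
    }


# --- constructed sample data (not real firmware) ---------------------------------
REFERENCE = bytes(range(256)) * 256                 # 64 KiB stand-in for the vendor .bin
NVRAM_AREA = (0x8000, 0xC000)                       # assumed settings region allowed to vary
patched = bytearray(REFERENCE)
patched[0x9000:0x9004] = b"\x01\x02\x03\x04"        # benign: user settings inside NVRAM_AREA
patched[0x2000:0x2008] = b"\xde\xad\xbe\xef" * 2    # suspicious: change inside a code region
DUMP = bytes(patched)

if __name__ == "__main__":
    result = check_dump(DUMP, REFERENCE, expected_variable=[NVRAM_AREA])
    print("whole-image hash match:", result["hash_match"])
    for start, end in result["unexpected_spans"]:
        print(f"unexpected difference at 0x{start:05X}-0x{end:05X}")
```

A clean dump (hash match) is the only result that needs no further look; an unexpected span is a reason to re-flash from trusted media, not proof of infection on its own, since the page's own caveat about non-default settings still applies.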

I haven’t seen that yet. Thanks Eric.

I have flashed my BIOS like that on MSI and Asus motherboards. It’s convenient but only works with flash protection disabled of course.

So I would think that the methods I suggest in How to Know If Your Computer Is Infected would be able to detect malware like this, at least indirectly. I believe it should be able to detect the malware, or processes, spawned by such malware.

Can anyone comment on whether they think this would be the case?

Thanks.

Check out @BIOS, a tool for Gigabyte motherboards. I’ve used it a few times, and I remember well that after BIOS flashing the user is indeed forced to reboot, but no DOS mode is needed to finish the re-flashing operation.

So heading this way, a rootkit can re-flash the BIOS, then spoof the Windows Update process (like the Flame worm did) and lead the user to think that a new critical update is available which he should install (probably downloading some worms or trojans which the freshly installed rootkit will hide), and then reboot the PC to finish the BIOS infection process.

That’s my scenario.

Microsoft upped the security of Windows Update, so it would be very hard to abuse that now. More important is to make sure the BIOS has flash protection enabled. That puts an end to it.