Checkmating Antivirus with BIOSkits

http://mason.gmu.edu/~msherif/isa564/fall11/projects/bios.pdf

Check out the aforementioned link. This new secuirty threat has been known for years, but not really prevalent due to some limiting factors, but I think we're coming upon a time where more is now possible. So far, researchers have only gone as far to say that Award bios chips are the only that are a vunerable. I believe the capabilities are already beyond one chip manufacturer existing "in the wild." Maybe not as a widespread problem to the mainstream (yet), but the topic has been awfully quiet between the AV industry/researchers and the talking radio heads/bloggers (Like Steve Gibson).

I do not know how long ago the paper before was written, but I would disagree with the statements that an attacker must physically access the victim computer, and furthermore, being able to aquire the relavent computer specs would be a challenge. Take file sharing for example. Although the moral of the example appears evident, there's no denying that an abundance of the non-technologically inclined population are dumber than my Space Bar key. An attacker not only has my ip address that I'm leeching files from, but he or she is also putting those files on my computer. Me (hypothetically speaking) being the ignorant cyber-pirate happy to receive my copy of illegal software thinks nothing of the sender or the received content. I simply unzip the file and notice a strange .info file along with the federal offensive material I sought to illegally acquire. Well, the .info file actually stored my computer specifications right down the the Bios version, but delivering the information back to the attacker hasn't happend just yet. Carelessly, I (the unintelligent cyber theif) install a package of files that I have no idea goes where, but all I know is that my five finger discount software will run! Well, now that software has Trojan type back doors and a dialer back to the attacker's proxy address that returns the results of that .info file...

Should the attacker have an established way back to the victim computer (via router firmware exploits, open ports, or simply already a permanent residence to my computer), then he or she can flash my bios via a delivered payload that begins the process of the above reading. I assert that the respective bios chip may not have to be the correct version or perhaps even the complete vendor. In the words of Gene Kranz, Flight Director of Apollo 13, "I don't give a damn about what it's built to do, I only care about what it can do." Alot of that what he said is in line with the thinking of hackers, programmers, and information security professionals. A computer with WinXP Service Pack 1 won't BSoD the computer... It will only give you more space to put other things than Servicepack 3. Moreover, just because an iPad was built for Apple's iOS doesn't mean that the hardware won't run Android (despite the fact they both operate under a Linux kernel).

Anyhow, back to our file sharing example... It is indeed possible to bypass the authors' mitigation advice today, but we might not see BIOSkits blow up as the 2012 dilemma of 2012 for three reasons I think. First, the capabilities have long been realized, but never really possible until recently in the past few years. Companies who recover Stolen laptops for businesses have used proprietary software that call home when hooked into the Internet, and it was capable of deployment to the HDD from the BIOS ROM/EEPROM. These businesses kept the knowledge under wraps to increase their ROI within the product life cycle, and I believe the few in the malware industry capable of deploying multiple forms of this malware are doing the same. This is probably why we haven't seen the wide spread "Windows 7 Anti-virus" that survives HDD reformats or its accompanying "How to" remove guide on Yahoo Answers. Secondly, the emerging UEFI systems may have the answer to this emerging threat, but I don't expect see the average user making the investment until after the damage is done to their computer. Lastly, and perhaps more troubling, is the silence regarding the topic from the mobo and AV industry. This is a really big problem for the AV industry in particular because any type of solution that checks and cleans the BIOS could yield as much negative result as the user implementing it themselves (I.e. a bricked Mobo). Mcafee recently went public with their findings of a BIOSkit sample that was a variant of the one found months before by the Chinese, but the other industry leaders have largely left the topic ignored. I think any acknowledgement from the AV industry as a whole will either be on the heels of a solution for this in their next product release, or a finger pointing festival at the mobo manufactures and/or OS manufactures.

Overall, I see this As a viable threat that could possibly be more prevalent in the wild than Recent publications have mentioned. It's great to speculate about now because this is something Norton, Mcafee, and Kaspersky really have no answer too, and if the malware industry had a place on Wall Street, then I'd be buying their stock right now. "HIDE YO KIDS! HIDE YO WIFE!"

Yes, this is indeed the latest threat. Came across one recently and finally solved it;

At first i cleaned a customers laptop from virusses and spyware with all the usual progams (combofix, mbam, roguekiller, otl, KAV resue disk, msert, rootrepeal, gmer, aswmbr, tdsskiller, emsisoft kit, etc), but after 2 reboots the virus had infected autochk.exe again.

I finally got a bit desparate and reinstalled Vista through the recovery partition (it's an asus laptop K50IN series). Guess what, 2 reboots and Combofix reported that autochk.exe was infected again!!
The laptop is in a tightly secured LAN and hacks through a $ADMIN share can be excluded.

Now i got even more desparate ) I ended up deleting all partitions on the disk and did a clean install with my official vista DVD. And again, 2 reboots later the laptop was infected again!
I then repeated this with a brand new harddisk and an install from an official DVD but still the virus came back.

So: Brand new harddisk, official Vista DVD, no usb sticks or whatever in the laptop and still after 2 reboots Combofix reported autochk.exe as infected.

At this point i was left with 2 possible causes; Either Combofix reported a virus incorrectly or the machine was infected through bios. Now i highly trust Combofix and on the other hand a bios virus has last been seen by me back in 1999 (tsjernobyl virus).

So i took out the infected disk, downloaded the latest bios on a clean PC and saved it on a new usb stick. Booted the infected laptop and went into the bios (with F2 key), started the Easy Flash utily from there and flashed the bios. I attached the infected disk as a usb disk to a clean computer and removed all partitions. Next i placed the empty disk into the laptop and reinstalled Vista from DVD.

The laptop has been fully installed now (all updates and software needed) and i've again scanned it with all programs mentioned before. And now it's finally clean and it stays clean, no matter how many reboots

My conclusion is that the laptop was indeed infected with a bios virus, in a very very sophisticated way.

Just wanted to share this with you cause bios virusses are rare and undetectable themselves. if you want more info feel free to e-mail me.

Jaapm

Nice post bit monkey, the "Five finger discount" attitude to software and media is absolutely the crux of the problem, it appears the issues of delivering a payload to the "Super root" space the bios allows access to has already been thought about.
The issue from a hackers point of view is very simple, provide something for nothing a lot of people want, something that would require a user to willingly confer access to the Bios space.
Hey presto, a WINDOWS 7 BOOTLOADER, Literally tens of thousands of people have willingly allowed access to the Bios space, Flashing modded bios files to give their PC's the genuine look of an OEM machine so the slic tables and relevant OEM keys can be used to pass WGA.

I know one particular bootloader from a well known site puts your machine onto the volkhov botnet, (This is the designation used by peerguardian who caught the traffic, i don't know if it is actually volkhov or something else using the IP space), but not until port 135 is exposed.
Infection occurs and your presence on the botnet happens after (Sic) "Your Computer has to be restarted ." (Full stop out of place in what looks like an ordinary restart screen after windows downloads updates).

It continually writes a 20mb partition containing 249bytes of code, on installation of the OS, if you run netstat -a -o -n -b you find PID 4 SYSTEM that it is "Unable to obtain ownership information".
It seems the bioskit "Hi-Jacks" the internal ipv6 loopback at bootup.
Also when you go to install the OS, when the machine spins the disk up to read it, just before you see the white progress bar with the message, "Windows is Loading the Files", another white bar appears that loads in three jumps, 33% 33% 34%, this i think is the virus being transferred to the ramdisk before the OS files are ported to ram.
This has happened on a brand new machine with a new gigabyte UEFI motherboard running win 7 (3770k, msi 680, and a pair of second hand ssd's bought from e-bay formatted before install by the user, virus survives formatting, but not, secure enhanced erase instruction, use "Parted magic" on more recent motherboards as it supports AHCI, HDDERASE only supports IDE channels and does not work on newer boards that only seem to emulate?, ide.
Also flashing must be done from DOS to repair, the bioskit can circumvent attempts to clean it.
If you put Linux 12.04 on this machine you can find a report of a "Windows octet stream" running from the disk.

To clean it you also must clear cmos, sometimes let RAM charge dissipate, or, swap sticks if you have two of them, clean the drives, reflash the bios, the virus can be cleaned and held in abayance over reboots, but, if you shut the machine down and come back from cold, it will reinfect the disks and ram if still violable.
(I had this virus back in 2010 when i was a little less disconcerting about "Software Sources" myself, well, i grew up quick.)

The attitude towards PC's by microsoft and other security minded corporations must be one of, Making PC's stronger than the weakest user link using them. This means that partnerships between ALL motherboard manufacturers and companies like microsoft must be forged with the premise of protecting EVERYONE against the inherent stupidity that resides in our gene pool.
Having a jumper setting only works for those that will only remove it to flash a legitimate bios upgrade revision, How they go about defending against infections that happen the moment a pc is switched on, is im sure something they are thinking very hard about.
As for UEFI, it remains to be seen if it can be made to do something nobody has anticipated yet, with the threat of NVRAM being breached by hackers to hold code, these spaces must be regarded as "Inviolable" for the benefit of everyone.

Also PC World refused to even try and remove this virus stating "We don't have the tools, We are not indemnified or qualified to attempt it".

Hi, I have also noticed this very quick load before another loading files white bar appears. I have had problems with several machines after a clean reinstall. When I mention the symptoms in topics here I feel like I have told someone I have seen a UFO or Sasquatch Is there a link to the cure or can you give me instructions for a novice tech person?

Hi, I have also noticed this very quick load before another loading files white bar appears. I have had problems with several machines after a clean reinstall. When I mention the symptoms in topics here I feel like I have told someone I have seen a UFO or Sasquatch Is there a link to the cure or can you give me instructions for a novice tech person?

I managed to remove it from a socket 775 motherboard, but the more recent socket 1155 motherboard with UEFI is going to have to be RMA'd to fix it as nothing i have tried has cleaned it, it has locked the ssd's into a protected state and will not allow a firmware revision to be written to them, and is somehow stopping a reflashing of the new z77 bios, whereas on my old 775 board i could circumvent it through a DOS flash, on the z77 it somehow interferes with the process.

I began typing the instructions but i realised, it isn't a process for someone who cannot afford to lose the equipment as potentially you could brick your motherboard.
Best advice i can give you is, save for a new machine, only your processor is salvageable, you don't know where the infection is, if it is the same infection as i had, and the same as on my neighbours machine, if you do not want the grief of it being on a new machine, don't move the old parts across.
The bios virus only becomes a problem if you allow any kind of interaction with the netbios ports, in my case i was setting up wall-watcher and allowed the netbios ports to be used to monitor my router traffic, a very stupid mistake, i thought it would be ok as i am behind a second router and the first router is on a different subnet and faces the internet, i do not directly face the net, and am behind a dd-wrt secondary router.
It seems like it is always there just waiting for you to make a mistake and open the box, soon as you do, it's a damn nuisance to try and get a hold of.

I have 4 machines that I do not care about losing any data as I have already reformatted and reinstalled each of them at least 4 times. The fixes you mentioned are way over my head anyway. I really just want to know what it is and that I am not going crazy/mad. Thanks for the info.

New BIOS security standards aimed at fighting rootkit attacks
By Ellen Messmer, Network World
August 22, 2012 02:15 PM ET

........There's a growing threat of attacks on computer basic input/output system (BIOS) firmware, and to deter it, the National Institute of Standards and Technology (NIST) is putting in place new security guidelines for updating the BIOS. And in doing this, NIST is getting high-tech manufacturing to raise the bar on security. "Last September, the first BIOS-based rootkit in the wild was discovered, called Mebromi," notes Andrew Regenscheid, math researcher and project leader in NIST's computer security division.,,,,,,,,,,,,

..........manufacturers haven't uniformly applied strong security controls over BIOS in the past. This may be because BIOS updates tend to occur far less often than other kinds of computer software updates. But with the malware threat growing, it's time to focus on the BIOS, Regenscheid points out. NIST already issued BIOS security standards for desktops and laptops in April 2011, and the Department of Homeland Security has told federal agencies to use them as a basis for purchasing laptops and desktops, starting this October. The U.S. Department of Defense has issued similar instructions, says Regenscheid. Manufacturers are aware of NIST's direction in all this and are responding. "Microsoft Windows 8 has BIOS protection for the desktop," he points out....................

Entire article is in link above.