Can a keylogger infect BIOS and then transfer to Windows?

7 replies to this topic

#1 fgeelo
Posted 08 September 2010 - 06:03 AM

As per the title, I am concerned about whether or not the BIOS could be infected with a keylogger, and then on a subsequent re-format of the HDD, the keylogger could transfer from the BIOS to the Windows OS and keylog activity on Windows. Is this possible at all? At the end of the day, is wiping your HDD enough to be 100% sure you have removed a keylogger? Thanks very much for your help.

#2 fgeelo

Posted 08 September 2010 - 05:51 PM

Is anybody able to help? I am aware of hardware keyloggers, those which have to be plugged into the computer and then retrieved, but my concern is whether a keylogger can survive somewhere other than the HDD and still call home via the internet to the person who planted it in the first place. Thanks for your help.

Edited by fgeelo, 08 September 2010 - 05:51 PM.


#3 DaChew
Posted 08 September 2010 - 07:41 PM

http://www.technibble.com/rootkits-that-su...d-reformatting/

It's highly unlikely you have an infected BIOS.
Chewy

No. Try not. Do... or do not. There is no try.

#4 fgeelo
Posted 08 September 2010 - 07:46 PM

Thanks for your reply.

Yeah, it may be highly unlikely. But at the moment I am looking to eliminate ALL possibilities.

So, let's just say my BIOS or whatever was in fact infected. If I were to simply pull the battery out of the motherboard (CMOS, I think it's called?) and then replace it 60 seconds or so later, as well as wiping out my entire HDD, would that be a 100% way to be sure I am clean? Or would I have to do more?

Edited by fgeelo, 08 September 2010 - 07:47 PM.


#5 DaChew
Posted 08 September 2010 - 07:58 PM

I was being conservative. Infecting a BIOS was done as a demonstration at a tech conference; read the link I posted, it's all in there.

You do not have a bios infection.

My son and I once cleared the CMOS with the hard drive disconnected, then flashed his BIOS, then used a bootable floppy to wipe his hard drive, then reinstalled his OS, only to find that his issues were caused by setting his BIOS up wrong.

:thumbsup:

#6 fgeelo
Posted 08 September 2010 - 08:57 PM

How does a BIOS get infected with a rootkit in the first place? Does it have to be done whilst flashing it, or can it happen passively when you insert an infected media device like an external HDD or a CD or something?

If someone can answer that, I'd appreciate it.

And let's say that I wanted to go just that extra mile. How could I do a BIOS flash with a CD burnt with the BIOS ROM file from my manufacturer?

Edited by fgeelo, 08 September 2010 - 09:13 PM.


#7 DaChew
Posted 08 September 2010 - 09:31 PM

This scenario seems plausible (theoretically).

Even if we were to say our malicious exploiters would NEED the exact manufacturer, version and model of the BIOS chip in your system, let's assume we're in an extremely organized setup:
1) Malware can be created to open an outgoing connection once run on the victim's machine.
2) The malware identifies your machine and its components (specifically the BIOS make, model and version).
3) The malware executes a download to receive any components needed from here on out (edited infected BIOS variants, auto-running scripts, you name it).
4) The malware flashes the BIOS from within the OS and triggers a reboot.
- (Alternative) The malware edits the boot order and triggers a reboot; the boot order allows it to flash right after POST (possibly in its own environment to silently install), and it reboots again to finalize.
5) You are now the host of a very volatile infection.


But it's beyond the means of malware writers.

#8 fgeelo
Posted 08 September 2010 - 10:46 PM

Interesting indeed, and good to hear it is outside of the reach of current writers.

Would you be able to please shine some light onto the questions I asked in the post above, please?

Mainly, can a BIOS, or ANY other part of a computer that is NOT the internal HDD, be infected with a keylogger/rootkit from a removable media device like a USB stick or an external HDD executing an autorun infection or something similar?

Also, I've heard about video cards and network cards and such being infected, but I am quite clueless as to the specifics of it; if you could explain, please do.

Also, how can you flash a BIOS from a USB stick with the .ROM file from the motherboard manufacturer?

Thanks so much for your replies.

Edited by fgeelo, 09 September 2010 - 07:25 AM.