how to be certain BIOS is clean of rootkits?


  • Please log in to reply
2 replies to this topic

#1 Chicken Merengo
Posted 07 April 2012 - 08:53 AM

Several of my computers have been temporarily in the hands of someone I don't trust, who has a fair amount of potential resources at their disposal. I want to be certain that no malware of any sort remains on these machines.

Wiping the hard drives and re-installing the OS is no problem. However, these days it is theoretically possible for a rootkit to infect the BIOS and survive a HD wipe.

My question is: how can I be certain that the BIOS is clean?

Does removing the motherboard battery reset the BIOS to its factory condition or is it possible for some firmware/malicious code to survive that?

Does resetting the BIOS using motherboard jumpers reset the BIOS to its factory condition or is it possible for some firmware/malicious code to survive that?

I'm aware of more extreme options like replacing the motherboard or BIOS chip entirely. I would like to know whether it is possible to be certain of a clean BIOS without resorting to such options. If it is not possible to be 100% certain without using those options, then that would be useful to know, and I'll consider what best to do.

Advice appreciated, but please only reply if you know enough about how a BIOS works to be fairly sure of your answer; guesswork (even educated guesswork) is not helpful.

Thanks very much!

#2 rotor123
Posted 07 April 2012 - 11:12 AM

As far as I know the only way to be 100% certain that the BIOS is clean is to replace it or, if it is removable, remove it and then flash it in an EPROM programmer.

Removing the battery or using the jumpers does not reset the BIOS itself. That only resets the stored settings. The actual software that is the BIOS would stay the same. From my reading the BIOS infector can even survive flashing the BIOS to a new version unless you pull the BIOS and reflash it off of the motherboard.

The reason flashing the BIOS in the motherboard does not work is that when you turn it on to flash the motherboard's BIOS, the rootkit would already be active and will protect itself from being overwritten.

For now these BIOS rootkits are very rare and the likelihood that your motherboard has one is slim to nil.

They may stay rare as the BIOS infector has to know how to infect each brand and variant of bios. In the real world a Normal (?) rootkit works for the bad guys.


#3 Chicken Merengo
Posted 07 April 2012 - 01:15 PM

That's what I suspected, but it's really useful to have it confirmed, even though it isn't what I was hoping to hear.

Thanks for such a speedy response! :thumbup2:
