Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Is BIOS spyware a thing?

  • Please log in to reply
5 replies to this topic

#1 _Schizo


  • Members
  • 10 posts
  • Local time:10:55 AM

Posted 19 August 2016 - 08:02 PM

I got one of my old computers back, and the previous owner has a long history of putting spyware on just about anything that can have spyware, and in any way. 

A little background on this person--He knows quite a bit about computers. He's worked with them for most of his life, he's worked on computers for the military, and for large companies. He has a masters degree in networking, and worst of all, had access to this computer for more than a year.

I went as far as replacing the hard drive, but I still don't feel certain that my computer is free of spyware. Is there some sort of spyware that could infect BIOS, or any way for it to re-infect the new hard drive?...


BC AdBot (Login to Remove)


#2 Captain_Chicken


  • BC Advisor
  • 1,366 posts
  • Gender:Male
  • Local time:12:55 PM

Posted 19 August 2016 - 08:56 PM

From quietman:

Bios/UEFI (firmware) virus's exist but are very rare. Researchers have demonstrated in a test environment proof-of-concept viruses that could modify the flash BIOS or install a rootkit on the BIOS of some systems so that it could survive a reformat and reinfected a clean disk. This type of malware exists primarily in-the-wild and is not generic...meaning it's vendor specific and cannot modify all types of BIOS. Although in February 2015, Kaspersky Labs reported "persistent, invisible espionage malware inside the firmware of hard drives compatible with nearly all major hard drive brands: Seagate, Western Digital, Samsung". This particular threat targeted government and military institutions, telecom and energy companies, nuclear research facilities, oil companies, encryption software developers, and media outlets.
NSA malware found hiding in hard drives for almost 20 years
Equation Group: The Crown Creator of Cyber-Espionage
This is a quote from my Security Colleague, Elise who works with the Emsisoft Anti-Malware Research Team.
Firmware is typically a small piece of software coded directly into a device (for example a video card or DVD writer) necessary for the device to function correctly. This code is highly device-dependent, different manufacturers and different models all require specific firmware. For that reason a firmware infection is not only highly unlikely but also very impractical for a malware writer. Someone who wants to create a successful infection not only needs to make sure the malware stays on the system (by making it harder to detect and delete), but also that it is distributed on a large scale. Deploying a firmware rootkit on a large scale is close to impossible as you'd have to write a lot of different versions for different hardware models.

UEFI (Unified Extensible Firmware Interface) was introducted as a replacement for traditional BIOS in order to standardize computer firmware through a reference specification. However, there are several companies that develop UEFI firmware and there can be significant differences between the implementations used by computer manufactures. These articles explain the complexity of the UEFI, secure boot protocol and exploitation.
Protecting the pre-OS environment with UEFI
Exploiting UEFI boot script table vulnerability
UEFI rootkit survives operating system reinstalls
Fortunately, it's highly unlikely you will encounter a BIOS-level scenario as it is not practical for attackers to use such an exploit on a grand scale. Malware writers would much rather target a large audience through social engineering where they can use sophisticated but less technical means than a BIOS virus.

In short, no. There has been only 1 BIOS malware called membroni and it was very easy to spot and only targeted one specific BIOS.

Computer Collection:





#3 Iam1nsan3


  • Members
  • 20 posts
  • Gender:Male
  • Location:Australia
  • Local time:03:55 AM

Posted 20 August 2016 - 07:04 AM

Yes they are in fact in the wild. I have been infected by a ROOTKIT similar to membroni, because it affected the AWARD BIOS of that Mainboard that I owned.

It was in 2007 and I'm sure that it was administered by the NSA.

It was extremely difficult to detect but I was a determined bugger.

I was running Windows ME and all of a sudden I had a new group of tools added to my System. But it wasn't until I was sitting idle one day and was watching many mega bytes of data being uploaded that I noticed something wasn't right.

To cut a long winded story short. It did not matter if I formatted the HDD or installed Windows 2000, DOS, or Linux I even installed Windows 98 which came with long file names and a 48 bit core.

It was while running Red Hat 7.0 from the command line that I discovered a 1.4Mb file loaded into the UMB. This turned out to be Dr DOS with Netware which was set to run as soon as the Power Button was pressed, even before the PC POST was run.

Also while running Windows 98 I used a tool from the CD that allowed me to see my RAM. This is where I was able to see my BIOS which to my surprise had spelling mistakes. AWARD was spelled AW4RD and there were many others.

I even tried to re-flash my BIOS. When it started to Write, the first half was unchanged and the second half was changed. Inside the BIOS menu I found a PCI controller that wasn't there before. It had 24 or so devices attached to it, where it came from had me driven crazy. So I sent Mainboard back to MSI with diagnosis of Virus infected BIOS EPROM. And several days later arrived a brand new mainboard which had an even newer BIOS version than was on website. And a clean install of Windows 2000 was normal, with no super user tools.


I have also seen evidence of another similar one to the GodMODE Rootkit on 4 different PC's in the last year. It also had a Dr DOS image in UMB, which I used a power tool to destroy. This I expected to kill the BIOS or something. I wrote zero's to the 0 sector forward for 2Mb which I have pictures of for proof.

When I rebooted that machine with Hiren's Boot CD on board I not only booted successfully into Windows XP in RAMDISC but I read the boot logs. Every device connected noted the missing HEAD and all combined together to re write the missing piece. The application also had taken over the booting and added re-directs into the boot process which made the dead device work again.

3 of the 4 PC's with same infection i had previously worked on, this made me point to myself as the Infector, but then the 4th arrived and it was untouched by me. also 3 of the 4 machines are laptops with the Insyde BIOS loaded. The 4th is a desktop with a Gigabyte DDR3 board running Phoenix BIOS.

The infection was nearly identical on all 4 machines. No Rootkit tools ran at all, always failed. Even GMER crashed when run.

The infection appears to attempt to connect to several different servers with the goal of uploading lists of all files on PC HDD. After even removing drivers from wifi & BT devices they were still able to maintain a dedicated connection that could not be disabled. So I disabled in BIOS.

The infection was even attempting to send data via the Infra Red port, COM port, one had an AM/FM tuner installed and was trying to connect out with that. That machine I killed with a hammer.


The infection on 4 machines had me contemplating the reality that every new PC has an exploitable EPROM that will be activated depending on what the user does online. But I had been pulling These PC's apart from the inside for 3 months and my head had me think many fantasy scenarios. But I did find one of the laptops that had Windows Update Server as the deployment source for what had taken over the PC. Or did it?

#4 Crazy Cat

Crazy Cat

  • Members
  • 808 posts
  • Gender:Male
  • Location:Lunatic Asylum
  • Local time:04:55 AM

Posted 20 August 2016 - 04:58 PM

That's why I suggest when a major compromise is detected, it's wise to:

(1) when you reinstall the operating system, make sure you delete all partitions, and then do a full hard drive format. This will insure a new MBR is created.

(2) if the Windows operating system image is located on the D partitions, then delete the C partition ONLY.


Researchers spot BOOTRASH malware, executes before OS boot. http://www.scmagazine.com/researchers-spot-a-malware-that-installs-and-executes-before-an-operating-system-boots/article/458290/

New PC malware loads before Windows, is virtually impossible to detect. http://www.extremetech.com/computing/219027-new-pc-malware-loads-before-windows-is-virtually-impossible-to-detect

How to discover hidden rootkits. http://www.techradar.com/au/news/computing/pc/how-to-discover-hidden-rootkits-1095174

Protecting the pre-OS environment with UEFI. https://blogs.msdn.microsoft.com/b8/2011/09/22/protecting-the-pre-os-environment-with-uefi/

Edited by Crazy Cat, 20 August 2016 - 04:58 PM.


Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.



#5 RolandJS


  • Members
  • 4,533 posts
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:11:55 AM

Posted 20 August 2016 - 05:13 PM

Exactly what BIOS do you have?  Exactly what make model & number motherboard do you have?  What is [or are if dual-booting] the OS?  Long ago, when BIOS, DOS 2.01 - 3.3, Windows 3.1 - to WFW311 ruled, it definitely was possible [albeit somewhat difficult] to get a BIOS and/or a Track Zero virus or malware or spyware.  There were tools back then to discover, to stop the bad activity, and to destroy the bad stuff.

Edited by RolandJS, 20 August 2016 - 05:14 PM.

"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.


Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)

#6 Iam1nsan3


  • Members
  • 20 posts
  • Gender:Male
  • Location:Australia
  • Local time:03:55 AM

Posted 22 August 2016 - 05:50 AM

Exactly what BIOS do you have?  Exactly what make model & number motherboard do you have?  What is [or are if dual-booting] the OS?  Long ago, when BIOS, DOS 2.01 - 3.3, Windows 3.1 - to WFW311 ruled, it definitely was possible [albeit somewhat difficult] to get a BIOS and/or a Track Zero virus or malware or spyware.  There were tools back then to discover, to stop the bad activity, and to destroy the bad stuff.

This happened in PC time, long long ago. I cannot remember what mainboard model number was but I do remember that my CPU was an Athlon XP 2100+ and the Mainboard was a top spec MSI branded board using DDR 1.

The infection did attack the Zero sector of all HDD's which made Formatting useless.

I want to add this link for others to read. This is about a Security Specialist named Dragos Ruiu who discovered a Rootkit infection that seems to defy belief in what it can do. Many of his peers have simply dismissed his story as either "Impossible" or a "FAKE". I know how truthful his strange tale is.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users