Ways of infecting your BIOS

5 replies to this topic

#1 dominikCZ

dominikCZ

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:11 AM

Posted 25 February 2017 - 11:33 AM

Hi,

I've recently flashed a new BIOS for my motherboard (ASRock Z170 Extreme 4) using the BIOS built-in option "Automatically download from the Internet and install", and this option wanted me to plug a USB drive into the computer. I used the USB drive I have in my wallet, which has been used in at least a hundred different computers.

I am wondering if there is a way to get your BIOS infected by using an infected USB stick to flash it. Could some sort of malware blame the flashing tool to use a different version of BIOS than the downloaded one?

I actually think that this form of infection is highly improbable, but I was just curious if it is possible.

Would my AV software (I use KIS 2017) detect such sort of malware? I don't think it is capable of reading BIOS information, but BIOS malware is installed in order to perform some actions in the OS which is what my AV could notice.

Thank You for Your reply,

Dominik

P.S.: Just to be sure, I downloaded the same version of BIOS from a trusted computer and flashed it again using the same, but this time formatted, flash drive :-)


#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,685 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:11 AM

Posted 25 February 2017 - 12:48 PM

Can you provide more details on what you had to do exactly with the USB stick?

For example, did you have to reboot the computer and was the new BIOS then read from the USB stick?


Edited by Didier Stevens, 25 February 2017 - 12:49 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 dominikCZ

dominikCZ
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:11 AM

Posted 25 February 2017 - 12:56 PM

Can you provide more details on what you had to do exactly with the USB stick?

For example, did you have to reboot the computer and was the new BIOS then read from the USB stick?

 

The process was:

1) boot into UEFI, select "Download from the Internet and install".

2) UEFI connected to the Internet and asked me if I wanted to download the new BIOS version. Clicked "Yes".

3) BIOS downloaded, message "Please insert USB storage device and click OK" appeared. Flash drive inserted, clicked OK.

4) Computer restarted. "BIOS flash tool" or something like this started. BIOS flashed.

5) Computer restarted.



#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,685 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:11 AM

Posted 25 February 2017 - 04:03 PM

So Windows was never active during the process? Then no Windows malware could have interfered with the upgrade.



#5 dominikCZ

dominikCZ
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:11 AM

Posted 26 February 2017 - 05:09 AM

So Windows was never active during the process? Then no Windows malware could have interfered with the upgrade.

Thanks, this is what I wanted to know :-) .

 

Generally, is this sort of malware hardware-specific, e.g. it is focused on one common motherboard model, or can it attack multiple computers?

Is there any difference in vulnerability between classic BIOS and UEFI?


Edited by dominikCZ, 26 February 2017 - 05:40 AM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:11 PM

Posted 27 February 2017 - 06:39 PM

BIOS/UEFI (firmware) viruses exist but are very rare. Researchers have demonstrated in a test environment proof-of-concept viruses that could modify the flash BIOS or install a rootkit on the BIOS of some systems so that it could survive a reformat and reinfect a clean disk. This type of malware exists primarily in-the-wild and is not generic...meaning it's vendor specific and cannot modify all types of BIOS. Although in February 2015, Kaspersky Labs reported "persistent, invisible espionage malware inside the firmware of hard drives compatible with nearly all major hard drive brands: Seagate, Western Digital, Samsung". This particular threat targeted government and military institutions, telecom and energy companies, nuclear research facilities, oil companies, encryption software developers, and media outlets.

This is a quote from my security colleague, Elise, who works with the Emsisoft Anti-Malware Research Team.

Firmware is typically a small piece of software coded directly into a device (for example a video card or DVD writer) necessary for the device to function correctly. This code is highly device-dependent; different manufacturers and different models all require specific firmware. For that reason a firmware infection is not only highly unlikely but also very impractical for a malware writer. Someone who wants to create a successful infection not only needs to make sure the malware stays on the system (by making it harder to detect and delete), but also that it is distributed on a large scale. Deploying a firmware rootkit on a large scale is close to impossible, as you'd have to write a lot of different versions for different hardware models.


UEFI (Unified Extensible Firmware Interface) was introduced as a replacement for traditional BIOS in order to standardize computer firmware through a reference specification. However, there are several companies that develop UEFI firmware, and there can be significant differences between the implementations used by computer manufacturers. These articles explain the complexity of UEFI, the Secure Boot protocol, and exploitation.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
