VANCOUVER, B.C. — Two security researchers described on Thursday ways to overwrite a computer's low-level operating instructions, known as the basic input/output system or BIOS, to create persistent rootkits that can survive even a hard-disk wipe.
The researchers — Anibal Sacco and Alfredo Ortega of Core Security Technologies — presented two attacks at the CanSecWest Security Conference, injecting code into a virtual machine running the Windows operating system and, on another virtual machine, replacing critical files in OpenBSD. Because the BIOS is stored in a flash chip on the motherboard and is the first code the processor runs, before any operating system is loaded, a program inserted into it executes every time the system starts, whatever is on the disk.
While an attacker would have to already have compromised a system to insert malicious code into the BIOS, the attack prevents a defender from easily deleting an attacker's program or rootkit, the researchers said.
"You can remove the hard drive, trash it, and even reinstall the operating system," Sacco said. "This will still reinstall the rootkit."
Other researchers have also focused on exploiting the BIOS to run malicious code. In 2006, a security consultant for U.K.-based Next-Generation Security Software revealed a way to use the Advanced Configuration and Power Interface (ACPI), the BIOS-provided tables and bytecode that the operating system interprets for power management, to run rootkits at startup.
BIOS attacks can be blocked at the hardware level on motherboards that carry a jumper to disable writes to the flash chip holding the system's instructions; a rootkit running in software cannot flip a physical jumper. In addition, hardware security technologies such as the Trusted Computing Group's Trusted Platform Module (TPM) can measure the BIOS at startup so that an unauthorized change is detected, although a measurement by itself records the change rather than preventing the modified code from running.
The researchers focused on a BIOS function that decompresses other parts of the system code as a good candidate to co-opt for their attacks. Because the function is itself stored uncompressed and almost never changes between BIOS versions, it is easy to search a BIOS image for a byte pattern matching the function and then patch it, so that the rootkit runs each time the decompression routine does, the researchers said.
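The pattern search described above works the same way for an attacker locating the routine and for a defender checking that it has not been altered. The following Python is an added example written for this article, not code from Core Security or from any BIOS vendor: the 64 KiB image, the 23-byte "routine", the offsets and the signature are all constructed stand-ins (the routine is a plausible real-mode copy loop, not the actual decompression routine of any BIOS). It locates the routine with a wildcard byte pattern, simulates the kind of hook a rootkit would install (a 16-bit near call overwriting the routine's first bytes), and shows how a dumped image can be compared against a known-good copy to catch that change.

```python
"""Locate an uncompressed BIOS routine by byte pattern and check it against
a known-good copy.  Added example for this article; not Core Security code.
The image, the routine bytes, the offsets and the pattern are CONSTRUCTED
stand-ins, not the signature of any real vendor's decompression routine."""
import random
from typing import List, Optional, Tuple

Pattern = List[Optional[int]]  # None marks a wildcard byte ("??")

IMAGE_SIZE = 64 * 1024   # constructed: a small flash image, not a real dump
ROUTINE_OFFSET = 0x4000  # constructed: where the "routine" sits in the image
IMPLANT_OFFSET = 0xE000  # constructed: where a hook would redirect control

# Constructed stand-in for a small, uncompressed 16-bit real-mode copy loop:
# pusha / push ds / push es / mov ax,cs / mov ds,ax / mov si,imm16 /
# mov di,imm16 / mov cx,imm16 / cld / rep movsb / pop es / pop ds / popa / ret
ROUTINE = bytes.fromhex(
    "60 1E 06 8C C8 8E D8 BE 00 10 BF 00 20 B9 00 01 FC F3 A4 07 1F 61 C3")

# Signature with the immediates wildcarded, so it still matches builds that
# only move buffers or change sizes while the instruction stream is the same.
PATTERN_TEXT = "60 1E 06 8C C8 8E D8 BE ?? ?? BF ?? ?? B9 ?? ?? FC F3 A4 07 1F 61 C3"


def parse_pattern(text: str) -> Pattern:
    """Parse "E8 ?? ?? 8B C8"-style text into a list of bytes/None wildcards."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def _longest_fixed_run(pattern: Pattern) -> Tuple[int, bytes]:
    """Return (index, bytes) of the longest wildcard-free run in the pattern.
    It is used as a fast anchor for bytes.find() before the full compare."""
    best_index, best_run = 0, b""
    i = 0
    while i < len(pattern):
        if pattern[i] is None:
            i += 1
            continue
        j = i
        while j < len(pattern) and pattern[j] is not None:
            j += 1
        run = bytes(pattern[i:j])
        if len(run) > len(best_run):
            best_index, best_run = i, run
        i = j
    return best_index, best_run


def find_pattern(image: bytes, pattern: Pattern) -> List[int]:
    """Every offset in image where the pattern matches (None matches any byte)."""
    anchor_index, anchor = _longest_fixed_run(pattern)
    if not anchor:
        raise ValueError("pattern needs at least one fixed byte")
    hits = []
    pos = image.find(anchor)
    while pos != -1:
        start = pos - anchor_index
        if 0 <= start and start + len(pattern) <= len(image) and all(
                b is None or image[start + i] == b for i, b in enumerate(pattern)):
            hits.append(start)
        pos = image.find(anchor, pos + 1)
    return hits


def build_clean_image() -> bytes:
    """Constructed sample: seeded pseudo-random filler with ROUTINE embedded."""
    rng = random.Random(2009)
    image = bytearray(rng.getrandbits(8) for _ in range(IMAGE_SIZE))
    image[ROUTINE_OFFSET:ROUTINE_OFFSET + len(ROUTINE)] = ROUTINE
    return bytes(image)


def hook_call16(image: bytes, offset: int, target: int) -> bytes:
    """Simulate the patch the article describes: overwrite the first three
    bytes of the routine with a 16-bit near CALL (E8 rel16) to target.
    rel16 is relative to the end of the 3-byte instruction."""
    rel = (target - (offset + 3)) & 0xFFFF
    patched = bytearray(image)
    patched[offset:offset + 3] = bytes([0xE8, rel & 0xFF, rel >> 8])
    return bytes(patched)


def changed_bytes(reference: bytes, suspect: bytes, offset: int, length: int) -> List[int]:
    """Defender's check: offsets in [offset, offset+length) where a dumped
    image differs from the known-good (vendor) image."""
    return [offset + i for i in range(length)
            if reference[offset + i] != suspect[offset + i]]


CLEAN_IMAGE = build_clean_image()
TAMPERED_IMAGE = hook_call16(CLEAN_IMAGE, ROUTINE_OFFSET, IMPLANT_OFFSET)

if __name__ == "__main__":
    pattern = parse_pattern(PATTERN_TEXT)
    print("clean hits:    ", [hex(h) for h in find_pattern(CLEAN_IMAGE, pattern)])
    print("tampered hits: ", [hex(h) for h in find_pattern(TAMPERED_IMAGE, pattern)])
    print("changed bytes: ", [hex(o) for o in changed_bytes(
        CLEAN_IMAGE, TAMPERED_IMAGE, ROUTINE_OFFSET, len(ROUTINE))])
```

Run against a real dump, the same two steps apply: read the flash with a tool such as flashrom, locate the routine in the vendor's clean image with the pattern, and compare that region byte for byte in the dumped image. The hook in the sample deliberately breaks the signature, which is why the tampered image yields no hit: a defender who only searches for the expected pattern and stops at "not found" would miss the modification, so the comparison against a known-good copy is the check that matters.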
Posted by: Robert Lemos