Author Topic: Researchers Demo BIOS Attack That Survives Disk Wipes  (Read 2893 times)


March 23, 2009, 06:55:41 pm

SysAdMini

  • Administrator
  • Hero Member
http://blogs.zdnet.com/security/?p=2962

http://i.zdnet.com/blogs/core_bios.pdf

Quote
The researchers — Alfredo Ortega and Anibal Sacco from Core Security Technologies — used the stage at last week’s CanSecWest conference to demonstrate methods (see slides .pdf) for infecting the BIOS with persistent code that will survive reboots and reflashing attempts. The technique includes patching the BIOS with a small bit of code that gave them complete control of the machine. The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player.
Ruining the bad guy's day

March 31, 2009, 07:28:12 pm
Reply #1

HeapSpray

  • Newbie
I checked the PDF and a lot of other resources... It's like sci-fi, and as long as I don't see any PoC which runs on at least 5 different systems, I say nothing like that exists, or if it exists it works only in the lab it was created in...

I studied a lot... How to access OS memory? What to write in BIOS? How to write in BIOS without corruption? How to write to BIOS from real mode OS (Windows)?

April 01, 2009, 05:49:36 am
Reply #2

Toaster

  • Newbie
Quote
I studied a lot... How to access OS memory? What to write in BIOS? How to write in BIOS without corruption? How to write to BIOS from real mode OS (Windows)?

You would have to dig into OS development... Basically the attack is very easy and practicable: you flash the BIOS and done! When restarting you have your malware BIOS activated; this could drop a bootkit (to answer your question of how to access Windows then).

I have to say the presentation is REALLY poor; it's more a Wikipedia copy of BIOS (and I haven't read Wikipedia's BIOS article)...
They could really have done more...
The most work would be to support multiple systems/vendors; you would have to support different chipsets etc. and would end up patching, not replacing, the existing BIOS.
The BIOS flash mechanism is vendor specific (some specific PCI commands or something, don't know yet).

Patching the BIOS is quite easy, as easy as patching anything else: you replace something with your payload and write a small hook code or something.
> it would be really evil (and easy) to just modify int 13h then ;) to read the bootkit instead of the MBR

Peter
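The post above describes the mechanism from the attacker's side: a patched region in the flash image plus a hook on int 13h. The two checks a defender would run against that are a byte-level diff of a flash dump against the vendor's image (to locate any modified regions) and a decode of the real-mode int 13h vector (to see whether it still points into the firmware window). The script below is an added example, not code from the thread, ZDNet, or Core Security; the images and the interrupt vector table are constructed in-line, and the patch offsets and the address window it treats as "firmware" are assumptions chosen for the demonstration.

```python
"""Two defender-side integrity checks for the BIOS persistence discussed in
this thread: a byte-level diff of a flash dump against the vendor image and a
decode of the real-mode int 13h vector.

Added example; all data is constructed and every offset/range is an assumption.
"""
import hashlib
from typing import List, Tuple

IVT_ENTRY_SIZE = 4      # each real-mode vector is offset:segment, 2 bytes each
INT13H = 0x13           # BIOS disk services, the hook point mentioned in the thread


def sha256_hex(data: bytes) -> str:
    """Whole-image hash: a quick yes/no before the slower region diff."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(reference: bytes, current: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) byte ranges where `current` differs from `reference`.

    Consecutive differing bytes are coalesced, so a hook plus its payload show
    up as a handful of ranges rather than thousands of individual offsets.
    """
    if len(reference) != len(current):
        raise ValueError(f"image sizes differ: {len(reference)} vs {len(current)}")
    regions: List[Tuple[int, int]] = []
    start = None
    for i, (a, b) in enumerate(zip(reference, current)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:                      # diff runs to the end of the image
        regions.append((start, len(reference)))
    return regions


def ivt_vector(ivt: bytes, vector: int) -> Tuple[int, int]:
    """Decode (segment, offset) for one entry of a raw 1 KiB IVT dump (little-endian)."""
    base = vector * IVT_ENTRY_SIZE
    offset = int.from_bytes(ivt[base:base + 2], "little")
    segment = int.from_bytes(ivt[base + 2:base + 4], "little")
    return segment, offset


def linear_address(segment: int, offset: int) -> int:
    return (segment << 4) + offset


# Assumption: legitimate int 13h handlers live in the system BIOS (F0000h-FFFFFh)
# or in option ROMs (C0000h-EFFFFh). Resident DOS drivers also hook it legitimately,
# so a vector outside this window is a lead to investigate, not a verdict.
FIRMWARE_WINDOW = ((0xC0000, 0x100000),)


def int13h_points_into_firmware(ivt: bytes, windows=FIRMWARE_WINDOW) -> bool:
    seg, off = ivt_vector(ivt, INT13H)
    addr = linear_address(seg, off)
    return any(lo <= addr < hi for lo, hi in windows)


# ---- constructed sample data (not real firmware) ----
def build_demo_images() -> Tuple[bytes, bytes]:
    """A 1 KiB 'vendor' image and a copy with two small patches applied."""
    reference = bytes(range(256)) * 4
    current = bytearray(reference)
    current[0x100:0x110] = b"\x90" * 16        # constructed: 16 bytes overwritten with NOPs
    current[0x3F0:0x400] = b"\xCC" * 16        # constructed: 16 bytes placed in free space
    return reference, bytes(current)


def build_demo_ivt(segment: int, offset: int) -> bytes:
    """A zeroed IVT with only the int 13h entry populated."""
    ivt = bytearray(256 * IVT_ENTRY_SIZE)
    base = INT13H * IVT_ENTRY_SIZE
    ivt[base:base + 2] = offset.to_bytes(2, "little")
    ivt[base + 2:base + 4] = segment.to_bytes(2, "little")
    return bytes(ivt)


if __name__ == "__main__":
    ref, cur = build_demo_images()
    print("image hashes match:", sha256_hex(ref) == sha256_hex(cur))
    for start, end in diff_regions(ref, cur):
        print(f"modified region: 0x{start:05X}-0x{end:05X} ({end - start} bytes)")
    for seg, off in ((0xF000, 0xEC59), (0x0000, 0x7C00)):
        ok = int13h_points_into_firmware(build_demo_ivt(seg, off))
        print(f"int 13h -> {seg:04X}:{off:04X}  in firmware window: {ok}")
```

The diff needs a trustworthy reference image (the vendor's own download, hashed out of band) and a dump taken by an external programmer rather than by software running on the suspect machine, since a patched BIOS can lie to in-band readers. The vector check is only meaningful from a clean boot environment, for the reason given in the comment: option ROMs and resident drivers hook int 13h too.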