Researchers Demonstrate Dangerous BIOS-level Malware Attack
Anibal Sacco and Alfredo Ortega, two Argentine researchers from the security firm Core Security Technologies, have discovered a technique with which a BIOS ('Basic Input Output System')-level malware attack could be carried out. The malware is capable of surviving even when the entire contents of the hard disk are erased.
The researchers demonstrated the technique at the CanSecWest conference held in Vancouver, Canada, during the third week of March 2009. They said that by injecting a tiny piece of malicious code into the BIOS, they could successfully compromise a system.
The code proved effective against both the OpenBSD and Windows platforms, and also against a virtual machine running under VMware Player. In all these cases the infection returns whenever the PC is restarted. The researchers said that even after the computer's hard disk was removed and put back, the malware could not be eliminated from the machine.
Noting that the code can be inserted anywhere, Ortega said that while they have so far demonstrated only a proof of concept, they are also developing a working rootkit that would retain full control of an infected PC even after the operating system is reinstalled. Ortega added that any software could be modified to plant a rootkit. He also claimed that they had a small piece of code capable of disabling or deleting antivirus programs.
Ortega further said that an attacker with the rootkit could potentially infect a virtual system and carry out any malicious action, all below the level of the OS kernel.
The researchers did note, however, that the attack requires a system that has already been compromised. This limits the likelihood of the attack, but the bigger problem is that once the BIOS is infected, a defender essentially has no way to remove the attacker's code.
In 2006, John Heasman, a British researcher at Next-Generation Security Software (NGSS), also demonstrated how a Peripheral Component Interconnect (PCI) device could be used to drop a rootkit on a Windows system. He showed how the BIOS's ACPI (Advanced Configuration and Power Interface) tables could be modified to include malicious ACPI Machine Language (AML) code.
SPAMfighter News - 30-03-2009