Proof-of-concept BIOS malware & Draft NIST SP 800-147B, BIOS Protection Guidelines for Servers

Editor’s Note:  NIST’s Draft Special Publication 800-147B “BIOS Protection Guidelines for Servers” is attached here.  Comments are due September 14, 2012 and should be sent to:  Below is a story that illustrates why BIOS protection is needed.

From: FierceCIO

Proof-of-concept BIOS malware can hide in PCI firmware

By Paul Mah

Hardware on the motherboard, including the BIOS and PCI firmware of devices such as network cards or CD-ROMs, can be infected by malware. This was demonstrated by security researcher Jonathan Brossard at both the Black Hat security and Defcon hacking conferences last week.

Brossard built the proof-of-concept malware from open-source software; it compromised the BIOS while leaving no traces on the storage drives. While BIOS malware is hardly new, his malware, called Rakshasa after a demon from Hindu mythology, goes a step further by also infecting other peripheral hardware to achieve an unprecedented level of persistence.

The root of the problem is that current computer architecture gives every peripheral device equal access to RAM via the system bus. As such, redundant copies of Rakshasa could theoretically corrupt the low-level motherboard firmware again even after it has been replaced by a vendor-supplied copy.

As reported by Network World, “The only way to get rid of the malware is to shut down the computer and manually reflash every peripheral, a method that is impractical for most users because it requires specialized equipment and advanced knowledge.”

The only silver lining is that some motherboards and PCI devices incorporate a physical switch that must be toggled before new firmware can be flashed. Some BIOSes also check digital signatures, which makes it harder to replace them with a Trojan version.
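To make the digital-signature mitigation concrete, here is an added example (not code from the article, from Brossard's work, or from NIST SP 800-147B) of the check an authenticated BIOS update path would run before writing anything to flash. It assumes a constructed image layout (4-byte version, firmware body, trailing Ed25519 signature) and a vendor public key embedded in the BIOS; an image that is unsigned, tampered with, or older than the installed version is rejected.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update-image layout (constructed for this example):
//   version (4 bytes, big-endian) || firmware body || 64-byte Ed25519 signature
// The signature covers version || body, so neither can be altered independently.
const sigLen = ed25519.SignatureSize

var ErrMalformed = errors.New("firmware image rejected: too short")
var ErrBadSignature = errors.New("firmware image rejected: signature does not verify")
var ErrRollback = errors.New("firmware image rejected: version not newer than installed")

// VerifyUpdate is the gate in front of the flash write: it returns the image's
// version only when the vendor signature verifies and the version moves forward.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, image []byte) (uint32, error) {
	if len(image) < 4+1+sigLen {
		return 0, ErrMalformed
	}
	signed, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	if !ed25519.Verify(vendorPub, signed, sig) {
		return 0, ErrBadSignature // covers a trojaned body and a forged version field alike
	}
	version := binary.BigEndian.Uint32(signed[:4])
	if version <= installed {
		return 0, ErrRollback // block re-flashing an older, possibly vulnerable, signed image
	}
	return version, nil
}

// BuildSignedImage is the vendor-side packaging step, done offline with the private key.
func BuildSignedImage(vendorPriv ed25519.PrivateKey, version uint32, body []byte) []byte {
	signed := make([]byte, 4, 4+len(body)+sigLen)
	binary.BigEndian.PutUint32(signed, version)
	signed = append(signed, body...)
	return append(signed, ed25519.Sign(vendorPriv, signed)...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // vendor key pair, generated for the demo
	good := BuildSignedImage(priv, 2, []byte("constructed firmware body"))
	tampered := append([]byte{}, good...)
	tampered[10] ^= 0xff // flip one byte of the body, as a trojaned image would
	for _, img := range [][]byte{good, tampered} {
		fmt.Println(VerifyUpdate(pub, 1, img))
	}
}
```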

Unfortunately, Brossard noted that creating hardware backdoors in this way is entirely practical when done before a computer is delivered to the end user. Personally, I think this may have ramifications for governments purchasing computers directly from sources that have the opportunity to plant backdoors by infecting the BIOS and attached peripherals.

For more: check out this article at Network World
