BIOS Malware Almost Invisible

Wednesday, August 1, 2012 @ 03:08 PM gHale


A new proof-of-concept hardware backdoor called Rakshasa can replace a computer’s BIOS (Basic Input Output System) and can compromise the operating system at boot time without leaving traces on the hard drive.

Rakshasa, named after a demon from the Hindu mythology, is not the first malware to target the BIOS, which is the low-level motherboard firmware that initializes other hardware components. However, it differentiates itself from similar threats by using new tricks to achieve persistency and evade detection, said Jonathan Brossard, chief executive and security research engineer at French security company Toucan System, at Defcon in Las Vegas.

RELATED STORIES
New Morto Worm More Potent
Chem Co. Halts USB Stick Attack
Exploit Determines OS, then Attacks
Disabled Auto-Run Saves Energy Firm

Rakshasa replaces the motherboard BIOS, but can also infect the PCI firmware of other peripheral devices like network cards or CD-ROMs, in order to achieve a high degree of redundancy.

Rakshasa, built with open source software, replaces the vendor-supplied BIOS with a combination of Coreboot and SeaBIOS, alternatives that work on a variety of motherboards from different manufacturers. It also writes an open source network boot firmware called iPXE to the computer’s network card.

All of these components have a modification so they don’t display anything that could give their presence away during the booting process. Coreboot even supports custom splashscreens that can mimic the ones of the replaced BIOSes.

Existent computer architecture gives every peripheral device equal access to RAM (random access memory), Brossard said. “The CD-ROM drive can very well control the network card.”

This means even if someone were to restore the original BIOS, rogue firmware located on the network card or the CD-ROM could reflash the rogue one, Brossard said.

The only way to get rid of the malware is to shut down the computer and manually reflash every peripheral, a method that is impractical for most users because it requires specialized equipment and advanced knowledge.

Brossard created Rakshasa to prove that hardware backdooring is practical and can occur somewhere in the supply chain, before a computer goes out to the end user.

However, if an attacker would gain system privileges on a computer through a different malware infection or an exploit, they could also theoretically flash the BIOS in order to deploy Rakshasa.

The remote attack method wouldn’t work in all cases, because some PCI devices have a physical switch that needs to move in order to flash a new firmware and some BIOSes have digital signatures, Brossard said.

Coreboot, though, has the ability to load a PCI extension firmware that takes precedence before the one written on the network card, therefore bypassing the physical switch problem.
The attack “totally works when you have physical access, but remotely it only works 99 percent of the time,” Brossard said.

The iPXE firmware that runs on the network card undergoes configuration to load a bootkit — malicious code that gets executed pior to the operating system and can infect it before any security products start.

Rakshasa is different because it uses the iPXE firmware to download the bootkit from a remote location and load it into RAM every time the computer boots.

“We never touch the file system,” Brossard said. If you send the hard drive to a company and ask them to analyze it for malware they won’t be able to find it, he said.

In addition, after the bootkit has done its job, which is to perform malicious modifications of the kernel — the highest-privileged part of the operating system — it unloads from memory. This means a live analysis of the computer’s RAM won’t be able to find it either.

Detecting this type of compromise is very hard because programs that run inside the operating system get their information from the kernel. The bootkit could very well fake this information, Brossard said.

The iPXE firmware is capable of communicating over Ethernet, Wi-Fi or Wimax and supports a variety of protocols including HTTP, HTTPS and FTP. This gives potential attackers options.



Leave a Reply

You must be logged in to post a comment.