
Could this be used as a rootkit vector?


gz1
05-09-2007, 01:09 PM
Hi,
Could patching the BIOS be used as a vector for a rootkit? Many posts indicate that the new wave of rootkits will be via modifying the ACPI tables of the virus and thus be undetectable (http://www.securityfocus.com/news/11372). Google returns hundreds of hits when searching for "bios rootkits".
Using the emulated BIOS in the same way that vistaloader works could also be used to insert a rootkit. This would potentially be very powerful as it does not depend on the OS running on the machine and can survive an OS reload.
What is the general opinion on this? Is it possible, or simply too hard to do with all the different BIOSes available?
I know I have been trying to figure out how to edit a BIOS without much success, so it can be very tricky. Combine this with the different BIOS versions etc. and it seems very unlikely to me.

Edit:
Check out this link: http://www.lockergnome.com/nexus/usrbingeek/2007/05/04/security-researchers-talk-about-rootkit-for-vista/

Yen
05-11-2007, 12:15 PM
I don't know much about rootkits, their code and the size needed, but I know how to mod some of the BIOSes.

Generally it's possible to flash code containing new modules onto the BIOS chip via software (e.g. as winflashers do). It could happen without the user noticing. It doesn't have to be a newly modified ACPI module, so it depends only on the manufacturer of the BIOS (mainly AMI and AWARD). This means the differences between BIOSes (almost) don't matter, because there is no need to modify a module, just to add one (like the ISA.BIN method of Gkend).

BUT:

The code will AND MUST always be loaded into RAM on bootup to be executed.
And:
The code that flashes the BIOS is detectable, too.

Any detector such as Antivir is able to scan RAM. If the sequence of the malicious code is known, it will be detected. The only problem is that removing it from the EEPROM is a bit complex (for inexperienced users).
Antivir: Your PC is infected with blahhkit. Could not remove malicious code. It is stored on the EEPROM, please reflash. :rolleyes:
There is no reason to care, just a good story for the writers of headlines.
Any comments?

Yen

shaba230
05-13-2007, 10:03 PM
I don't know much about rootkits, their code and the size needed, but I know how to mod some of the BIOSes.

Generally it's possible to flash code containing new modules onto the BIOS chip via software (e.g. as winflashers do). It could happen without the user noticing. It doesn't have to be a newly modified ACPI module, so it depends only on the manufacturer of the BIOS (mainly AMI and AWARD). This means the differences between BIOSes (almost) don't matter, because there is no need to modify a module, just to add one (like the ISA.BIN method of Gkend).

BUT:

The code will AND MUST always be loaded into RAM on bootup to be executed.
And:
The code that flashes the BIOS is detectable, too.

Any detector such as Antivir is able to scan RAM. If the sequence of the malicious code is known, it will be detected. The only problem is that removing it from the EEPROM is a bit complex (for inexperienced users).
Antivir: Your PC is infected with blahhkit. Could not remove malicious code. It is stored on the EEPROM, please reflash. :rolleyes:
There is no reason to care, just a good story for the writers of headlines.
Any comments?

Yen

You're saying Antivir would catch something that they outline here?

https://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Heasman.pdf

When someone simply uses ASUS EZ-Flash, I find that kind of hard to believe.

Anything done to the BIOS should be made so we can see how it was done. No one has ever posted an AMI BIOS tutorial, which should only take a few minutes to do for something like a P5WDH and could be extended to doing almost any AMI BIOS... but nooo, they want you to have the professionals do it. WHY WHY... because it's so easy to throw a virus in there when you are updating your ROM, and you guys don't question it for a second. Well, this topic starter did... thank God he seems like the only other person in these forums that cares.

shaba230
05-13-2007, 10:26 PM
PS. I'll put TWO HUNDRED DOLLARS in an escrow account if you can show me a P5WDH Deluxe BIOS that HAS a virus in it (an actual BIOS virus, not just bogus code in the ROM file so that a virus detector says it is infected), that GETS FLASHED NORMALLY with EZ-BIOS and doesn't corrupt my system, that Antivir catches.

You know what, if you can do it by tomorrow, I'll make it four hundred dollars... that's how confident I am that what you're saying is BS.

Yen
05-14-2007, 09:44 AM
I don't know where to start. Almost all of your arguments are empty assertions.

....no one has ever posted an AMI bios tutorial which should only take a few minutes to...

Wrong.
All the knowledge to mod BIOSes is from vistafans.com, a Chinese website. There are AMI tutorials over and over. The first was published in February.

I've uploaded one of the best AMI and Award modifying methods for you.

http://rapidshare.com/files/30216597/AMI_AWARD_SUPER_STATIC.rar.html
(Hope your skills are high enough to reconstruct it.)

....they want you to have the professionals do it, WHY WHY...

RTFM, which I've uploaded. It's not so easy that everyone is able to do it by themselves. Modders like China4Ever (a good friend) spend a lot of time only to make others happy.... Huhhh, but you are afraid of it! Any psychological disturbances? Are you suffering from paranoia? I suggest you stay in your house and lock all the doors!
....You know what, if you can do it by tomorrow, I'll make it four hundred dollars... that's how confident I am that what you're saying is BS

To clarify that: I have to prove and do nothing, my friend. I don't need your dollars. You are saying and assuming that the modders' intention is, or could be, to harm others.

You have to prove that accusation! Show me ONE BIOS with malicious code!!!
You may download any modded BIOS and compare it to the original one. You may see the differences and decide whether you want to trust it or not. There is nothing secret at all. Why did you not ask one of the modders what exactly they are doing, instead of making senseless assumptions, ha?


As I said:
The code will AND MUST always be loaded into RAM on bootup to be executed.
It can and will be detected by any virus scanner (if a part of the code, a string or sequence, is known). Everyone who has even a little bit of knowledge will confirm that.


BTW: Not all the people who offer a service and charge nothing for it have a bad intention.

Furnish proof and we may continue to discuss! And buy Vista. Don't care about the others, take care of yourself. If you don't trust it, let it be!


Yen
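The comparison Yen describes (download the modded BIOS, compare it to the original, look at the differences) can be done mechanically. The following is an added example written for this thread, not code from any poster or modding tool: it checks an image against a known-good digest and lists the byte ranges that differ so the added bytes can be inspected. The two images are constructed sample bytes, not real BIOS dumps.

```python
import hashlib
from typing import List, Tuple

# Constructed sample images (not real BIOS dumps): a 64-byte "original" and a
# copy with an 8-byte blob written over offsets 40..47, standing in for a
# module a modder has added to the image.
ORIGINAL_IMAGE = bytes(range(64))
MODDED_IMAGE = ORIGINAL_IMAGE[:40] + b"\x55\xaa\x03ADDED" + ORIGINAL_IMAGE[48:]


def sha256_hex(image: bytes) -> str:
    """Digest of a whole image, to compare against a vendor-published hash."""
    return hashlib.sha256(image).hexdigest()


def matches_known_good(image: bytes, expected_sha256: str) -> bool:
    """True only if the image is byte-for-byte the known-good release."""
    return sha256_hex(image) == expected_sha256.lower()


def diff_ranges(original: bytes, modded: bytes) -> List[Tuple[int, int]]:
    """Half-open [start, end) offset ranges where the two images differ.
    A size difference (e.g. an appended module) is reported as one extra range."""
    ranges: List[Tuple[int, int]] = []
    common = min(len(original), len(modded))
    start = None
    for i in range(common):
        if original[i] != modded[i]:
            if start is None:
                start = i            # a differing run begins here
        elif start is not None:
            ranges.append((start, i))  # the run ended at the previous byte
            start = None
    if start is not None:
        ranges.append((start, common))
    if len(original) != len(modded):
        ranges.append((common, max(len(original), len(modded))))
    return ranges


def changed_blobs(original: bytes, modded: bytes) -> List[Tuple[int, bytes]]:
    """The modded bytes of each differing range, so they can be inspected."""
    return [(s, modded[s:e]) for s, e in diff_ranges(original, modded)]


if __name__ == "__main__":
    good = sha256_hex(ORIGINAL_IMAGE)
    print("modded image matches known-good hash:", matches_known_good(MODDED_IMAGE, good))
    for offset, blob in changed_blobs(ORIGINAL_IMAGE, MODDED_IMAGE):
        print(f"changed at 0x{offset:04x}: {blob.hex()}")
```

On a real image the known-good digest would come from the board vendor and the diff ranges would be mapped onto the module layout with a BIOS module tool before deciding whether to trust the mod.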

daxanadu
05-14-2007, 09:53 AM
Hi Yen,

The file you uploaded to Rapidshare is gone. Any chance to upload again somewhere else?

Thanks!
daxanadu

Yen
05-14-2007, 10:07 AM
The link should work now. It's Google translated from Chinese.

Yen

gz1
05-14-2007, 11:00 AM
Hi Guys,
Before I start a flame war, it was never my intention to imply that these BIOS mods contain a virus. Apologies if I have given that impression.
For a start, the tools are available to see what mods have been done.
My original question was simply to ask if it is *possible* for a rootkit to be carried in the BIOS. A rootkit is not a virus, it is quite different, and a rootkit running from the BIOS will not be detectable by any of today's means since it is in RAM first and therefore has a chance to hide before any scanners are loaded.
My presumption for this is that the BIOS can carry executable code, and if this is the right code it can subvert the running OS. This is certainly the thinking behind some, and claims of such a rootkit prototype already existing seem to back that up.
Cheers.

Yen
05-14-2007, 11:36 AM
@gz1
No problem, I know that and I answered your question to the best of my knowledge.
Shaba230 seems to be a person who has got a problem with people who spend time to make others happy and even charge nothing for it. Mistrust seems to be an American (U.S.A.) attribute.


Yen

heffe2001
05-14-2007, 03:49 PM
@gz1
No problem, I know that and I answered your question to the best of my knowledge.
Shaba230 seems to be a person who has got a problem with people who spend time to make others happy and even charge nothing for it. Mistrust seems to be an American (U.S.A.) attribute.

Yen

Hey, easy now on the American thing :). Not everybody here is as paranoid as that guy... Just do a Google search for his handle and read some of his threads on other forums... Looks to me like he tries to get folks to be afraid of using the different Vista hacks out there.

And if he's got so much cash hanging around that he can drop 400 on a proof-of-code type thing, why not just friggin' buy Vista and not have to worry about it?

sloozer
05-15-2007, 03:07 PM
What I think: he must be trying to spread the paranoia disorder virus.

Sign: An unmistakable sign of paranoia is continual mistrust. People with paranoid personality disorder are constantly on their guard because they see the world as a threatening place. They tend to confirm their expectations by latching on to any speck of evidence that supports their suspicions and ignore or misinterpret any evidence to the contrary. They are ever watchful and may look around for signs of a threat.