
Re: bios infection (was: how to fix rootkit?)



2012/2/9 Aníbal Monsalve Salazar <anibal@debian.org>:
> On Thu, Feb 09, 2012 at 11:07:20AM +1100, Russell Coker wrote:
>>On Thu, 9 Feb 2012, Stephen Hemminger <shemminger@vyatta.com> wrote:
>>>The advice I heard is trust nothing (even reflash the BIOS).
>>
>>Do you know of any real-world exploits that involve replacing the BIOS?  It's
>>been theoretically possible for a long time but I haven't seen any references
>
> Persistent BIOS Infection:
> http://www.phrack.com/issues.html?issue=66&id=7

Trojan.Mebromi is one of the recent pieces of malware infecting some Award BIOSes:

http://www.symantec.com/security_response/writeup.jsp?docid=2011-090609-4557-99

The TDSS/TDL rootkit family basically changes the boot process and intercepts
Interrupt 13. The MBR is changed and the malware moves the existing bootloader
into its own encrypted hidden filesystem on the non-partitioned part of the disk.
So it's not really infecting the BIOS as such, but rather targeting the initial
boot process.

http://blog.eset.com/2011/10/18/tdl4-rebooted

So it's a reality, and those are only the known ones. In any case, if you can,
update your BIOS and check the POST boot process, and ensure that you don't have
any power-on self-test used to load some random code from an "unknown" location
(e.g. disks or PROM).


-- 
--                   Alexandre Dulaunoy (adulau) -- http://www.foo.be/
--                             http://www.foo.be/cgi-bin/wiki.pl/Diary
--         "Knowledge can create problems, it is not through ignorance
--                                that we can solve them" Isaac Asimov
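The MBR tampering described in the message above (boot code replaced, the original bootloader stashed in unpartitioned space at the end of the disk) can be checked for offline from a copy of sector 0. The following is an added example, not code from the mailing-list post: it parses a 512-byte MBR image, compares the boot-code region against a known-good SHA-256 recorded when the machine was clean, and reports unpartitioned sectors trailing the last partition. The baseline hash, the disk size, the 2048-sector slack threshold and the sample MBR images are all constructed for the example; on a real system you would read the first 512 bytes of the block device (root needed) and store the baseline hash out of band.

```python
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
# Alignment slack normally left after the last partition (assumption: 1 MiB).
GAP_THRESHOLD_SECTORS = 2048


def parse_mbr(mbr: bytes) -> dict:
    """Parse a classic MBR: 440 bytes of boot code, four 16-byte partition entries, 0x55AA."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start(3), type, CHS end(3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "start": lba_start, "sectors": count})
    return {"boot_code": mbr[:440], "partitions": partitions}


def audit_mbr(mbr: bytes, disk_sectors: int, known_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    info = parse_mbr(mbr)
    digest = hashlib.sha256(info["boot_code"]).hexdigest()
    if digest != known_boot_code_sha256:
        findings.append(f"boot code hash mismatch: {digest}")
    # End of the last partition in LBA sectors; sector 0 itself if the table is empty.
    last_end = max((p["start"] + p["sectors"] for p in info["partitions"]), default=1)
    gap = disk_sectors - last_end
    if gap > GAP_THRESHOLD_SECTORS:
        findings.append(f"{gap} unpartitioned sectors after last partition")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a block device or disk image (e.g. /dev/sda, needs root)."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR)


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a synthetic MBR from boot code and (type, lba_start, sectors) tuples."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (ptype, start, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, 0x80 if i == 0 else 0x00, ptype, start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed sample data: a 1 GiB disk with one Linux partition starting at LBA 2048.
DISK_SECTORS = 2_097_152
CLEAN_BOOT_CODE = b"\xfa\x31\xc0" + bytes(437)          # placeholder, not real boot code
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x83, 2048, DISK_SECTORS - 2048)])
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:440]).hexdigest()

# Constructed tampered image: different boot code and 32 MiB left unpartitioned at the end.
TAMPERED_MBR = build_mbr(b"\xeb\x58" + bytes(438), [(0x83, 2048, DISK_SECTORS - 2048 - 65536)])

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, audit_mbr(image, DISK_SECTORS, BASELINE_SHA256) or ["ok"])
```

The hash check only catches changes to the boot code in sector 0; a hook on Interrupt 13 installed at boot time is not visible in the on-disk image and has to be checked at runtime, and a trailing gap is only a lead, since legitimate tools also leave slack at the end of a disk.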

