Security researchers were able to demonstrate how a BIOS rootkit can be used against computer targets. In a lengthy demonstration, computer hackers were able to create BIOS malware for a VMware virtual machine that was then ported to actual hardware targets.
Why BIOS Rootkits
The computer BIOS is the most basic firmware program on modern computers; it initializes the hardware components during the boot process. The name BIOS is an acronym for Basic Input/Output System. The program's basic functions are to test the various computer components (known as the POST phase – power-on self-test) and to load the operating system boot loader. All BIOS instances also have a built-in configuration utility (also known as the setup menu) that can be used to toggle various options such as boot device priority.
The various implementations of the code include several security features. The EEPROM chips can be updated by users via special system utilities that upgrade the code.
However, to remove the risk of an aborted BIOS update rendering the computer unusable, vendors have added a special boot block section that verifies the BIOS status with checksums and other methods to check for corruption.
Most mid- and high-range motherboards also feature backup BIOS chips that allow for easy recovery if the main BIOS code gets corrupted.
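The boot-block integrity check and the backup-chip fallback described above can be modelled in a few lines. The following is an added example written for this article, not code from the original page or from the researchers it describes; the image layout (a body followed by a 4-byte CRC32 trailer) and the sample images are constructed assumptions. It also shows the caveat a practitioner should keep in mind: a checksum detects accidental corruption from an aborted flash, but an image whose body was modified and whose trailer was recomputed still passes, so only a comparison against a vendor-published hash held outside the chip catches that case.

```python
import hashlib
import zlib
from typing import Optional, Tuple

# Constructed sample "firmware images" (assumption: real BIOS images are far
# larger and have a vendor-specific layout; here the image is body + CRC32).
def build_image(payload: bytes) -> bytes:
    """Append a little-endian CRC32 trailer to a payload, as a flashing tool would."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    return payload + crc.to_bytes(4, "little")


def image_is_intact(image: bytes) -> bool:
    """Boot-block style check: recompute CRC32 over the body, compare with the trailer."""
    if len(image) < 4:
        return False
    body, trailer = image[:-4], image[-4:]
    return (zlib.crc32(body) & 0xFFFFFFFF) == int.from_bytes(trailer, "little")


def matches_known_good(image: bytes, known_sha256: str) -> bool:
    """Stronger check: compare the whole image against a reference SHA-256
    (e.g. the vendor-published digest of the release), stored outside the chip."""
    return hashlib.sha256(image).hexdigest() == known_sha256


def select_boot_image(primary: bytes, backup: bytes,
                      known_sha256: str) -> Optional[Tuple[str, bytes]]:
    """Dual-BIOS style decision: boot the primary image if it passes both checks,
    otherwise fall back to the backup chip; None means neither is trustworthy."""
    for name, image in (("primary", primary), ("backup", backup)):
        if image_is_intact(image) and matches_known_good(image, known_sha256):
            return name, image
    return None


# Known-good release image and its reference digest (constructed sample data).
GOOD_IMAGE = build_image(b"POST routines and setup menu v1")
KNOWN_SHA256 = hashlib.sha256(GOOD_IMAGE).hexdigest()

# Aborted flash: a byte in the body is damaged, the stored CRC no longer matches.
_damaged = bytearray(GOOD_IMAGE)
_damaged[0] ^= 0xFF
CORRUPTED_IMAGE = bytes(_damaged)

# Deliberate modification: the body changed and the CRC trailer was recomputed,
# so the checksum passes and only the SHA-256 comparison notices.
TAMPERED_IMAGE = build_image(b"POST routines and setup menu v1 (modified)")

if __name__ == "__main__":
    print("good  intact:", image_is_intact(GOOD_IMAGE))
    print("corrupt intact:", image_is_intact(CORRUPTED_IMAGE))
    print("tampered intact:", image_is_intact(TAMPERED_IMAGE),
          "| matches reference:", matches_known_good(TAMPERED_IMAGE, KNOWN_SHA256))
    print("boot choice:", select_boot_image(CORRUPTED_IMAGE, GOOD_IMAGE, KNOWN_SHA256)[0])
```

The decisive design point is where the reference digest lives: if it sits in the same writable region as the image, a rewrite of both defeats the check, which is why vendors keep the boot block separate and why a reference hash obtained from the vendor's site is a better comparison than the chip's own checksum.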
Very few BIOS viruses have been developed because it is relatively hard to construct efficient attack vectors against computer users. BIOS attacks can be very dangerous, as the chips cannot be easily overwritten by users and the malicious code is launched as soon as the system is powered on. More complex code can even damage the computer by setting unsafe voltage levels on the main system components through dangerous overclocking.
Developing a BIOS Rootkit
The computer security researchers from the Cyberpunk Hackers community present an attempt at creating a BIOS rootkit based on a demonstration from 2009 that featured attacks against the code. A demonstration on a VMware virtual machine was done to test the proof of concept used in previous BIOS attacks.
To start off, the BIOS code was extracted using a resource extractor program, which allows for code inspection and malicious modification. The code injection was done with a crafted malware program that decompresses the actual rootkit and injects it into the BIOS.
The next step was to reproduce the attack on actual physical machines. VMware uses a version of the Phoenix BIOS, which is also used on many consumer and business machines. The hackers were able to download the BIOS code from the infected VMware guest and port it to a real machine.
The demonstrations prove that BIOS rootkits are possible in contemporary attacks, as computer hackers continue to use complex social engineering tricks. For further information, you can read the complete analysis on Cyberpunk's site.