Home page logo
/

basics logo Security Basics mailing list archives

Re: Any solution for a virus in the BIOS?
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 4 Dec 2007 18:31:04 +0100

On 2007-12-03 PCSC Information Services wrote:
On 2007-12-03 Michael R. Martinez wrote:
On Mon, 3 Dec 2007 19:40:00 Ansgar -59cobalt- Wiechers wrote:
On 2007-12-02 admin () lh com wrote:
Get a av that has boot sector protection. Once you've run a scan
with that, it will clear things out.

Please explain how boot sector protection is supposed to help
against malware living in the BIOS. You do realize that it's the
BIOS that executes the boot code, don't you?

Assuming the BIOS actually is infected (which isn't too clear after
the OP's rather vague description) the appropriate way would be to
replace the BIOS chip or flash a clean BIOS onto it using a
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
dedicated device (*not* a PC that is booted with the potentially
     ^^^^^^^^^^^^^^^^
infected BIOS). Also examine the supposedly infected harddisk from
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
a clean system, either by booting some live-CD after cleaning the
     ^^^^^^^^^^^^^^
BIOS or by attaching the disk to another system (as secondary/
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
external disk).
     ^^^^^^^^^^^^^

Boot into a disk that scans for virus at boot!
Hiren
EBCD
Etc...

And then what? In case you didn't notice: the BIOS starts the OS on
that disk too, meaning that malware in said BIOS can also manipulate
that  OS and thus any software it may run, meaning that despite
booting from a clean media you still have a (potentially) compromised
system.

Booting from a LiveCD with a current AV and defs might alleviate some  
of this concern.

No.

LiveCDs won't be written to during the boot process and shouldn't be
exposed to this problem.

Wrong, because malware doesn't need to write to the boot disk. All it
needs to do is manipulate the code that is loaded into the RAM for
execution.

Flashing the BIOS seems to me to be the most appropriate fix in this
case from your post it seems to me that your inability to reflash the
BIOS may stem from a  jumper or dipswitch setting on the motherboard
that would prevent writing. Check for this  before attempting to
reflash.

a) I'm not the person having the problem.
b) The OP still needs to flash the BIOS on some system that isn't booted
   from the possibly infected BIOS.

Which is exactly what I suggested before.

Further to this, remove the drive in question from this system and use
a HDD enclosure to mount the drive USB / Firewire to allow you to scan
the drive from a  'known-good' machine.

This I had also suggested before.

For your convenience I underlined the respective parts above.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]