Other issues in this category (18)
While the operating system is booting up…
Friday, June 2, 2017
I'm a system administrator, and if I fix a problem with a computer and then some old
lady who can’t tell a keyboard from a skate board gives me a knowing look and asks,
"Well, what was it?", do you think I'm going to explain to her the nature of a complex system failure?
It's much easier for me to grunt in reply that it was something like "a virus".
I don't really care what she tells her friends about the vicious infection that broke down her computer.
In this issue we will continue our series about rare computer troubles. Today we'll talk about BIOS and boot sector infections. Let's start with the BIOS.
BIOS firmware is shipped with computer motherboards. As soon as the system is powered up, it springs into action even before the operating system (OS) is loaded. Specifically, the BIOS facilitates the initial system diagnostics, detects available hard drives, and reads data from the disks to boot up the OS.
It’s the BIOS logo that we see before the OS starts loading.
The BIOS drew virus makers' attention in the MS-DOS era because, among other things, the firmware incorporates interrupt code that facilitates OS-hardware interaction. Specifically, interrupt call 13h is responsible for reading and writing data into disk sectors.
Criminals used the interrupt calls to create so-called boot viruses that would restore themselves when the OS was loaded and remain invisible to users.
Windows doesn't use BIOS interrupt calls (it clears the interrupt vector table at the beginning of its boot process) to load its components starting with the kernel; that's why nowadays intercepting BIOS interrupt calls isn't so relevant for malware. Malware can only use interrupt call 13h to read or write data to an arbitrary disk sector before the OS is loaded.
In 2011, Doctor Web security researchers encountered a somewhat unique rootkit (dubbed Trojan.Bioskit.1) that could only infect the BIOS – from Award Software. Later on, attempts to spread another modification of Trojan.Bioskit were detected, but due to errors in the code, this version of the Trojan does not represent any serious threat.
Accessing and re-flashing a BIOS chip is no trivial task. To accomplish this, one has to communicate with the motherboard chipset in order to access the chip. Then one must detect the chip and use the data erase/write protocol supported by the chip. However, the Trojan’s author chose an easier way and let the BIOS do all the work. He used information acquired from a Chinese researcher going by the alias Icelord. It was back in 2007 when an analysis of the Winflash utility for Award BIOS revealed a simple method to reflash the chip via the BIOS's service in the System Management Mode. The OS doesn't have access to the SMM and SMRAM code (if the BIOS is written properly, it will block access to the code), so the code is executed independently.
System Management Mode is an operational mode in which all normal code execution, including that of the OS, is suspended. Instead, special software is run with high privileges. As usual, it was designed for a legitimate purpose—to handle memory and chipset errors and shut down an overheated CPU. But it could also be used to circumvent OS security features and launch rootkits. SMM code has been granted unrestricted access to all the system memory including the kernel and hypervisor memory segments.
Rakshasa malware completely replaces the BIOS, uses Coreboot to initialise hardware, and uses SeaBios to emulate the BIOS’s UI. It also utilises iPXE to facilitate network boot and remote control via LAN, WIFI, WIMAX, and LTE and later loads the bootkit Kon-boot to modify Windows and Linux kernel variables.
It can carry out attacks of the following types:
- Remove SMM fixes. SMM. This enables malware code to be executed, while the execution of any other code is suspended. In this way, the malware process is run with superuser privileges and thus can change any settings and modify any files on the computer.
- Disable the BIOS NX feature—the attribute that marks certain memory areas as non-executable. This enables the malware code to be executed to circumvent password protection and gain remote control over the target machine.
- Disable ASLR (Address Space Layout Randomisation)—this is a technique that provides random addresses for key data areas of a process. ASLR complicates buffer overflow attacks because an attacker wouldn't know the address of a vulnerable process. With ASLR disabled, launching an attack on any OS becomes much easier.
- Replace a password prompt to acquire TrueCrypt/BitLocker passwords. BIOS facilities are then used to emulate keyboard input to decrypt data which can be altered or copied.
- Modify the file system before the OS boots up to enable the remote administration mode and infect the system with other malware.
- It can use Wi-Fi and WIMAX to download separate modules or entire OS images and thus bypass firewalls and compromise the network.
- If the BIOS is reflashed or the OS is reinstalled, the malware can recover itself using the image it has previously written onto any PCI device such as an Ethernet adapter, SATA controller, or even trusted devices.
- It can also circumvent ADM SVM, Intel Trusted Execution Technology and other similar security features because the motherboard’s firmware code is executed before any of them spring into action.
A typical Rakshasa infection scenario involves attackers gaining access to the target system’s hardware and uploading the malware from removable media onto the supplied PC hardware. This means that a brand-new computer can be shipped infected.
The Anti-virus Times recommends
Currently, the odds are low for your system to get infected with a malware program that is similar to the species we described above. But it is possible if, for example, your competitors become interested in your data. There are two reasons why malicious code can end up in system areas:
- The manufacturer or its supplier may want to make some extra money and sell personal user information to a third party.
- Do not neglect to update the BIOS firmware. BIOS updates can eliminate known defects as well as prevent malware infections (including those that use SMM).
- If something can be written somewhere, it can also be detected. Don't believe unsubstantiated claims about brand-new Trojans that can't be detected by anti-viruses unless those claims are supported by reputable anti-virus companies. If a malware program has been in the headlines and it really exists, customers are already besieging their suppliers in order to acquire protection—and that’s a fact no one can ignore.
Tell us what you think
To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.