For the last decade, persistent e-threats in the form of malicious code sneaking into firmware, EPROMs or BIOS chips were just a bad dream for antivirus companies. This dream has now become a cruel possibility with the introduction of Jonathan Brossardâ€™s proof-of-concept tool that can compromise the OS at boot by replacing the BIOS (Basic Input Output System).
Named Rakshasa (after a demon in Hindu mythology), the backdoor can go as deep as the computerâ€™s BIOS by replacing the motherboardâ€™s genuine BIOS with a combination of Coreboot and SeaBIOS, two open-source alternatives to specific vendor-supplied firmware.
The BIOS is not the only place it copies its code: Rakshasa interferes with the PCI firmware peripheral devices such as network cards or CD-ROMsÂ to achieve persistency and redundancy. It also writes an open source network boot firmware called iPXE to the computer’s network card. So even if someone restored the original BIOS, the rogue firmware on the network card or the CS-ROM can very well be used to access and restart the fake one.
The matter is even worse as antivirus software usually canâ€™t scan those areas, nor can it disinfect the malicious code because of the read-only nature of the medium. Terminating the malware can be done only with the user manually reflashing every peripheral which requires dedicated equipment and professional know-how.
More than that, file forensics is nearly impossible, even if the attack is detected. “We never touch the file system,” Brossard said, quoted by PCWorld. â€œIf you send the hard drive to a company and ask them to analyze it for malware they won’t be able to find it,â€ he said.
Unfortunately, the attack can be carried out both locally (when the attacker has hands-on access to the machine), as well as remotely. Even though the proof-of-concept code has not been made public, the simple mentioning of the open-source toolset can be enough for tech-savvy cyber-criminals to replicate the attack. The full research paper is available online.