
Security Researcher Introduces Proof-of-Concept Tool to Infect BIOS, Network Cards, CD-ROMs

For the last decade, persistent e-threats in the form of malicious code sneaking into firmware, EPROMs or BIOS chips were just a bad dream for antivirus companies. This dream has now become a cruel possibility with the introduction of Jonathan Brossard’s proof-of-concept tool that can compromise the OS at boot by replacing the BIOS (Basic Input Output System).

Named Rakshasa (after a demon in Hindu mythology), the backdoor can go as deep as the computer’s BIOS by replacing the motherboard’s genuine BIOS with a combination of Coreboot and SeaBIOS, two open-source alternatives to specific vendor-supplied firmware.

The BIOS is not the only place it copies its code: Rakshasa also infects the firmware of PCI peripheral devices such as network cards or CD-ROM drives to achieve persistence and redundancy. It also writes an open-source network boot firmware called iPXE to the computer’s network card. So even if someone restored the original BIOS, the rogue firmware on the network card or the CD-ROM drive can very well be used to reach and restart the fake one.

The matter is even worse because antivirus software usually can’t scan those areas, nor can it disinfect the malicious code, because of the read-only nature of the medium. Terminating the malware can be done only by the user manually reflashing every peripheral, which requires dedicated equipment and professional know-how.

More than that, file forensics is nearly impossible, even if the attack is detected. “We never touch the file system,” Brossard said, quoted by PCWorld. “If you send the hard drive to a company and ask them to analyze it for malware they won’t be able to find it,” he said.

Unfortunately, the attack can be carried out both locally (when the attacker has hands-on access to the machine) and remotely. Even though the proof-of-concept code has not been made public, the mere mention of the open-source toolset can be enough for tech-savvy cyber-criminals to replicate the attack. The full research paper is available online.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

1 Comment

  • If this technique is mass-applied, I have to find another hobby; I can’t analyze this thing… but I think hardware viruses are the future in malware: no dependencies, no care about the OS, just a firmware injected with evil code.