Researchers demo BIOS attack that survives hard-disk wipe

A pair of Argentinian researchers have found a way to perform a BIOS level malware attack capable of surviving even a hard-disk wipe.

The researchers -- Alfredo Ortega and Anibal Sacco from Core Security Technologies -- used the stage at last week's CanSecWest conference to demonstrate methods (see slides .pdf) for infecting the BIOS with persistent code that will survive reboots and reflashing attempts. The technique includes patching the BIOS with a small bit of code that gave them complete control of the machine. The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player.

According to this Dennis Fisher report:

"It was very easy. We can put the code wherever we want," said Ortega. "We're not using a vulnerability in any way. I'm not sure if you understand the impact of this. We can reinfect the BIOS every time it reboots."

Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope. But the methods are deadly effective and the pair are currently working on a BIOS rootkit to implement the attack.

"We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable anti-virus," Ortega said.

Rob Lemos at SecurityFocus explains that the attack method requires the use of a machine that's already compromised but the scary part is that it completely prevents a defender from easily deleting an attacker's program or rootkit.

"You can remove the hard drive, trash it, and even reinstall the operating system," Sacco said. "This will still reinstall the rootkit."

Back in 2006, NGSS researcher John Heasman found a way to use a PCI device to plant an offensive rootkit on Windows machines.  Here's a link to Heasman's paper: Implementing and Detecting a PCI Rootkit (.pdf).