BIOS based rootkits soon a reality?

January 28th, 2006

According to John Heasman, security researcher with NGS Software, BIOS based rootkits could be the next step in the continuing advancement of threats to computer security. During a talk last week at the BlackHat Federal conference, he introduced the concept and showed some research on how power management functions could be used to manipulate a system’s BIOS with malicious code.

What’s really scary about that is that a BIOS based rootkit would be a lot harder to detect and remove than traditional operating system based rootkits. Not only would it survive reboots, reinstalls and even operating system changes; if it was well written, it might even be completely independent of the currently running operating system, which would make it much harder to deal with. One of the strategies to detect and remove a rootkit today is to boot a clean environment, for example a live CD with forensics software on it, and examine the system while the rootkit cannot be active. But a BIOS based rootkit would still be active in such a live-CD environment and could thus hide itself from the forensics software.

There’s a bit of hope, though – this kind of rootkit is unlikely to find its way into worms, viruses and other malware targeting ordinary computer users. The reason for that is pretty simple – there are too many different types of mainboards out there, with too many different BIOS versions. The risk for a worm trying to plant a BIOS based rootkit would be to render the computer itself useless – and a malfunctioning computer is of no use to the worm writer, whose objective is usually to take over the victim’s computer, not make it unusable. But this kind of technique could easily find its way into the toolbox of professional hackers, intelligence services etc., who have other goals they want to achieve by planting malicious software on a victim’s computer.

Resources:

NGS’s research paper
Brian Krebs’ blog @washingtonpost.com


Entry Filed under: Technology
