Rootkits Installable in BIOS

Discussion in 'Computer Security' started by nemo_outis, Jan 27, 2006.

  1. nemo_outis

    Fascinating article about how rootkits may be installed in the BIOS.


    PS I think this confirms my recent post on the feasibility of capturing
    passwords for full HD OTFE encryption by installing a keylogger in the
    nemo_outis, Jan 27, 2006

  2. Gogarty

    You need to associate the password with a key file which the key logger
    cannot detect. Easy to lose the key file if it comes to that. Which is also
    the hazard of keyfiles. Oops!
    Gogarty, Jan 27, 2006

  3. nemo_outis

    No, the problem is considerably more serious than that. For instance, if I
    install a custom rootkit in the BIOS I can, in principle, completely pass
    over the input of the key, whether by keyboard, token or whatever, and
    sniff the key directly in RAM!

    nemo_outis, Jan 27, 2006
  4. Gogarty

    I defer to your superior knowledge in this field. Our computers are
    faithless traitors. We entrust them with our secrets and they promptly
    regurgitate all they know to the first floozy that comes along.
    Gogarty, Jan 27, 2006
  5. nemo_outis

    For the moment the risk is entirely hypothetical; it is far easier to use a
    hardware keylogger under most circumstances in which one could install a
    rootkit keylogger on a full-OTFE HD.

    However, it is wise to be aware of incipient or developing risks as well as
    more immediate ones.

    nemo_outis, Jan 27, 2006
  6. Normally, once Windows has loaded, the BIOS is doing very little; proper
    drivers designed for a multi-tasking environment take over.
    Brian Gregory [UK], Jan 27, 2006
  7. nemo_outis

    Yes, the usual sequence is BIOS itself, in-memory image of BIOS, and then
    a handoff to Windows 32-bit drivers, etc. However, a compromised BIOS
    could subvert this handoff leaving itself still hooked in.

    Not that it need do so, of course. A compromised BIOS targeting the OTFE
    HD password entered at boot time could have performed its capture and
    stashed the data long before the 32-bit portion of Windows was running. It
    would gracefully relinquish control to Windows, well satisfied with its
    accomplishment :)


    PS. Compromising other BIOSs, such as the video BIOS, also remains a
    nemo_outis, Jan 27, 2006
  8. In the scenario at hand there either is no key file, or it will be copied
    when the drive is imaged. Assuming no "smart card" or challenge-response
    scenario as nemo and I have already discussed.

    It all breaks down to the (again) stated fact that OTFE can easily fail
    where physical security is lax or as it is in this scenario, essentially
    George Orwell, Jan 28, 2006
  9. That's because a normal BIOS willingly hands over control. It's not
    necessary for it to be that way. The only confines that determine what
    BIOS code can do are the limited space BIOS is stored in, the fact that if
    it doesn't hand over at least an illusion of control it's useless, and the
    imagination of the attacker that installs a trojanized version of your
    BIOS code. ;-)
    Borked Pseudo Mailed, Jan 28, 2006
  10. traveler 66

    Yes it does, I hope one of the anti-virus companies finds a solution for
    this soon.
    traveler 66, Jan 28, 2006
  11. By all means do tell us how an anti-virus software company is supposed to
    in any way reliably address a corrupt BIOS that does its evil deeds long
    before that software can even be run. Explain how it's going to survive a
    piece of "firmware" that has direct control of how the operating system
    loads, and how memory and devices are seen and accessed.

    And while you're at it, take a stab at how software is going to correct a
    problem that has very hardware-specific access control and solutions, even
    if it could detect such a problem reliably.

    Do you really even understand what BIOS is?
    George Orwell, Jan 28, 2006
  12. traveler 66

    I should have posted more clearly, I meant root kits in general, not
    just the type mentioned here.
    traveler 66, Jan 28, 2006
  13. Gogarty

    I am a bit confused here. Does the rootkit in the BIOS only function while
    the BIOS is in boot-up and before it hands control to the operating system?
    If that is so, how does it compromise an OTFE hard disk? I should think the
    key logger would have to be active at all times. My OTFE disk does not run
    all the time and only runs when I type in the password, which would be long
    after the BIOS has done its thing. It is most unlikely that anyone could ever
    install a hardware key logger on my system and software ones are soon found
    and removed. Which leads me to ask: why is anyone putting key loggers on my
    system? They do turn up from time to time along with other adware and
    Gogarty, Jan 28, 2006
  14. nemo_outis

    Different type of OTFE application - you're thinking about
    partition/container-file encryption (e.g., TrueCrypt) while I'm talking
    about *full* HD OTFE encryption (e.g., Compusec).

    The password for full HD encryption is entered very early in the boot
    process, and a compromised BIOS could, in principle, capture the password
    (or the key itself), stash it somewhere, and then let the rest of the boot
    and user session proceed normally. The adversary would surreptitiously
    "harvest" the captured password later when the computer was unattended.


    PS As for your "software ones are soon found and removed" that is a very
    rash statement. In principle, a rootkit can be absolutely undetectable by
    any program on the compromised system - the rootkit could only be detected
    by booting from known-good media (e.g., CD or USB). That current rootkits
    can sometimes be detected by software on the compromised system (e.g., by
    an AV program) only indicates that - so far - they have been imperfectly
    nemo_outis, Jan 28, 2006
  15. Gogarty

    Thank you. Glad to have people like you around who really know what they
    are talking about.
    Gogarty, Jan 28, 2006
  16. You're welcome. Damn near anything nemo knows, he learned from me. :)
    Ari Silverstein, Jan 28, 2006
  17.

    Personally, I'd rather see something like spybot, Ad-Aware or A-Squared
    incorporate detection for this kind of thing

    *Crash Override
    --
    A: Maybe because some people are too annoyed by top-posting.
    Q: Why do I not get an answer to my question(s)?
    A: Because it messes up the order in which people normally read text.
    Q: Why is top-posting such a bad thing?

    Crash Override, Jan 30, 2006
  18. nemo_outis

    I have greater faith in Russinovich of sysinternals:

    For instance, the widestep elite keylogger uses a kernel-level rootkit to
    conceal itself. Yes, it can now be detected (by only a few!) but it had a
    pretty good run before that, making it one of the better software
    keyloggers (if one can use "better" in conjunction with such despicable
    spyware). Now imagine what the NSA could do.

    nemo_outis, Jan 30, 2006
  19. Roger Parks

    Ironically, a compromised bios could give new life to this and other

    RootkitRevealer, Adinf, and other single-OS integrity checkers compare
    logical I/O from the OS with physical I/O via the BIOS. And a tweaked
    BIOS could be changed to substitute information (or eliminate it
    altogether) so as to match the logical I/O.

    The challenge here, IMHO, is to get an unprivileged, WAN-connected
    process (e.g. browser, or browser extension) to either flash a BIOS or
    successfully issue ACPI commands. This might be done through a
    privilege escalation following a buffer overflow of some sort, a
    WMF-type bug, or perhaps through a compromised extension!?

    Vista error#4711: TCPA / RIAA / NGSCP VIOLATION: Microsoft optical
    mouse detected Linux patterns on mousepad. Partition scan in progress
    remove offending, unapproved products. Request permission, and apply
    a new key to reactivate MS software at

    Roger Parks, Jan 31, 2006
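    Added illustration, not part of the thread and not anyone's posted code: a
    toy model in C of the cross-view check Roger Parks describes (logical listing
    from the OS versus raw sectors read through the firmware's sector service),
    and of why nemo_outis says in post 14 that a rootkit may only be detectable
    by booting from known-good media. The four-sector "disk", the OS listing
    that omits one file, the honest and tweaked sector readers and the file name
    rk.sys are all constructed stand-ins; nothing here touches a real BIOS or
    reproduces RootkitRevealer's implementation.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a toy disk of 4 sectors, each holding one directory
 * entry as a NUL-terminated file name. Sector 2 holds the entry that a
 * kernel-level rootkit hides from the OS's own directory listing. */
#define NSECT 4
#define SECT  16
static const char HIDDEN_NAME[] = "rk.sys";
static char disk[NSECT][SECT] = { "boot.ini", "ntldr", "rk.sys", "user.dat" };

/* Stand-in for the firmware sector-read service that an integrity checker
 * uses for its "physical" view (the role the BIOS plays in Roger's post). */
typedef void (*sector_reader)(unsigned lba, char out[SECT]);

/* Untampered firmware: returns the sector as it is on disk. The same reader
 * also models a tool reading the image from known-good boot media. */
static void honest_bios_read(unsigned lba, char out[SECT]) {
    memcpy(out, disk[lba], SECT);
}

/* Tweaked firmware: returns the true sector for everything except the hidden
 * entry, which it blanks so the raw view now agrees with the OS view. */
static void trojan_bios_read(unsigned lba, char out[SECT]) {
    memcpy(out, disk[lba], SECT);
    if (strncmp(out, HIDDEN_NAME, SECT) == 0)
        memset(out, 0, SECT);          /* looks like an unused entry */
}

/* Logical view: what the running OS reports. A kernel rootkit has filtered
 * its own file out, modelled here as a fixed list (constructed). */
static const char *os_listing[] = { "boot.ini", "ntldr", "user.dat" };
#define OS_LISTING_N (sizeof os_listing / sizeof os_listing[0])

static int in_os_listing(const char *name) {
    for (size_t i = 0; i < OS_LISTING_N; i++)
        if (strncmp(name, os_listing[i], SECT) == 0) return 1;
    return 0;
}

/* Cross-view check in the style of the tools named in the thread: walk the
 * raw sectors through the supplied reader and flag every non-empty entry
 * that the OS view does not show. Returns the number of hidden entries;
 * up to `max` names are copied into `found`. */
static int cross_view_hidden(sector_reader rd, char found[][SECT], int max) {
    int n = 0;
    char sec[SECT];
    for (unsigned lba = 0; lba < NSECT; lba++) {
        rd(lba, sec);
        sec[SECT - 1] = '\0';          /* never trust the reader to terminate */
        if (sec[0] == '\0' || in_os_listing(sec)) continue;
        if (n < max) strncpy(found[n], sec, SECT);
        n++;
    }
    return n;
}

/* Small wrappers so a caller can ask for the verdict without managing buffers. */
static int count_hidden(sector_reader rd) {
    char found[NSECT][SECT];
    return cross_view_hidden(rd, found, NSECT);
}

static const char *first_hidden_name(sector_reader rd) {
    static char found[NSECT][SECT];
    return cross_view_hidden(rd, found, NSECT) > 0 ? found[0] : "";
}

int main(void) {
    printf("untampered firmware / known-good media: %d hidden entry (%s)\n",
           count_hidden(honest_bios_read), first_hidden_name(honest_bios_read));
    printf("tweaked firmware:                        %d hidden entries "
           "(check defeated)\n", count_hidden(trojan_bios_read));
    return 0;
}
```

    The same checker code gives opposite answers depending only on who serves
    the raw reads, which is the whole of Roger's point: a single-OS integrity
    checker is only as honest as the lowest layer it reads through. Running it
    from media the suspect firmware never touched restores the honest reader.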
  20. How would that work in practice?
    Brian Gregory [UK], Feb 1, 2006