Taking a Virus to the PROM

A French security researcher named Jonathan Brossard has demonstrated that a virus can infect your computer’s BIOS. That virus is not stored on the hard drive and that makes it difficult to detect and then remove.  Brousard’s presentation at Black Hat 2012 has been discussed a great deal in security columns and blogs recently. Here is what you need to know.

A computer has a primary BIOS or Basic Input Output System which is firmware that runs from PROM or Programmable Read Only Memory (or, more accurately EEPROM where “EE” stands for Electrically Erasable) on the motherboard. The BIOS checks memory, initializes devices and otherwise gets the computer ready to run the operating system such as Windows. Newer computers are shipping with a more complex startup tool called the Unified Extensible Firmware Interface.

The BIOS can be updated or “flashed” as necessary, generally with newer versions from the manufacturer.  However, because the BIOS can be erased and re-written, bad actors can also replace a good, working BIOS with a version that contains malicious code.

BIOS viruses are not a new phenomenon. The first BIOS virus was created and released in 1999. Because the BIOS runs when the computer is first started, a virus there can be particularly nasty.  Even worse, other devices on your computer have PROMS that can be infected, too. Networking cards and video cards also have them, for instance. There is no operating system running when the code on these startup programs are run, and they can affect each other–a virus on the network card can run code to manipulate the video card.

Brossard called his new proof-of-concept Rakshasa. Rakshasa is a bit nastier than earlier BIOS viruses because it can use these other PROMS to hide code needed to put it back in the BIOS if the user somehow detects it and reflashes the main BIOS. It also gets its actual malicious code from the Internet so it can be continually updated. That makes his code much more complex than, say, a traditional LAN boot.

So what about preventing these attacks? I mentioned the UEFI above. Newer computers that have the UEFI will not be as vulnerable to this attack. That’s good, but not everyone will be getting a new computer right away and the current, safer versions of UEFI can’t be retrofitted into older PCs because they require different chips. There are also pluses and minuses to UEFI, even the latest version. So be sure to research it if you are planning to enable it.

Older computers are therefore still vulnerable. This is because each computer model uses a different BIOS. That makes it hard to check for the virus. It also means that a virus might be able to infect your firmware, and make the device or computer unusable (i.e. “brick it”). Only by installing the most current BIOS and device firmware can one be protected. And that is still not enough to ensure that the virus isn’t inserted again after the update. And it may not be possible to reflash a bricked device. As I write this I wonder whether running one’s applications in a virtual machine using a tools such as VMWare would provide good protection. Thoughts?

An article from MIT’s “Technology Review” talks more about Brossard, the software and his presentation about it at the Black Hat 2012 security conference. More details of how the proof-of-concept works are discussed here.

It may not be easy to defend against such an attack, but I haven’t heard of any in the wild, yet. Being aware that such attacks can exist is the first step. Are there possible legitimate uses for a technique like this? Could it reasonably replace the PXE LAN boot for a more robust system? What do you think?

We talk more about viruses and virus defense in our introduction to system and network security course.

John McDermott

Type to search blog.learningtree.com

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.