Intellipedia – BIOS Threats
Jan. 24 2019 — 6:48p.m.
(U) BIOS implant s are firmware written which reside in a computer 's BIOS and perform some function. Though not necessarily malicious, implant s can be used to conduct CNA and CNE .[l ] (U) BIOS attacks and implant s have been used and are kno wn by both state and non nation- state actors . There have been pre sentation s on them in previous Black Hat and DEF CON convention s. LOJACK for laptop s is an optionally manufa cturer-in stalled BIOS implant for Dell laptop s. BIOS attacks can even be traced back at least to the Chernobyl virus in 1998.[~] Contents [hide] • • • • L(U) KeY-Findings_ 2....(U)KeY-Judgments 1..(U) Recent News and Reporting ±..(U) Virus attacks o 4.1 (U) CIH o 4 .2 (U) Black Hat 2006 o 4.3 (U) Persistent BIOS Infection • i..(U) References • .Q_(U)Additional Reading  (U) Key Findings • (U) Using a BIOS implant for CNE is more difficult than for CNA . Without specific information about the targeted system (s), the implant is much more likely to prevent proper system booting (CNA) .W • (U) When using a BIOS implant for either CNE or CNA by remote mean s, there must be an initial infection by traditional malware. The intruder still need s to obtain admini strator or root access . Su12121Y chain and insider threat are both still po ssible. W • (TS//SI//REL TO USA , FVEY ) There are currently no ways in use to detect a BIOS infection outright on NIPRNet. The only way we would see a BIOS infection using current method s would be indirectly, through network traffic generated when the implant phone s home. W • (U//FOUO) The main reason for introdu cing malware into an expan sion card (or BIOS ) is to maintain a per sisting pre sence through typical method s of system rebuild s. In addition to being immune to hard disk reformatting and OS rein stallation s, some BIOS implant s can survive a flashing of the BIOS by hiding in the BIOS 's free space. Graphic , sound , and network card firmware could pro vide further hiding places . "Graphic cards have been subverted to support distributed brute-for ce pa ssword breaking. Network cards could be used to create covert channel s . Security researchers have shown that sound cards can be controlled by malware to emit frequencie s beyond normal hearing range designed to exfiltrate data. "llil  (U) Key Judgments
• (TS//SI//NF) PLA and MAKERSMARK versions do not appear to have a common link beyond the intere st in developing more per sistent and stealthy CNE. [~] • (TS//SI//NF) Among currently compromi sed are AMI and Award based BIOS versions. The threat that BIOS implant s po se increases significantly for systems running on compromi sed versions.[lO]  (U) Recent News and Reporting click column headers to sort Feed l  (U) Virus attacks (U) There are at least three known BIOS attack viruses. [edit ] (U) CIH (U) The first was a virus which was able to erase Flash ROM BIOS content , rendering computer systems unstable. CIH , also known as "ChemobY-1Virus", appeared for the first time in mid-1998 and became active in April 1999. It affected systems' BIOS and often could not be fixed on their own since they were no longer able to boot at all. To repair this, Flash ROM IC had to be ejected from the motherboard to be reprogrammed somewhere else. Damage from CIH was po ssible since the Virus was specifically targeted at the then widespread Intel i430TX motherboard chipset , and the most common operating systems of the time were based on the Window s 9x family allowing direct hardware access to all program s. (U) Modem systems are not vulnerable to CIH because of a variety of chipsets being used which are incompatible with the Intel i430TX chipset , and also other Flash ROM IC types. There is also extra prote ction from accidental BIOS rewrites in the form of boot blocks which are prote cted from accidental overwrite or dual and quad BIOS equipped systems which may, in the event of a crash , use a backup BIOS. Also , all modem operating systems like Linux , Mac OS X , Window s NT-based Windo ws OS like Windows 2000 , Window s XP and newer, do not allow user mode program s to have direct hardware access. As a result , as of 2008 , CIH has become essentially harmle ss, at worst causing annoyan ce by infecting executable files and triggering alerts from antivirus software. Other BIOS viruses remain po ssible , however:[ll ] since most Windo ws users run all applications with admini strative privilege s, a modem CIH-like virus could , in
principle, still gain access to hardware. [edit ] (U) Black Hat 2006 (U) The second one was a technique presented by John Heasman, principal security consultant for UK based Next-Generation Security Software at the Black Hat Security Conference (2006), where he showed how to elevate privileges and read physical memory, using malicious procedures that replaced normal ACPI functions stored in flash memory. [edit ] (U) Persistent BIOS Infection (U) The third one, known as "Persistent BIOS infection", was a method presented in CanSecWest Security Conference (Vancouver, 2009) and SyScan Security Conference (Singapore, 2009) where researchers Anibal Sacco l1l.l and Alfredo Ortega, from Core Security Technologies, demonstrated insertion of malicious code into the decompression routines in the BIOS, allowing for nearly full control of the PC at every start-up, even before the operating system is booted. (U) The proof-of-concept does not exploit a flaw in the BIOS implementation, but only involves the normal BIOS flashing procedures. Thus, it requires physical access to the machine or for the user on the operating system to be root. Despite this, however, researchers underline the profound implications of their discovery: "We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable anti virus ."Lill  (U) References 1. J BIOS Threat Mitigation Info 2. l (U) www.coresecurity.com/content/Deactivate-the-Rootkit 3. l (U) www.absolute.com/en/lojackforlaptops/home .aspx 4. l (U) www.Symantec.com/security _response/writeup.jsp?docid=2000-122010-2655-99 5. t 5 .oil 5 ·2 (TS//SI//REL TO USA, FVEY) Basic Input-Output System (BIOS) based Malware by 6. 7. 8. 9. 10. 11. 12. 13. l (S//NF) USCYBERCOM; J2 Bulletin 10-03; Hardware-Based Malware Demonstrates Resistance to Standard Security Practices; 30 June 2010 J_(TS//SI//REL TO USA, FVEY) NTOC; V22-ITN-087-10 ; Analysis of a BIOS Rootkit; 24 MAY 2010 J_(U//FOUO) TDX-315/072060-10 240000Z SEP 10, source marked (TS//HCS//NF) J_IOC CTW 2010-02-4C 28 Feb 2010 J_(TS//SI//REL TO USA, FVEY) DIRNSA, 3/00/521733-10 READDRESSALProbable Contractor to PRC People 's Liberation Army Conducts Computer Network Exploitation Against Taiwan Critical Infrastructure Networks; Develops Network Attack Capabilities, R 011521Z SEP 10 l New BIOS Virus Withstands HDD Wipes , March 27, 2009 by Marcus Yam - Tom's Hardware US l Sacco, Anibal; Alfredo Ortega. Persistent BIOS Infection . Ex12.loiting..sJyff . Retrieved on 2010-02-06 . l Fisher, Dennis. Researchers unveil uersistent BIOS attack methods . Threat Post . Retrieved on 201002-06 .
 (U) Additional Reading • (S) DIA; Defense Intelligence Digest: BIOS: China's Covert CY-berCagabilitY-; 14 Oct 2010 (A-Sgace required) • (U) TOUCHWOLF - NSANet Wikiinfo page • (U) STROMTIME BIOS Action Plan Status - NSANet Wikiinfo page Retrieved from "htm:// Categories : CY-berThreat Assessments I BIOS TOP SECRET//SI//NOFORN • This page has been accessed 809 time s. • 3 watching users • This a e was last modified 00:08 13 March 2012 b Personal tools • • • • • • MY-talk My_greferences MY-watchlist MY-contributions Log out Namespaces • Pag~ • Discussion Variants Views • • • • Read Edit Page historYWatch Actions • Rename /Move • Tag this gag~ Search Most recent editors:
l..... s_ea _r_ch______ ......, ! I Search • Main Pag~ • Recent changes • Hel12 • Random Article • Sandbox • Guidelines • Recent files • Top categories interaction • Featured articles • Announcements • Collaboration reguests • Tutorial • Bulletin Board • Metrics • AcronY.mS • Peo12leFinder social software tools Toolbox • PrivacY-policY• About Intellipedia • ])isclaimers • .____I _____, Use of this U.S. Government system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use may subject you to criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative, criminal, or other adverse actions.