Intellipedia – BIOS Threats
Jan. 24 2019 — 1:48 p.m.

This page contains dynamic content -- Highest Possible Classification is TOP SECRET//SI/TK
(U) BIOS Threats
TOP SECRET//SI//NOFORN
(U) I would like feedback on this page. Please edit or leave a comment on the Talk page!

(U) BIOS implants are firmware written to reside in a computer's BIOS and perform some function. Though not necessarily malicious, implants can be used to conduct CNA and CNE.[1]
(U) BIOS attacks and implants have been used and are known by both state and non-nation-state actors. There have been presentations on them at previous Black Hat and DEF CON conventions.[2] LOJACK for laptops is an optionally manufacturer-installed BIOS implant for Dell laptops.[3] BIOS attacks can even be traced back at least to the Chernobyl virus in 1998.[4]
Contents
1. (U) Key Findings
2. (U) Key Judgments
3. (U) Recent News and Reporting
4. (U) Virus attacks
   4.1 (U) CIH
   4.2 (U) Black Hat 2006
   4.3 (U) Persistent BIOS Infection
5. (U) References
6. (U) Additional Reading
(U) Key Findings
• (U) Using a BIOS implant for CNE is more difficult than for CNA. Without specific information about the targeted system(s), the implant is much more likely to prevent proper system booting (CNA).[5]
• (U) When using a BIOS implant for either CNE or CNA by remote means, there must be an initial infection by traditional malware. The intruder still needs to obtain administrator or root access. Supply chain and insider threat are both still possible.[5]
• (TS//SI//REL TO USA, FVEY) There are currently no ways in use to detect a BIOS infection outright on NIPRNet. The only way we would see a BIOS infection using current methods would be indirectly, through network traffic generated when the implant phones home.[5]
• (U//FOUO) The main reason for introducing malware into an expansion card (or BIOS) is to maintain a persisting presence through typical methods of system rebuilds. In addition to being immune to hard disk reformatting and OS reinstallations, some BIOS implants can survive a flashing of the BIOS by hiding in the BIOS's free space. Graphic, sound, and network card firmware could provide further hiding places. "Graphic cards have been subverted to support distributed brute-force password breaking. Network cards could be used to create covert channels. Security researchers have shown that sound cards can be controlled by malware to emit frequencies beyond normal hearing range designed to exfiltrate data."[6]
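The persistence finding above (implants surviving a BIOS flash by hiding in the BIOS's free space) suggests a defender-side integrity check. The following is an added example, not code from this page or from any of the cited reports: it compares a raw flash dump against a known-good vendor image of the same size and labels each differing span as either content planted in padding or a modified region. It assumes unused flash reads uniformly as 0xFF or 0x00, and both sample images are constructed inline.

```python
from typing import List, Tuple

FILL_BYTES = {0xFF, 0x00}  # erased-flash / padding values (assumption)


def is_free(chunk: bytes) -> bool:
    """True if a chunk is uniformly one fill byte, i.e. unused flash."""
    return len(chunk) > 0 and len(set(chunk)) == 1 and chunk[0] in FILL_BYTES


def diff_regions(dump: bytes, baseline: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) spans where the dump differs from the baseline."""
    if len(dump) != len(baseline):
        raise ValueError("images must be the same size")
    spans, start = [], None
    for i, (a, b) in enumerate(zip(dump, baseline)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            spans.append((start, i))
            start = None
    if start is not None:
        spans.append((start, len(dump)))
    return spans


def audit(dump: bytes, baseline: bytes) -> List[Tuple[int, int, str]]:
    """Label each differing span. A span whose baseline bytes were all fill is
    content written into free space; anything else (including a span that
    straddles a code/padding boundary) is a modified region."""
    out = []
    for s, e in diff_regions(dump, baseline):
        kind = "free_space_payload" if is_free(baseline[s:e]) else "modified_region"
        out.append((s, e, kind))
    return out


# Constructed sample: a 4 KiB "vendor" image with code-like bytes in the first
# half and erased (0xFF) free space in the second half.
BASELINE = bytes(range(256)) * 8 + b"\xff" * 2048
# Constructed "suspect" dump: 96 bytes now sit in the padding area and one
# byte in the code area has changed.
_d = bytearray(BASELINE)
_d[0x900:0x960] = bytes([0x55, 0xAA]) * 48
_d[0x10] = 0x90
DUMP = bytes(_d)

if __name__ == "__main__":
    for s, e, kind in audit(DUMP, BASELINE):
        print(f"0x{s:05x}-0x{e:05x} {e - s:5d} bytes  {kind}")
```

A hit labelled free_space_payload is the case the finding describes; a modified_region hit needs a look at what the vendor expects there (NVRAM variables, logs) before it is treated as an implant.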
(U) Key Judgments

• (TS//SI//NF) PLA and MAKERSMARK versions do not appear to have a common link beyond the interest in developing more persistent and stealthy CNE.[7][8][9]
• (TS//SI//NF) Among currently compromised are AMI- and Award-based BIOS versions. The threat that BIOS implants pose increases significantly for systems running on compromised versions.[10]
(U) Recent News and Reporting
(U) Virus attacks
(U) There are at least three known BIOS attack viruses.
(U) CIH
(U) The first was a virus which was able to erase Flash ROM BIOS content, rendering computer systems unstable. CIH, also known as the "Chernobyl Virus", appeared for the first time in mid-1998 and became active in April 1999. It affected systems' BIOS, and they often could not be fixed on their own since they were no longer able to boot at all. To repair this, the Flash ROM IC had to be removed from the motherboard to be reprogrammed somewhere else. Damage from CIH was possible since the virus was specifically targeted at the then widespread Intel i430TX motherboard chipset, and the most common operating systems of the time were based on the Windows 9x family, allowing direct hardware access to all programs.
(U) Modern systems are not vulnerable to CIH because of the variety of chipsets in use which are incompatible with the Intel i430TX chipset, and also because of other Flash ROM IC types. There is also extra protection from accidental BIOS rewrites in the form of boot blocks which are protected from accidental overwrite, or dual- and quad-BIOS equipped systems which may, in the event of a crash, use a backup BIOS. Also, all modern operating systems like Linux, Mac OS X, and Windows NT-based Windows OS like Windows 2000, Windows XP and newer, do not allow user mode programs to have direct hardware access. As a result, as of 2008, CIH has become essentially harmless, at worst causing annoyance by infecting executable files and triggering alerts from antivirus software. Other BIOS viruses remain possible, however:[11] since most Windows users run all applications with administrative privileges, a modern CIH-like virus could, in principle, still gain access to hardware.
(U) Black Hat 2006
(U) The second one was a technique presented by John Heasman, principal security consultant for UK-based Next-Generation Security Software, at the Black Hat Security Conference (2006), where he showed how to elevate privileges and read physical memory using malicious procedures that replaced normal ACPI functions stored in flash memory.
(U) Persistent BIOS Infection
(U) The third one, known as "Persistent BIOS infection", was a method presented at the CanSecWest Security Conference (Vancouver, 2009) and the SyScan Security Conference (Singapore, 2009), where researchers Anibal Sacco[12] and Alfredo Ortega, from Core Security Technologies, demonstrated insertion of malicious code into the decompression routines in the BIOS, allowing for nearly full control of the PC at every start-up, even before the operating system is booted.
(U) The proof-of-concept does not exploit a flaw in the BIOS implementation, but only involves the normal BIOS flashing procedures. Thus, it requires physical access to the machine or for the user on the operating system to be root. Despite this, however, the researchers underline the profound implications of their discovery: "We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable antivirus."[13]
(U) References
1. BIOS Threat Mitigation Info
2. (U) www.coresecurity.com/content/Deactivate-the-Rootkit
3. (U) www.absolute.com/en/lojackforlaptops/home.aspx
4. (U) www.symantec.com/security_response/writeup.jsp?docid=2000-122010-2655-99
5. (TS//SI//REL TO USA, FVEY) Basic Input-Output System (BIOS) based Malware by
6. (S//NF) USCYBERCOM; J2 Bulletin 10-03; Hardware-Based Malware Demonstrates Resistance to Standard Security Practices; 30 June 2010
7. (TS//SI//REL TO USA, FVEY) NTOC; V22-ITN-087-10; Analysis of a BIOS Rootkit; 24 MAY 2010
8. (U//FOUO) TDX-315/072060-10 240000Z SEP 10, source marked (TS//HCS//NF)
9. IOC CTW 2010-02-4C 28 Feb 2010
10. (TS//SI//REL TO USA, FVEY) DIRNSA, 3/00/521733-10 READDRESSAL Probable Contractor to PRC People's Liberation Army Conducts Computer Network Exploitation Against Taiwan Critical Infrastructure Networks; Develops Network Attack Capabilities, R 011521Z SEP 10
11. New BIOS Virus Withstands HDD Wipes, March 27, 2009 by Marcus Yam - Tom's Hardware US
12. Sacco, Anibal; Alfredo Ortega. Persistent BIOS Infection. Exploiting Stuff. Retrieved on 2010-02-06.
13. Fisher, Dennis. Researchers unveil persistent BIOS attack methods. Threat Post. Retrieved on 2010-02-06.

(U) Additional Reading
• (S) DIA; Defense Intelligence Digest: BIOS: China's Covert Cyber Capability; 14 Oct 2010 (A-Space required)
• (U) TOUCHWOLF - NSANet Wikiinfo page
• (U) STROMTIME BIOS Action Plan Status - NSANet Wikiinfo page
Categories: Cyber Threat Assessments | BIOS
• This page has been accessed 809 times.
• 3 watching users
• This page was last modified 00:08, 13 March 2012 by