Symantec Connect, Security Response Blog

Persistent Infection

Téo Adams
April 1st, 2009
Tags: Endpoint Protection (AntiVirus), Security, Security Risks, Security Response

I had a great time at CanSecWest 2009. There were some great speakers, the food was excellent, and the venue was pretty classy. One of the talks that stood out for me discussed using the BIOS as a means to persistently maintain control of a computer.

To my knowledge, this wasn’t the first time that the BIOS has been used by malicious code, but it is the first time that using the BIOS to fully contain and store that malicious code has been presented. By modifying the BIOS to carry malicious code and install it onto a local drive or device at boot, an attacker can keep control of a computer regardless of operating system reinstallation, replacement of the hard drive, or other seemingly sure-fire methods of system sanitization. Whatever is done to the devices or hardware, the computer remains at risk until the BIOS is flashed with a “clean” image, and that reflash has to be performed from trusted boot media or with an external programmer: a flash utility run from inside the compromised system depends on firmware that is itself malicious.

The most apparent use is “persistence of control” by remote attackers. However, a colleague of mine pointed out the usefulness of BIOS infection for espionage-type operations, which got me thinking about some scenarios. As a somewhat fantastical example, consider an ill-mannered company that wishes to gain an edge on the competition through corporate espionage. It could send an agent to join the competitor’s IT department with the intention of infecting the BIOS of every computer in the company. The infection code would then persistently install some arbitrary malicious code that logs and relays data back to the intruding company. If the competitor discovers the malicious code, most attempts to remedy the issue would likely be in vain, because BIOS infection is rarely, if ever, on the list of suspected causes. This could result in costly investigations into the source of the problem and cause major setbacks to productivity if the IT department does not discover that the BIOS is compromised. Obviously, espionage operations carried out by military or law enforcement agencies could leverage BIOS infection to survive counter-surveillance measures in the field.

With BIOS sizes reaching three megabytes and beyond on some modern motherboards, attackers have a lot of room to work with. Even where capacity is limited, the code stored in the BIOS needs only to be a small loader that downloads the remaining components once the operating system is running.

The caveat for this method of control is that flashing the BIOS typically requires root (or administrator) privileges, and on platforms that lock the flash part against writes after boot the attacker also needs a way past that protection. However, an attacker who has already gained root by exploiting a vulnerability on the computer can then use BIOS infection as an insurance policy to ensure that root access is maintained. Physical access to a computer removes the software hurdle entirely, since the chip can be reflashed directly, with an external programmer if need be.
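The practical counterpart to the remediation described above is checking a dump of the flash chip against a known-good image before trusting the machine again. The following script is an added example written for this page, not code from the CanSecWest talk or from Symantec. It compares two firmware images byte for byte, reports every modified range with a hex preview, and refuses to diff dumps of different sizes (a different flash part or a truncated read). Both images are constructed in memory so it runs offline; on a real system the reference would be the vendor’s release image and the dump would come from an external programmer or a flash reader booted from trusted media, since a dump taken from inside the possibly compromised operating system relies on the very firmware under suspicion.

```python
"""Compare a suspected BIOS dump against a known-good image.

Added example for this post (not code from the CanSecWest talk or from
Symantec). Both images are constructed in memory so the script runs
offline; real dumps would come from an external programmer or a flash
reader booted from trusted media.
"""
import hashlib

IMAGE_SIZE = 64 * 1024  # constructed: a small legacy-BIOS-sized flash part


def compare_images(clean: bytes, suspect: bytes) -> dict:
    """Return both hashes plus a list of (offset, length) runs that differ.

    A size mismatch (different flash part, truncated dump) is reported
    rather than diffed: a byte-for-byte comparison would be meaningless.
    """
    result = {
        "clean_sha256": hashlib.sha256(clean).hexdigest(),
        "suspect_sha256": hashlib.sha256(suspect).hexdigest(),
        "size_match": len(clean) == len(suspect),
        "regions": [],
    }
    if not result["size_match"]:
        return result

    start = None
    for offset, (a, b) in enumerate(zip(clean, suspect)):
        if a != b:
            if start is None:
                start = offset              # opening a new modified run
        elif start is not None:
            result["regions"].append((start, offset - start))
            start = None
    if start is not None:                   # run extends to end of image
        result["regions"].append((start, len(clean) - start))
    return result


def describe(clean: bytes, suspect: bytes, preview: int = 8) -> list:
    """Human-readable lines: one per modified run, with a hex preview."""
    result = compare_images(clean, suspect)
    if not result["size_match"]:
        return [f"size mismatch: clean {len(clean)} bytes, suspect {len(suspect)} bytes"]
    if not result["regions"]:
        return [f"images identical (sha256 {result['clean_sha256']})"]
    lines = []
    for offset, length in result["regions"]:
        was = clean[offset:offset + preview].hex()
        now = suspect[offset:offset + preview].hex()
        lines.append(f"0x{offset:06x} {length:5d} bytes  was {was}...  now {now}...")
    return lines


def build_samples():
    """Constructed clean image and a tampered copy of it.

    The clean image is 0xFF (erased flash) except for one pseudo-code
    module. The tampered copy patches a jump stub into that module and
    hides a payload in the erased padding: the two changes an infection
    like the one described in the post would have to make.
    """
    clean = bytearray(b"\xff" * IMAGE_SIZE)
    for i in range(0x1000, 0x8000):             # constructed "code module"
        clean[i] = (i * 7 + (i >> 8)) & 0xFF
    clean = bytes(clean)

    suspect = bytearray(clean)
    stub = bytes.fromhex("e9") + b"\x00" * 31   # hypothetical 32-byte jump stub
    suspect[0x1200:0x1200 + len(stub)] = stub
    payload = b"constructed payload " * 8       # 160 bytes hidden in padding
    suspect[0xD000:0xD000 + len(payload)] = payload
    return clean, bytes(suspect)


if __name__ == "__main__":
    clean_img, suspect_img = build_samples()
    for line in describe(clean_img, suspect_img):
        print(line)
```

Run as a script it lists the two tampered ranges, the 32-byte stub at 0x1200 and the 160-byte payload at 0xD000. The reference image must itself be trustworthy (the vendor’s release, checked against the vendor’s published hash), and the dump should cover the entire flash part rather than only the portion the operating system happens to map, otherwise code stored outside that window is never examined.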
