BIOS rootkits

Traditionally, rootkit research has focused on achieving persistence and stealth with software running at the user or kernel level within a computer's operating system. The techniques used to run code undetected have evolved over time, and studying them allows the information security community to understand the evolution of a type of malware that has severe impact on the privacy and security of IT users.

A potentially much more dangerous scenario is that of malware that can effectively avoid detection and removal because it has stored itself in the computer's BIOS, the firmware that runs during the boot process prior to execution of the operating system itself. Such malware would survive reinstallation of the operating system, wiping and even replacement of the hard disk, and could achieve greater stealth than OS-dependent rootkits.

In 2009, Alfredo Ortega and Anibal Sacco discovered a generic technique to modify the BIOS of certain chipsets so that they could insert homebrewed rootkit code. The technique is applicable to any computer that accepts installation of BIOS updates that are not digitally signed using cryptographically strong methods.

This work is available at the Persistent BIOS infection page.

During their research, they also discovered that several computer manufacturers ship computers with pre-installed BIOS firmware that already provides rootkit functionality. Closer inspection revealed that the concealed code came from a software vendor's anti-theft technology that is currently embedded in millions of computers. Further research identified and documented multiple security weaknesses that leave the discovered software vulnerable to manipulation by potentially malicious parties, who could turn it into a highly effective rootkit. The researchers also investigated ways to prevent and detect tampering with software embedded in BIOS code.

This work is available at the Deactivate the Rootkit page.