Re: Microsoft Research: Strider GhostBuster Rootkit Detection and "...stealth software that hides in BIOS, Video card EEPROM"

From: Roger Wilco (yesman_at_yourservice.invalid)
Date: 09/22/05

Date: Wed, 21 Sep 2005 21:09:54 -0400
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:PKJXe.5376$9a2.2038@trnddc04...
> From: "Art" <null@zilch.com>
>
> the consensus was that no known malware infects the BIOS.
> |
> >> Based upon my studying both viruses and hardware I can't see how
> >> it is possible.
> |
> | Why? You can download BIOS updates and reflash.
> |
>
>
> they are specifically written by the hardware manufacturer for
> specific motherboards using a specific type of Flashable RAM or
> programmable ROM.

This makes it a poor choice for malware that needs to be portable
between hardware platforms, but rootkits don't need to be portable.

> That is one thing, but to insert code
> and have the BIOS still functional seems a bit far fetched.

The BIOS routine runs on the processor almost without restriction
(direct addressing, no protection) - there is no reason to assume all of
the necessary code is in that location. The code could be fragmented and
stored in multiple option ROM locations and stitched together for
instance when shadowed.

The bottom line is that what was once firmware has now entered the realm
of (malicious) mobile code.
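As an added example (not from this thread or any of its posters), here is a Python scanner for the "multiple option ROM locations" the reply refers to: it walks a dump of the legacy expansion-ROM window (C0000h-EFFFFh, headers on 2 KiB boundaries), lists every option ROM by address, declared size, PCI ids and SHA-256 for baselining, and flags any image whose legacy byte-sum checksum no longer comes out to zero. The dump and both ROM images are constructed inline; the vendor/device ids are made up.

```python
import hashlib
import struct

ROM_BASE = 0xC0000   # start of the legacy expansion-ROM window (C0000h-EFFFFh)
ROM_ALIGN = 2048     # option ROM headers are located on 2 KiB boundaries

def parse_option_roms(region, base=ROM_BASE):
    """Walk a dump of the expansion-ROM window and describe each option ROM:
    address, declared size, checksum validity, PCI ids from the PCIR block
    if present, and a SHA-256 to compare against a known-good baseline."""
    roms, off = [], 0
    while off + 3 <= len(region):
        if region[off:off + 2] != b"\x55\xaa":     # no ROM signature at this boundary
            off += ROM_ALIGN
            continue
        size = region[off + 2] * 512                # byte 2: length in 512-byte units
        image = region[off:off + size]
        entry = {"address": base + off, "size": size, "vendor_id": None, "device_id": None,
                 # the byte sum of a legacy option ROM image must be 0 mod 256
                 "checksum_ok": size > 0 and len(image) == size and sum(image) % 256 == 0,
                 "sha256": hashlib.sha256(image).hexdigest()}
        if len(image) >= 0x1A:                      # word at 0x18 points at the PCIR block
            pcir = struct.unpack_from("<H", image, 0x18)[0]
            if pcir and pcir + 8 <= len(image) and image[pcir:pcir + 4] == b"PCIR":
                entry["vendor_id"], entry["device_id"] = struct.unpack_from("<HH", image, pcir + 4)
        roms.append(entry)
        off += max(ROM_ALIGN, -(-size // ROM_ALIGN) * ROM_ALIGN)  # next 2 KiB boundary past the image
    return roms

def build_rom(size, vendor, device, label):
    """Construct a minimal, checksum-valid option ROM image (demo data only)."""
    img = bytearray(size)
    img[0:2], img[2] = b"\x55\xaa", size // 512
    struct.pack_into("<H", img, 0x18, 0x40)                  # pointer to the PCIR block
    struct.pack_into("<4sHH", img, 0x40, b"PCIR", vendor, device)
    img[0x60:0x60 + len(label)] = label
    img[-1] = (-sum(img[:-1])) % 256                         # fix up the checksum byte
    return bytes(img)

# Constructed 192 KiB window holding two fake ROMs (ids are made up, not real vendors).
CLEAN_REGION = bytearray(0x30000)
CLEAN_REGION[0:2048] = build_rom(2048, 0x1234, 0x0001, b"constructed video ROM")
CLEAN_REGION[0x8000:0x9000] = build_rom(4096, 0x5678, 0x0002, b"constructed NIC ROM")
# Same window with one byte altered inside the second image and no checksum fix-up.
TAMPERED_REGION = bytearray(CLEAN_REGION)
TAMPERED_REGION[0x8000 + 0x100] ^= 0xFF

if __name__ == "__main__":
    for r in parse_option_roms(TAMPERED_REGION):
        print(hex(r["address"]), r["size"], r["checksum_ok"], r["vendor_id"], r["sha256"][:16])
```

On a real machine the region would come from a physical-memory or flash dump taken with a trusted tool, and the SHA-256 values would be compared against a baseline captured from the same board when it was known to be clean.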