Security Basics mailing list archives
Re: Any solution for a virus in the BIOS?
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 4 Dec 2007 18:31:04 +0100
On 2007-12-03 PCSC Information Services wrote:
On 2007-12-03 Michael R. Martinez wrote:On Mon, 3 Dec 2007 19:40:00 Ansgar -59cobalt- Wiechers wrote:On 2007-12-02 admin () lh com wrote:Get a av that has boot sector protection. Once you've run a scan with that, it will clear things out.Please explain how boot sector protection is supposed to help against malware living in the BIOS. You do realize that it's the BIOS that executes the boot code, don't you? Assuming the BIOS actually is infected (which isn't too clear after the OP's rather vague description) the appropriate way would be to replace the BIOS chip or flash a clean BIOS onto it using a
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
dedicated device (*not* a PC that is booted with the potentially
^^^^^^^^^^^^^^^^
infected BIOS). Also examine the supposedly infected harddisk from
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
a clean system, either by booting some live-CD after cleaning the
^^^^^^^^^^^^^^
BIOS or by attaching the disk to another system (as secondary/
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
external disk).
^^^^^^^^^^^^^
Boot into a disk that scans for virus at boot! Hiren EBCD Etc...And then what? In case you didn't notice: the BIOS starts the OS on that disk too, meaning that malware in said BIOS can also manipulate that OS and thus any software it may run, meaning that despite booting from a clean media you still have a (potentially) compromised system.Booting from a LiveCD with a current AV and defs might alleviate some of this concern.
No.
LiveCDs won't be written to during the boot process and shouldn't be exposed to this problem.
Wrong, because malware doesn't need to write to the boot disk. All it needs to do is manipulate the code that is loaded into the RAM for execution.
Flashing the BIOS seems to me to be the most appropriate fix in this case from your post it seems to me that your inability to reflash the BIOS may stem from a jumper or dipswitch setting on the motherboard that would prevent writing. Check for this before attempting to reflash.
a) I'm not the person having the problem. b) The OP still needs to flash the BIOS on some system that isn't booted from the possibly infected BIOS. Which is exactly what I suggested before.
Further to this, remove the drive in question from this system and use a HDD enclosure to mount the drive USB / Firewire to allow you to scan the drive from a 'known-good' machine.
This I had also suggested before. For your convenience I underlined the respective parts above. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Current thread:
- RE: Any solution for a virus in the BIOS? whip (Dec 02)
- <Possible follow-ups>
- Re: RE: Any solution for a virus in the BIOS? admin (Dec 03)
- Re: RE: Any solution for a virus in the BIOS? Ansgar -59cobalt- Wiechers (Dec 03)
- Re: RE: Any solution for a virus in the BIOS? Michael R. Martinez (Dec 03)
- Re: Any solution for a virus in the BIOS? Ansgar -59cobalt- Wiechers (Dec 03)
- Re: Any solution for a virus in the BIOS? PCSC Information Services (Dec 04)
- Re: Any solution for a virus in the BIOS? Michael R. Martinez (Dec 04)
- Re: Any solution for a virus in the BIOS? Ansgar -59cobalt- Wiechers (Dec 04)
- Re: RE: Any solution for a virus in the BIOS? Ansgar -59cobalt- Wiechers (Dec 03)