Re: Any solution for a virus in the BIOS?

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2007-12-03 PCSC Information Services wrote:
> > On 2007-12-03 Michael R. Martinez wrote:
> > > On Mon, 3 Dec 2007 19:40:00 Ansgar -59cobalt- Wiechers wrote:
> > > > On 2007-12-02 admin () lh com wrote:
> > > > > Get a av that has boot sector protection. Once you've run a scan
> > > > > with that, it will clear things out.
> > > >
> > > > Please explain how boot sector protection is supposed to help
> > > > against malware living in the BIOS. You do realize that it's the
> > > > BIOS that executes the boot code, don't you?
> > > >
> > > > Assuming the BIOS actually is infected (which isn't too clear after
> > > > the OP's rather vague description) the appropriate way would be to
> > > > replace the BIOS chip or flash a clean BIOS onto it using a
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > > dedicated device (*not* a PC that is booted with the potentially
     ^^^^^^^^^^^^^^^^
> > > > infected BIOS). Also examine the supposedly infected harddisk from
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > > a clean system, either by booting some live-CD after cleaning the
     ^^^^^^^^^^^^^^
> > > > BIOS or by attaching the disk to another system (as secondary/
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > > external disk).
     ^^^^^^^^^^^^^
> > > Boot into a disk that scans for virus at boot!
> > > Hiren
> > > EBCD
> > > Etc...
> >
> > And then what? In case you didn't notice: the BIOS starts the OS on
> > that disk too, meaning that malware in said BIOS can also manipulate
> > that  OS and thus any software it may run, meaning that despite
> > booting from a clean media you still have a (potentially) compromised
> > system.
>
> Booting from a LiveCD with a current AV and defs might alleviate some  
> of this concern.

No.

> LiveCDs won't be written to during the boot process and shouldn't be
> exposed to this problem.

Wrong, because malware doesn't need to write to the boot disk. All it
needs to do is manipulate the code that is loaded into the RAM for
execution.

> Flashing the BIOS seems to me to be the most appropriate fix in this
> case from your post it seems to me that your inability to reflash the
> BIOS may stem from a  jumper or dipswitch setting on the motherboard
> that would prevent writing. Check for this  before attempting to
> reflash.

a) I'm not the person having the problem.
b) The OP still needs to flash the BIOS on some system that isn't booted
   from the possibly infected BIOS.

Which is exactly what I suggested before.

> Further to this, remove the drive in question from this system and use
> a HDD enclosure to mount the drive USB / Firewire to allow you to scan
> the drive from a  'known-good' machine.

This I had also suggested before.

For your convenience I underlined the respective parts above.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq