Motherboard chips latest target for rootkit hackers
The flash ROMs on motherboards could become the latest front in the war on viruses and hackers within a month, according to new research presented at this year's Black Hat Federal computer security conference in Washington DC.
John Heasman, principal security consultant at UK-based NGS Consulting, claims the high-level language used by the Advanced Configuration and Power Interface (ACPI), a collection of power-management functions present in almost all recent motherboards, could be used to write malware to hide a rootkit in the flash memory used by the BIOS.
And another researcher at the conference claimed it would be just one month until BIOS rootkits would appear.
"This is so easy to do," said Greg Hoglund, editor of Rootkit.com. "You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in."
Heasman has written functions using ACPI's built-in language that replaced legitimate ACPI functions. The rogue functions read from physical memory and elevate privileges, crucial elements of a rootkit attack.
Rootkits - defined by Heasman as "code run by an attacker after compromise to make further use of system resources without detection" - have gained prominence in recent months since record company Sony BMG was accused of using rootkit-like code to embed copy protection systems on any computer on which their CDs were played. The software was swiftly recalled after a media outcry.
"Rootkits are becoming more of a threat in general - BIOS is just the next step," said Heasman.
The BIOS is a particularly potent means of attacking a computer, because code in the BIOS will survive hard disk reformats and operating system reinstallations. Malware present in the BIOS is difficult to detect and even more difficult to remove.
Hardware features such as motherboard write-protect jumpers and digitally signed BIOS software could help mitigate the rootkit threat.
Heasman said: "The obstacles to deployment are numerous. Almost all machines have a physical protection, such as a jumper on the motherboard, against flashing."
"I see this more as a threat from insiders, someone who has physical access to the system," he added, citing the example of a disgruntled employee who infects their corporate laptop with a BIOS rootkit before leaving a company.
Heasman suggests that, in addition to existing rootkit detectors such as Blacklight and RootkitRevealer, means of detecting the new breed of BIOS rootkits might include using the Windows XP/2003 event log to monitor ACPI messages, and the dmesg command on Linux.
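The rogue ACPI functions Heasman describes would live in the AML of the DSDT or an SSDT, so one defensive check is to record a known-good digest of each table and verify both the table's spec checksum and that digest later. The following is an added example, not code from the article or its researchers; it assumes a Linux host that exposes the tables under /sys/firmware/acpi/tables/ (the sample tables here are constructed in place so the script runs offline).

```python
import hashlib
import struct

# Standard 36-byte ACPI table header: signature, length, revision, checksum,
# OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")

def parse_header(table: bytes) -> dict:
    """Decode the common ACPI table header fields."""
    sig, length, rev, chk, oem_id, oem_tid, _oem_rev, _cid, _crev = \
        ACPI_HEADER.unpack_from(table)
    return {"signature": sig.decode("ascii"), "length": length,
            "revision": rev, "checksum": chk,
            "oem_id": oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
            "oem_table_id": oem_tid.rstrip(b"\0 ").decode("ascii", "replace")}

def checksum_ok(table: bytes) -> bool:
    """Per the ACPI spec, all bytes of a table must sum to 0 modulo 256."""
    return parse_header(table)["length"] == len(table) and sum(table) % 256 == 0

def table_digest(table: bytes) -> str:
    return hashlib.sha256(table).hexdigest()

def check_tables(tables: dict, baseline: dict) -> list:
    """Flag tables whose checksum is bad or whose digest left the baseline.
    A careful attacker would repair the checksum, so the digest comparison
    against a baseline taken from a trusted state is the real control."""
    findings = []
    for name, data in tables.items():
        if not checksum_ok(data):
            findings.append(f"{name}: bad length/checksum")
        expected = baseline.get(name)
        if expected is None:
            findings.append(f"{name}: no baseline (new table?)")
        elif table_digest(data) != expected:
            findings.append(f"{name}: digest differs from baseline")
    return findings

def build_table(signature: bytes, body: bytes) -> bytes:
    """Construct a sample table with a valid checksum (test data only)."""
    length = ACPI_HEADER.size + len(body)
    hdr = ACPI_HEADER.pack(signature, length, 2, 0, b"SAMPLE", b"EXAMPLE1",
                           1, b"TEST", 1)
    raw = hdr + body
    return raw[:9] + bytes([(-sum(raw)) % 256]) + raw[10:]  # byte 9 = checksum

# Constructed stand-ins for /sys/firmware/acpi/tables/DSDT before and after
# an unauthorised modification of one byte in the AML body.
GOOD_DSDT = build_table(b"DSDT", b"\x10\x2b\x5f\x53\x42\x5f")
TAMPERED = GOOD_DSDT[:-1] + bytes([GOOD_DSDT[-1] ^ 0xFF])
BASELINE = {"DSDT": table_digest(GOOD_DSDT)}
```

On a real host, read each file in /sys/firmware/acpi/tables/ into the `tables` dict and store `BASELINE` offline when the machine is known-good; re-running `check_tables` after a reimage is what makes a firmware-resident change visible.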
Rootkit expert Joanna Rutkowska, who also presented at the conference, added that existing rootkit detection software should adapt to the new threat by scanning for rootkit behaviour, such as interacting with operating system memory, instead of the current approach of scanning the filesystem for points of compromise.
"Today, many people believe that it's just enough to enumerate all the potential triggering points," she said. "I don't agree with this approach, as there seem to be lots of places which can be used as a triggering point - John has just shown us how to use BIOS for this, but we can also think about advanced file infection and many others."
Infection of BIOS chips with viruses is nothing new - the Chernobyl/CIH virus hit the headlines in 1998 by doing just that - but the researchers say the existence of an open high-level language for creating ACPI functions makes it much easier for malware writers to attack the BIOS.