ARLINGTON, Virginia -- Insider attacks and industrial espionage could
become more stealthy by hiding malicious code in the core system
functions available in a motherboard's flash memory, researchers said
on Wednesday at the Black Hat Federal conference.
A collection of functions for power management, known as the Advanced
Configuration and Power Interface (ACPI), has its own high-level
interpreted language that could be used to code a rootkit and store
key attack functions in the Basic Input/Output System (BIOS) in flash
memory, according to John Heasman, principal security consultant for
U.K.-based Next-Generation Security Software.
The researcher tested basic features, such as elevating privileges and
reading physical memory, using malicious procedures that replaced
legitimate functions stored in flash memory.
"Rootkits are becoming more of a threat in general--BIOS is just the
next step," Heasman said during a presentation at the conference.
"While this is not a threat now, it is a warning to people to look
The worries come as security professionals are increasingly worried
about rootkits. Earlier this month, a security researcher warned that
the digital-rights management software, which experts say resembled a
rootkit, used by music giant Sony BMG remained on hundreds of
thousands of servers. Last year, the first rootkit for the Mac OS X
was released to the Internet.
While some attacks have attempted to affect a computer's flash memory,
most notably the CIH or Chernobyl virus in 1998, the ability to use
the high-level programming language available for creating ACPI
functions has opened up the attack to far more programmers.
One rootkit expert at the conference predicted that the technology
will become a fundamental part of rootkits in the near future.
"It is going to be about one month before malware comes out to take
advantage of this," said Greg Hoglund, a rootkit expert and CEO of
reverse engineering firm HBGary. "This is so easy to do. You have
widely available tools, free compilers for the ACPI language, and
high-level languages to write the code in."
The firmware on most modern motherboards has tables associating
commands in the ACPI Machine Language (AML) to hardware commands. New
functionality can be programmed in a higher level ACPI Source Language
(ASL) and compiled into machine language and then flashed into the
However, the ability to flash the memory depends on whether the
motherboard allows the BIOS to be changed by default or if a jumper or
setting in the machine setup program has to be changed. Security
professionals at the conference disagrees over how many machines would
have the ability to write to flash memory turned on by the
manufacturer. While Hoglund believed that most computers would not
have protections against writing to flash memory turned on by default,
NGSSoftware's Heasman disagreed.
"The obstacles to deployment are numerous," Heasman said. "Almost all
machines have a physical protection, such as a jumper on the
motherboard, against flashing."
However, an insider attacker could flash their laptop before they
leave a company and then use the rootkit, which would survive
reinstallation of the operating system. The insider could then gain
access to the corporate network at a later time.
Because the amount of memory that could be used by an attacker in the
BIOS firmware is small, it is unlikely that an entire rootkit will be
stored in the motherboard's memory. Instead, only specific functions
and bootstrap code would likely be hidden there.
Another benefit of programming to the ACPI Source Language is that,
for the most part, the code can be ported easily to any platform.
"This is platform independent," Heasman said. "We can write a backdoor
for Windows that will elevate privilege, and turn around and use the
code on Windows."
Copyright 2005, SecurityFocus
InfoSec News v2.0 - Coming Soon!