Australia's Leading Computer Emergency Response Team

Malware: The Next Generation
Date: 15 September 2011
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=14835

I'm sure we're all familiar with the phenomenon of malware. The commonly seen methods of infection used by criminals, the malware's behaviour and its purpose are nothing new; all of it has been seen countless hundreds or thousands of times before over the last five to ten years. The only things that have been changing for common garden-variety malware seen in the wild are minor variations to code and packing, made in an attempt to avoid detection by anti-virus products, both heuristic and signature based. Generally, malware authors will try to cast their net as wide as possible by targeting the most commonly used operating systems and software applications. While this increases the malware's target potential, it also almost always means quicker detection and removal by anti-virus vendors and security experts.

So what kind of new attack vectors does the future hold for malware development? There are a couple of possibilities which have begun to be explored but which have not yet really started to hit the mainstream. One such possibility is the development of BIOS and firmware based malware. Whether or not this new attack vector will become mainstream is yet to be seen, but in the battle between malware authors and anti-virus vendors one thing is for certain: both innovation and evolution are inevitable.

As far back as 1998, the CIH virus, also known as Chernobyl or Spacefiller, infected Windows-based machines and filled the first 1024 KB of a machine's boot drive with zeros. It was also known to have attacked certain types of BIOS, rendering the machines inoperable unless the BIOS chip was reflashed or replaced. The concept has evolved somewhat since CIH, which simply replaced BIOS code with junk. Nine years later, in 2007, John Heasman, the director of research at NGS Software, gave a presentation at Black Hat DC where he showed that it was possible to inject rootkit malware into the flashable ROM on PCI cards and other devices. [1]

Following on from Heasman's research, in 2009 two researchers from Core Security Technologies, Anibal Sacco and Alfredo Ortega, demonstrated a method at CanSecWest to patch a machine's BIOS with malicious code which gave them complete control of the machine. [2] This code was completely persistent, didn't rely on any kind of existing vulnerability, and would survive reboots and BIOS reflashing attempts.

While it has been quite a few years since these initial demonstrations, the first BIOS rootkit in the wild was discovered by a Chinese security company known as Qihoo 360 just a few weeks ago. [3] This new malware, referred to as BMW by Qihoo 360 and Mebromi by other security vendors, has a number of separate components. Mebromi contains a BIOS rootkit which specifically targets Phoenix Technologies' Award BIOS, as well as an MBR rootkit, a kernel-mode rootkit, a PE file infector and even a trojan downloader. [4] During infection, the malware checks whether the BIOS is an Award BIOS by searching for the presence of a specific string, "$@AWDFLA", and if the string is found it will attempt to erase and then reflash the BIOS ROM with its payload. [4] While an anti-virus package may be able to detect and remove the kernel and MBR infections, the malware will simply be restored from the BIOS upon system startup.
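The defender's counterpart to the behaviour described above is to treat the firmware image itself as something to verify, rather than trusting that cleaning the MBR and kernel was enough. The following is an added example, not code from the article or from Qihoo 360, showing how a dumped ROM image can be checked against a SHA-256 baseline taken while the machine was trusted, with the first differing offset reported when the image no longer matches. It also reports whether the Award marker string the article mentions is present, since the article notes Mebromi only acts on images carrying it. The two ROM images are constructed in the code for illustration and are not real firmware; the function and variable names are the example's own.

```python
import hashlib
from typing import Optional

# String the article says Mebromi searches for to identify an Award BIOS.
AWARD_MARKER = b"$@AWDFLA"


def build_image(size: int, fill: int, marker_offset: Optional[int] = None) -> bytes:
    """Build a constructed, deliberately fake ROM image for this example.

    The content is just a repeating fill byte, with the Award marker string
    placed at marker_offset when one is given. No real firmware is used.
    """
    buf = bytearray([fill]) * size
    if marker_offset is not None:
        buf[marker_offset:marker_offset + len(AWARD_MARKER)] = AWARD_MARKER
    return bytes(buf)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an image; this is what gets stored as the baseline."""
    return hashlib.sha256(data).hexdigest()


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first byte where two dumps differ, or None if identical.

    A length mismatch with an identical common prefix is reported at the
    length of the shorter image.
    """
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def check_firmware_image(image: bytes, baseline_hash: str,
                         golden: Optional[bytes] = None) -> dict:
    """Compare a freshly dumped image with the hash recorded when it was trusted.

    Returns the image size, its digest, the offset of the Award marker (None
    when absent), whether the digest matches the baseline and, if a golden
    copy is supplied and the hash differs, where the first change lies.
    """
    offset = image.find(AWARD_MARKER)
    result = {
        "size": len(image),
        "sha256": sha256_hex(image),
        "award_marker_offset": offset if offset >= 0 else None,
    }
    result["matches_baseline"] = result["sha256"] == baseline_hash
    if golden is not None and not result["matches_baseline"]:
        result["first_difference"] = first_difference(golden, image)
    return result


# Constructed sample dumps: a "golden" image captured while the machine was
# trusted, and the same image with a 256-byte region overwritten at 0x400.
GOLDEN_IMAGE = build_image(4096, 0xFF, marker_offset=64)
TAMPERED_IMAGE = GOLDEN_IMAGE[:1024] + bytes(256) + GOLDEN_IMAGE[1280:]
GOLDEN_HASH = sha256_hex(GOLDEN_IMAGE)

if __name__ == "__main__":
    for name, img in (("golden", GOLDEN_IMAGE), ("tampered", TAMPERED_IMAGE)):
        print(name, check_firmware_image(img, GOLDEN_HASH, golden=GOLDEN_IMAGE))
```

In practice the baseline hash would be recorded per machine model and BIOS version from a dump taken before deployment, and the check run against a fresh dump whenever a kernel or MBR infection keeps returning after cleaning, which is exactly the symptom the article describes.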

Of course this kind of malware infection is extremely persistent; however, the scope of its threat is reduced in that it only targets Award BIOS and is not compatible with all of the major BIOS ROMs in circulation. For a BIOS rootkit to really be successful it would need to infect all of the numerous releases of different manufacturers' BIOS ROMs. This requires a level of complexity that is well beyond what has been seen so far, and to date malware developers have had great success without needing this kind of complexity.

We've also seen a number of other interesting examples of hardware-level, firmware-based malware in the last couple of years. In 2009, a security researcher known as "K. Chen" showed at Black Hat/DEFCON that it was possible to hack and infect Apple Mac keyboards. [5] Chen had reverse engineered the keyboard's firmware upgrade facility and was able to inject a keystroke logger, and potentially install rootkits, which would be difficult to detect or almost immune to detection, and which would persist regardless of a re-installation of the machine's operating system. Apple later patched this vulnerability in a security update for Mac OS X thanks to K. Chen's research, but the example clearly shows that anything relying on firmware is a potential target for malware infection. [6]

Similarly, earlier this year, another Apple product was found vulnerable to a firmware based attack: the batteries used by Apple Macbooks, Macbook Pros and Macbook Airs. Security researcher Charlie Miller was able to modify the firmware on Macbook batteries, which performs functions such as monitoring the battery charge level and regulating the battery's heat. It seems that these batteries' firmware chips shipped with a default password which, once discovered, would allow a hacker to control the functions of the battery, as well as potentially infect the batteries with persistent malware. [7]

As stated earlier, the scope and threat of these kinds of attacks are limited simply by how widely these products are used, and by whether malware developers are prepared to invest their time in attacks which may compromise a smaller number of users than the more common varieties of operating system and application based malware, in exchange for virtual immunity to standard anti-virus detection techniques. It's definitely a trade-off, and only time will tell if BIOS and firmware level malware will really become a serious threat.

Jonathan Levine
Information Security Analyst
AusCERT

[1] Savvy hackers take the hardware approach

[2] Researchers unveil persistent BIOS attack methods

[3] A BIOS trojan is found in the wild

[4] Mebromi: the first BIOS rootkit in the wild

[5] Hacker demos persistent Mac keyboard attack

[6] ESB-2009.1500 - [OSX] Mac OS X: Multiple vulnerabilities

[7] Apple Laptops Vulnerable to Hack That Kills Or Corrupts Batteries