At the recent Black Hat Federal Briefings, a presentation proposed that rootkits may soon attack the BIOS of a compromised system via the ACPI subsystem, whose purpose is to give the operating system a measure of hardware control for power management. This would give such rootkits several advantages over the current approach.
First, since the BIOS loads before the system actually boots from the hard drive, a BIOS-resident rootkit has the potential to infect multiple operating systems on the same hardware.
Next, a well-written rootkit that has been installed, undetected, in your BIOS is extremely likely to remain effective, and indeed will most likely recompromise your system after a complete format and reinstallation of the operating system.
Finally, a good implementation is likely to be very difficult to detect, at least initially, if the attacker is diligent about covering the tracks of their presence.
A PDF of the slides from the presentation at BlackHat can be found here: http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Heasman.pdf
The PDF includes a starting point for anyone wishing to mitigate this type of attack vector. Recommendations include write-protecting the flash memory holding your BIOS, if your motherboard supports it, and disabling ACPI support both in the BIOS and in the operating system.
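Those recommendations are preventive; a complementary detection step is to baseline the ACPI tables the BIOS hands to the operating system and re-check them later, since that is where an ACPI rootkit's code would have to live. The script below is an example added to this post, not code from the presentation: it parses the standard 36-byte ACPI table header, verifies the 8-bit checksum, and diffs a saved snapshot against a current one. The sample tables are constructed inline; the read_sysfs_tables helper (an assumption about your setup) reads real ones from /sys/firmware/acpi/tables on Linux, which requires root.

```python
"""Baseline-and-compare check for ACPI tables (DSDT, SSDT, ...)."""
import hashlib
import struct
from pathlib import Path

# Standard ACPI table header: Signature, Length, Revision, Checksum,
# OEM ID, OEM Table ID, OEM Revision, Creator ID, Creator Revision.
HEADER = struct.Struct("<4sIBB6s8sI4sI")
HEADER_LEN = HEADER.size  # 36 bytes; checksum byte sits at offset 9

def parse_header(blob: bytes) -> dict:
    """Decode the header and verify the checksum (all bytes of the table
    must sum to zero mod 256). A careful attacker fixes the checksum, so
    the sha256 comparison against a baseline is the stronger signal."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than an ACPI header")
    sig, length, rev, _chk, oem, oem_tbl, _, _, _ = HEADER.unpack_from(blob)
    return {
        "signature": sig.decode("ascii", "replace"),
        "length": length,
        "revision": rev,
        "oem_id": oem.decode("ascii", "replace").rstrip(),
        "oem_table_id": oem_tbl.decode("ascii", "replace").rstrip(),
        "checksum_ok": length <= len(blob) and sum(blob[:length]) % 256 == 0,
        "sha256": hashlib.sha256(blob).hexdigest(),
    }

def snapshot(tables: dict) -> dict:
    """Map table file name -> parsed header for a set of raw tables."""
    return {name: parse_header(blob) for name, blob in tables.items()}

def read_sysfs_tables(root: str = "/sys/firmware/acpi/tables") -> dict:
    """Read every table exposed by the Linux kernel (root required)."""
    return {p.name: p.read_bytes() for p in Path(root).glob("*") if p.is_file()}

def compare(baseline: dict, current: dict) -> list:
    """Report tables that changed, appeared or disappeared since the
    baseline, plus any current table whose checksum fails."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        b, c = baseline.get(name), current.get(name)
        if b is None:
            findings.append(f"NEW {name} ({c['signature']})")
        elif c is None:
            findings.append(f"MISSING {name}")
        elif b["sha256"] != c["sha256"]:
            findings.append(f"CHANGED {name}")
        if c is not None and not c["checksum_ok"]:
            findings.append(f"BAD-CHECKSUM {name}")
    return findings

def make_table(sig: bytes, body: bytes) -> bytes:
    """Build a constructed sample table with a valid checksum (test input only)."""
    hdr = HEADER.pack(sig, HEADER_LEN + len(body), 1, 0, b"DEMO  ", b"DEMOTBL ", 1, b"DEMO", 1)
    chk = (-sum(hdr + body)) % 256
    return hdr[:9] + bytes([chk]) + hdr[10:] + body
```

Store the output of snapshot() from a freshly installed machine and run compare() against a new snapshot after any suspected compromise; note that a kernel-level rootkit could still misrepresent what sysfs exposes, so an offline dump of the flash chip is the more trustworthy source.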
Thanks to SecurityFocus and Slashdot for the story.