January 27, 2006

At the recent Black Hat Federal Briefings, a presentation was given, which proposes that rootkits may soon attack the BIOS of a compromised system, via the ACPI subsystem, which intention is to provide some hardware control for power savings. This would give them multiple advantages over the current approach to a rootkit.

First, since the BIOS loads before the system actually boots from the hard drive, it has the potential of infecting multiple operating systems on the same hardware.

Next, a well-written rootkit that has been installed, undetected, to your BIOS has an extremely high likelihood of continuing to be effective, and indeed most likely recompromising your system after a complete format and reinstallation of your operating system.

Finally, a good implementation is likely to be very difficult to detect, initially, if an attacker is diligent about covering the tracks of their presence.

A PDF of the slides from the presentation at BlackHat can be found here: http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Heasman.pdf
The PDF includes a starting point for people wishing to mitigate this particular type of potential attack vector. Recommendations include “write protecting” the flash memory of your BIOS, if your motherboard supports it; and disabling ACPI support, both in the BIOS and operating system.

Thanks to SecurityFocus, and Slashdot for the story.

About the Author Michael Santarcangelo

The founder of Security Catalyst, Michael develops exceptional leaders and powerful communicators with the security mindset for success.

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Don't know where to start?

Check out Security Catalyst Office Hours to meet your peers and celebrate the good, help each other, and figure out your best next step. We meet each Friday… and it’s free to attend.