Slackware - This forum is for the discussion of Slackware Linux.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
Slackers - someone in my company was asked if it's possible for a virus to infect a BIOS in such a way that it's permanently there, even after re-installation of an(y) O/S. I'm not at all convinced this is possible, but people are getting pretty smart these days. Has anyone heard of this? And if it is possible, how does one fix it or recover?
Quote: Originally Posted by Mark Pettit (the opening question above)
This is pretty much a hardware question. Cases:
A. If you have a traditional PROM bios, one that cannot be upgraded without replacing the physical chip, then the answer is no, unless the virus was placed there at the factory.
B. If you have an EEPROM with no burning circuit on the motherboard then you would have to remove that bios chip (generally socketed, so easy to identify) and place it into an EEPROM burner and burn the virus infected BIOS image onto it to get it infected. For most people this is not really going to fulfill a life goal, so terribly unlikely.
C. If you have a BIOS in an EEPROM or in-place update capable firmware chip with circuitry and code to load an upgrade, then an infected upgrade could populate your chip when you load it and reside in the BIOS. If your BIOS is not infected, and you never load an INFECTED BIOS, then you probably need not worry. It is JUST POSSIBLE for you to get a virus that will engage the firmware update process in the background and write itself live into the BIOS, but the virus would pretty much have to be specific to your make and model of hardware: not very likely because not very profitable for the criminal crowd.
Bottom line, if you pull firmware updates:
1. Only get them from the hardware support site and virus scan them with a good tool first.
2. Keep your old updates in a different location so you can back out to an earlier BIOS image to cover yourself in case you get a bad or infected image.
If you are one of the majority that have never applied a firmware update and never will, don't worry about it.
The more significant danger is from encryption based ransomware and traditional malware.
Do you run a malware detection software and do you take regular backups on generational media or images?
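Case C above hinges on whether a running OS can reach the flash chip at all, and that is something you can check rather than guess at. The following is an added example written for this page, not code from the thread or from any vendor; it assumes an Intel chipset that exposes the BIOS_CNTL register at offset 0xDC of PCI device 00:1f.0 (the sysfs path, the offset and the bit names are assumptions to verify against your chipset datasheet) and applies the same BIOSWE/BLE/SMM_BWP reasoning that the open-source chipsec bios_wp check uses. When the live register cannot be read it decodes constructed sample values instead.

```python
#!/usr/bin/env python3
"""Is the flash chip holding the BIOS/UEFI image writable from a running OS?

Added example (not code from the thread). Assumptions, stated here so they
can be checked against your own chipset datasheet:
  * Intel platform whose LPC/eSPI bridge is PCI device 00:1f.0 and exposes
    the BIOS_CNTL register at config-space offset 0xDC (ICH/PCH families;
    newer chipsets keep these bits in the SPI controller at 00:1f.5 instead).
  * Bit layout: bit 0 BIOSWE (BIOS Write Enable), bit 1 BLE (BIOS Lock
    Enable), bit 5 SMM_BWP (SMM BIOS Write Protect). The verdict logic
    mirrors what chipsec's "bios_wp" check does.
Reading PCI config space past the first 64 bytes needs root on Linux.
"""

PCI_LPC_CONFIG = "/sys/bus/pci/devices/0000:00:1f.0/config"  # assumed location
BIOS_CNTL_OFFSET = 0xDC                                       # assumed offset

BIOSWE = 1 << 0   # BIOS Write Enable: software may write the BIOS region
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes honoured only from SMM


def decode_bios_cntl(value: int) -> dict:
    """Split one BIOS_CNTL byte into its bits and give an overall verdict."""
    bioswe = bool(value & BIOSWE)
    ble = bool(value & BLE)
    smm_bwp = bool(value & SMM_BWP)

    if smm_bwp:
        # Flash writes are honoured only while the CPUs are in SMM, so a
        # ring-0 flasher cannot simply set BIOSWE and rewrite the image.
        verdict = "protected"
    elif ble and not bioswe:
        # BLE lets the firmware's SMI handler clear BIOSWE again, but without
        # SMM_BWP that is a race an OS-side attacker can try to win.
        verdict = "weak"
    else:
        # Nothing stops a kernel driver from enabling writes and reflashing.
        verdict = "writable"
    return {"BIOSWE": bioswe, "BLE": ble, "SMM_BWP": smm_bwp, "verdict": verdict}


def read_bios_cntl(path: str = PCI_LPC_CONFIG, offset: int = BIOS_CNTL_OFFSET):
    """Read the live register byte via sysfs; None if it is not readable here."""
    try:
        with open(path, "rb") as f:
            f.seek(offset)
            data = f.read(1)
    except OSError:
        return None
    # Unprivileged reads are truncated at 64 bytes, so we may get nothing back.
    return data[0] if data else None


def report(value: int) -> str:
    """One-line human-readable summary of a BIOS_CNTL value."""
    bits = decode_bios_cntl(value)
    flags = " ".join(f"{name}={int(bits[name])}" for name in ("BIOSWE", "BLE", "SMM_BWP"))
    return f"BIOS_CNTL=0x{value:02x} {flags} -> {bits['verdict']}"


if __name__ == "__main__":
    live = read_bios_cntl()
    if live is None:
        print("could not read 00:1f.0 config space (non-Intel, no root, or no sysfs);")
        print("decoding constructed sample values instead:")
        for sample in (0x00, 0x01, 0x02, 0x22):
            print(report(sample))
    else:
        print(report(live))
```

Run it as root on the machine in question. A "writable" verdict means case C is open to anything that can load a kernel driver; "protected" means an attacker has to go through the firmware's own update path or an SMM bug instead. Boards have shipped with these bits clear, so it is worth checking rather than assuming, and the offset really does differ between chipset generations.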
Well, I remember Dell shipping motherboards with a virus embedded somewhere in the circuitry. I've a hunch that it is possible to do. Not just to infect firmware but also the Ethernet chip, and any chips connected to the keyboard.
Theoretically it is possible; the problem is the firmware is specific to the motherboard, so your specific motherboard would need to be targeted. This makes it unlikely some random hacker dude is going to contaminate your computer. On the other hand, downloading dodgy BIOS firmware images from random third-party websites could be a way for this to happen. It might also be possible if a malicious program were to make it onto your computer and then accessed a remote library of modified firmware images to download and update. The problem with that is that there are a lot of potential motherboards and the library would need to be substantial. There may be a way to have it done dynamically, where the malicious program extracts the BIOS firmware, modifies it, and then re-flashes it, but I'm not sure if it exists.
There was also a way to infect BIOS option ROMs on expansion cards, but these also need to be specifically targeted, so it would be more of a case where a modified card compromises the system.
Nowadays, most computers have UEFI BIOSes capable of modifying the contents of filesystems. There have been examples of computers shipped with bloatware which gets reinstalled from the BIOS even though the hard drive is completely reformatted or replaced.
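For the "bloatware comes back after a reformat" case this post mentions: on Windows the documented mechanism for that is the ACPI WPBT table, through which firmware hands the OS a native executable (stored inside the firmware image) to run at every boot, so one concrete check is whether your firmware exposes such a table. This is an added example written for this page, not code from the thread; the field layout and the sysfs path /sys/firmware/acpi/tables/WPBT are assumptions stated in the code, and the sample table it parses is constructed inline rather than captured from a real machine.

```python
#!/usr/bin/env python3
"""Parse an ACPI WPBT (Windows Platform Binary Table).

Added example, not from the thread. Assumptions, so they can be checked
against the published WPBT specification: a standard 36-byte ACPI header,
then handoff memory size (u32), handoff memory location (u64), content
layout (u8), content type (u8), and for content type 1 a u16 byte length
followed by a UTF-16LE command line. The sample table comes from
build_sample_wpbt() and contains no real OEM data.
"""
import struct

WPBT_SYSFS = "/sys/firmware/acpi/tables/WPBT"   # where Linux exposes ACPI tables (assumed)
ACPI_HDR = "<4sIBB6s8sI4sI"                     # signature .. creator revision (36 bytes)
WPBT_BODY = "<IQBB"                             # handoff size, handoff location, layout, type


def acpi_checksum_ok(table: bytes) -> bool:
    """Every ACPI table is laid out so that its bytes sum to zero modulo 256."""
    return sum(table) & 0xFF == 0


def parse_wpbt(table: bytes) -> dict:
    """Return the fields of a WPBT; raise ValueError on anything malformed."""
    hdr_len = struct.calcsize(ACPI_HDR)
    if len(table) < hdr_len + struct.calcsize(WPBT_BODY):
        raise ValueError("table too short")
    sig, length, rev, _csum, oem_id, oem_tid, _oem_rev, _cr_id, _cr_rev = struct.unpack_from(ACPI_HDR, table, 0)
    if sig != b"WPBT":
        raise ValueError(f"signature {sig!r} is not WPBT")
    if length != len(table):
        raise ValueError(f"header length {length} != {len(table)} bytes supplied")
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch")
    off = hdr_len
    handoff_size, handoff_loc, layout, ctype = struct.unpack_from(WPBT_BODY, table, off)
    off += struct.calcsize(WPBT_BODY)
    info = {
        "revision": rev,
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_tid.decode("ascii", "replace").strip(),
        "handoff_memory_size": handoff_size,       # size of the embedded binary
        "handoff_memory_location": handoff_loc,    # physical address it was copied to
        "content_layout": layout,
        "content_type": ctype,                     # 1 = native user-mode application
        "command_line": None,
    }
    if layout == 1 and ctype == 1:
        (cmd_len,) = struct.unpack_from("<H", table, off)
        raw = table[off + 2: off + 2 + cmd_len]
        if len(raw) != cmd_len:
            raise ValueError("command line runs past end of table")
        info["command_line"] = raw.decode("utf-16-le").rstrip("\x00")
    return info


def build_sample_wpbt(cmdline: str = "/install /quiet") -> bytes:
    """Construct a syntactically valid WPBT for offline testing (constructed data)."""
    cmd = cmdline.encode("utf-16-le")
    body = struct.pack(WPBT_BODY, 0x1000, 0x7FF00000, 1, 1) + struct.pack("<H", len(cmd)) + cmd
    length = struct.calcsize(ACPI_HDR) + len(body)
    header = struct.pack(ACPI_HDR, b"WPBT", length, 1, 0, b"SAMPLE", b"WPBTDEMO", 1, b"EXMP", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) & 0xFF    # fix up the ACPI checksum byte
    return bytes(table)


def read_live_wpbt(path: str = WPBT_SYSFS):
    """Return the raw table bytes if this machine exposes one, else None."""
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    live = read_live_wpbt()
    if live is None:
        print("no WPBT exposed by this firmware (or no sysfs access); parsing the constructed sample")
        live = build_sample_wpbt()
    for key, value in parse_wpbt(live).items():
        print(f"{key:>24}: {value}")
```

Linux itself ignores the table, so you can read it from a live USB without Windows ever running: a WPBT with a command line tells you the firmware will inject something, and the handoff location tells you where in memory the binary is placed. Reinstalling the OS does not remove it; reflashing a clean vendor image does.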
Some people consider all modern BIOS/UEFI firmware to ship by default "infected". Intel started it but AMD quickly followed suit with their "Management Engines" proprietary software that has access to CPU, RAM, drives and wifi even in "soft off" state. AFAIK these management engines are in read-only addresses and cannot normally be overwritten, though I have read System 76 claims to disable them.
Ultimately, once BIOS chips were moved to programmable CMOS, firmware just became another form of software, just "in a darkened corner" less visible to Users. Since many motherboards accept Windows GUI BIOS updates, it became a lot easier to hack/infect.
Thank you folks - so I can summarize: it is technically feasible, but probably unlikely. If this is a genuine UEFI/BIOS virus (and we were told it was an ASUS gaming PC), then we will no doubt hear a LOT more about it in upcoming weeks. If we hear nothing, then my original theory that it's bunk is more likely. Cheers all.
A couple of weeks ago, someone made a BIOS module which makes it possible for the BIOS to run DOOM (source).
By comparison, that is like thousands upon thousands of lines where a typical virus could fit into one line.
Bunk you say? Because it isn't widely discussed? Do we see legions of outraged people complaining about recent MS EULA conditions that phone home your data including email even if they are encrypted? No, because most Windows users don't even bother to read EULAs and just click OK to get on with it.
Specific to BIOS hacks and since I've already mentioned that it is possible to completely overwrite any writable address blocks in Firmware right from a Windows Desktop environment, I'll jump right to the beginning, management engines.
You probably won't actually be interested enough to watch more than a few minutes of it (it's nerdy dry fare), but here is but one example of the access afforded by such fundamentally low-level access and communication as of 2015. It's somewhat easier now, and the incredible growth of user data mining has massively increased the motivation to employ it. Don't forget BIOS/UEFI is higher priority than even PID 1 by a long shot. That may possibly be mitigated by System 76's alleged disabling mechanism, but I'm not certain how they can even know it works at all, let alone at 100%. If it wasn't a bit scary it'd be laughable that there was uproar over Intel including unique CPU serial number data in BIOS yet so little over ME.
Note: If you really can't manage to watch much of it, there's an instructive diagram around 17:45. The hardware diagram is a known quantity. The code is not.
As far as I know, further work since then has consisted of more research and a few specific targeted attacks. As others have mentioned, a virus needs to know intimate details to target specific boards and BIOS vendors. Fortunately for the black hats, to cover the majority of the market you only need implementation details on about a half dozen BIOS vendors and maybe a dozen chips.
It probably isn't that easy. If it was, coreboot and associated BIOS/UEFI replacement firmware would work on a lot more platforms, instead of the handful it does.