
Question BIOS (UEFI) Based Malware?

BoomerD

No Lifer
If this is in the BIOS and loads before the OS or any kind of Anti-virus/Malware software...how the hell can it be dealt with?
Fortunately it doesn't seem to be widespread...yet...but...


CosmicStrand is the latest in a string of sophisticated malware that reaches hardware bits you'd think were much harder to breach than your typical OS installation. But harder to breach doesn't mean unreachable, as any cybersecurity researcher will tell you. Researchers have recently found strands of a particularly nifty piece of malware lurking in both ASUS and Gigabyte motherboards based on Intel's H81 chipset. CosmicStrand has evolved since its first appearance back in 2016, and it's currently unclear if the breakout is confined to both companies' offerings of the larger motherboard market yet holds a darker revelation.

Researchers from Kaspersky labs found the malware stranded in the motherboards' Unified Extensible Firmware Interface (UEFI) - their boot sector, so to speak, which is tasked with identifying, verifying and booting up all the connected hardware bits. From simple fans spinning up all the way to your PC's overclocking capabilities on the latest and greatest gaming CPUs - it all leads to your PC's BIOS. For the sake of clarity, this isn't the first such threat discovered - but one is already too many, and it does add to possible infection vectors.

Being the first thing to run within your system - long before any antivirus solution you might have can even be loaded into memory - BIOS-borne malware can be exceedingly difficult to remove. It can evade most antivirus applications, can't be deleted by a fresh OS install, and it also naturally survives storage wipes, three of the most common ways of getting rid of security threats such as these.
 
It's very possible that threat actors have since designed far stealthier versions of this malware. What's even more troubling is what if this malware is coming pre-installed from Chinese mobo factories of the various Taiwanese manufacturers? Foxconn makes a huge percentage of the world's mobos in OEM computers. The implications are astounding, to say the least.

God bless America, for empowering China enough to allow them to inject Trojan Horses into products used by the whole world.
 
You have no real way to audit a Motherboard Firmware in a 100% safe way from within the same computer, since you have no idea whether a potential rootkit can be stealthy enough, when you dump it via Software means, to provide a clean image. Most likely you want to use an external USB Flash EEPROM reprogrammer to fully dump the Firmware image and analyze it in another computer. Also remember that a full dump of a Firmware image contains unique data like Serial Numbers, UUIDs and MAC Address, plus some user NVRAM (Firmware settings, boot settings that can be directly modified by Software as per UEFI specification, etc), so dumps from multiple units of the same Motherboard will never be the same.
Things like Intel Boot Guard or AMD Platform Secure Boot are intended to deal with these by fusing an OTP (One Time Programmable) key into some major component (Chipset in Intel, Processor itself on AMD) that the Hardware uses very early to validate that the Firmware image is signed. This of course can be used for both allowing the Hardware to validate that the Firmware wasn't tampered with, but also serves as a lock-in mechanism. Of course, these protect you from external malware, so if the logistic chain is compromised because you have a mole in a Motherboard vendor Firmware development team who is intentionally backdooring or leaving exploits open, you got another problem...

If what you're looking for is open source Firmware alternatives, check this one. And also this thread I made two and a half years ago.
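The post above describes the practical workflow: dump the SPI flash with an external programmer, then compare it on another machine, keeping in mind that NVRAM, serial numbers and MAC addresses legitimately differ from unit to unit. As an added example (not part of this thread and not any poster's tool), the Python script below compares a dumped image against a reference dump from another unit of the same board, block by block, and separates differences inside regions that are expected to vary from differences inside regions that should be byte-identical (the firmware code itself). The region map, the 4 KiB block size and both images are constructed for the example; on a real board the map comes from the image's flash descriptor and UEFI firmware volume headers, and the reference dump comes from a unit you trust.

```python
"""Region-aware comparison of two SPI flash dumps.

Added example: the region layout, block size and images below are
constructed for illustration, not taken from any real board.
"""
import hashlib
from dataclasses import dataclass

BLOCK = 4096  # assumed reporting granularity (typical SPI erase block)


@dataclass(frozen=True)
class Region:
    name: str
    start: int      # inclusive offset
    end: int        # exclusive offset
    variable: bool  # True if the region legitimately differs per unit


def block_hashes(image: bytes, block: int = BLOCK) -> list:
    """SHA-256 of each fixed-size block so large images compare cheaply."""
    return [hashlib.sha256(image[i:i + block]).hexdigest()
            for i in range(0, len(image), block)]


def region_for(offset: int, regions) -> Region:
    """Map an offset to its region, or None if the offset is unmapped."""
    for r in regions:
        if r.start <= offset < r.end:
            return r
    return None


def compare_dumps(reference: bytes, sample: bytes, regions, block: int = BLOCK) -> list:
    """Return one finding per differing block, tagged with its region and
    whether the difference is expected (variable region) or not."""
    if len(reference) != len(sample):
        raise ValueError("dumps differ in size; not the same flash part?")
    findings = []
    for idx, (a, b) in enumerate(zip(block_hashes(reference, block),
                                     block_hashes(sample, block))):
        if a == b:
            continue
        off = idx * block
        reg = region_for(off, regions)
        findings.append({
            "offset": off,
            "region": reg.name if reg else "unmapped",
            # A difference in an unmapped region is never "expected".
            "expected": bool(reg and reg.variable),
        })
    return findings


def unexpected(findings: list) -> list:
    """Only the differences that warrant a closer look (code regions)."""
    return [f for f in findings if not f["expected"]]


def make_image(seed: bytes, size: int) -> bytes:
    """Deterministic pseudo-random filler standing in for a real dump."""
    out, h = bytearray(), seed
    while len(out) < size:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:size])


# Constructed 64 KiB layout: descriptor, per-unit NVRAM, firmware code.
SAMPLE_REGIONS = [
    Region("descriptor", 0x0000, 0x1000, variable=False),
    Region("nvram",      0x1000, 0x4000, variable=True),
    Region("bios",       0x4000, 0x10000, variable=False),
]

REFERENCE = make_image(b"constructed-reference-unit", 0x10000)

# Second unit: NVRAM differs (expected) and one byte of code differs (not).
_sample = bytearray(REFERENCE)
_sample[0x1100:0x1110] = b"\xff" * 16   # different settings/serial in NVRAM
_sample[0x8000] ^= 0x01                 # single flipped byte in code region
SAMPLE = bytes(_sample)


if __name__ == "__main__":
    for f in compare_dumps(REFERENCE, SAMPLE, SAMPLE_REGIONS):
        tag = "expected" if f["expected"] else "INVESTIGATE"
        print(f"0x{f['offset']:06x} {f['region']:<10} {tag}")
```

Any block flagged as unexpected is where you would compare the two images byte by byte and pull the affected firmware module out for analysis; differences confined to the NVRAM region are the per-unit data the post warns about and are not by themselves a sign of tampering.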
 
Another reason to hold off hardware updates to my Skylakes for Win 11 compatibility until there is more research and info available.

I've been using PrimoCache for eight years, which is a product of Romex in Shanghai. One could worry about these threats, but there's never been a problem.
 
If this is in the BIOS and loads before the OS or any kind of Anti-virus/Malware software...how the hell can it be dealt with?
If I had the slightest hint my board was infected I'd drill holes in it and tech recycle it. Probably physically nuke the storage and recycle too. Only way to be sure. Don't want anyone trying to pick it and rehab it.
 
I still have motherboards made in Taiwan here, although they are a decade-plus old in design. Could come in handy one day soon....
 