BIOS Mod Viruses?

Discussion in 'BIOS Mods' started by luke123, Oct 6, 2013.

  1. luke123

    luke123 MDL Novice

    Sep 27, 2013
    18
    2
    0
    #1 luke123, Oct 6, 2013
    Last edited: Oct 7, 2013
    Hi, all

    Just read the article "BIOS Threat is Showing up Again!", and wonder whether a modded BIOS infected with a virus or rootkit is a real possibility.

    If the threat is genuine, will a procedure like the avast boot scan detect such a virus?

    Your input, please!
     
  2. luke123

    luke123 MDL Novice

    Sep 27, 2013
    18
    2
    0
    #2 luke123, Oct 7, 2013
    Last edited: Oct 7, 2013
    (OP)
    I found and read through two relevant MDL threads entitled "Bios Virus' -- How do you know what you're installing?" and "Could this be used as a rootkit vector?".

    Suppose an SLIC-modded BIOS is flashed and then Windows 7 is activated. What would happen to the Windows activation status if the previous, unmodded BIOS (without SLIC) is re-flashed back?

    Can someone familiar with the subject kindly provide a few pointers?

    Thanks in advance for any feedback.
     
  3. CodeRush

    CodeRush MDL Member

    Jun 20, 2011
    221
    652
    10
ASUS has UPX-packed DLLs in the BIOS image, which are unpacked and used by software utilities like Ai Suite and ASUS Update. There is no protection from BIOS flashing on many boards, and the SPI chip has like 2 Mb of free space nowadays, so infection is definitely possible, but I haven't seen any related reports, and with SecureBoot enabled it's very hard to impossible to flash the BIOS from the OS, so I don't think there is a big threat.
     
  4. luke123

    luke123 MDL Novice

    Sep 27, 2013
    18
    2
    0
    Thanks for your feedback, CodeRush.

    I found an online discussion headed "Meet 'Rakshasa,' The Malware Infection Designed To Be Undetectable And Incurable".

    Excerpt:

This is not theory, it is already happening, and has been for a couple of years. With the advent of Windows 7 and the culture of wanting operating systems for free, people were willing to visit a site and download a revised SLIC table and BIOS update that made your PC appear as though it had come from any one of the OEM builders.

    The installation of the SLIC table then allowed you to introduce a crack for Windows 7 that made it look as though the copy was a pre-installed OEM version.

    The crack was encrypted, and contained within it was a bootkit that was BIOS resident. I was unfortunate enough to buy a second-hand machine that contained this virus; as far as I know it is still on the BIOS. After multiple attempts to clean it by installing a new BIOS and overwriting the virus, it will not allow it to happen.

    A copy of the virus I have also found in the host protected area of any of the disks I have used on this motherboard.

    Even after a complete format, removing the RAM and letting its charge dissipate, removing the BIOS battery, replacing it, reformatting the drive, and beginning again with a clean install, it still survives.

    If anyone wants a copy of this for research purposes, u2u me and I'll give you the link where it is resident as a 3 MB program. Don't go and get it out of curiosity; only get it if you are serious about researching it.
     
  5. P.J

    P.J MDL ☂

    Jul 30, 2009
    267
    42
    10
Any way to scan the BIOS? :eek:
     
  6. LatinMcG

    LatinMcG Bios Borker

    Feb 27, 2011
    5,354
    1,446
    180
    #6 LatinMcG, Oct 7, 2013
    Last edited: Oct 7, 2013
Downloading a similar BIOS from the OEM and comparing the modules with the backed-up BIOS is my only theory.
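A concrete form of the two points raised above (CodeRush's note that ASUS images legitimately carry UPX-packed DLLs and have free space in the SPI chip, and LatinMcG's suggestion to diff a backed-up BIOS against the OEM release), written as an added example rather than code from the thread or from any vendor tool. It assumes you already hold two raw dumps of equal size, the OEM release image and the image read back from your own board; the sample images, the 4 KiB comparison granularity, the fake PE stub and the offsets are all constructed here for the demonstration.

```python
"""Offline checks of a backed-up BIOS/SPI dump against the vendor release image.

Added example, not from the thread. Two checks:
  1. diff_regions: which fixed-size regions of the dump differ from the release
  2. find_pe_headers / find_upx_markers: where embedded PE executables and UPX
     markers sit, so a PE that exists only in the dump, inside what should be
     erased (0xFF) free space, stands out from the vendor's own packed DLLs.
"""
import hashlib
import struct
from typing import List, Optional, Tuple

CHUNK = 4096  # assumed comparison granularity; 4 KiB is a common SPI erase-block size


def region_hashes(image: bytes, chunk: int = CHUNK) -> List[str]:
    """SHA-256 of every fixed-size region, so two images can be compared region by region."""
    return [hashlib.sha256(image[i:i + chunk]).hexdigest()
            for i in range(0, len(image), chunk)]


def diff_regions(vendor: bytes, dump: bytes, chunk: int = CHUNK) -> List[Tuple[int, int]]:
    """Return (offset, length) for each contiguous run of regions that differ."""
    if len(vendor) != len(dump):
        raise ValueError("images differ in size; compare a dump with its matching release")
    vh, dh = region_hashes(vendor, chunk), region_hashes(dump, chunk)
    runs: List[Tuple[int, int]] = []
    start: Optional[int] = None
    for idx, (a, b) in enumerate(zip(vh, dh)):
        if a != b and start is None:
            start = idx                      # a differing run begins
        elif a == b and start is not None:
            runs.append((start * chunk, (idx - start) * chunk))
            start = None
    if start is not None:                    # run extends to the end of the image
        runs.append((start * chunk, (len(vh) - start) * chunk))
    return runs


def find_pe_headers(image: bytes) -> List[int]:
    """Offsets of 'MZ' stubs whose e_lfanew field points at a 'PE\\0\\0' signature."""
    found: List[int] = []
    pos = image.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(image):
            e_lfanew = struct.unpack_from("<I", image, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # 0x1000 is a heuristic upper bound to skip random 'MZ' byte pairs
            if 0x40 <= e_lfanew <= 0x1000 and image[pe:pe + 4] == b"PE\0\0":
                found.append(pos)
        pos = image.find(b"MZ", pos + 1)
    return found


def find_upx_markers(image: bytes) -> List[int]:
    """Offsets of the 'UPX!' marker that UPX leaves in executables it packs."""
    found: List[int] = []
    pos = image.find(b"UPX!")
    while pos != -1:
        found.append(pos)
        pos = image.find(b"UPX!", pos + 1)
    return found


def make_fake_pe(payload_len: int = 512) -> bytes:
    """Constructed MZ/PE stub carrying a UPX marker. Only the header fields the
    scanner reads are filled in; it is not a runnable executable."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> PE signature at +0x80
    return bytes(hdr) + b"PE\0\0" + b"UPX!" + b"\0" * payload_len


def build_samples() -> Tuple[bytes, bytes]:
    """Constructed 256 KiB images: the 'vendor' release is 128 KiB of a byte
    pattern (contains no MZ/PE/UPX strings) plus 128 KiB of erased 0xFF free
    space; the 'dump' is the same image with a PE stub dropped into that space."""
    code = bytes(range(256)) * 512
    vendor = code + b"\xFF" * (128 * 1024)
    dump = bytearray(vendor)
    off = 192 * 1024
    stub = make_fake_pe()
    dump[off:off + len(stub)] = stub
    return vendor, bytes(dump)


def report(vendor: bytes, dump: bytes) -> dict:
    """Summarise what the dump contains that the vendor image does not."""
    return {
        "differing_regions": diff_regions(vendor, dump),
        "pe_in_vendor": find_pe_headers(vendor),
        "pe_in_dump": find_pe_headers(dump),
        "upx_in_dump": find_upx_markers(dump),
    }


if __name__ == "__main__":
    v, d = build_samples()
    for key, val in report(v, d).items():
        print(key, val)
```

On a real board the raw diff will also flag regions that legitimately differ from the release, such as the NVRAM variable store and any board-specific descriptor or ME regions, so the useful next step is to split both images at firmware-volume boundaries (UEFITool does this) and compare module by module, as suggested above. A PE with a UPX marker is not by itself suspicious on an ASUS image, for the reason CodeRush gives; what matters is a PE present only in the dump and sitting in space the release leaves erased.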
     
  7. luke123

    luke123 MDL Novice

    Sep 27, 2013
    18
    2
    0
    #8 luke123, Oct 13, 2013
    Last edited: Oct 14, 2013
    (OP)
    Hi, all

    Thanks everyone for your helpful contributions and input.

    Please allow me to take a step back. Suppose the BIOS is indeed infected, but the intention isn't to cause damage to the mobo or the computer itself. What is the worst case scenario?

The virus or trojan will be stealthy. Perhaps network traffic can be monitored. What more can it do? For instance, can a keylogger be run stealthily, trying to steal and transmit passwords, and, if so, will this not be detected by a decent anti-virus program in real time?

    Your feedback, please!