When did you last patch your BIOS? Malware nightmare revealed.

When it comes to malware, the question is not whether you will get infected but when.

There are so many ways to get infected that it is only a matter of time before a user or system administrator has to deal with an infected system.

BIOS malware is nothing new; it has existed for years, and the problem with such malware is detecting it and then getting rid of it. The attacker, on the other hand, needs to create several binaries to infect different PCs, which is why it is not widespread: each BIOS vendor has its own standards, and that makes it harder to attack.

Then UEFI was released, and it standardized many things, which makes the platform more generic for everyone: the good guys and the bad ones.

Now a proof-of-concept malware was presented at CanSecWest that can affect millions of computers with a single malware binary. Such an attack has the potential to infect with ease, it is "cheap", and it has the "advantage" that it is hard to detect and can even survive BIOS reflashes. A nightmare.

So how do you protect against such attacks? First of all, it is the same as with every widespread malware: the human is the door.
To be able to flash malware to the BIOS, you need an infected PC first. So it is simple: ensure your users are sensitized about opening email attachments and URLs and about surfing in general. So patch your users! This is possible and needed today more than ever. Read more about it here.

The other thing is to think about a strategy for patching your BIOSes, just as you do for the operating system on top. I believe that at some point the big players in OS patching solutions will integrate such an update process into their suites, but I wouldn't count on it. Even if they do, it may take too much time and need heavy testing as well. By the way: would you trust such a solution?
So better think about a workflow suitable for you and your users and integrate a firmware patching process as well.
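As an added example (not from the original post), here is a small inventory check for such a workflow: it parses the `dmidecode -t bios` output collected from Linux hosts and flags any firmware below a per-vendor minimum version, so you know which machines need a flash. The vendor names, baseline versions, hostnames and the sample dmidecode output are constructed for illustration.

```python
"""Flag hosts whose BIOS/UEFI firmware is older than a per-vendor baseline.

Input is the text of `dmidecode -t bios` (Linux) collected from each host;
the sample below is constructed for this example, not from a real machine.
"""
import re

# Hypothetical baseline: minimum acceptable firmware version per vendor.
BASELINE = {
    "ExampleVendor": "1.30",
    "OtherVendor": "F.22",
}

FIELD_RE = re.compile(r"^\s*(Vendor|Version|Release Date):\s*(.+?)\s*$", re.M)

def parse_bios_info(dmidecode_text):
    """Return the Vendor / Version / Release Date fields from dmidecode output."""
    return dict(FIELD_RE.findall(dmidecode_text))

def version_key(version):
    """Split '1.30' into (0,1),(0,30) and 'F.22' into (1,'F'),(0,22) so chunks compare safely."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version)]

def check_host(hostname, dmidecode_text, baseline=BASELINE):
    """Return (hostname, status, detail); status is 'ok', 'outdated' or 'unknown'."""
    info = parse_bios_info(dmidecode_text)
    vendor, version = info.get("Vendor"), info.get("Version")
    if vendor not in baseline or version is None:
        return (hostname, "unknown", f"vendor={vendor!r} version={version!r}")
    if version_key(version) < version_key(baseline[vendor]):
        return (hostname, "outdated", f"{vendor} {version} < baseline {baseline[vendor]}")
    return (hostname, "ok", f"{vendor} {version}")

# Constructed sample output in the layout printed by `dmidecode -t bios`.
SAMPLE_HOSTS = {
    "ws-01": "BIOS Information\n\tVendor: ExampleVendor\n\tVersion: 1.25\n\tRelease Date: 01/15/2014\n",
    "ws-02": "BIOS Information\n\tVendor: ExampleVendor\n\tVersion: 1.30\n\tRelease Date: 02/20/2015\n",
    "srv-01": "BIOS Information\n\tVendor: OtherVendor\n\tVersion: F.22\n\tRelease Date: 03/01/2015\n",
    "lab-01": "BIOS Information\n\tVendor: UnlistedVendor\n\tVersion: 0.9\n",
}

def report(hosts=SAMPLE_HOSTS, baseline=BASELINE):
    """Check every host and return the results sorted by hostname."""
    return sorted(check_host(h, text, baseline) for h, text in hosts.items())

if __name__ == "__main__":
    for host, status, detail in report():
        print(f"{host:8} {status:9} {detail}")
```

Hosts reported as "unknown" are the ones to look at first: a vendor you have no baseline for is a machine you have no patch process for.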

Read the full documentation and details directly from the discoverers:
http://www.legbacore.com/Research.html

Publications:
HowManyMillionBIOSWouldYouLikeToInfect_PPT
HowManyMillionBIOSWouldYouLikeToInfect_PDF

At this point I want to remind you that IPMI on iLO (Integrated Lights-Out) is affected by such heavy attacks, too. So if you have HP servers with iLO interfaces, you had better make sure they are protected as well. This goes back to January this year; you can find more details about it here (including the exploit, of course): http://www.cvedetails.com/cve/CVE-2013-4784/
Do you use Nagios, Icinga, op5 or anything based on them? Do you use WhatsUp Gold, Paessler monitoring or similar? Keep in mind that these systems are often used to monitor your hardware, too, which makes such a system a perfect target for attackers!

That means an attacker normally needs at least a two-step attack:

  1. Infect a user PC (which, as you know, is not that hard).
  2. Identify the type and version of the monitoring system and use one of the hundreds of exploits to get into it. From there it is easy to infect iLO systems, as well as others, of course.

Again, entry point number 1: the human.
If you fix this (continuously, as you do with other patches), you should be safer than ever!