Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Researcher's proof-of-concept malware infects BIOS, network cards without trace

New Rakshasa hardware backdoor is persistent and hard to detect, researcher says

Article comments

Security researcher Jonathan Brossard created a proof-of-concept hardware backdoor called Rakshasa that replaces a computer's BIOS (Basic Input Output System) and can compromise the operating system at boot time without leaving traces on the hard drive.

Brossard, who is CEO and security research engineer at French security company Toucan System, demonstrated how the malware works at the Defcon hacker conference on Saturday, after also presenting it at the Black Hat security conference on Thursday.

Rakshasa, named after a demon from the Hindu mythology, is not the first malware to target the BIOS - the low-level motherboard firmware that initialises other hardware components. However, it differentiates itself from similar threats by using new tricks to achieve persistency and evade detection.

Rakshasa replaces the motherboard BIOS, but can also infect the PCI firmware of other peripheral devices like network cards or CD-ROMs, in order to achieve a high degree of redundancy.

Rakshasa was built with open source software. It replaces the vendor-supplied BIOS with a combination of Coreboot and SeaBIOS, alternatives that work on a variety of motherboards from different manufacturers, and also writes an open source network boot firmware called iPXE to the computer's network card.

All of these components have been modified so they don't display anything that could give their presence away during the booting process. Coreboot even supports custom splashscreens that can mimic the ones of the replaced BIOSes.

Existent computer architecture gives every peripheral device equal access to RAM (random access memory), Brossard said. "The CD-ROM drive can very well control the network card."

This means that even if someone were to restore the original BIOS, rogue firmware located on the network card or the CD-ROM could be used to reflash the rogue one, Brossard said.

The only way to get rid of the malware is to shut down the computer and manually reflash every peripheral, a method that is impractical for most users because it requires specialized equipment and advanced knowledge.

Brossard created Rakshasa to prove that hardware backdooring is practical and can be done somewhere in the supply chain, before a computer is delivered to the end user. He pointed out that most computers, including Macs, come from China.

However, if an attacker would gain system privileges on a computer through a different malware infection or an exploit, they could also theoretically flash the BIOS in order to deploy Rakshasa.

The remote attack method wouldn't work in all cases, because some PCI devices have a physical switch that needs to be moved in order to flash a new firmware and some BIOSes have digital signatures, Brossard said.

However, Coreboot has the ability to load a PCI extension firmware that takes precedence before the one written on the network card, therefore bypassing the physical switch problem.

The attack "totally works when you have physical access, but remotely it only works 99 percent of the time," Brossard said.

The iPXE firmware that runs on the network card is configured to load a bootkit - malicious code that gets executed pior to the operating system and can infect it before any security products start.

Some known malware programs store the bootkit code inside the Master Boot Record (MBR) of the hard disk drive. This makes it easy for computer forensics specialists and antivirus products to find and remove.

Rakshasa is different because it uses the iPXE firmware to download the bootkit from a remote location and load it into RAM every time the computer boots.

"We never touch the file system," Brossard said. If you send the hard drive to a company and ask them to analyse it for malware they won't be able to find it, he said.

In addition, after the bootkit has done its job, which is to perform malicious modifications of the kernel - the highest-privileged part of the operating system - it can be unloaded from memory. This means that a live analysis of the computer's RAM won't be able to find it either.

Detecting this type of compromise is very hard because programs that run inside the operating system get their information from the kernel. The bootkit could very well fake this information, Brossard said.

The iPXE firmware is capable of communicating over Ethernet, Wi-Fi or Wimax and supports a variety of protocols including HTTP, HTTPS and FTP. This gives potential attackers a lot of options.

For example, Rakshasa can download the bootkit from a random blog as a file with a .pdf extension. It can also send the IP addresses and other network information of the infected computers to a predefined email address.

The attacker can push configuration updates or a new version of the malware over an encrypted HTTPS connection by communicating directly with the network card firmware and the command and control server can be rotated among different websites to make it harder for law enforcement or security researchers to take it down.

Brossard did not release Rakshasa publicly. However, since most of its components are open source, someone with sufficient knowledge and resources could replicate it. A research paper that explains the malware's implementation in more detail is available online.



Share:

More from Techworld

More relevant IT news

Comments

Asterix said: So basically my ancient 80486 system which uses UV EPROM to store the BIOS is immune from this attackAint progress great I suspect that some older systems using discrete EEPROM devices can easily be modified to disconnect the write enable line as well

amanfromMars said: And all of that is basically a virtual attack against which there is no known nor any possible defence And an abiding weakness and exploitable zeroday vulnerability in both human and binary systems administration Jonathan Brossard Thanks for the confirmation and positive reinforcement of the corrective vectorAnd it is a quite perfect tool and immaculate weapon for generation and distribution of Danegeld in sympathetic handshearts and minds which if denied andor queried perversely and subversively can easily be converted into a flow of catastrophically destructive information sensitive highly guarded and regarded self-centred intelligence for arrogant fools and their ignorant tools which is spontaneously broadbandcast worldwide to reveal and expose such users to a supernatural justice they have never imagined is possible and therefore exceedingly likely and most probableAnd those and that which would find itself and themselves in such a precarious position are most welcome to test the veracity of the proposition and reality



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *