Definition

BIOS rootkit attack

A BIOS-level rootkit attack, also known as a persistent BIOS attack, is an exploit in which the BIOS is flashed (updated) with malicious code. A BIOS rootkit is programming that enables remote administration.

The BIOS (basic input/output system) is firmware that resides in memory and runs while a computer boots up. Because the BIOS is stored in memory rather than on the hard disk drive, a BIOS rootkit can survive conventional attempts to get rid of malware, including reformatting or replacing the hard drive.

Originally, the BIOS firmware was hard-coded and read-only. Now, however, manufacturers generally use an erasable format, such as flash memory so that the BIOS can be easily updated remotely. The use of an erasable format that can be updated over the Internet makes updates easier but also leaves the BIOS vulnerable to online attack.

A BIOS attack does not require any vulnerability on the target system -- once an attacker gains administrative-level privileges, he can flash the BIOS over the Internet with malware-laden firmware. On ars technica, Joel Hruska describes one BIOS rootkit attack:

The aforementioned attack consists of dumping the new BIOS into flashrom (a BIOS read/write/modify utility), making the necessary changes, adjusting all of the checksums to ensure the hacked BIOS will verify as authentic… and flashing. Voila! One evil BIOS.

Some researchers fear that a BIOS rootkit poses a special threat for cloud computing environments, in which multiple virtual machines (VM) exist on a single physical system.

Methods of preventing BIOS rootkit attacks include:

 

  • Making the BIOS non-writeable
  • Burning a hardware cryptographic key into the BIOS at manufacture that can be used to verify that the code has not been altered.

If an unauthorized BIOS-level rootkit is detected, the only way to get rid of it is to physically remove and replace the memory where the BIOS resides.

 

See also: authentication, virtualization, CloudAV, blue pill rootkit, RAT (remote access Trojan)

This was last updated in February 2011
Posted by: Margaret Rouse

Email Alerts

Register now to receive SearchCloudSecurity.com-related news, tips and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

More News and Tutorials

Do you have something to add to this definition? Let us know.

Send your comments to techterms@whatis.com

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: