A BIOS-level rootkit attack, also known as a persistent BIOS attack, is an exploit in which the BIOS is flashed (updated) with malicious code. A BIOS rootkit is programming that enables remote administration.
The BIOS (basic input/output system) is firmware that resides in memory and runs while a computer boots up. Because the BIOS is stored in memory rather than on the hard disk drive, a BIOS rootkit can survive conventional attempts to get rid of malware, including reformatting or replacing the hard drive.
Originally, the BIOS firmware was hard-coded and read-only. Now, however, manufacturers generally use an erasable format, such as flash memory so that the BIOS can be easily updated remotely. The use of an erasable format that can be updated over the Internet makes updates easier but also leaves the BIOS vulnerable to online attack.
A BIOS attack does not require any vulnerability on the target system -- once an attacker gains administrative-level privileges, he can flash the BIOS over the Internet with malware-laden firmware. On ars technica, Joel Hruska describes one BIOS rootkit attack:
The aforementioned attack consists of dumping the new BIOS into flashrom (a BIOS read/write/modify utility), making the necessary changes, adjusting all of the checksums to ensure the hacked BIOS will verify as authentic… and flashing. Voila! One evil BIOS.
Methods of preventing BIOS rootkit attacks include:
- Implementing digital signature technology to prevent unauthorized access
- Making the BIOS non-writeable
- Burning a hardware cryptographic key into the BIOS at manufacture that can be used to verify that the code has not been altered.
If an unauthorized BIOS-level rootkit is detected, the only way to get rid of it is to physically remove and replace the memory where the BIOS resides.