Investigating Possible Motherboard BIOS Malware


Discussion Overview

The discussion revolves around the possibility of malware affecting motherboard BIOS, including the nature of such malware, its effects, and the mechanisms by which it might operate. Participants explore various theories, experiences, and technical details related to BIOS viruses and their implications for computer functionality.

Discussion Character

  • Debate/contested
  • Technical explanation
  • Exploratory

Main Points Raised

  • One participant questions whether malware can indeed target the BIOS, sharing an experience of a slow boot process that improved after flashing the BIOS.
  • Another participant confirms that BIOS can be corrupted and mentions the existence of BIOS viruses that can render a computer unbootable.
  • Some participants discuss the nature of BIOS viruses, with one arguing that a virus that destroys its host (the BIOS) cannot be classified as a virus due to its inability to reproduce.
  • There is a suggestion that viruses may store data in CMOS memory, with a participant proposing that resetting the CMOS could eliminate such viruses.
  • Others clarify that a BIOS virus would overwrite the BIOS itself rather than just affecting the memory used by the BIOS.
  • Technical details are provided about how BIOS code is written and the rarity of worms that can infect BIOS due to modern protections like Dual BIOS.
  • One participant humorously suggests that the issue might have been a "dust allergy," later confirming that dust buildup was indeed the cause of the slow boot process.

Areas of Agreement / Disagreement

Participants express differing views on the nature and definition of BIOS viruses, with some agreeing on the potential for BIOS corruption while others debate the classification of such malware. The discussion remains unresolved regarding the specifics of how BIOS malware operates and its implications.

Contextual Notes

Participants reference various technical aspects of BIOS functionality and malware behavior, but there are unresolved assumptions regarding the mechanisms of infection and the effectiveness of potential solutions like CMOS resets.

gnome
Is there such a thing? Some kind of malware that attacks the motherboard bios?

This afternoon I rebooted one of my computers (an Asus A7N8XE mb) -- some program, I don't remember exactly which, was "acting up" -- and it took way too long to boot. It seemed to be hanging even before Grub loaded (while the nvidia splash screen that shows up during post was still displayed). Tried a few times with the same effect; it was taking almost a minute before I would get my grub boot menu.

I was thinking that maybe my boot sector was corrupted, or one of my memory sticks went bad, but I didn't have time to play with it & just left it running while I went to school.

Tonight, before screwing around with the memory, just for the hell of it I flashed the bios and, voila, it seems to be working fine again.

Could anything from the internet have caused that, or is it just indigestion?
 
I suppose a BIOS could get trashed somehow, but I believe on most motherboards it's stored in Flash.

And yes, there are BIOS viruses. The purpose of the viruses is to make your computer unable even to boot, so it's impossible to fix without taking out the BIOS chip and reprogramming it.

- Warren
 
It is stored in a flash rom. But it seems as if something corrupted it. It didn't prevent the computer from booting, but it definitely slowed down something in the booting process dramatically.

After I re-flashed it, it seems to be back to normal.
 
How can there be a BIOS V!rus? I thought that one of the main purposes of the BIOS is to make it where H@X0Rz cannot access it. Hmn, but if you think about it, there must be a way to access the BIOS data because when you set a new Windows password, it stores it there. Hmn... Does anybody know how to access the BIOS then?
 
eNathan said:
How can there be a BIOS V!rus? I thought that one of the main purposes of the BIOS is to make it where H@X0Rz cannot access it. Hmn, but if you think about it, there must be a way to access the BIOS data because when you set a new Windows password, it stores it there. Hmn... Does anybody know how to access the BIOS then?
The BIOS is the lowest level of software in your computer. It has no purpose of being "hack-proof," and it's hackable like any other piece of software. All motherboards can be updated interactively. You can download a new BIOS image off a motherboard manufacturer's website, and reprogram the BIOS. A virus can modify the BIOS in the same way, but for a malicious purpose.

- Warren
 
I think the data of the viruses are saved in CMOS-Memory.

And gnome acknowledged it...

When you reset that by using the CMOS jumper or by taking away the battery, the virus must be gone, or not?

I think that won't be that big a problem, if I understand you right...

Greets
Soeren
 
soeren said:
I think the data of the viruses are saved in CMOS-Memory.

And gnome acknowledged it...

When you reset that by using the CMOS jumper or by taking away the battery, the virus must be gone, or not?

I think that won't be that big a problem, if I understand you right...

Greets
Soeren

No, a BIOS virus would overwrite the BIOS itself, not just the memory the BIOS uses to store data.
 
I would argue that a "virus" that prevented a PC from Booting by trashing the BIOS is not a virus...

A virus by definition uses its host to "reproduce" itself... If the virus kills its host it can't reproduce and thus kills itself...
 
Anttech said:
I would argue that a "virus" that prevented a PC from Booting by trashing the BIOS is not a virus...

A virus by definition uses its host to "reproduce" itself... If the virus kills its host it can't reproduce and thus kills itself...

Of course, it's entirely possible that it really is a virus which replicates itself for a while and then trashes the BIOS.
 
  • #10
Anttech said:
I would argue that a "virus" that prevented a PC from Booting by trashing the BIOS is not a virus...

A virus by definition uses its host to "reproduce" itself... If the virus kills its host it can't reproduce and thus kills itself...

I think you are talking about a 'worm'
 
  • #11
Actually I am not. A virus (thus its name) has to reproduce and spread...

virus

Worm

A worm is the same but doesn't need to attach to an executable code and is self contained, for example the Slammer worm
 
  • #12
master_coda said:
Of course, it's entirely possible that it really is a virus which replicates itself for a while and then trashes the BIOS.

Well errm yeh good point ;-)
 
  • #13
BIOS code is flashed at production. It is written in low level C machine code. If a worm can replicate this low level C code and flash itself into BIOS memory at boot time before POST, then yes, you can corrupt a system to the point of an unbootable state. These kinds of worms are however very rare nowadays with the advent of Dual BIOS, dynamic flashing on the EPROM and so forth.

There is also little point to this, as your BIOS only really stores system information related to the motherboard and IC itself. All other devices are loaded during the POST process, and then the bootstrap loader.
 
  • #14
Nemesis said:
BIOS code is flashed at production. It is written in low level C machine code. If a worm can replicate this low level C code and flash itself into BIOS memory at boot time before POST, then yes, you can corrupt a system to the point of an unbootable state. These kinds of worms are however very rare nowadays with the advent of Dual BIOS, dynamic flashing on the EPROM and so forth.

There is also little point to this, as your BIOS only really stores system information related to the motherboard and IC itself. All other devices are loaded during the POST process, and then the bootstrap loader.

Dual BIOS is probably the only thing that can protect you from this sort of problem, and it isn't in universal use yet.

The fact that you can flash your ROM is actually the cause of the problem, not a solution. If your BIOS couldn't be rewritten then it couldn't be overwritten with garbage. Unfortunately, once your BIOS is overwritten by a virus, it's unlikely you'll be able to restore it. I've never seen a system that provided a way for you to flash the BIOS without booting the system first, and if your BIOS is trashed then you'll be unable to boot.
 
  • #15
Maybe it was just an allergy. :biggrin: :biggrin: :biggrin:


As it turns out, that's exactly what it was -- a dust allergy. I rebooted it a little while ago (as you can see I don't often turn this thing off) & found that the POST was again way too slow. So I went into setup & turned off the logo so I could watch the POST messages; the long delay in booting was actually occurring even before the memory test started. So I opened up the case & found that my oversized ThermalTake Silent Boost heatsink was choked - REALLY choked - with dust. Blew it out, let it cool for a few minutes, & now it boots like a champ.

Apparently the slow startup was caused by the motherboard's thermal protection waiting for the choked heatsink to cool the cpu down to an acceptable temperature. With a standard heatsink & fan it probably wouldn't have been able to run at all.

Oh well ...
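
Added example (not part of the thread and not any poster's code): instead of guessing whether the flash ROM was altered, a dump read back from the chip can be compared block by block with the vendor's image for the same BIOS version. The sample images, the 4 KiB block size and all function names here are constructed assumptions.

```python
import hashlib

BLOCK = 4096  # assumed comparison granularity (a common flash erase-sector size)

def diff_ranges(dump: bytes, reference: bytes, block: int = BLOCK):
    """Return block-aligned (start, end) byte ranges where the images differ."""
    if len(dump) != len(reference):
        raise ValueError(f"size mismatch: dump={len(dump)}, reference={len(reference)}")
    ranges = []
    for off in range(0, len(dump), block):
        if dump[off:off + block] == reference[off:off + block]:
            continue
        end = min(off + block, len(dump))
        if ranges and ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], end)  # merge with the adjacent range
        else:
            ranges.append((off, end))
    return ranges

def classify(region: bytes) -> str:
    """Describe what the dump holds in a region that differs from the reference."""
    if region == b"\xff" * len(region):
        return "erased (all 0xFF)"
    if region == b"\x00" * len(region):
        return "zero-filled"
    return "modified"

def compare_images(dump: bytes, reference: bytes):
    """Summarise the comparison: hashes, differing ranges and their total size."""
    ranges = diff_ranges(dump, reference)
    return {
        "dump_sha256": hashlib.sha256(dump).hexdigest(),
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
        "identical": not ranges,
        "differing_block_bytes": sum(e - s for s, e in ranges),
        "ranges": [(s, e, classify(dump[s:e])) for s, e in ranges],
    }

def make_sample_images():
    """Constructed 256 KiB images standing in for a vendor file and a chip dump."""
    reference = bytes((i * 31 + 7) & 0xFF for i in range(256 * 1024))
    dump = bytearray(reference)
    dump[0x3010:0x3014] = b"\x00\x01\x02\x03"     # small change inside one block
    dump[0x20000:0x22000] = b"\x00" * 0x2000      # two adjacent blocks overwritten
    return bytes(dump), reference

if __name__ == "__main__":
    report = compare_images(*make_sample_images())
    for start, end, kind in report["ranges"]:
        print(f"0x{start:06x}-0x{end:06x}: {kind}")
```

A differing block is a lead to examine, not proof of tampering: a board may keep configuration data in the same flash chip, so some blocks can differ from the vendor file on a healthy system.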
 
