
Identifying flashed BIOS rootkits.

Rootkits suck. :(

BIOS malware is even worse. This is the serious stuff.

Persistent "obfuscation-ware"-type behavior of a machine, weirdness that goes on from one OS to another... all symptoms.

I bring this up b/c I scan regularly (AVG) and watch the processes. I use sandboxes when I can.

So I thought simple rootkit. BUT--this morning my machine auto-flashed the BIOS from the second ROM BIOS after having issues starting, dealing with I/O, etc. It said the flash BIOS was corrupted.

Why did this not get found before?! This behavior has gone on longer than just today.

What is the check that's performed? Is it CRC or something that the malware gets around with junk chars? Why did it get found now?

Anyone know of a way to dump the BIOS chip data? It would also be useful to (1000x) a day check the pristine dump from the ROM chip against the flashable chip, if your (physical) system has two BIOS chips.
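On the dump and compare question: flashrom can read the part from inside the OS (`flashrom -p internal -r current.bin`), though a dump taken from a machine you already suspect is only as trustworthy as the firmware and OS that produced it; a read with an external SPI programmer (clip on the flash chip) is the reliable way to get a pristine image. On the "is it a CRC?" question: the check a board performs at boot is vendor-specific, but the simple additive checksums and CRCs commonly used in firmware images are not integrity checks, because an attacker who has already written to the chip can pad a few spare bytes so the value comes out the same (one byte for an additive sum, four bytes for CRC32). A cryptographic hash of a known-good dump, compared against a fresh dump, does not have that problem. The script below is an example added to this thread, not the original poster's code and not a vendor tool; it assumes both images are raw dumps of the same flash part and constructs a small sample image inline so it runs offline. It shows the additive-checksum fix-up, then compares the two dumps by checksum, CRC32 and SHA-256 and reports which byte ranges differ.

```python
"""Check a BIOS/SPI-flash dump against a known-good copy.

Example added to this thread (not the original poster's code, not a
vendor tool). Assumptions: both images are raw dumps of the same flash
part, e.g. from `flashrom -p internal -r current.bin`, and the sample
images below are constructed inline so the script runs offline.
"""
import hashlib
import zlib


def byte_sum_checksum(image: bytes) -> int:
    """8-bit additive checksum (sum of all bytes mod 256), the kind of
    check that one padding byte is enough to defeat."""
    return sum(image) & 0xFF


def tamper_and_fixup(image: bytes, offset: int, payload: bytes, filler_offset: int) -> bytes:
    """Write `payload` at `offset`, then rewrite the byte at `filler_offset`
    (assumed to be unused padding) so the 8-bit checksum is unchanged."""
    original = byte_sum_checksum(image)
    patched = bytearray(image)
    patched[offset:offset + len(payload)] = payload
    # Want f' with (S' - f + f') == S (mod 256), i.e. f' = f + (S - S').
    delta = (original - byte_sum_checksum(patched)) & 0xFF
    patched[filler_offset] = (patched[filler_offset] + delta) & 0xFF
    return bytes(patched)


def diff_regions(golden: bytes, current: bytes) -> list[tuple[int, int]]:
    """Return [start, end) offset ranges where the two dumps differ.
    Different sizes mean different chips or a truncated read, so refuse."""
    if len(golden) != len(current):
        raise ValueError(f"size mismatch: {len(golden)} vs {len(current)} bytes")
    regions = []
    start = None
    for i, (g, c) in enumerate(zip(golden, current)):
        if g != c and start is None:
            start = i
        elif g == c and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(golden)))
    return regions


def verify(golden: bytes, current: bytes) -> dict:
    """Compare three checks side by side: additive checksum, CRC32, SHA-256."""
    return {
        "byte_sum_match": byte_sum_checksum(golden) == byte_sum_checksum(current),
        "crc32_match": zlib.crc32(golden) == zlib.crc32(current),
        "sha256_match": hashlib.sha256(golden).digest() == hashlib.sha256(current).digest(),
        "diff_regions": diff_regions(golden, current),
    }


def build_sample_images() -> tuple[bytes, bytes]:
    """Constructed sample: a 4 KiB 'golden' image and a tampered copy."""
    golden = bytearray(b"\xFF" * 4096)          # erased flash reads as 0xFF
    golden[0x000:0x010] = b"GOLDEN-BIOS-v1.0"    # fake header
    golden[0x100:0x200] = bytes(range(256))      # fake code region
    golden = bytes(golden)
    # Attacker drops 8 bytes at 0x200 and fixes the checksum via padding at 0xFFF.
    tampered = tamper_and_fixup(golden, 0x200, b"\xCC" * 8, 0xFFF)
    return golden, tampered


if __name__ == "__main__":
    golden_img, tampered_img = build_sample_images()
    for key, value in verify(golden_img, tampered_img).items():
        print(f"{key}: {value}")
```

Run against real files with `verify(open("golden.bin", "rb").read(), open("current.bin", "rb").read())`; the tampered sample still passes the additive checksum, fails SHA-256, and the diff shows both the planted bytes and the padding byte the attacker touched to fix the sum. Note that some regions of a real image (NVRAM variables, event logs) legitimately change between boots, so expect to whitelist those offsets rather than treat every difference as tampering.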

Comments

  • andrzejek (Polska)
    edited January 2018
    We cant hide from rootkits... don't worry...
    What is your CPU? https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

  • Deeeeeeee (the Americas)
    This machine affected is an AMD FX 8320
  • Sven (www.GSA-Online.de)
    Be advised that whenever someone wants to get into your system, he can. A virus scanner is a risk itself, as they have numerous bugs as well. They just have good PR to make you believe that all those hyper-cloud-anti-xyz-technics are something revolutionary. In the end all they do is protect you against the majority of known viruses/trojans. And sometimes not even that.

    As we have heavy protection on our tools (at least I think so, real crackers might not agree) we also have a lot of false detections and constantly have to deal with the improper virus scanners. It's a pain, and you had better rethink how you surf the web, what you click and how you are online. That's a better protection than a scanner.

    Anyway, back to your rootkit problem. Do you really think it's one? I got that as well some months ago, and all it was was a weak battery on my motherboard corrupting things. No big thing (at least so I think).
  • Deeeeeeee (the Americas)
    edited January 2018
    First, I should definitely check the battery. :p

    And check for loose power cables that may have vibrated partially out, or are pulling.

    I think it may well have been a rootkit b/c my machine has been acting weird. And this is even pre-Windows loading.

    I don't visit any sites that are malicious...or at least that's what I had thought. AVG does flag many as malware infested, but I do think it can miss something.

    By that, I don't visit p**n sites, ever.

    But I do read news and ideas, and I guess I am open-minded and so the range of ideas I am willing to read is the full spectrum of people's thoughts. Just b/c I read something doesn't mean I agree, anyway! Maybe some of such sites are themselves of issue?

    I use a sandbox, but I do not use proxies to browse.

    AVG is OK. I know it gives false positives, as I've had some legit files (text files, personal pics of my family(!?), and more) moved to quarantine. :o But the routine scan would never even find a rootkit, and their rootkit scanner probably does little to detect anything, either. lol