Basic Input/Output System
|Basic Input/Output System|
|Platform||Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1|
|Permissions Required||Administrator, SYSTEM|
|Data Sources||API monitoring, BIOS|
The BIOS (Basic Input/Output System), which underlies the functionality of a computer, may be modified to perform or assist in malicious activity.1
Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.
The Unified Extensible Firmware Interface (UEFI) is new specification for the interface between platform firmware and a computer operating system.2
- Trojan.Mebromi performs BIOS modification and can download and execute a file as well as protect itself from removal.3
- Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems.4
Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS to determine if it is vulnerable to modification. Patch the BIOS as necessary. Use Trusted Platform Module technology.5
Firmware manipulation may be detected.6 Dump and inspect BIOS images on vulnerable systems and compare against known good images.7 Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior.
Likewise, extensible firmware interface (EFI) modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.8910
- Wikipedia. (n.d.). BIOS. Retrieved January 5, 2016.
- UEFI Forum. (n.d.). About UEFI Forum. Retrieved January 5, 2016.
- Ge, L. (2011, September 9). BIOS Threat is Showing up Again!. Retrieved November 14, 2014.
- Lin, P. (2015, July 13). Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems. Retrieved December 11, 2015.
- Trusted Computing Group. (2008, April 29). Trusted Platform Module (TPM) Summary. Retrieved June 8, 2016.
- Upham, K. (2014, March). Going Deep into the BIOS with MITRE Firmware Security Research. Retrieved January 5, 2016.
- Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.
- Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.
- Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.
- Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017.