Topic: Infecting BIOS from within the Windows

Offline Infinityexists
Infecting BIOS from within the Windows
« on: March 11, 2012, 05:24:45 pm »
Hello Everyone,

I wonder if there is any way that I could infect the BIOS or change its settings from within the Windows environment.

I got a clue that it can be done using the mssmbios.sys or bios.sys files, but I am not able to find out more details about it.
I tried to execute mssmbios.sys to find out more about it, but I am getting an error:

The C:\Windows\System32\drivers\mssmbios.sys application cannot be run in Win32 mode

Also I got this,

This might be of somebody's interest.

If there is any way please help me out.
I am eager to know about it.

Online ande
Re: Infecting BIOS from within the Windows
« Reply #1 on: March 11, 2012, 05:43:13 pm »
Not quite sure how it is done, but it for sure is possible. You could disassemble some bios update executable and see how it does it. I am also sure you can find something existing if you google enough.

EDIT: I guess this is interesting enough: http://www.phrack.org/issues.html?issue=66&id=7&mode=txt
EDIT2: Perhaps this too http://www.securelist.com/en/analysis/204792193/MYBIOS_Is_BIOS_infection_a_reality
« Last Edit: March 11, 2012, 05:47:06 pm by ande »

Offline Axon
Re: Infecting BIOS from within the Windows
« Reply #2 on: March 11, 2012, 06:49:45 pm »
What are the benefits behind this? Could this method allow you to change the privileges from user to admin?

Online ca0s
Re: Infecting BIOS from within the Windows
« Reply #3 on: March 11, 2012, 07:06:54 pm »
If you get to ring 0 you can write anything anywhere you want. But maybe the BIOS is not the best place to infect. There are a lot of different BIOSes and you will probably need to do specific things in each one if you want to keep the system working normally.

@Axon: at that point there are no users and admins. But yes, if you get your code there, you can make Windows do whatever you want.

Has anyone tried to do this? How do AVs react? It must be hard for them to detect those write operations made from the kernel. You don't use any of the things they hook.

Offline Kulverstukas
Re: Infecting BIOS from within the Windows
« Reply #4 on: March 11, 2012, 08:21:53 pm »
I remember older BIOS versions had an option for Virus protection - never understood what it does and how it works...
« Last Edit: March 11, 2012, 08:22:04 pm by Kulverstukas »

Offline ARC_rapture
Re: Infecting BIOS from within the Windows
« Reply #5 on: March 12, 2012, 08:29:04 am »
There are a few vulnerabilities from Windows to the BIOS, because the BIOS is very much in contact with the main OS currently running. There was a vulnerability with Ring 0, but I think that's for older BIOSes. Finding it on Google may be challenging, but give it a go. If I find anything else I will keep in contact.

ARC_rapture

Online ca0s
Re: Infecting BIOS from within the Windows
« Reply #6 on: March 12, 2012, 08:57:25 am »
There are a dew vanrabilities via windows to BIOS due to the BIOS is very much in contact with the main current OS running, There was a vanrability with Ring 0 but i think that's for older BIOS. Finding it on google may be challenging but give it ago, If i find anything else i will keep in contact.

ARC_rapture


Lolwut? A "vanrability" in ring 0?

Offline Infinityexists
Re: Infecting BIOS from within the Windows
« Reply #7 on: March 12, 2012, 07:46:21 pm »
Not quite sure how it is done, but it for sure is possible. You could disassemble some bios update executable and see how it does it. I am also sure you can find something existing if you google enough.

EDIT: I guess this is interesting enough: http://www.phrack.org/issues.html?issue=66&id=7&mode=txt
EDIT2: Perhaps this too http://www.securelist.com/en/analysis/204792193/MYBIOS_Is_BIOS_infection_a_reality

The second link might come in handy :)
Thank you

Offline Infinityexists
Re: Infecting BIOS from within the Windows
« Reply #8 on: March 12, 2012, 07:48:31 pm »
What are the benefits behind this? Could this method allow you to change the privileges from user to admin?

Benefits -> like setting a BIOS password, so if the victim is a complete noob he'd never be able to break into it :|
Or changing the boot device setting (always boot from Floppy ROM/Removable Disc).
The possibilities are endless once you get into it, but how to get into it, that is the question.

Offline ARC_rapture
Re: Infecting BIOS from within the Windows
« Reply #9 on: March 28, 2012, 05:25:03 am »
By vulnerability i mean to get with Ring 0 :P

Offline Kulverstukas
Re: Infecting BIOS from within the Windows
« Reply #10 on: March 28, 2012, 01:52:40 pm »
By vulnerability i mean to get with Ring 0 :P
... and what is Ring-0?

Online ca0s
Re: Infecting BIOS from within the Windows
« Reply #11 on: March 28, 2012, 04:03:15 pm »
... and what is Ring-0?
The most privileged execution level of the microprocessor.