Researcher creates proof-of-concept malware that infects BIOS, network cards
New Rakshasa hardware backdoor is persistent and hard to detect, researcher says
IDG News Service - Security researcher Jonathan Brossard created a proof-of-concept hardware backdoor called Rakshasa that replaces a computer's BIOS (Basic Input Output System) and can compromise the operating system at boot time without leaving traces on the hard drive.
Brossard, who is CEO and security research engineer at French security company Toucan System, demonstrated how the malware works at the Defcon hacker conference on Saturday, after also presenting it at the Black Hat security conference on Thursday.
Rakshasa, named after a demon from the Hindu mythology, is not the first malware to target the BIOS -- the low-level motherboard firmware that initializes other hardware components. However, it differentiates itself from similar threats by using new tricks to achieve persistency and evade detection.
Rakshasa replaces the motherboard BIOS, but can also infect the PCI firmware of other peripheral devices like network cards or CD-ROMs, in order to achieve a high degree of redundancy.
Rakshasa was built with open source software. It replaces the vendor-supplied BIOS with a combination of Coreboot and SeaBIOS, alternatives that work on a variety of motherboards from different manufacturers, and also writes an open source network boot firmware called iPXE to the computer's network card.
All of these components have been modified so they don't display anything that could give their presence away during the booting process. Coreboot even supports custom splashscreens that can mimic the ones of the replaced BIOSes.
Existent computer architecture gives every peripheral device equal access to RAM (random access memory), Brossard said. "The CD-ROM drive can very well control the network card."
This means that even if someone were to restore the original BIOS, rogue firmware located on the network card or the CD-ROM could be used to reflash the rogue one, Brossard said.
The only way to get rid of the malware is to shut down the computer and manually reflash every peripheral, a method that is impractical for most users because it requires specialized equipment and advanced knowledge.
Brossard created Rakshasa to prove that hardware backdooring is practical and can be done somewhere in the supply chain, before a computer is delivered to the end user. He pointed out that most computers, including Macs, come from China.
However, if an attacker would gain system privileges on a computer through a different malware infection or an exploit, they could also theoretically flash the BIOS in order to deploy Rakshasa.
The remote attack method wouldn't work in all cases, because some PCI devices have a physical switch that needs to be moved in order to flash a new firmware and some BIOSes have digital signatures, Brossard said.
- Platfora Big Data Analytics for Network Security Platfora amplifies the effectiveness of network security analysis, providing Big Data Analytics capability to augment existing security infrastructure for known threats, and advanced...
- SANS: Next-Generation Datacenters = Next-Generation Security This whitepaper takes a look at some new technology that may allow security teams to implement more flexible and capable protection models in...
- SANS: Protecting Virtual Endpoints with McAfee Server Security Suite Essentials SANS review of McAfees Server Security Suite Essentials that address some of the emerging challenges of securing virtual platforms and cloud environments.
- Safeguarding the Next-Generation Data Center Use of virtual and cloud servers has exploded. Unfortunately, security often lags behind. McAfee recommends looking at innovative solutions in order to erect...
- Is SQL Server AlwaysOn really as powerful? Tips and Tricks from the field With the introduction of AlwaysOn, Windows Clustering Services is now more critical than ever.
- What Does it Take to Deliver a Superior Customer Experience? The Two Top-Rated Online Retailers, B&H Photo and Crutchfield Electronics, Share Their Secrets Discuss practical CX tools and service methods such as contact center agents and the use of realtime speech analytics to help contact center... All Cyberwarfare White Papers | Webcasts