New
#30
I thought this same issue was brought up by Kaspersky a few years back. I thought it started around the rootkit era, or am I wrong?
While not wanting to ever declare something "impossible", just how is it "possible" for malware to survive a firmware flash? Surviving a firmware "patch"...yes, definitely possible...but a "flash"?
Regardless of the boot source for the machine, the currently installed firmware will "always" be read. That always presents a vector for the malware to load to RAM - to the best of my knowledge, there is no way to avoid this possibility. However, if the code for flashing the firmware is written correctly... again that darn "if"...that code can explicitly control access to specific RAM memory locations and thus effectively lock and prevent "any" other loaded code from executing. Thus, preventing RAM loaded malware from injection execution between completion of the flashing operation and rebooting. Thus, allowing the reboot to flush the RAM loaded malware and thus, preventing backwashing the newly flashed firmware.
Again, "if" the flashing code is written correctly...
"If" is not acceptable in security or in this case there is no way to be safe except removing chip and flushing with EPROM:
EPROM - Wikipedia
See "The firmware dilemma" section here:
Can Malware Survive If I Reset My PC? - Ask Leo!
Thanks for posting the two references...they rather explicitly prove my point!
A: Malware "can" be removed - including BIOS/UEFI/firmware - the second article apparently concurs.
B: EPROM's are precisely the vehicle through which flashing is performed on - the first article explains this.
EPROM chips DO NOT need to be removed to be flashed - yes, if not soldered, they certainly "can" be removed and flashed from outside the motherboard...but, that is not a "necessary" requirement for flashing an EPROM.
On the other hand, one cannot "flash" a chip that is not in some way "programmable" - thus how can any malware "infect" non-programmable chips...that seems to defy physics to wit: if the lid of a box cannot be opened then one cannot change its contents. Yet on another hand (...how many hands do we have here...), there may be some chips that are one-time programmable thus, malware could use that one-time re-programmability to infect that chip - or perhaps there are chips which could permit a flashing code to effectively "lock" the chip after flashing thus preventing any further flashing access. In these two cases, without a doubt, the chips would absolutely require removal and replacement with entirely new chips. I cannot speak to the existence of either of such chips but, it would seem rational to expect that military, government, and intelligence organizations would be *VERY* interested in such hardware.
The reference to "if" is NOT a reference to how to address the "security" of one's system. It IS rather a reference to the fact that certain things ARE achievable. "If", in this case, is not about end-users taking chances, it is rather about devs paying attention to good practices when coding things that affect security. Some sources of code are well written and some are not...hence, "if" relates to whether or not the dev paid attention to what can, or should, be done to enhance safety e.g. "if" the dev does the job right not "if" the end-user rolls-the-dice so to speak.
Has it been stated/discuss if this malware can be identified with a scan by AV ?
Hi folks
This thread is basically a 3 pronged thing
1) Self advertisment for kaspersky
2) "Project fear" for some really improbable occurrence on a Home computer system
3) Solution to the Schrödinger's cat paradox.
There's probably more chance of a piece of meteor hitting your computer than getting it infected by this type of attack.
Apply your brain cells to more rewarding topics !!!!
Cheers
jimbo