The Snowden leaks revealed many secrets regarding the United States National Security Agency's efforts to snoop on unsuspecting individuals, and one of its projects involved infecting BIOS firmware. The NSA is not alone in this interest: there are other documented attempts to inject malware into this part of the computer, yet the industry has not made detecting malware in the BIOS any kind of priority. The BIOS is the software, or firmware, that is loaded into memory at the very start of the boot process, and its code resides on a memory chip that is usually soldered onto the mainboard. This makes the BIOS a juicy target for malware authors: code in the BIOS is loaded before the operating system, and anything present on the chip survives reboots, system wipes and reinstallations, independent of whichever operating system is installed. The computer security industry has largely ignored the threat of malware in the BIOS, but Google's VirusTotal may well change this.
VirusTotal, as of today, is being used to scan system BIOS images and categorize each as either legitimate or malicious. The new tool can scan a Windows or Apple Mac BIOS and obtain relevant information about the code held on the flash chip. VirusTotal uses heuristic detection to try to identify suspect code, and it also looks up the executable applications built into the BIOS. Manufacturers sometimes embed legitimate executables in the BIOS; one example is the Computrace application, which is built into many BIOS images to help track a computer system should it be stolen. Because the Computrace code lives in the BIOS, it survives wiping and reinstalling the operating system. VirusTotal extracts these executable files and submits them to the service, so that the user can see details about the contents of the BIOS, which should give insight into anything untoward buried in the code.
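The extraction step described above (pull the executables out of a firmware image so they can be looked up individually) can be illustrated with a small PE carver. The following is an added example written for this page; it is not VirusTotal's code and makes no claim about how their tool works internally. It scans a blob for `MZ` headers, validates the `PE\0\0` signature via `e_lfanew`, walks the section table to find where the embedded image ends, and hashes each carved image so a defender can check it against a reputation service. The firmware blob, the embedded executable and the "Computrace-like" payload string are all constructed here for the demonstration.

```python
import hashlib
import struct

# --- Constructed sample data (not a real BIOS image) -----------------------

def build_min_pe(section_bytes: bytes) -> bytes:
    """Build a minimal PE-shaped image: DOS header, PE signature, COFF header,
    one section header and the section's raw data. Enough for a carver."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE header at 0x40
    # COFF: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms,
    #       SizeOfOptionalHeader (0 here, minimal), Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x0002)
    raw_ptr = len(dos) + 4 + len(coff) + 40           # data follows the one section header
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_bytes), 0x1000,
                          len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\x00\x00" + coff + section + section_bytes

PAYLOAD = b"\x90" * 16 + b"Computrace-like agent (constructed placeholder)\x00"
SAMPLE_PE = build_min_pe(PAYLOAD)
SAMPLE_IMAGE = (b"\xFF" * 0x200           # erased-flash padding
                + b"MZ junk, not a PE"    # decoy: 'MZ' with no valid PE behind it
                + b"\xFF" * 0x40
                + SAMPLE_PE               # the embedded executable we want to carve
                + b"\xFF" * 0x100)

# --- Carver ----------------------------------------------------------------

def _try_parse_pe(blob: bytes, pos: int):
    """Return the bytes of a PE image starting at pos, or None if not plausible."""
    if pos + 0x40 > len(blob):
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
    pe = pos + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\x00\x00":
        return None
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    if nsec == 0 or nsec > 96:                        # 96 is the PE format's section limit
        return None
    sec_table = pe + 24 + opt_size
    end = sec_table + nsec * 40
    if end > len(blob):
        return None
    # The image ends where the furthest section's raw data ends.
    for i in range(nsec):
        fields = struct.unpack_from("<8sIIIIIIHHI", blob, sec_table + i * 40)
        raw_size, raw_ptr = fields[3], fields[4]
        if raw_size == 0:
            continue
        sec_end = pos + raw_ptr + raw_size
        if sec_end > len(blob):
            return None                               # truncated: not a usable image
        end = max(end, sec_end)
    return blob[pos:end]

def carve_pe_images(blob: bytes):
    """Return [(offset, image_bytes)] for every plausible PE embedded in blob."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        img = _try_parse_pe(blob, pos)
        if img:
            found.append((pos, img))
            pos = blob.find(b"MZ", pos + len(img))    # skip past the carved image
        else:
            pos = blob.find(b"MZ", pos + 1)
    return found

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def inventory(blob: bytes):
    """[(offset, size, sha256)] per carved executable, ready for a hash lookup."""
    return [(off, len(img), sha256_hex(img)) for off, img in carve_pe_images(blob)]

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for off, size, digest in inventory(data):
        print(f"PE at 0x{off:x}, {size} bytes, sha256 {digest}")
```

Run it with a dumped firmware image as the first argument, or with no arguments to carve the constructed sample. Carving by section extents rather than by the next `MZ` is what keeps the decoy header from producing a bogus image and keeps one executable from swallowing the next.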
The VirusTotal blog also invites readers to submit their own BIOS images to the VirusTotal website for further inspection. The source lists a number of resources that can be used to upload the BIOS code, but as a word of warning, it should be remembered that a suitably compromised BIOS may detect that it is being inspected and take steps to disguise any malware embedded in it. Ultimately, the only sure way of knowing whether the BIOS is compromised is to dump the memory contents of the BIOS chip directly from the circuitry itself. VirusTotal also encourages users to remove all private information from the submitted data, such as Wi-Fi passwords, which some manufacturers store in the BIOS to simplify setting the computer up again after a wipe and reinstall.