Tuesday, June 21, 2016

security - How to detect Bios Rootkits on a server mainboard?



I recently read about a talk by Corey Kallenberg and Xeno Kovah given at the CanSecWest-conference which describes how the firmware of a server mainboard can be reprogrammed to include malicious software. This has left me really worried! I'm now seeking for a method how to make sure that some given hardware has not been tempered with in such regard. How can I do this?


Answer



Well, the obvious answer would be to compare the BIOS you have with the BIOS released by the manufacturer... of course, that only works if the BIOS released by your manufacturer doesn't contain a rookit to begin with.



Failing that, you're left with a topic you could literally write several books on... or parlay into millions of dollars worth of IT security consulting, so it a subject that's much too broad to cover here, but it's not all that different than detecting any other rootkit - you examine logs and memory contents at a low level and look for evidence of the system doing something it shouldn't be doing. John Heasman did an interesting talk on ACPI BIOS rootkits at Blackhat Europe in 2006, which seems relevant here. (PDF)




The bottom line, though, is that this is still a technically advanced and relatively rare type of malware that's used against high value targets, which probably doesn't include you. If you actually do have reason to be worried about being targeted by this kind of attack, you need to hire some dedicated security resources and be directing your questions about BIOS malware at them. And remember, security is a type of insurance. There's no sense in buying a $10,000 wall safe to protect a stack of 1 dollar bills, just like there's no point in spending hundreds of thousands of dollars on a security team unless the data you're protecting is very valuable.



The information Security site is probably better suited to any further queries you have on the topic, and there are a number of existing questions and answers about BIOS malware already that might be of some interest to you.


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...