Rootkits headed for BIOS
ARLINGTON, Virginia — Insider attacks and industrial espionage could become more stealthy by hiding malicious code in the core system functions available in a motherboard’s flash memory, researchers said on Wednesday at the Black Hat Federal conference.
A collection of functions for power management, known as the Advanced Configuration and Power Interface (ACPI), has its own high-level interpreted language that could be used to code a rootkit and store key attack functions in the Basic Input/Output System (BIOS) in flash memory, according to John Heasman, principal security consultant for U.K.-based Next-Generation Security Software.
The researcher tested basic features, such as elevating privileges and reading physical memory, using malicious procedures that replaced legitimate functions stored in flash memory.
“Rootkits are becoming more of a threat in general–BIOS is just the next step,” Heasman said during a presentation at the conference. “While this is not a threat now, it is a warning to people to look out.”