
Monday, November 24, 2014

How to experiment and learn about BIOS malware

While trying to make VMWare Workstation work with the new kernel in Fedora 20, the page where I found the solution has a section about extracting the BIOS. That section has a subsection showing how to use a custom BIOS for a virtual machine. Because lately I'm deep into malware analysis, it occurred to me that this is actually a great opportunity to experiment with BIOS malware for educational and research purposes. Using real hardware for that purpose would be very problematic because it isn't easy to modify a BIOS just like that. So, in essence, what we would like to do is:
  1. Extract BIOS used by VMWare.
  2. Decompile it.
  3. Modify.
  4. Compile.
  5. Install and use.
So, while searching for how to do that, I stumbled on a PHRACK magazine article that describes just that: how to infect a BIOS. It also describes how to instruct VMWare to stop in the BIOS and allow gdb to be attached for BIOS debugging! In the end, it turned out that this topic is already well studied. Here are some interesting resources I found:

Lately, UEFI is much more interesting to experiment with, because all the manufacturers are gradually switching from the old BIOS to a new boot method that has additional protections. It turns out that VMWare Workstation, starting with version 8, supports UEFI boot too. All that is necessary is to add the following line to the vmx configuration file of a virtual machine:
firmware="efi"
So, this is a great research and learning opportunity. Yet it is very hard to find information on how to manipulate a UEFI BIOS. One reason might be that it is relatively new and not many people know what it does and how it works.
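Once a firmware image has been extracted from the virtual machine (step 1 above), the first thing a researcher wants is an inventory of the UEFI firmware volumes inside it and a way to tell whether any of them changed between two images. The following script is an added example and not code from the post or from VMWare; it walks the image for EFI_FIRMWARE_VOLUME_HEADER structures (layout per the UEFI PI specification), verifies each header's 16-bit checksum, hashes each volume and reports volumes that differ from a trusted baseline. The sample image, its GUID and its payloads are constructed here purely for illustration.

```python
import hashlib
import struct

# EFI_FIRMWARE_VOLUME_HEADER (UEFI PI spec, Vol. 3): ZeroVector[16], FileSystemGuid[16],
# FvLength u64, Signature "_FVH" (at offset 40), Attributes u32, HeaderLength u16,
# Checksum u16, ExtHeaderOffset u16, Reserved u8, Revision u8, then the block map.
# The 16-bit word sum over the whole header (Checksum field included) must be 0.
FV_FMT = "<16s16sQ4sIHHHBB"
FV_SIZE = struct.calcsize(FV_FMT)  # 56 bytes before the block map
FV_SIG = b"_FVH"

def header_sum_ok(hdr):
    """True when the header's little-endian 16-bit words sum to zero (mod 2**16)."""
    return sum(struct.unpack("<%dH" % (len(hdr) // 2), hdr)) & 0xFFFF == 0

def find_volumes(image):
    """Return (offset, length, checksum_ok, sha256) for every plausible volume in image."""
    found, pos = [], image.find(FV_SIG)
    while pos != -1:
        start = pos - 40  # the signature sits 40 bytes into the header
        if start >= 0 and start + FV_SIZE <= len(image):
            _, _, fv_len, _, _, hdr_len, _, _, _, _ = struct.unpack_from(FV_FMT, image, start)
            if FV_SIZE <= hdr_len <= fv_len <= len(image) - start:
                vol = image[start:start + fv_len]
                found.append((start, fv_len, header_sum_ok(vol[:hdr_len]),
                              hashlib.sha256(vol).hexdigest()))
        pos = image.find(FV_SIG, pos + 1)
    return found

def build_volume(payload, guid=b"\x11" * 16):
    """Constructed sample volume: one block-map entry plus terminator, valid checksum."""
    hdr_len = FV_SIZE + 16
    fv_len = hdr_len + len(payload)
    def pack(cksum):
        return (struct.pack(FV_FMT, b"\0" * 16, guid, fv_len, FV_SIG, 0, hdr_len, cksum, 0, 0, 2)
                + struct.pack("<IIII", 1, fv_len, 0, 0))
    cksum = (-sum(struct.unpack("<%dH" % (hdr_len // 2), pack(0)))) & 0xFFFF
    return pack(cksum) + payload

def changed_volumes(baseline, current):
    """Offsets of volumes whose hash differs from the trusted baseline or whose checksum fails."""
    base = {off: h for off, _, _, h in find_volumes(baseline)}
    return [off for off, _, ok, h in find_volumes(current) if not ok or base.get(off) != h]

# Constructed sample image: 8 bytes of padding followed by two volumes (offsets 8 and 112).
SAMPLE = b"\xff" * 8 + build_volume(b"DXE-CORE" * 4) + build_volume(b"PEI-CORE" * 3)
# Simulated modification: one byte patched inside the second volume's payload.
TAMPERED = bytearray(SAMPLE)
TAMPERED[-5] ^= 0x41
TAMPERED = bytes(TAMPERED)
```

Run against a real extracted image, `find_volumes` lists every volume header it can make sense of, and `changed_volumes` with a known-good copy pinpoints which volume was touched.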

While searching for information on how to infect and manipulate UEFI, I found the following URLs to be interesting:
  1. http://www.projectosx.com/forum/index.php?showtopic=3018
  2. http://wiki.osdev.org/UEFI
  3. http://uefi.org/learning_center/presentationsandvideos
  4. http://linuxplumbers.ubicast.tv/videos/uefi-tutorial-part-1/
  5. http://tianocore.sourceforge.net/wiki/Welcome
  6. http://vzimmer.blogspot.com/2012/12/accessing-uefi-form-operating-system.html

Sunday, June 10, 2012

Stuxnet... the origin... and implications...

Wow! I was reading Jeffrey Carr's post in which he admits being wrong about Stuxnet's origin, and he references this article that made him change his mind. It is definitely a fascinating read about Stuxnet: how it was conceived, developed and used. I recommend that you take the time and read it! Namely, for several years now you'll find all over the Internet accusations that the Chinese government is attacking western companies and governments. But this shows that other governments aren't sitting and doing nothing. Moreover, this article shows that malware has been brought to a new level of use, in which it is used as an attack weapon; to cite the article: Somebody crossed the Rubicon.

I suppose this will have a huge impact and lot of implications:
  1. Russia is pushing towards some kind of international treaty that would regulate the use of cyberweapons. One of the advocates of this is Kaspersky, but there are also critics. Anyway, this article gives a push to the Russian government's intentions.
  2. What impact will this have on closed source software? Because no one can ever be sure what's in there, especially if the company producing this software is under the control of a foreign country. Now, Microsoft already gave access to its source code to, I think, India among others, but doesn't this also mean that Indian secret services can find bugs and use them against other countries? Sounds like Games without Frontiers...
  3. Antivirus software, NIDS, HIDS and the usual protections don't help here! They rely on mass infection, i.e. someone gets infected, but this allows antivirus companies to analyze the threat, create signatures and update the antivirus software so that the huge majority is protected. These, on the other hand, are custom made attack programs.
  4. With the backing of government agencies, these attacks can be very sophisticated. But note that anyone with enough resources (i.e. rich enough) can do the same.
All in all, very interesting and far reaching developments...
