12

Could it be possible that a virus rewrites my BIOS with some malicious code? If so, how could I protect against it, or at least how can I check that the BIOS hasn't been modified?

Scott Pack
LanceBaynes
  • Assuming this is a PC, do you know the motherboard make and version? They often have utilities to check on the BIOS. – zedman9991 May 13 '11 at 16:06
  • And for the initial question, Konboot is very good at checking the integrity of your BIOS... You can either get it at their site or download it with a host of other utility software from Hirens boot disk on the web –  Oct 26 '16 at 04:38

1 Answer

14

It is certainly possible. See this presentation for example: http://www.coresecurity.com/files/attachments/Persistent_BIOS_Infection_CanSecWest09.pdf

One way to achieve protection is by requiring a flash BIOS password that some implementations support.

Another way is by using a TPM which does almost exactly what you are suggesting: It creates a SHA-1 hash of the BIOS image before loading it - and if Secure Boot is enabled it compares it to a stored value.

Now, how to check if the BIOS is compromised:

The general idea is that you can take a BIOS backup image at any time and compare the hash of that image to the hash of a previous one - maybe one you took after flashing.

But, in theory, if the BIOS modification is malicious enough, it will serve you something that won't be suspicious - so you won't actually be able to check but only just re-flash (and this may not be enough if the flash procedure itself uses BIOS functions that are hooked). Generally, to check the integrity of anything, you have to perform the checking operation at a level lower than the level of the object you check. With BIOS this is pretty hard - and this is one of the reasons TPMs were invented.

john
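An added example (not part of the answer above and not any vendor's tool) of the backup-image comparison the answer describes: it hashes a baseline dump and a current dump with SHA-256 and, on a mismatch, reports which byte ranges changed, so that changes in an area you expect to vary (saved settings) can be told apart from changes elsewhere. The dump contents, the 4 KiB block size and the `expected_volatile` range are constructed assumptions; as the answer notes, a dump read through already-modified firmware may not be trustworthy.

```python
import hashlib

BLOCK = 4096  # comparison granularity (assumed; 4 KiB is a common SPI flash sector size)

def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def changed_ranges(baseline: bytes, current: bytes, block: int = BLOCK):
    """Return merged (start, end) byte ranges whose blocks differ."""
    ranges = []
    longest = max(len(baseline), len(current))
    for off in range(0, longest, block):
        if baseline[off:off + block] != current[off:off + block]:
            if ranges and ranges[-1][1] == off:   # extend the previous range
                ranges[-1] = (ranges[-1][0], off + block)
            else:
                ranges.append((off, off + block))
    return [(s, min(e, longest)) for s, e in ranges]

def compare_dumps(baseline: bytes, current: bytes, expected_volatile=()):
    """Hash both dumps; sort changed ranges into expected and unexpected."""
    report = {
        "baseline_sha256": sha256_hex(baseline),
        "current_sha256": sha256_hex(current),
        "size_changed": len(baseline) != len(current),
        "expected": [],
        "unexpected": [],
    }
    report["match"] = report["baseline_sha256"] == report["current_sha256"]
    for start, end in changed_ranges(baseline, current):
        inside = any(lo <= start and end <= hi for lo, hi in expected_volatile)
        report["expected" if inside else "unexpected"].append((start, end))
    return report

def sample_dumps():
    """Constructed 64 KiB images standing in for real BIOS backups."""
    base = bytearray(b"\xff" * (16 * BLOCK))
    cur = bytearray(base)
    cur[5 * BLOCK + 10] = 0x00   # change inside the assumed settings area
    cur[12 * BLOCK] = 0x90       # changes in two adjacent blocks outside it
    cur[13 * BLOCK + 1] = 0x90
    return bytes(base), bytes(cur)

if __name__ == "__main__":
    base, cur = sample_dumps()
    rep = compare_dumps(base, cur, expected_volatile=[(4 * BLOCK, 6 * BLOCK)])
    print("match:", rep["match"])
    print("expected changes:", rep["expected"])
    print("unexpected changes:", rep["unexpected"])
```

With real images, read both files as bytes and keep the baseline and its hash on separate, write-protected media.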