9

Steve Gibson of Security Now fame claims that viruses can attack a video card and infect it. I assume that he means it can infect the Video BIOS. However I'm skeptical. BIOSes are so numerous and different, what are the chances of someone writing a virus to infect the Video BIOS?

Any clues?

nealmcb
  • 20,693
  • 6
  • 71
  • 117
SineWave
  • 91
  • 1
  • 2
  • 9
    It wouldn't surprise me much to learn of viruses on video cards. But it would help if you could provide a link to the story you're referring to, and provide key quotes so we don't have to wade thru podcasts. Note also that he doesn't have the best reputation: [Steve Gibson: a "fringe charlatan"](http://attrition.org/errata/charlatan/steve_gibson/) who *"seems to know enough buzzwords and ideas to be dangerous to his clients."* – nealmcb Jul 20 '11 at 19:25
  • 5
    Since he posts transcripts (this one should be up in a day or so) why not examine what he said before the reference to charlatan on this site yet again. There is a similar question on StackOverflow with a different, more positive, take on the question. He also addressed the issue in episode 292, quoting an Al Jazeera claim: http://www.grc.com/sn/sn-292.htm Let's review today's transcript before slamming the dude. Then let's talk about the history of attrition.org both good and bad since they are the source of the charlatan listing. – zedman9991 Jul 20 '11 at 20:25
  • Without a proper context, my guess is that he is referring to attacking the GPU and its associated memory. It is possible, but that depends on what qualifies as an infection. – Steve Jul 20 '11 at 19:19
  • 1
    @nealmcb, No one can be right all the time. Those who don't ever make wrong assertions likely have made none. Steve Gibson has real skills; the programs on his site are all written by him alone. – Pacerier Nov 11 '15 at 00:02
  • @Pacerier No, he is wrong most of the time. – forest Mar 16 '18 at 06:40
  • nVidia, with a bad firmware, fried many of a specific model of their cards just because of an incorrect setting. It's that easy to accomplish. – Overmind Jul 27 '20 at 07:22

4 Answers

15

It is certainly conceptually possible for a virus to attack firmware such as video BIOSes. The virus would have to be tailored for each firmware, so there would have to be a large variety, but that's only an economic argument, not a technical argument. The economics means that you're only likely to see firmware viruses in targeted attacks (where at least part of the virus development is specific to one target) or in attacks against popular, standardized hardware platforms (iPhone attacks technically count here).

For an example of a real firmware vulnerability, try CVE-2010-0104: Broadcom NetXtreme management firmware ASF buffer overflow. This is a bug in some Ethernet firmware that allows a remote attacker to take control of the network firmware (and so at the very least actively attack all network traffic), and potentially of the whole computer (I don't know if there's an exploit for that, but once you have access to the PCI bus, I doubt that much is barred). Interestingly, the bug is in a remote management protocol parser, which in particular handles wake-on-LAN — so a computer is more likely to be vulnerable when it's switched off.

At Black Hat USA 2012, Jonathan Brossard presented “a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards”. The proof-of-concept (not publicly released) infects many BIOSes and common peripherals including network chips. It's only a matter of time until someone adds support for video cards.

Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
  • So what are the ways to "fully reformat" the system to ensure that it's virus free after it has been infected by bios viruses and video card viruses? – Pacerier Nov 10 '15 at 23:57
  • @Pacerier Reflash all firmware that can be written to a flash memory. It's difficult to be confident that you got it all. Depending on the device it may well be that the infected firmware can arrange to pretend a successful reflash but the malware stays behind, in which case replacing the hardware would be the only solution. – Gilles 'SO- stop being evil' Nov 11 '15 at 00:08
5

My first question to you is, what are the chances of someone writing a virus to infect SCADA systems? And then there was Stuxnet....

As for your question, it is possible. The normal call back for this issue is the 2007 Black Hat demonstration about hardware hacking. Here are a couple articles that hit on that demonstration... eWeek, ZDNet.

Frankly, when it comes to video cards in particular, I have no solid evidence either way. I would not think of it as a major threat at this time. Personally I have no doubt that video cards could be used for persistence, the only question is when will we find the first one in the wild?

Also, if anyone knows of an actual case of this in the wild, I would love to hear of it.

At the moment, I'm more afraid of a technology company being compromised that produces memory sticks than one that produces video cards. If you're looking for money, then you're going to go after the easiest route, and that seems like an easy choice at this point. If I remember correctly there was a SanDisk incident similar to what I just mentioned, though I haven't done any research to back that up.

Ormis
  • 1,940
  • 13
  • 18
  • 4
    http://research.microsoft.com/apps/pubs/default.aspx?id=70147 also discusses malicious use of a video card EEPROM – Ormis Jul 20 '11 at 19:40
  • Re SCADA, we've been saying for YEARS that it is highly likely. I've heard laments re the state of SCADA systems since I began being aware of security as an industry... I'm actually more surprised that it took so long. – AviD Jul 21 '11 at 10:01
  • I guess it wasn't the best example, I was simply trying to make a point that those types of directed attacks are a reality. – Ormis Jul 22 '11 at 13:36
  • Fair enough, it's not like many listened. :). For all intents, what you said is correct, and explains your premise well: just because you don't expect there to be a virus on a "niche" platform, doesn't mean there won't be one soon enough... – AviD Jul 22 '11 at 13:37
2

IHVs extend BIOS by hooking interrupts and providing new code, via Option/Expansion ROMs, a blob stored on the IHV's flash ROM. On UEFI, they don't use BIOS blobs, they use UEFI drivers (PEI Modules, DXE Drivers, UEFI Drivers). Malware authors can target BIOS Option ROMs and UEFI drivers. LegbaCore recently said they're working on an Option ROM verification tool: http://firmwaresecurity.com/2015/07/21/legbacore-option-rom-integrity-checker-in-the-works/ HTH, Lee http://firmwaresecurity.com/feed

Lee Fisher
  • 114
  • 2
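An added example, not part of the answer above and not LegbaCore's tool: a minimal integrity check over a PCI expansion ROM dump, walking the standard image layout (55 AA header, PCIR structure at the offset stored at 0x18) and comparing each image's hash with a trusted baseline. The helper names, the sample images and the IDs 0xABCD/0x1234 are constructed for illustration.

```python
import hashlib
import struct

def parse_option_rom(rom):
    """Walk each image in a PCI expansion ROM dump; return one dict per image."""
    images, off = [], 0
    while True:
        if len(rom) < off + 0x1A or rom[off:off + 2] != b"\x55\xaa":
            raise ValueError(f"no 55 AA image header at {off:#x}")
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if pcir + 0x16 > len(rom) or rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"no PCIR structure for image at {off:#x}")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        blocks, _, code_type, indicator = struct.unpack_from("<HHBB", rom, pcir + 0x10)
        if blocks == 0 or off + blocks * 512 > len(rom):
            raise ValueError(f"image at {off:#x} has bad length ({blocks} blocks)")
        body = rom[off:off + blocks * 512]
        images.append({
            "offset": off, "id": (vendor, device, code_type),  # type 0 = legacy x86, 3 = EFI
            # Legacy x86 images must sum to 0 mod 256; other code types need not.
            "checksum_ok": code_type != 0 or sum(body) % 256 == 0,
            "sha256": hashlib.sha256(body).hexdigest(),
        })
        if indicator & 0x80:  # bit 7 of the indicator byte marks the last image
            return images
        off += len(body)

def audit(rom, baseline):
    """List findings for a dump compared with a trusted baseline of hashes."""
    findings = []
    for img in parse_option_rom(rom):
        if not img["checksum_ok"]:
            findings.append(f"{img['offset']:#x}: legacy checksum mismatch")
        if baseline.get(img["id"]) != img["sha256"]:
            findings.append(f"{img['offset']:#x}: hash differs from baseline")
    return findings

def make_image(code_type, last, payload=b""):
    """Constructed 512-byte sample image; IDs 0xABCD/0x1234 are made up."""
    img = bytearray(b"\x55\xaa\x01") + bytearray(509)  # signature + size in blocks
    struct.pack_into("<H", img, 0x18, 0x1C)  # pointer to the PCIR structure
    struct.pack_into("<4sHH", img, 0x1C, b"PCIR", 0xABCD, 0x1234)
    struct.pack_into("<HHBB", img, 0x2C, 1, 0, code_type, 0x80 if last else 0)
    img[0x40:0x40 + len(payload)] = payload
    img[-1] = -sum(img[:-1]) % 256  # fix-up byte so the image sums to 0 mod 256
    return bytes(img)

# Constructed trusted dump (legacy image followed by EFI image) and its baseline.
GOOD = make_image(0, False) + make_image(3, True)
BASELINE = {i["id"]: i["sha256"] for i in parse_option_rom(GOOD)}
```

The legacy checksum only catches corruption, since anyone who rewrites an image can recompute it; the comparison against hashes taken from a trusted dump is what flags a modified image.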
0

nV GPU vulnerabilities

Just look at the link and be amazed.

  • NVIDIA GPU Display Driver contains a vulnerability in the NVIDIA Control Panel component, in which an attacker with local system access can corrupt a system file, which may lead to denial of service or escalation of privileges.

  • NVIDIA CUDA Driver contains a vulnerability in the Inter Process Communication APIs, in which improper access control may lead to code execution, denial of service, or information disclosure.

  • NVIDIA GPU Display Driver contains a vulnerability in the service host component, in which the application resources integrity check may be missed. Such an attack may lead to code execution, denial of service or information disclosure.

  • NVIDIA GPU Display Driver contains a vulnerability in the DirectX 11 user mode driver (nvwgf2um/x.dll), in which a specially crafted shader can cause an out of bounds access, leading to denial of service.

  • NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, in which a NULL pointer is dereferenced, leading to denial of service or potential escalation of privileges.

  • NVIDIA Linux GPU Display Driver contains a vulnerability in the UVM driver, in which a race condition may lead to a denial of service.

The nVidia Frying GPU update

And that's from a software point of view. If we take hardware BIOS and firmware into account, the mess can be way higher.

Since there are modding tools that can alter BIOS parameters for a video card, you can always go just a little deeper to allow code that is not supposed to exist there to run from it.

Full security CVEs already found here.

Overmind
  • 8,829
  • 3
  • 19
  • 28