A pair of Argentinean researchers has demonstrated a BIOS-level exploit that could let an attacker run a great deal of invisible code—code that would remain installed even if the hard drive were wiped. Much has been made of this last bit, but malware attacks against the Basic Input Output System are anything but new.

The CIH (Chernobyl) virus that first appeared in 1998 was capable of bricking a system by overwriting critical boot code in the computer's BIOS with garbage. Even if you dodged this bullet, CIH's primary payload overwrote the first 1MB of the hard drive. If Chernobyl successfully activated on its trigger date, the best outcome a user could hope for was an apparently wiped hard drive. At worst, system repair involved physically pulling the BIOS chip and installing another.

The advent of write-protected BIOSes, partly in response to CIH, put a damper on firmware-munching malware, but the inherent attractiveness of the BIOS as an attack vector has never vanished. The exploit demonstrated by Anibal L. Sacco and Alfredo A. Ortega, both of Core Security Technologies, is noteworthy and important, but it's not the game-changer some have made it out to be.

The duo presented the details of their BIOS incursion at CanSecWest last week; their presentation is available here (PDF). I haven't seen the full text of their presentation, but the attack as laid out within the document is quite straightforward and relies on the simple fact that a system BIOS can be flashed (upgraded) with a new version. These new versions are installed through several methods—some motherboard companies now ship utilities that will flash a BIOS from within Windows—but one commonality is that the BIOS must be switched to write-allow mode before the attack can be executed. The attack itself consists of dumping the BIOS image with flashrom (a utility for reading, writing, and modifying BIOS flash), making the necessary changes, adjusting all of the checksums so the modified BIOS will verify as authentic (the two credit Pinczakko here), and flashing it back. Voila! One evil BIOS.
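The checksum-adjustment step above is the part worth dwelling on from a defender's side: the checksums a flashing utility verifies are integrity checks against accidental corruption, not authentication, so a modified image that has been re-balanced passes them just fine. The only reliable way to notice a modified image is to compare a fresh dump (for example one read out with flashrom) against a cryptographic hash of the vendor image recorded from a trusted source. The following is an added example, not code from the article or from Core Security; it uses a constructed toy image with a classic 8-bit sum-to-zero checksum as a stand-in for a real BIOS layout, and the baseline hash, `BASELINE`, is assumed to have been recorded from a known-good copy.

```python
import hashlib


def rom_checksum_ok(image: bytes) -> bool:
    """Option-ROM style 8-bit checksum: all bytes sum to 0 mod 256.

    This is the kind of check a flashing utility performs. It only
    catches accidental corruption; any deliberate change can be
    compensated by adjusting another byte, which is why it gives
    no assurance of authenticity.
    """
    return sum(image) % 256 == 0


def sha256_hex(image: bytes) -> str:
    """Cryptographic fingerprint used for comparison against a trusted baseline."""
    return hashlib.sha256(image).hexdigest()


def build_image(payload: bytes) -> bytes:
    """Constructed toy image layout: payload followed by one pad byte
    chosen so that the 8-bit checksum comes out to zero."""
    pad = (-sum(payload)) % 256
    return payload + bytes([pad])


# Constructed stand-in for a vendor-supplied BIOS image.
VENDOR_IMAGE = build_image(b"VENDOR BIOS v1.00 " + bytes(range(64)))

# Assumption: this hash was recorded earlier from a known-good copy of the
# vendor image (for example from the vendor download, not from the machine).
BASELINE = sha256_hex(VENDOR_IMAGE)


def tampered_image() -> bytes:
    """Constructed: flip one payload byte, then rebuild so the pad byte
    re-balances the checksum. Shows that a passing checksum says nothing
    about whether the image is the vendor's."""
    body = bytearray(VENDOR_IMAGE[:-1])  # drop the old pad byte
    body[0] ^= 0xFF                      # the modification
    return build_image(bytes(body))      # checksum passes again


def verify_against_baseline(image: bytes, baseline_sha256: str) -> dict:
    """Run both checks on a dump and report them separately."""
    return {
        "checksum_ok": rom_checksum_ok(image),
        "matches_baseline": sha256_hex(image) == baseline_sha256,
    }


def audit(image: bytes, baseline_sha256: str) -> str:
    """Turn the two checks into the verdict an operator wants to see."""
    result = verify_against_baseline(image, baseline_sha256)
    if result["matches_baseline"]:
        return "matches trusted baseline"
    if result["checksum_ok"]:
        return "checksum passes but image differs from baseline: treat as modified"
    return "checksum fails: image is corrupt or truncated"


def audit_dump_file(path: str, baseline_sha256: str) -> str:
    """Convenience wrapper for a real dump file, e.g. one written by flashrom."""
    with open(path, "rb") as fh:
        return audit(fh.read(), baseline_sha256)


if __name__ == "__main__":
    print("vendor image :", audit(VENDOR_IMAGE, BASELINE))
    print("modified copy:", audit(tampered_image(), BASELINE))
```

The practical takeaway is in `audit`: a dump that passes the firmware's own checksum but differs from the recorded hash is the signature of a re-balanced image, and that condition deserves an alert rather than a shrug. The baseline has to come from somewhere other than the machine being checked, since a dump taken after compromise would simply baseline the modified image.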

Establishing one's secret evil layer in BIOS, as previously mentioned, is a darned good idea. From here, the attacker can theoretically install rootkits, infect any virtual machines running on the main rig, and perform any number of dastardly deeds—all below the OS kernel level. As dangerous as an attack of this nature is, however, there's one overriding factor that makes it unlikely we'll ever see an attack of this sort in the wild. The duo's BIOS hack isn't a bug you can catch by opening the wrong e-mail—it must be installed, either by someone with physical access to the system, or remotely by someone who already has root-level access.

This is not the sort of exploit that anyone bothers with on a grand scale. Not only is it highly impractical, it's also pointless—why go to so much trouble to infect a PC running at a mom-and-pop store if you can spend a hundredth of a cent and send them an infected e-mail they'll open and run? If an organization is genuinely vulnerable to this type of attack, it means one of two things: either the business's IT security is absolutely horrible and has failed on multiple levels, or it's an inside job. Either way, several gates must already have been left open for a system to be exposed to a BIOS-level assault.