
I'm looking for a detailed list of locations that viruses can "hide" in modern hardware even after a reboot.

Some things that come to mind include

  • Boot BIOS/Firmware
  • CPU Microcode
  • Connected PCI components that have a reprogrammable BIOS
  • Some keyboards
  • Hard coded directly into hardware
  • ??Some graphics cards?? <-- speculation
  • BIOS of locally attached printer?? <-- speculation
makerofthings7
    Anything with ROM or EEPROM; anything with ASICs that have not been meticulously checked? Would rely on vulnerabilities in drivers and OS to spread, for sure. I would very much like to see the list of locations where the malware **cannot** hide, though. A nightmarish thing would be malware in HSMs (cue evil cackling and camera zooming to a hand with a fat white cat) – Deer Hunter Dec 15 '12 at 21:00
    Don't forget they can hide in plain sight if they have had a chance to edit your kernel. You wouldn't even see a change in disk space usage. – lynks Dec 16 '12 at 21:59

1 Answer


How about FireWire DMA? FireWire (a.k.a. "IEEE 1394") allows direct memory access by at least some kinds of devices. People have written lots of attack tools for lots of devices over the years, so it should be possible to hide in a FireWire device.

To confirm your PCI device hypothesis, it looks like John Heasman implemented a PCI rootkit, which pretty much has all the properties you'd need to write a virus.

Another place: the ACPI BIOS. John Heasman also seems to have implemented an ACPI rootkit. The presentation gives example code fragments for other evil things.

Bruce Ediger
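The PCI option-ROM hiding place the answer points to (via Heasman's PCI rootkit) is one you can at least inspect: every PCI expansion ROM is a chain of images that each start with a 0x55 0xAA signature and point to a "PCIR" data structure carrying vendor/device ID, image length, code type and a last-image flag. The following is an added example, not code from the original post or from Heasman's work: it walks that chain over a dump, checks that legacy x86 images still sum to zero as the spec requires, flags lengths or pointers that run off the end of the dump, and hashes each image so it can be compared with a dump from a known-good card. The ROM bytes it runs on are constructed here for illustration; the vendor/device IDs in them are placeholders, not a real product.

```python
"""Walk the image chain of a PCI expansion (option) ROM dump and flag anomalies.

Added example for this page; the ROM bytes below are constructed, not from a real card.
"""
import hashlib
import struct

ROM_SIGNATURE = 0xAA55            # bytes 0x55 0xAA at the start of every image
PCIR_SIGNATURE = b"PCIR"
CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}


def parse_option_rom(rom: bytes) -> list:
    """Return one dict per image; an empty 'problems' list means the image looks well-formed."""
    images, offset = [], 0
    while offset + 0x1A <= len(rom):
        problems = []
        sig, = struct.unpack_from("<H", rom, offset)
        if sig != ROM_SIGNATURE:
            problems.append("bad ROM signature 0x%04X at offset 0x%X" % (sig, offset))
            images.append({"offset": offset, "problems": problems})
            break
        pcir_ptr, = struct.unpack_from("<H", rom, offset + 0x18)
        pcir = offset + pcir_ptr
        if pcir + 0x18 > len(rom) or rom[pcir:pcir + 4] != PCIR_SIGNATURE:
            problems.append("PCI Data Structure missing or out of range for image at 0x%X" % offset)
            images.append({"offset": offset, "problems": problems})
            break
        vendor, device = struct.unpack_from("<HH", rom, pcir + 0x04)
        length_units, = struct.unpack_from("<H", rom, pcir + 0x10)
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        length = length_units * 512
        end = offset + length
        if length == 0 or end > len(rom):
            problems.append("declared image length %d bytes exceeds the %d-byte dump" % (length, len(rom)))
            end = len(rom)
        image = rom[offset:end]
        if code_type == 0:
            # Legacy x86 images must sum to zero (mod 256) over their initialization size,
            # given at byte 2 in 512-byte units. A patched byte without a recomputed pad shows up here.
            init_len = rom[offset + 2] * 512
            if init_len > len(image):
                problems.append("initialization size %d exceeds image" % init_len)
            elif sum(image[:init_len]) & 0xFF:
                problems.append("x86 image checksum is nonzero")
        images.append({
            "offset": offset, "vendor": vendor, "device": device, "length": length,
            "code_type": CODE_TYPES.get(code_type, "unknown (0x%02X)" % code_type),
            "last": bool(indicator & 0x80),
            "sha256": hashlib.sha256(image).hexdigest(),   # compare against a known-good vendor dump
            "problems": problems,
        })
        if indicator & 0x80:
            break
        offset = end
    if not images:
        images.append({"offset": 0, "problems": ["dump too short to hold a ROM header"]})
    return images


def build_image(code_type, vendor, device, length_units, last, tamper=False) -> bytes:
    """Construct a minimal spec-shaped image (test data only; carries no executable code)."""
    img = bytearray(length_units * 512)
    struct.pack_into("<H", img, 0x00, ROM_SIGNATURE)
    img[0x02] = length_units                          # initialization size (legacy field)
    pcir = 0x40
    struct.pack_into("<H", img, 0x18, pcir)           # pointer to PCI Data Structure
    img[pcir:pcir + 4] = PCIR_SIGNATURE
    struct.pack_into("<HH", img, pcir + 0x04, vendor, device)
    struct.pack_into("<H", img, pcir + 0x0A, 0x18)    # PCIR structure length
    struct.pack_into("<H", img, pcir + 0x10, length_units)
    img[pcir + 0x14] = code_type
    img[pcir + 0x15] = 0x80 if last else 0x00
    img[-1] = (-sum(img[:-1])) & 0xFF                 # pad byte so the image sums to zero
    if tamper:
        img[0x100] ^= 0x01                            # simulate a planted byte with no checksum fix-up
    return bytes(img)


# Constructed sample: a legacy x86 image followed by an EFI image; 0x1234/0x5678 are placeholder IDs.
SAMPLE_ROM = (build_image(0, 0x1234, 0x5678, 2, last=False)
              + build_image(3, 0x1234, 0x5678, 4, last=True))
TAMPERED_ROM = build_image(0, 0x1234, 0x5678, 2, last=True, tamper=True)

if __name__ == "__main__":
    for label, rom in (("clean", SAMPLE_ROM), ("tampered", TAMPERED_ROM), ("truncated", SAMPLE_ROM[:700])):
        print(label)
        for img in parse_option_rom(rom):
            print("  ", img)
```

On Linux a real dump to feed `parse_option_rom` comes from sysfs: write `1` to `/sys/bus/pci/devices/<domain:bus:dev.fn>/rom` to enable the ROM BAR, then read that file. Two caveats apply. A zero checksum only proves the author of a modified image remembered to fix the pad byte, so the hash comparison against a trusted dump is the stronger signal. And the read goes through the device itself, so firmware that has been compromised can, in principle, serve a clean copy; a mismatch is evidence, a match is not proof.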