
Are there any known instances of malware persisting past a drive wipe and reinstall, through modified bios, or firmware on one of the machine components?

Phillip Nordwall
  • Sorry, I'm too knackered to write a proper answer (4:30am here LOL), so a comment with a link to an IMO [interesting article](http://www.theverge.com/2012/8/1/3212820/persistent-undetectable-malware-black-hat-2012) will have to do for the time being. It's about a _Black Hat 2012_ presentation by Jonathan Brossard, and includes some additional links and a complete 70-slide _Def Con 20_ presentation. A small _antipasto_ before someone drops a proper answer. Cheers! ;) – TildalWave May 26 '13 at 02:32
  • [Yes](http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/). – Adi May 26 '13 at 06:09
  • Actually, I'm rather curious whether it makes sense to make such malware - both for APTs and kiddies. Even as a way to inflict financial losses it may be not really successful. – Deer Hunter May 26 '13 at 08:21

1 Answer


Yes, there are at least several instances of lab-based malware which is capable of infecting firmware and BIOS, and at least one rootkit in the wild (Mebromi, as Adnan pointed out in his comment). They are still pretty rare, but they do exist.

AJ Henderson
  • Any examples of these? – Cybergibbons May 26 '13 at 07:52
  • There's some [new research that shows the TPM can be used to rootkit the BIOS](http://www.darkreading.com/vulnerability/bios-bummer-new-malware-can-bypass-bios/240155473), and [Mebromi](http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/) as AJ and Adnan already mentioned. – Polynomial May 26 '13 at 11:57
  • @Polynomial - ok, now that's officially scary (that the TPM can rootkit the bios) – AJ Henderson May 26 '13 at 18:05
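
The practical follow-up to this thread is how you would notice that a BIOS/firmware image has been modified. The script below is an added example, not code from the question, the answer or any of the linked research: it compares a fresh flash dump against a trusted baseline region by region, so that regions the firmware legitimately rewrites at runtime (NVRAM, UEFI variable stores) are reported separately from a change in code regions, which is the signal you actually care about. The region layout, image size and sample images are all constructed for the example; on a real board the layout comes from the flash descriptor or vendor documentation, and the dump should be taken with an external programmer, since firmware that is already compromised can lie to a software reader running on the same machine.

```python
"""Region-aware comparison of two SPI flash dumps (added example, hypothetical layout)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    name: str
    start: int       # byte offset, inclusive
    end: int         # byte offset, exclusive
    volatile: bool   # True: the firmware itself rewrites this region (NVRAM, logs)


# Hypothetical layout for a 64 KiB toy image. Real parts are 8-32 MiB and the
# layout must be taken from the flash descriptor / vendor documentation.
IMAGE_SIZE = 0x10000
LAYOUT = (
    Region("descriptor", 0x0000, 0x1000, volatile=False),
    Region("nvram",      0x1000, 0x3000, volatile=True),
    Region("bios_code",  0x3000, 0xF000, volatile=False),
    Region("boot_block", 0xF000, 0x10000, volatile=False),
)


def region_hashes(image: bytes, layout=LAYOUT) -> dict:
    """SHA-256 of each region; these values are what you store as the baseline."""
    return {r.name: hashlib.sha256(image[r.start:r.end]).hexdigest() for r in layout}


def compare_dumps(baseline: bytes, current: bytes, layout=LAYOUT) -> dict:
    """Compare a fresh dump against a trusted baseline, region by region.

    Only non-volatile regions count as evidence of tampering. NVRAM-style
    regions are reported separately so that legitimate variable writes do
    not drown out a real change to the code regions.
    """
    if len(baseline) != len(current):
        return {"size_mismatch": True, "modified": [], "volatile_changed": []}
    base_h = region_hashes(baseline, layout)
    cur_h = region_hashes(current, layout)
    modified, volatile_changed = [], []
    for r in layout:
        if base_h[r.name] == cur_h[r.name]:
            continue
        (volatile_changed if r.volatile else modified).append(r.name)
    return {"size_mismatch": False, "modified": modified, "volatile_changed": volatile_changed}


def _fill(size: int, seed: bytes) -> bytes:
    """Deterministic filler so the constructed sample images are reproducible offline."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])


def make_sample_images():
    """Constructed images: (trusted baseline, legitimate NVRAM change, patched code region)."""
    baseline = _fill(IMAGE_SIZE, b"constructed-baseline")

    legit = bytearray(baseline)
    legit[0x1200:0x1210] = b"\x00" * 16       # a UEFI variable write inside nvram: expected noise

    tampered = bytearray(legit)
    tampered[0x4000:0x4008] = b"\x90" * 8     # 8 patched bytes inside bios_code: the real signal
    return baseline, bytes(legit), bytes(tampered)


if __name__ == "__main__":
    base, legit, tampered = make_sample_images()
    print("legit   :", compare_dumps(base, legit))
    print("tampered:", compare_dumps(base, tampered))
```

The point of splitting by region is that a whole-image hash of a real dump will differ from the baseline on almost every boot because of variable writes, so it teaches people to ignore mismatches. Hashing the code and boot-block regions separately keeps that check meaningful, and a `size_mismatch` result usually means the dump was taken from a different part or with a different tool rather than that the firmware changed.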