October 15th, 2014 18:00

BIOS Virus Verification

I was recently the victim of a major hack where all my home systems were infected at the same time. Part of the hack included planting a virus in the BIOS of at least 2 of my systems, causing me to have to replace the motherboards (so far in 3 systems). I'm now trying to verify that the BIOS on 2 of my Dell systems has not been altered, but I cannot find a utility to back up the BIOS to verify it.

Is there a hidden switch or other way to "back up" the BIOS with the BIOS flash program so I can compare it to a known good BIOS file?

9 Legend

 • 

47K Posts

October 16th, 2014 00:00

There are no BIOS viruses. There ARE viruses that can damage the BIOS and brick the machine. The urban legend about BIOS viruses involves ReadyBoost storage and/or flash storage that is not the actual BIOS but does have FAT32 storage diags. There is no such thing as a BIOS backup utility. Dell BIOS for quite a few years has been more than just a simple ROM. SMBIOS tables and the BIOS itself are embedded with security certificates in serial EEPROMs and other non-flat file systems. Less than one per cent of SERVER boards shipped have the issue. Systems using an iDRAC Express or iDRAC Enterprise card will not be damaged. In fact systems will only be hit if you run an update to either Unified Server Configurator (USC) or 32-bit Diagnostics.

October 16th, 2014 16:00

Speedstep, sorry to tell you, but yes, there are indeed BIOS viruses out there. No, the virus does not brick the system (it wouldn't do the hacker any good if it did). Kits for Chinese-made computers (like Lenovo) and Dell systems are currently in the wild. I had 2 VERIFIED infected Lenovo BIOS viruses from this attack. It appears from the way the BIOS was altered that the kits include a library of BIOS images. Once a system is determined to match one in their library, the BIOS is flashed in. In addition, it is not possible to just reflash the BIOS to remove the virus. The system has to load the BIOS before it can boot anything (even if it's just a BIOS recovery CD or even a floppy), which loads the virus along with it. During the flash process, it reattaches to the BIOS and stays in the system.

I am also not saying this type of attack is easy. I ran a web/mail server under VMware. The attackers broke into that, then used an exploit in VMware 3 that allowed them to run privileged arbitrary code on the host system. Once they were there, they had free run of my LAN. Every system I had active on the LAN was infected with some kind of virus. 2 Lenovo systems (the same model) had their BIOS patched with the virus. I did not trust the Dell server motherboard at this point, but it was cheaper to replace the motherboard than the time it took to verify the BIOS (again, this is not an easy thing with Dell). At least for now, since the average home user doesn't run a server, this attack isn't possible. My fear is that sometime in the near future, they will figure this out.

While it's true that Dell does not provide a BIOS backup utility, many other manufacturers' BIOS flash utilities do include the option of saving the current BIOS to a file (and I have been using them to compare the system BIOS to the BIOS file from the manufacturer).

And to be clear, we are not talking about modern UEFI BIOS. The 2 Dell systems I want to verify are a Precision 530 MT and an Optiplex GX280.

November 12th, 2014 20:00

No one from Dell to chime in on this?


I was able to extract the running BIOS from 2 systems in question as well as extract the BIOS image file from the BIOS updater, but without assistance from Dell, it is difficult to determine if the BIOS is clean or not. There are differences between a BIOS update image and the running BIOS in a system (system configuration, serial number, express code, etc) so the files will never match 100%, but the question is where are the normal differences and what would constitute tampering?

9 Legend

 • 

47K Posts

November 13th, 2014 09:00

There are not and have never been ANY Bios Viruses.  There have been viruses that killed bios but not viruses that reside in bios.

"I had 2 VERIFED infected Lenovo BIOS viruses from this attack."

This is the Dell Forum not Lenovo forum.

The one instance where this was reported was malware on flash storage used for diagnostics on a power edge server board.

The proof question is on you to prove that it exists at all, and if it does you would have to explain the exact model and the nature of the code. The BIOS can only be corrupted or damaged, not infected. And there are no vectors into modern GPT UEFI BIOS.

US CERT and Dell have no such instance of BIOS virus. References to the Service Tag being written into the bios are also bogus. This is not where that information resides. Hint I2C bus.

http://www.atmel.com/Images/doc0180.pdf


November 13th, 2014 17:00

Speedstep, I can only agree with you on one thing: you are correct, this is not a Lenovo support board. I mentioned the 2 Lenovo systems because they in fact were hit by hackers that altered the BIOS. I have since discovered that 2 HP systems (one desktop, one laptop) and an IBM system also had their BIOS altered.

You also seem to not understand I am NOT talking about UEFI BIOS, nor Windows 8, which I mentioned in my post. And what is your point about placing a photo of the physical chip pinouts?  US CERT and Dell have no instances of a BIOS "virus"? Did you ever think of the possibility this is a new kind of attack?

You are also focusing on the word INFECTED. You say they can only be corrupted or damaged (isn't that really the same thing?), but you say nothing about ALTERING, which, again, is my question.

Yes, this is not a Lenovo, HP, or IBM support board, yet you want proof of this virus. I can provide you copies of the BIOS from those systems as proof, but this isn't a non-Dell board, right? My question was to ask if someone could help with VERIFYING my DELL BIOS to DETERMINE if they had been altered. Yet you want to make this a flame about BIOS viruses (or the non-existence of them). But if I have 3 other manufacturers' systems with altered BIOS, what makes you think Dell is immune?

If you can help, GREAT! I really do appreciate it.  If you can't, turn your flame off and go do some research on infected (I guess I should be clear and say altered) BIOS.

254 Posts

November 14th, 2014 07:00

Running such old, outdated hardware is a bad guy's dream, especially if you are running XP or an even older OS on them.

If BIOS updates are still available for such old machines, why not just download them and flash them to be "safe"?

9 Legend

 • 

47K Posts

November 14th, 2014 08:00

Your claims of BIOS Virus are false. There also does not exist a one size fits all bios for all chipsets and all processors and all Dell Models.

I have yet to see a Dell Model number for example that you want confirmation on. 

"You are also focusing on the word INFECTED. You say they can only be corrupted or damaged (isn't that really the same thing?)"

No, it's not the same thing. A corrupted or damaged BIOS will not POST, nor will it boot. There is a specific reason why, but I'm not going to entertain the existence of said "virus" without code examples. I have written BIOS for machines and do know the code involved. Your claims seem to go as far as an infected BIOS that allows TCP/IP internet access to the hard drive and OS. All of that however is unproven and false. You completely glossed over the service tag NOT being saved in the BIOS. The BIOS for a specific model is ALWAYS the same regardless of the service tag, because that information is not in the BIOS; it's elsewhere, as are hard drive passwords and other parameters. This is also why you cannot move a hard drive that has a BIOS password to another machine, because it too will insist that you provide the password before booting.

Providing copies of the BIOS is not the issue. What code are you referring to? The actual bytes in the BIOS, line by line, that comprise the supposed "virus", as well as the address locations of the virus in the BIOS.

You would also need to provide confirmation from HP or LENOVO etc of said "Virus" which they would have in a security report.

You will not however get this from Any vendor because it does not exist.


Community Manager

 • 

54.3K Posts

November 14th, 2014 18:00

Instead of debating the existence or non-existence of bios virus, thought should be given to correcting the issue.

We cannot analyze your bios files or back them up. We do not have the tools to do this. All I can say is from a working system, download the latest Bios for the specific model from our File Library to a bootable disk or USB drive. Then attempt to boot from them and flash the Bios.

Precision 530
BR88830.exe
This file contains a compressed (or zipped) set of files. Download the file to a folder on your hard drive, then double-click it to unzip the set of files. Follow the instructions to complete the installation.

Optiplex 280
GX280A08.EXE
This file format consists of a BIOS-executable file. To use it, download the file and copy it to a DOS-bootable USB flash drive, then boot the system to the USB flash drive and run the program.

November 21st, 2014 22:00

Thank you, Chris, for bringing some sanity to this question.

To Eternalozzle, unfortunately, it isn't possible to just reflash the BIOS. Since you need to boot with something to get the BIOS flashed, the "virus" gets loaded and reattaches itself during the flash process. Not only have I found this in my searches, I watched it happen first-hand when I tried to reflash a Lenovo system in hopes that would solve the issue. There were actually error messages displayed during POST of unauthorized BIOS alterations being attempted and then succeeding. Yes, using older systems (non-UEFI) is apparently more dangerous than thought. It wasn't like these systems were running XP though: fully patched Windows 7 with running antivirus software. Before this happened, I too would have thought it highly unlikely for the BIOS to be altered in a way that didn't leave the system bricked.

I am aware Dell neither has nor supports backing up the BIOS (but, unlike a statement made, other manufacturers do back up the current running BIOS to a file before flashing). I did, however, locate tools to allow me to do just that, so I do have a BIOS image available for analysis. I have also extracted the BIOS file from the Dell flash utilities you listed and did a binary comparison. There are somewhere in the neighborhood of 300 bytes different between the files. My hope was that someone at Dell could verify those differences were part of normal BIOS areas that are different from machine to machine and not due to an alteration.

I have a Sony VAIO system that is using a 3rd party customized BIOS. I was able to track down the author who not only gave me instructions on how to extract it from the system, but analyzed it to verify it was not altered (this also had around 300 bytes difference). It was explained that the differences were due to system configuration, serial numbers, BIOS user settings, etc.  He did find this system was not altered. We both agreed had it been altered, because it was a 3rd party BIOS, it would either have bricked the system due to nearly the entire flash BIOS area being used, or there would be an indication the BIOS would have reverted to a factory version.

I do agree with one thing: it's likely a one-size-fits-all BIOS alteration does not exist. The 2 Lenovo systems that were hacked actually had older revisions than what had been present. Additionally, the 2 systems both initially had the same revision levels, but not only did they have older revisions, they were different. My suspicion is that one was for 32-bit and one was for 64-bit Windows 7 (that was the only difference between the 2 systems). Apparently, the hackers are building a library of BIOS images and when they find a system that fits one, they flash it. The only anomaly with this was an HP laptop that had over 40K of differences, which on the surface should have bricked the system. But many of the HP systems have 1 MB of flash memory, while the actual BIOS images were much closer to 512K, leaving plenty of space to put in a jump vector.

If the engineers at Dell believe that taking a BIOS image from a working system and comparing it to the one used in the flash utility would show a small number of differences (say around 300 bytes), then these are probably clean.
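The comparison described in the November 12th and November 21st posts above (a dump of the running BIOS against the image unpacked from the vendor updater, and the question of which differences are normal per-machine data and which would count as tampering) can be made more precise than a raw byte count. The script below is an added example, not code from any poster, from Dell, or from any vendor tool. It assumes both files are raw, uncompressed flash images of the same size (a legacy 64 KiB ROM, as could be read with a tool such as `flashrom -p internal -r dump.bin`); the images it runs on are constructed inside the script, and their layout, strings and the injected module are illustrative, not taken from any real system. The two structural checks it adds are generic x86/legacy-BIOS facts rather than anything Dell-specific: the reset vector lives in the last 16 bytes of the image (mapped at physical 0xFFFFFFF0), and an expansion-ROM module starts with 0x55 0xAA on a 512-byte boundary, carries its size in 512-byte blocks in the third byte, and must byte-sum to 0 mod 256.

```python
"""Compare a BIOS image dumped from the running system against the image
extracted from the vendor's update package, and summarise the differences.
Added example, not code from any poster, Dell or any vendor tool.  Assumes
both files are raw, uncompressed flash images of identical size; the test
images built below are constructed, not taken from any real system."""
import random

GAP = 16      # differing offsets closer than this are reported as one run
BLOCK = 512   # legacy expansion ROMs start on 512-byte boundaries


def diff_runs(ref, dump, gap=GAP):
    """Return (offset, length) spans where the images differ, merging
    differing bytes that lie within `gap` bytes of each other."""
    if len(ref) != len(dump):
        raise ValueError("size mismatch: %d vs %d bytes" % (len(ref), len(dump)))
    runs, start, last = [], None, None
    for i, (x, y) in enumerate(zip(ref, dump)):
        if x == y:
            continue
        if start is None:
            start = last = i
        elif i - last > gap:
            runs.append((start, last - start + 1))
            start = last = i
        else:
            last = i
    if start is not None:
        runs.append((start, last - start + 1))
    return runs


def looks_textual(chunk):
    """Heuristic: service tags and DMI strings are printable ASCII; code is not."""
    printable = sum(1 for b in chunk if 0x20 <= b < 0x7F or b == 0)
    return printable >= 0.8 * len(chunk)


def option_roms(img):
    """Locate uncompressed expansion-ROM modules: 0x55 0xAA on a 512-byte
    boundary, third byte = size in 512-byte blocks, byte sum 0 mod 256.
    Returns (offset, size, checksum_ok) tuples."""
    roms = []
    for off in range(0, len(img) - 2, BLOCK):
        if img[off] == 0x55 and img[off + 1] == 0xAA:
            size = img[off + 2] * BLOCK
            if size and off + size <= len(img):
                roms.append((off, size, sum(img[off:off + size]) % 256 == 0))
    return roms


def compare(ref, dump):
    """How `dump` differs from `ref`: byte count, runs tagged text/binary,
    whether the x86 reset vector (last 16 bytes of the image, mapped at
    0xFFFFFFF0) changed, and expansion-ROM modules that `ref` lacks."""
    runs = diff_runs(ref, dump)
    return {
        "changed_bytes": sum(1 for x, y in zip(ref, dump) if x != y),
        "runs": [(off, n, "text" if looks_textual(dump[off:off + n]) else "binary")
                 for off, n in runs],
        "reset_vector_changed": ref[-16:] != dump[-16:],
        "new_option_roms": [r for r in option_roms(dump) if r not in option_roms(ref)],
    }


def make_reference(size=64 * 1024):
    """Constructed stand-in for a vendor image: pseudo-random filler (kept free
    of 0x55 0xAA), a DMI-style string area, zeroed defaults, unused 0xFF flash
    and a reset vector `jmp F000:E05B` (EA 5B E0 00 F0) in the last 16 bytes."""
    rng = random.Random(1)
    filler = bytes(rng.getrandbits(8) for _ in range(size)).replace(b"\x55\xAA", b"\0\0")
    img = bytearray(filler)
    img[0x1000:0x1020] = b"Service Tag: XXXXXXX\0".ljust(32, b"\0")
    img[0x2000:0x2004] = b"\0\0\0\0"
    img[0xC000:0xF000] = b"\xFF" * 0x3000
    img[-16:] = b"\xEA\x5B\xE0\x00\xF0" + b"\xFF" * 11
    return bytes(img)


def make_clean_dump(ref):
    """Same image after the factory wrote a service tag and a few setup
    defaults changed: a handful of bytes, all in string/data areas."""
    img = bytearray(ref)
    img[0x1000:0x1015] = b"Service Tag: 7G3K2Q1\0"
    img[0x2000:0x2004] = b"\x01\x00\x03\x01"
    return bytes(img)


def make_tampered_dump(ref):
    """Clean dump plus a 512-byte module dropped into free flash and the reset
    vector redirected into it (what a 'jump vector' patch looks like in a dump)."""
    img = bytearray(make_clean_dump(ref))
    rom = bytearray(b"\x55\xAA\x01" + b"\x90" * 509)   # valid header + NOP body
    rom[-1] = (-sum(rom[:-1])) % 256                    # make the checksum pass
    img[0xC000:0xC200] = rom
    img[-16:-11] = b"\xEA\x03\xC0\x00\xF0"              # jmp F000:C003
    return bytes(img)


if __name__ == "__main__":
    ref = make_reference()
    for name, dump in (("clean", make_clean_dump(ref)), ("tampered", make_tampered_dump(ref))):
        print(name, compare(ref, dump))
```

Run as-is it reports two dumps: the clean one differs in one short printable run (the service tag) and a few configuration bytes, with the reset vector and the module list unchanged; the tampered one adds a 512-byte module the reference does not contain and moves the reset vector, which is the kind of difference that would merit alarm rather than the small string and config deltas the thread describes. Against a real legacy image the text heuristic only helps once the update package has been unpacked to the same raw layout as the dump, and modules stored compressed inside Award or AMI images are invisible to the option-ROM scan, so an empty `new_option_roms` list is evidence, not proof.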

9 Legend

 • 

47K Posts

November 25th, 2014 07:00

"Speedstep, sorry to tell you, but yes, there are indeed BIOS viruses out there."

"No, the virus does not brick the system (it wouldn't do the hacker any good if it did)."

Circular logic is used on this because you start out saying you had to replace motherboards.

"Kits for Chinese-made computers (like Lenovo) and Dell systems are currently in the wild."


1.  If they are out there how many are there?
There are in fact None.

2.  what are the viruses Names.

They have no names because they do not exist.

3.  what do the viruses do?

They do nothing because they do not exist.

4.  Kits?  For which specific Lenovo and Dell systems?  What model number?

There are no examples or vendor service reports of this because they do not exist.

9 Legend

 • 

47K Posts

November 25th, 2014 07:00

Hard drives with infected partitions are not a BIOS virus. Nor are BIOS update executables infected with viruses. There is no virus that resides in BIOS, let alone "comes back" from BIOS after removal. Revision levels and incorrectly identifying that the service tag is flashed in BIOS are also not proof of a BIOS virus. You keep saying Dell with BIOS virus, then mixing and matching Lenovo systems, HP systems, Sony Vaio systems and then changing again to an HP laptop virus. You have no service bulletin from any vendor validating that BIOS viruses are occurring. You have a lot of buzz words but no actual code and/or proof of ANY BIOS virus.

Nor do you say what the supposed virus does. "HP laptop that had over 40K of differences, which on the surface should have bricked the system." Again you don't say what the code is, or the location of the code, and what it supposedly does. "while the actual BIOS images were much closer to 512K, leaving plenty of space to put in a jump vector." "Jump vector" to what? That does what? First you say Lenovo, then you say no wait, it's an HP laptop. "system configuration, serial numbers, BIOS user settings, etc." are not stored in the BIOS ROM chip. "(say around 300 bytes)" 300 bytes of what? You have yet to post one code example of said virus and/or explain what it does. The only reason to keep slogging on about BIOS virus is to be the boy who cried wolf. The underlying reasoning is that if you can convince people that something in BIOS or some other part of their computer exists when it in fact does not, you can then extort money from them to remove that which was never there in the first place.

121 Posts

January 21st, 2015 14:00

All three (of my) laptops were infected on the same day. I believe they may have used some other malware to obtain their directive. I'll have to replace the MOBOs of these three laptops to hopefully prevent another infection. The Black Hat paper stated that turning LoJack off simply prevents the callback. I doubt it stops anything on a BIOS INFECTED machine.

Dagra

121 Posts

January 21st, 2015 14:00

Mebromi

Google it!

Dagra

121 Posts

January 21st, 2015 14:00

www.tomshardware.com/.../19603395

www.absolute.com/.../absolute-refutes-claims-of-bios-vulnerability

I'm here to tell you that BIOS infections occur. I have 2 Dell Studio laptops that each have a virus that withstands a complete zero-write of the HDD and flashing the BIOS. In my case it is due to a vulnerability in LoJack (aka Computrace) that allows a hacker to misdirect the IP address of the callback to LoJack to a server of their liking, where they can then inject code into the BIOS to insert a keylogger. And patch these vulnerabilities which infected $6,000 of my laptops!

Dagra

9 Legend

 • 

47K Posts

January 22nd, 2015 05:00

Mebromi is a supposed hack of MBR code for 2006 Award BIOS. I'm not in China so I have no way to find out if this is true or not. You do not have a BIOS infection. There are no model numbers, version numbers or code examples to date, because they do not exist, let alone a "vulnerability in LoJack aka Computrace". This is also FUD. False. Post your code proof, including where in the BIOS said virus exists. Formatting does not remove partition-level viruses. "ip address of the callback to lojack to a server of their liking, where they can then inject code into the BIOS to insert a keylogger." BIOS can be damaged by malware but it cannot be "infected" with a virus.

http://home.mcafee.com/Store/PackageDetail.aspx?pkgid=336
