Researchers unveil persistent BIOS attack methods
Cthulhu
March 27th, 2009, 15:15
Quote:
Apply all of the browser, application and OS patches you want, your machine still can be completely and silently compromised at the lowest level--without the use of any vulnerability.
http://threatpost.com/blogs/researchers-unveil-persistent-bios-attack-methods
I'd like to have a copy of this P.O.C.

reverser
March 27th, 2009, 17:43
"... you need either root privileges or physical access to the machine in question...", yawn.
cli3nt
March 28th, 2009, 12:01
https://www.rootkit.com/board.php?thread=13123&did=edge0&disp=13123
Ricardo Narvaja
March 28th, 2009, 22:10
I hear so many comments on this topic from:
1) People who didn't see the presentation
2) People who were present at the presentation but didn't hear or didn't understand the topic.
3) People who repeat what others tell them (papers, press, etc.)
The commentary at this link is obviously from a person who didn't hear the presentation (maybe he was present but didn't understand anything).
He is disappointed by the researchers' lack of acknowledgment of previous work on this topic, and didn't hear both of them say in the presentation: "this is not the first approach to this topic; there are previous and good approaches, but we make a more general attack, and our attack works on any OS and on any (or most) BIOSes, of different brands, while previously there were more non-generic approaches."
In the first line of this presentation the researchers say that root privileges from a previous exploit, or physical access, are necessary to make the exploitation work.
These are the real points I heard and understood at the conference (I heard the conference in Spanish, hehehe), and it is good work from Alfredo and Anibal, making a general attack on the BIOS, from different OSes and brands.
CONGRATULATIONS ANIBAL AND ALFREDO
GOOD WORK
ricnar
Ricardo Narvaja
March 28th, 2009, 22:36
I see, he only read a little PDF with the basic guidelines, and doesn't have any info at all, and didn't hear the conference, and has a formed opinion; that is not a serious thing.
ricnar
NCR
March 30th, 2009, 07:15
Quote:
[Originally Posted by reverser;79880]"... you need either root privileges or physical access to the machine in question...", yawn.
Yes, and what's the matter? This is a post-exploitation technique. Once you have exploited a machine and you have access, you want to survive on that machine, and installing a BIOS rootkit is the best way because you can't eradicate the BIOS rootkit by running an AV or anti-rootkit.
I think this is a new presentation about BIOS rootkits with a new ingredient: universal patching for all BIOSes around the globe.
Just that! My 2 cents!
evaluator
March 30th, 2009, 13:32
I don't understand why even a BIOS rootkit's presence in memory can't be found (if R0 access is granted)??
Invisible code?? Huh..
NCR
March 30th, 2009, 13:57
Because the shellcode runs just one time, in the BIOS, before the OS, and you can patch whatever you want to gain SYSTEM privileges or root privileges.
[EDIT] Sorry, the shellcode runs not just once, but every time you restart the machine.
Ricardo Narvaja
March 30th, 2009, 16:28
And you can disable antivirus and firewalls before the OS starts (changing patterns of bytes on the HD).
evaluator
April 1st, 2009, 15:48
Guys! I'm talking about another thing..
YOU are talking about what-rootkit-can-do
I'M talking: WHY does someone think a BIOS rootkit (or any) CAN'T be found??
Incorrect assumption..
NCR
April 1st, 2009, 17:18
Ah, OK, sorry!
Ricardo Narvaja
April 2nd, 2009, 04:55
The BIOS rootkit can be found, obviously, but the rootkit has the first move and can disable any tool made for this before the OS boots; only if you make a custom tool or a new tool, unknown to the rootkit, can it not be disabled.
The rootkit can have a table with the patterns of antivirus tools, rootkit searchers, etc., and replace the bytes in each one to disable all these tools before the OS starts.
ricnar