BIOS rootkits a logical next step

Hello malware fighters,

Attacks by insiders and corporate data theft can be much harder to detect when malicious code can be hidden inside the Basic Input/Output System (BIOS) of the computer.
ACPI (Advanced Configuration and Power Interface) has a language of its own that can be misused for this purpose. BlackHat researchers have investigated the possibilities for rootkit techniques there.
Rootkits are a growing threat; BIOS rootkits will be just a logical next step. Is the 1986 Chernobyl Virus now given rootkit wings?

polonus

Most better boards have flash protection. CMOS clearing can be done by changing the CMOS_CLR jumper or by removing the battery. There is no other place to store any kind of info as far as I can tell (leaving RAM and HDD aside).

I also doubt this thing is likely to happen, though for other reasons.

eEye BootRoot was a project presented at Black Hat USA 2005 by Derek Soeder and Ryan Permeh of eEye Digital Security. What they sought was to explore and implement technology that custom boot sector code could use to subvert the Windows NT-family kernel as it loads. To their knowledge, such technology had not previously been publicly demonstrated.

eEye BootRootKit is a manifestation of this technology – a removable-media boot sector that situates itself to regain execution later, as Windows is loading, and then seamlessly continues the boot sequence from hard drive 0. The basic concept employed is to hook INT 13h and “virtually patch” the Windows OS loader as it’s read from disk, then leverage this patch to hook into NDIS.SYS after it has been loaded into memory and validated.

The hook function’s purpose is simple: scan all incoming Ethernet frames for a signature in a specific location, and execute code (with kernel privileges) from any matching frame. The RSoD2 demo gives a very simple display of this capability, by patching NTOSKRNL.EXE in memory and causing a “red screen of death” kernel crash. Try sending the packet to a closed UDP port on a firewalled machine running BootRootKit, or use the broadcast address!

Source of info: www.governmentsecurity.org

polonus