Pre-Boot Malware Prediction

The National Institute of Standards and Technology (NIST) has released a draft version of their security guidelines for locking down the Basic Input/Output Systems (BIOS).  Exploitation of this and other Non-Volatile RAM and EEPROMs are my prediction for 2012.  I’ve seen a couple of malware reports from the lab and a sample that tried to hide its existence by writing to hard to reach areas, like the GPU and video RAM, and have been holding my breath hoping that these areas remain free of mainline cruft.  APT anyone?

Imagine a rootkit, but instead of writing its bootstrap code into the Master Boot Record of your hard drive, it flash updates your BIOS.  Who scans their BIOS?  Who wants to?  Soon you may need to scan every single chip and component in your system in order to ensure that these code monkeys haven’t tapped your keyboard.  The BIOS is initialized and loaded well before the Operating System, and any code that was written there would be potentially invisible to A/V products.

The BIOS Integrity Measurement Guidelines aim to help detect changes to system configuration and changes to BIOS code that could be used to let malware execute during the boot-up process.  NIST is welcoming comments on the draft document through January 20, 2012.  This guidance is directed more at developers than end-users.  Like most NIST guidance, it is recommendation, and not mandatory.