Question Can BIOS Virus be transmitted outside of BIOS update?

Status
Not open for further replies.

Justcicia

Prominent
Oct 15, 2022
77
0
530
Good day. I want to learn about BIOS viruses, which is why this forum was recommended to me. I have a few questions:
-Can BIOS viruses be transmitted outside of a BIOS update?
And if this BIOS virus infects disks or usb or connected devices from BIOS:
-Can it jump directly to the BIOS of the devices?

-Can it infect the BIOS without an update?

-Can it throw itself into the BIOS with an update?

-Can it update the BIOS when it looks like a normal file and opens it?

-Or, when we come across a normal file and run that file, or even if we don't run it, can a virus infect us by updating the BIOS because we ran that file? I want to get the most accurate information, so I would be glad if someone who is a real expert in this could help.
 

Colif

Win 11 Master
Moderator
translation:
Have a nice day. I want to know about BIOS virus and that's why they suggested me this forum. Now I have a few questions:
-Can BIOS viruses be transmitted outside of a BIOS update?
And if this BIOS virus infects disks or usb or connected devices from BIOS:
-Can it jump directly to the BIOS of the devices?

-Can it infect the BIOS without an update?

-Can it throw itself into the BIOS with an update?

-Can it update the BIOS when it looks like a normal file and opens it?

- Or when we come across a normal file and run that file, even if we don't run it, can we get a virus by updating the BIOS because we are running that file? I want to get the most accurate information, so I would appreciate if someone really expert can help in this business.
 
The basic answer to all of this is that a so-called "drive by" infection, where a virus can just sneak in and do things without you knowing, is mostly impossible. BIOS is behind a protected system that can only be accessed if a program is running with elevated privileges. There may be other things, but that's the basic requirement. So don't launch random apps that you don't know where they came from or what they do. Especially if they ask for elevated privileges (in Windows, it triggers a UAC prompt, in Linux or macOS, it asks for a root password).

I say "mostly impossible" because there may be a security vulnerability that can be exploited. But as long as you update your OS regularly, this should be a non-issue.
 
Which exactly did you answer? And if it helps, my motherboard was a PK motherboard (I think) @hotaru.hino
I answered everything in a general manner.

I guess the only thing that I could add is if you had a virus that modifies the BIOS update file before you have a chance to update it since you're free to modify whatever files you download without elevation. You could run an MD5 hash (https://infosecscout.com/md5-checksum-on-windows/) on the file itself, not the ZIP file if it came in one. Though unless you have an MD5 value from the manufacturer or some trusted source to compare it against, it doesn't really mean much. But honestly, attacking the BIOS file itself would require the virus to scan the entire drive periodically for the file and even then, know exactly what to look for. It's not impossible, but it's very impractical. It's just easier to give someone a compromised file to begin with.
 
Basically you can generate a fingerprint of a file called a hash. MD5 is one way to generate one, which generates a string of 32 hexadecimal characters. If you change any part of the file, the fingerprint changes drastically. For example:
  • "1234567890" generates: e807f1fcf82d132f9bb018ca6738a19f
  • "1234587890" generates: d8c1753f7e38be6983c3508462dee52b
While technically you could change the file in such a way that generates the same MD5 value, it's incredibly hard to do so. As in, there's a 1 in 2^128 (which is about 3.4 * 10^38) chance it'll happen. So this makes using MD5 useful as an anti-tamper mechanism. If I say the MD5 value of a file is a certain value, when you download the file, you can run the MD5 function against it. If you get the same value that I said was the value of the file, you can be assured the file was not tampered with.

But in any case, as I said, for someone to specifically target the BIOS of your file is kind of impractical anyway. Any virus that's looking for a BIOS update file would need to be scanning the entire drive which is an obvious tell something isn't right.
 
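The check described in the two posts above, as an added Python example that is not part of the original thread: it hashes the image inside the ZIP rather than the ZIP itself and compares it with a published value. The file name `bios.rom`, the sample bytes and the "published" hash are constructed for illustration; SHA-256 is the default here, and `"md5"` can be passed when that is the only value the vendor publishes.

```python
import hashlib
import hmac
import io
import zipfile


def file_digest(stream, algorithm="sha256", chunk_size=65536):
    """Hash a binary stream in chunks so a large image need not fit in memory."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_member(zip_bytes, member, published_hex, algorithm="sha256"):
    """Hash one file inside a ZIP and compare it with the published hex digest."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        with zf.open(member) as fh:
            actual = file_digest(fh, algorithm)
    # Normalise case/whitespace of the published value before comparing.
    return hmac.compare_digest(actual, published_hex.strip().lower())


def build_zip(member, payload):
    """Helper for the demo: wrap a payload in an in-memory ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def demo():
    # Constructed sample data: a stand-in "firmware image", not a real BIOS file.
    firmware = b"CONSTRUCTED-FIRMWARE-IMAGE" * 1000
    published = hashlib.sha256(firmware).hexdigest()  # what a vendor would publish
    tampered = bytearray(firmware)
    tampered[500] ^= 0x01  # flip a single bit, as a modified download would
    good_zip = build_zip("bios.rom", firmware)
    bad_zip = build_zip("bios.rom", bytes(tampered))
    return {
        "genuine": verify_member(good_zip, "bios.rom", published),
        "tampered": verify_member(bad_zip, "bios.rom", published),
        # Hashing the ZIP container itself never matches the image's hash.
        "zip_itself": hashlib.sha256(good_zip).hexdigest() == published,
    }


if __name__ == "__main__":
    print(demo())
```

The result only means something when the published value comes from the manufacturer or another trusted source, fetched separately from the file being checked.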

Justcicia

I got it, so the BIOS entries are based on codes and there is very little chance of changing them. Is it correct?


But I'm considering all possibilities. Because of this

-Bios viruses only spread with a BIOS update?


-Can the BIOS viruses leave the BIOS open, move to disks such as C-D, etc., and then use the vulnerability to enter the BIOS without updating the BIOS? @hotaru.hino
 
I don't know the exact security mechanisms behind a BIOS update. You can update BIOS from the OS, which implies there's a way to do it while in the OS. But this mechanism requires elevated privileges to run.

In any case, the answer to all your concerns is just don't run any suspicious programs. A virus can't do anything unless you actually run it.
 

Justcicia

Ok, I understand, but there was a computer man who had access to my computer while I was away. If he infected, he has already infected this virus. Therefore, it may have taken permission or installed the virus. @hotaru.hino
 

Justcicia

So actually it didn't exist, then I heard that BIOS virus can infect disks from BIOS. That's why I thought of this:

Normally, when the BIOS virus is in the BIOS, we have problems opening and it becomes obvious. However, the last time I shut down the computer, the BIOS virus went to the disks and on the next startup, there would be no problem in opening the system's BIOS, since there was no BIOS virus. Therefore, after the computer was turned on normally, it would switch to the BIOS again, and there would be no problem in the system and my antivirus would not find that virus because it did not wait long on the disks.


So I may not have explained it fully, but I was obsessed with something like this. Otherwise, if it only stayed in the BIOS, the vulnerabilities would be closed as I update and the virus would become deactivated after a while because I had secure boot on. Or my antivirus would catch up after a while if it infected the disks and never returned to the BIOS. However, I've been worried about this issue ever since I remember what I said. @hotaru.hino
 
A virus in BIOS can mess with the system in ways that you describe, but it wouldn't move from the BIOS itself to a storage drive. There's no need, as BIOS is often assumed to be safe and so most malware scanners don't even bother with it (if it can do it at all).

I don't think what you're describing is a virus. You just have a quirk with the system. Besides that, ever since the CIH computer virus, I'm pretty sure system designers made sure you couldn't just walk up and update the BIOS on a whim.
 

Justcicia

1. A virus in the BIOS can break the system as you say, can it jump as I said? Or will it cause problems at startup?


2. I asked 2 people who I thought were seriously knowledgeable about this issue (they were cyber security guards), and they said that this virus could jump on the discs even if it was on the internet and with a small probability. Are you sure that this BIOS virus won't jump to disks? With small chances or according to the coding, or no BIOS virus can jump, but there can be no such thing as 1 BIOS virus that is different from them, right?


3. "Since the CIH computer virus, I'm pretty sure the system designers made sure you wouldn't come and update the BIOS on a whim."
I couldn't understand a little bit because of the translation, but what exactly are you trying to say here? @hotaru.hino
 
1. The problems that come from a virus depend on what the virus is doing. It may not even do anything visible, like open up a backdoor so someone or something else can do something with it.

2. What I meant to say is while a virus in BIOS can probably jump to a storage device, it has no reason to. Once it's in BIOS, a virus is relatively safe because most antivirus software doesn't bother to look in there on the assumption the BIOS is fine.

3. Once people realized how easy it is to corrupt or otherwise modify BIOS, they realized that they should probably do something to better protect it. That isn't to say it's not impossible for an attacker to infect BIOS, but it's harder to do so than it was back then.
 
2. However, as I said, can't it jump to avoid a problem in the system? @hotaru.hino
If the BIOS is infected and it hasn't bricked the system, then what problem is there to have? Like I said, most antivirus software won't (or perhaps can't) scan the BIOS because it's assumed the BIOS is safe. Even if it causes issues getting inside of the BIOS settings, what can you do? It probably rendered the update system useless so short of soldering on a new BIOS ROM, you can't get rid of it.
 
"If the BIOS is infected and not systematized"


"the update system was so short of soldering to a new BIOS ROM that it got rid of it."

I was close to these @hotaru.hino
If the BIOS is infected and the virus hasn't corrupted it to the point where the computer can't boot, then why does the virus need to find somewhere else to go? Once the virus is in BIOS, you can't get rid of it unless you change the BIOS ROM chip, assuming the virus makes the BIOS ignore any updating.
 
1. He may be doing it to hide.


What do you mean by changing the chip? Doesn't tech support go to the new BIOS course? @hotaru.hino
You should assume any virus that infects BIOS is going to disable the update feature, because updating means overwriting the virus. So the only way to get rid of an infected BIOS is to change the chip that BIOS is stored on.
 