Peter's z80.eu site blog
The perfect virus ? NSA's "barnfire" program and implications [offtopic] 
Monday, January 19, 2015, 07:00 PM
Posted by Administrator
The german magazine Spiegel published new infos about some (meanwhile old but still valid) NSA programs in their latest >article<. They also mentioned "barnfire", which is a codename for a BIOS modification to bypass all virus scanners and other (local) detection mechanisms.
Bruce Schneider offers also infos about at, although it does not contain much more infos, see >here<.
His blog points to http://cryptome.org/2015/01/spiegel-15-0117.7z , inside the 7z archive is also a file named media-35661.pdf which mentions "BARNFIRE"
A year ago news were published about a >BadBIOS super trojaner<, but not found yet in a real example.
Also, in January 2014, infos were published about >a similar NSA project named DEITYBOUNCE<, which describes that DELL server were hacked and manipulated by NSA also.

A modified BIOS (it must be a modified one, not a new one, because otherwise it can be easily discovered) does not help if hard disks are encrypted. May be you can "chain/hook" into Windows API after Windows is already booted (and encryption is active), but this seems to be a much more sophisticated approach. It has to be possible to extend functions while they are loaded in memory, because even Windows API will use in its driver BIOS calls (at least in drivers, but may be in some basic parts of the OS too).
You can't modify directly files on disk unless you "know" the encryption keys/encryption algorithm, but you don't need to have the knowledge about it, if your "base" is the BIOS itself.
It's like placing a virus on your harddisk, but the virus is located in the BIOS itself and can't be detected by scanning files or even memory.
But your PC's BIOS flash memory does not have to be write protected. Fortunately new computers only protects the firmware flashing "entry" of the BIOS, but this is SOFTWARE, so unless your PC is not protected by "jumper", it can be bypassed. The function "Flash BIOS" is also just a piece of software.

So the possible attack sequence might be:
1 - try to use a zero day exploit
2 - if successful, identify the used firmware
3 - load the appropriate but modified BIOS
4 - flash the BIOS
5 - delete all traces
6 - reboot (or just wait)

Remember, you will be still protected by external IT security components like http-Proxy servers, unless you analyze also the network traffic with your backdoor code. But this will make the BIOS modifications almost impossible, because you need much more code.

I guess the simpler variation of the BIOS mod is already existing, made by smart programmers @NSA ...
add comment ( 111 views )   |  permalink   |  related link   |   ( 3.1 / 3184 )

<<First <Back | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | Next> Last>>