Virus.Org

Security researcher Jonathan Brossard has created a proof-of-concept hardware backdoor called Rakshasa that replaces a PC’s BIOS (Basic Input Output System) firmware that can compromise the operating system at boot time without leaving any traces on the hard drive.

BIOSIn essence the backdoor that is stored in the non-volatile memory normally used for the BIOS on a PC motherboard, this is typically used to initialise the hardware during boot. In this case it replaces the BIOS of the system and it can infect the PCI firmware of other peripheral devices such as network cards or similar to achieve a degree of redundancy. Rakshasa will also disable NX permanently and remove Pentium System Management Mode (SMM) fixes as well as take other measures to reduce the security of backdoored system.

Rakshasa is named after a demon in Hindu mythology can be installed by anyone with physical access to a system, such as during manufacturing, in an office or data centre as long as they can connect a USB stick and run the software. At this time Brossard hasn’t released the code for Rakshasa so it isn’t quite in the wild just yet.

The concept exploited here isn’t new and there have been malware and similar released in the past that does some elements of what has been demonstrated here. As a result Rakshasa has been developed using this combined knowledge and knowledge of several legitimate open-source efforts for altering firmware such as Coreboot, Seabios and iPXE. As a result the backdoor code works on around 230 different models of motherboard.

The only way to clean up after Rakshasa is reflash every peripheral and motherboard, while ensuring that none of the backdoor code has been able to run. This is not a trivial task and would likely be impractical for most users as some specialised equipment would be required for the procedure.

So why are these types of backdoors so interesting?

  • Firstly, they cannot be removed by conventional means, such as the use of Anti-Virus or just formatting or wiping a system
  • Secondly, they sit at such a level they can bypass other types of security controls
  • Finally, they can be injected during manufacturing or when undergoing maintenance and leave little trace