Rakshasa: Hindu demon – and permanent, undetectable backdoor

Jonathan Brossard, CEO of French security firm Toucan System, presented at both Black Hat and Defcon last week. He described malware capable of taking over the BIOS and infecting other peripheral devices. The malware is undetectable in BIOS. The only way to remove it would be to reflash the BIOS – but if additional peripheral devices are also infected, they could re-infect the motherboard. The only way to guarantee cleansing an infected system would be to reflash both the motherboard and all peripherals at the same time – something clearly beyond the average user.

Since the malware sits in, or replaces, the BIOS, it has control over the computer before the operating system is loaded. Anything that is part of the operating system can consequently be negated. Encryption can be turned off while the user is told it is working; firewalls can be silently breached; anti-virus software becomes meaningless. In short, a Rakshasa-infected computer is totally pwned. 

It is also undetectable since it leaves no trace in either files on the hard drive, or RAM itself. Unlike earlier malware that stored bootkit code in the Master Boot Record (MBR) and was consequently easy to detect, Rakshasa downloads the bootkit remotely into RAM every time the computer boots. Once its work is done, it is removed from RAM leaving no trace whatsoever.

The theory is not unknown. “You can actually go back a lot earlier to CIH for an example of real malware with a payload that involved writing to a flash-able BIOS,” ESET senior research fellow David Harley told Infosecurity, “though it didn’t attempt to cover all possible Flash ROM chips. It was claimed to have affected tens of millions of machines, and I guess it influenced the number of machines built subsequently with the BIOS protected by a hardware switch.”

What Brossard has done is prove its feasibility using largely open source software. While infection is technically possible by traditional malware infection routes, it is relatively easy at any stage during the supply chain. The stark reality is that any motherboard manufactured in China could be owned by the Chinese authorities; and any motherboard manufactured in the US could be owned by the NSA. 

But Harley doesn’t want us to panic just yet. “I can see potential for mischief here,” he said, “but it’s not as simple as [Brossard’s] paper makes it sound. It wouldn’t surprise me to hear that covert agencies are looking at this sort of approach, but I don’t think it’s likely to emerge as a global epidemic.” And it’s not as if the AV companies will be ignoring the issue. “It’s a tricky one,” admitted Luis Corrons, technical director at PandaLabs. One of the things he is exploring is writing a program “that from memory could access directly to the computer hardware and obtain the real information.”

Nevertheless, “The x86 architecture is plagued by legacy,” said Brossard. “Governments know. The rest of the industry : not so much. There is a need to discuss the problems in order to find solutions...”

What’s Hot on Infosecurity Magazine?