Researcher creates hardware backdoor that replaces the BIOS to compromise the operating system

Source: Internet
Author: User

Security researcher Jonathan Brossard has created a proof-of-concept hardware backdoor called Rakshasa which, he says, can replace a computer's BIOS (Basic Input/Output System) and compromise the operating system at startup without leaving any trace on the hard disk.
 
Brossard is the CEO and a security research engineer of Toucan System, a French security company. He demonstrated how the malware works at the Defcon hacking conference on Saturday, having presented the same research at the Black Hat conference on Thursday.
 
Rakshasa is the name of a demon in Indian mythology. It is not the first malware to target the BIOS (the low-level motherboard firmware that initializes the other hardware components), but unlike earlier BIOS malware it uses new techniques to evade detection and to persist.
 
Rakshasa can replace the motherboard BIOS and also infect the PCI firmware of other peripherals, such as network cards or CD-ROM drives, so that the infection is highly redundant.
 
Rakshasa is built from open-source software. It replaces the manufacturer's BIOS with a combination of Coreboot and SeaBIOS, which together support motherboards from many different manufacturers. Brossard also compiled iPXE, an open-source network boot firmware, for the computer's network card.
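As an added practitioner check, not part of the original article or of Brossard's tooling: a small Python parser for a PCI expansion ROM dump of the kind an operator would pull from a network card on Linux via sysfs (write 1 to /sys/bus/pci/devices/<bdf>/rom, cat the rom file, write 0 again). It walks the 55AA image headers and PCIR data structures, reports vendor/device IDs, code type and a per-image SHA-256 to compare against the ROM the vendor ships, and flags an iPXE banner string as a heuristic for a replaced option ROM. The sample ROM, the `build_image` helper, the vendor/device IDs and the banner heuristic are assumptions for illustration and are not real firmware.

```python
import hashlib
import struct

ROM_SIG = b"\x55\xaa"       # expansion ROM image header signature
PCIR_SIG = b"PCIR"          # PCI Data Structure signature
PCIR_OFFSET = 0x20          # where build_image() places the PCIR in each sample image
CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}


def parse_option_rom(blob):
    """Walk every image in a PCI expansion ROM dump.

    Each image starts with 55AA; the 16-bit pointer at +0x18 locates the PCIR
    structure, which carries vendor/device IDs, the image length (512-byte
    units), the code type, and a 'last image' flag in bit 7 of the indicator.
    Returns one dict per image; raises ValueError on a malformed dump.
    """
    images = []
    off = 0
    while True:
        if off + 0x1A > len(blob) or blob[off:off + 2] != ROM_SIG:
            raise ValueError(f"no 55AA header at offset {off:#x}")
        pcir = off + struct.unpack_from("<H", blob, off + 0x18)[0]
        if blob[pcir:pcir + 4] != PCIR_SIG:
            raise ValueError(f"no PCIR structure at offset {pcir:#x}")
        vendor, device = struct.unpack_from("<HH", blob, pcir + 4)
        length = struct.unpack_from("<H", blob, pcir + 0x10)[0] * 512
        code_type = blob[pcir + 0x14]
        last = bool(blob[pcir + 0x15] & 0x80)
        if length == 0 or off + length > len(blob):
            raise ValueError(f"image at {off:#x} claims {length} bytes, dump has {len(blob)}")
        image = blob[off:off + length]
        images.append({
            "offset": off,
            "length": length,
            "vendor": vendor,
            "device": device,
            "code_type": CODE_TYPES.get(code_type, f"unknown ({code_type:#x})"),
            "last": last,
            "sha256": hashlib.sha256(image).hexdigest(),
            # Heuristic only (assumption): iPXE builds carry their banner string,
            # a vendor PXE ROM normally does not. Absence proves nothing, since
            # strings are trivial to strip from a custom build.
            "ipxe_banner": b"iPXE" in image,
        })
        if last:
            return images
        off += length


def build_image(vendor, device, code_type, last, blocks, payload=b""):
    """Construct a sample expansion ROM image for testing (not real firmware)."""
    size = blocks * 512
    img = bytearray(size)
    img[0:2] = ROM_SIG
    img[2] = blocks & 0xFF                        # legacy size byte, 512-byte units
    struct.pack_into("<H", img, 0x18, PCIR_OFFSET)
    pcir = PCIR_SIG + struct.pack(
        "<HHHHB3sHHBBH",
        vendor, device,
        0,                   # VPD pointer (none)
        0x18,                # PCIR structure length
        0,                   # PCIR revision
        b"\x00\x00\x02",     # class code 0x020000: network controller
        blocks,              # image length in 512-byte units
        0,                   # code revision
        code_type,
        0x80 if last else 0, # indicator: bit 7 = last image
        0,                   # reserved
    )
    img[PCIR_OFFSET:PCIR_OFFSET + len(pcir)] = pcir
    body = PCIR_OFFSET + len(pcir)
    if body + len(payload) > size:
        raise ValueError("payload does not fit in image")
    img[body:body + len(payload)] = payload
    return bytes(img)


# Constructed sample: a two-image ROM (a legacy x86 image carrying an iPXE banner,
# followed by an EFI image). Vendor/device IDs are assumed, not taken from a real dump.
SAMPLE_ROM = (
    build_image(0x8086, 0x10D3, 0, False, 2, b"iPXE (http://ipxe.org) 1.0.0+")
    + build_image(0x8086, 0x10D3, 3, True, 1)
)


def report(blob):
    """Return one human-readable line per image in the dump."""
    lines = []
    for im in parse_option_rom(blob):
        flag = "  <-- iPXE banner present" if im["ipxe_banner"] else ""
        lines.append(
            f"image @{im['offset']:#07x} {im['length']:6d} B  "
            f"{im['vendor']:04x}:{im['device']:04x}  {im['code_type']:16s} "
            f"sha256={im['sha256'][:16]}...{flag}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ROM)))
```

Run it against a real sysfs dump by reading the rom file into `blob` and calling `report(blob)`; the hashes are what you compare against a dump taken from a known-clean unit of the same card, since the parser alone cannot tell a modified Coreboot/iPXE build from a legitimate one.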
 
All of these components were modified so that nothing is displayed and no trace is left during startup. Coreboot can even mimic the custom boot splash screen of the BIOS it replaced.
 
Today's computer architecture gives every type of peripheral the same access to RAM, Brossard said. "So the CD-ROM drive can perfectly control the NIC."
 
That means that even if someone restores the original BIOS, the rogue firmware residing on the NIC or on the CD-ROM drive can reflash it with the malicious BIOS again, Brossard said.
 
The only way to get rid of the malware is to shut the computer down and manually reflash every peripheral, which is not feasible for most users because it requires specialized equipment and advanced skills.
 
Brossard created Rakshasa to prove that hardware backdoors are practical and could be inserted somewhere in the supply chain between a computer's manufacture and its delivery to the end user. He pointed out that most computers today, including Macs, are manufactured in China.
 
Alternatively, an attacker who has infected the computer with other malware or exploited a vulnerability to gain system privileges could, in theory, flash the BIOS and deploy Rakshasa remotely.
 
Brossard admitted, however, that this remote attack does not always work, because some PCI devices have a physical switch that must be set before new firmware can be written, and some BIOSes are digitally signed.
 
Coreboot, however, can load a PCI expansion firmware of its own in preference to the one flashed on the NIC, which bypasses the physical switch.
 
Brossard said that with physical access to the computer the attack works every time, while a remote attack succeeds about 99% of the time.
 
The iPXE firmware running on the NIC is configured to load a bootkit, a piece of malicious code that executes before the operating system is loaded and can subvert it before any security software starts.
 
Some well-known malware programs store their bootkit code in the hard drive's Master Boot Record (MBR), which makes it easy for forensic investigators and antivirus software to find and remove it.
 
Rakshasa is different because its iPXE firmware downloads the bootkit from a remote location and loads it into RAM every time the computer starts.
 
"We never touch the file system," Brossard said. "If you give the hard disk to a company for analysis, they will not be able to find the malware."
 
In addition, once the bootkit has done its job, that is, once it has maliciously modified the kernel, it can unload itself from memory. This means that a live inspection of the kernel in RAM will not find it either.
 
Brossard says such threats are very hard to detect because detection tools run inside the operating system and have to get their information from the kernel, and the bootkit can falsify that information.
 
The iPXE firmware can also communicate over Ethernet, Wi-Fi, or WiMAX and supports several protocols, including HTTP, HTTPS, and FTP, which gives a potential attacker many options.
 
For example, the bootkit could be downloaded as a file with an innocuous extension hosted on any blog post, and the infected computer's IP address and other network information could be sent to a preset mailbox.
 
Attackers can communicate directly with the NIC firmware over encrypted HTTPS connections, push configuration updates or new versions of the malware, and rotate their command-and-control servers among different websites, which makes it harder for law enforcement and security researchers to take them down.
 
Brossard has not publicly released the malware. However, because most of its components are open source, people with enough knowledge and resources should be able to reproduce it. A research paper describing the implementation in detail has been published online.
 
