How MoonBounce malware demonstrates vulnerability in BIOS storage

26-01-2022 |   |  By Robin Mitchell

Malware has always been a challenge for computer users since its introduction, but a new piece of malware called MoonBounce has demonstrated a particularly nasty vulnerability. What challenges does malware present in computing systems, what is MoonBounce, and how does it fight against hard drive wipes?

What challenges does malware present?

Malware has existed for almost as long as personal computers, with one of the earliest examples being the Morris Worm which unintentionally infected thousands of machines via the internet in 1988. What made the Morris Worm of interest was that the worm's author did not intend to cause harm as he simply wanted to determine the size of the ARPANET. However, instead of using legitimate methods (such as asking permission from a computer user to residing on the system), it exploited vulnerabilities to gain entry and copy itself to the user's system.

Furthermore, checks for previous infections were not done. The result was a worm that spread through the entire ARPANET costing millions of dollars in damage in what was essentially a Denial of Service (DoS) attack.

Fast forward to today, and malware is an ever-growing challenge. The increasing number of devices connected to the internet provide attackers with more entry points, while the increasing amount of stored private information makes attacks more profitable. While security solutions try to counterattack malware with detection algorithms, attackers are generally one step ahead by discovering vulnerabilities and keeping them hidden from the public.

Removing malware can sometimes be impossible when a device is infected with malware. For example, ransomware that infects a machine and encrypts files will unlikely be recoverable due to the strength of encryption used. Another example could be a virus that infects core system files; these files may be irreplaceable, and thus the system can never be fixed practically.

In these cases, a system reset and reinstall can bring a system back to full operation. While such a move does delete all personal files, too, it ensures that all malware, no matter where on the user's storage device, will be deleted.

How MoonBase malware changes this

Recently, new malware called MoonBase has been detected, which operates very differently from typical malware in that it is stored in UEFI flash instead of an external storage device. Simply put, the malware is loaded during the boot process of a computer and can inject itself into the Windows kernel. It can then use a command-and-control URL to receive payloads and run those in memory.

This malware is particularly dangerous because it resides in an area that is not affected during a computer wipe and reinstalls. This means that reinstalling Windows does not remove the malware, and the booting of a new system will again load the malware. Security experts have stated that the only fix around this kind of attack is to ensure that UEFI firmware is kept up to date or to use a trusted platform boot method that ensures the integrity of a booted image.

What does this mean for protection against malware?

The inability to remove the malware by wiping a computers main storage device presents significant challenges for the security industry and computer architecture in general. BIOS firmware has always been located on an external memory device on a computer's motherboard and is the first piece of data to be loaded.

While BIOS chips of the past would be one-time programmable devices, the changing landscape of hardware and the need to upgrade has seen BIOS systems move to reprogrammable flash devices. An upgradeable BIOS can account for new features on CPUs (such as throttling or overclocking), new boot sequences, and specialist features. However, using a reprogrammable BIOS also introduces the potential for malware to reside in memory.

As such, malware detection software will need to start examining the contents of BIOS firmware for the presence of malicious code while simultaneously providing users with an easy fix to apply. Unlike standard operating systems, updating UEFI firmware is not the most straightforward task and almost always requires the user to access the BIOS and apply updates. Furthermore, mistakes in this stage can have major ramifications to the computer, as without a functioning BIOS, a computer simply cannot work.

Trusted platform modules (TPM) can help fight against such malware by ensuring that any loaded software is verified against stored keys. However, such security methods are still yet to be implemented in mass, and older systems will unlikely be upgraded.

Overall, the use of malware residing in UEFI firmware presents a significant challenge for the security industry and raises the question of whether reprogrammable firmware is a good idea.


By Robin Mitchell

Robin Mitchell is an electronic engineer who has been involved in electronics since the age of 13. After completing a BEng at the University of Warwick, Robin moved into the field of online content creation developing articles, news pieces, and projects aimed at professionals and makers alike. Currently, Robin runs a small electronics business, MitchElectronics, which produces educational kits and resources.

Related articles