"BIOS is updating" when I switched on my machine/BIOS rootkit???

graysky (Gawd), joined May 6, 2007, 620 messages
Just experienced something very odd. I switched on my workstation and was presented with an unfamiliar and simple black screen/white text which read something like:
Code:
BIOS is updating.
Do not shut down or reset the system to prevent system bootup failure.

xx% complete

Board is an Asus P8Z77-V Pro. The pic in this thread is EXACTLY what I saw: http://forums.whirlpool.net.au/archive/1902684

This was accompanied by a percent-complete counter that went from 0 to 100 % in 30-45 sec. The machine rebooted and my bootloader [rEFInd] was present. I see no evidence that my BIOS was touched; the date and version on the BIOS were as they were before.

Googling the "Do not shut down ... failure" message shows that others have seen this as well, but no definitive cause for it... flashing the BIOS to a previous version and then back to the current version from the vendor's website is all I can think to do without more information. I am concerned, to say the least. Any thoughts are welcomed.
 
Did you have any external drives plugged in?

I would re-flash from the manufacturer website using a freshly formatted flash drive
 
Very, very suspicious. Personally, I'd virus scan from a linux bootable disk using different virus scanners.
If nothing found, I'd image the disk and wipe the system, MBR included. Probably use a disk wipe utility to kill the beginning sectors of the drive. Then I'd load the image into vmware and see what outbound traffic it generates, if any.

There's no need to flash back to a previous version and then up, just flash to latest. I seriously doubt there's working code out in the wild that would modify people's BIOSes without borking the machine, but it can't hurt to be careful.
 
@radgoos - Nothing connected. I did flash to the latest BIOS on a fresh USB.
@CacaSapo - This machine has never seen Windows; it only runs Linux. Not sure what kind of virus scanner to use... any recommendations?

EDIT: http://www.clamav.net/lang/en/
 
Trinity Rescue Kit has a few antivirus engines on it. I've used it a few times and I think all but one of the scanners worked. ClamAV seems to be the best on there.

AV manufacturers also offer downloadable boot disks, but I believe the bulk will be for NTFS systems.
 
It wouldn't detect anything if something came in before the defs were updated with the malware's signature, though. Once the rootkit is active, assuming it is a rootkit, then it could hide its presence from the AV.

Scan the machine from the outside (boot cd/usb drive) with as many engines as you can. Not being able to trust a computer makes me twitchy.
 
Ha, me too.

ClamAV Virus Databases:
main.cvd ver. 55 released on 17 Sep 2013 10:57 :0400 (sig count: 2424225)
daily.cvd ver. 18317 released on 02 Jan 2014 07:01 :0500 (sig count: 636260)
bytecode.cvd ver. 235 released on 12 Dec 2013 17:14 :0500 (sig count: 44)
safebrowsing.cvd ver. 41411 released on 06 Jan 2014 03:00 :0500 (sig count: 1222556)

Nothing from rkhunter either.
 
I would like to say this is normal when there has been a BIOS failure... this happened to me twice this past week while obsessively configuring overclocking settings on my ASUS M6H. I did have my USB drive plugged in when it happened both times I believe. Were you messing with any settings at all or is this completely random?
 
@Bluesun - OK! So you can confirm the "bad blocks in BIOS" hypothesis? When your overclocking somehow triggered a bad condition in your BIOS, you saw exactly the same message as I did?

Code:
BIOS is updating.
Do not shut down or reset the system to prevent system bootup failure.

xx% complete
 
My dual-BIOS Gigabyte board has reflashed the primary when overclocking settings jacked things up.
 
@Ehren - Yes, but did it look and say exactly what mine did? I would have expected to see the Asus-branded, colorful flash util, but this was black and white as I described, making me think that it was not a vendor thing but something external.
 
Does anyone else remember reading that cryptography article from earlier this year regarding BIOS hijacking and spreading of the infection via speakers plugged into the PC? It all seemed really fishy to me but apparently the guy who caught onto it was quite respected in his field. That also leads me to believe he could be a target for something like that. I can't remember the article name but I'll do some googling.

Edit: Found an article on it. Seems terribly terribly far fetched but I find it hard to say that it's completely impossible.
http://arstechnica.com/security/201...erious-mac-and-pc-malware-that-jumps-airgaps/

In your case I would think it's simply a corrupted BIOS being restored. If you want to be sure, wipe the whole system, flash a new BIOS and start from fresh.
 
> @Bluesun - OK! So you can confirm the "bad blocks in BIOS" hypothesis? When your overclocking somehow triggered a bad condition in your BIOS, you saw exactly the same message as I did?
>
> Code:
> BIOS is updating.
> Do not shut down or reset the system to prevent system bootup failure.
>
> xx% complete

EXACTLY the same.
It didn't concern me really, especially when I saw it twice within the span of an hour.
 
> @Ehren - Yes, but did it look and say exactly what mine did? I would have expected to see the Asus-branded, colorful flash util, but this was black and white as I described, making me think that it was not a vendor thing but something external.

I don't remember, sorry.
 
@Blue - Thanks for the confirmation. It is likely something intrinsic in the BIOS then that occurs when it detects bad blocks. Mine is an Asus P8Z77-V Pro... what is your board?
 
> Does anyone else remember reading that cryptography article from earlier this year regarding BIOS hijacking and spreading of the infection via speakers plugged into the PC? It all seemed really fishy to me but apparently the guy who caught onto it was quite respected in his field. That also leads me to believe he could be a target for something like that. I can't remember the article name but I'll do some googling.
>
> Edit: Found an article on it. Seems terribly terribly far fetched but I find it hard to say that it's completely impossible.
> http://arstechnica.com/security/201...erious-mac-and-pc-malware-that-jumps-airgaps/
>
> In your case I would think it's simply a corrupted BIOS being restored. If you want to be sure, wipe the whole system, flash a new BIOS and start from fresh.

He was paranoid, just a bit. Or he missed the real infection and thought it had infected the BIOS.

I, for example, don't store viruses in BIOS, and now you know why, 30 seconds arouses suspicions.
 
I've downloaded the BIOS for the Asus P8Z77-V Pro and opened it in WinHex.
That text doesn't appear anywhere in the file... I guess it could be there and compressed, though.
lol paranoia.
 
The BIOS is the BIOS, so there's nothing else, but perhaps it's in the boot block and compressed. Would take disassembly to look into it, which is outside my skillset.
 
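The last two posts make the right point: a hex-editor string search over the raw .CAP file proves nothing, because UEFI builds keep most modules (and their message strings) in compressed sections. The script below is an added example, not code from this thread or from Asus, showing how to repeat the search inside compressed regions. It assumes only that the image is a flat byte blob and that compressed regions, where present, use the .lzma ("LZMA alone") container with its 13-byte header, which is what EDK2-based firmware emits for LZMA sections; Tiano/EFI 1.1 compression is not handled, so a miss still does not prove the string is absent. The sample image built by build_sample_image() is constructed for the demonstration and is not a real vendor BIOS.

```python
"""Search a firmware image for a text string, inside LZMA-packed sections too.

Added example, not code from the thread. Assumes a flat image whose compressed
regions (if any) use the .lzma "alone" container. The sample image is
constructed, not a real vendor BIOS.
"""
import lzma
import struct

LZMA_HEADER_LEN = 13                 # props(1) + dict_size(4) + uncompressed_size(8)
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF    # size not stored; stream ends with an end marker
MAX_DICT = 1 << 27                   # refuse headers asking for a >128 MiB dictionary
MAX_OUTPUT = 64 * 1024 * 1024        # never inflate one candidate beyond this


def _plausible_lzma_header(blob, off):
    """Cheap sanity check on a would-be .lzma header at `off` before decoding."""
    if off + LZMA_HEADER_LEN > len(blob):
        return False
    props = blob[off]
    if props >= 9 * 5 * 5:           # props = (pb*5 + lp)*9 + lc, so it must be < 225
        return False
    dict_size, usize = struct.unpack_from("<IQ", blob, off + 1)
    if dict_size < 4096 or dict_size > MAX_DICT:
        return False
    return usize == UNKNOWN_SIZE or usize <= MAX_OUTPUT


def _try_inflate(blob, off):
    """Decode the stream starting at `off`; return (data, bytes_consumed) or None."""
    # memlimit keeps a malformed header from making us allocate a huge dictionary.
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE, memlimit=256 * 1024 * 1024)
    try:
        data = dec.decompress(blob[off:], max_length=MAX_OUTPUT)
    except lzma.LZMAError:
        return None
    # Random bytes essentially never decode to a cleanly terminated, non-empty stream.
    if not dec.eof or not data:
        return None
    consumed = len(blob) - off - len(dec.unused_data)
    return data, consumed


def find_string(image, needle):
    """Return hits as (offset_in_image, kind, offset_inside_region).

    kind is "raw" for a plain byte match, "lzma" for a match inside an inflated
    stream; for "lzma" hits offset_in_image is the start of that stream's header.
    """
    hits = []
    pos = image.find(needle)
    while pos != -1:
        hits.append((pos, "raw", pos))
        pos = image.find(needle, pos + 1)

    off = 0
    while off < len(image):
        if _plausible_lzma_header(image, off):
            inflated = _try_inflate(image, off)
            if inflated is not None:
                data, consumed = inflated
                inner = data.find(needle)
                while inner != -1:
                    hits.append((off, "lzma", inner))
                    inner = data.find(needle, inner + 1)
                off += consumed        # skip over the stream we just decoded
                continue
        off += 1
    return hits


def build_sample_image():
    """Constructed stand-in for a BIOS image: padding, a raw-only marker,
    one LZMA-packed 'module' carrying the update message, more padding."""
    module = (b"Some UEFI module strings\x00"
              b"BIOS is updating.\r\n"
              b"Do not shut down or reset the system to prevent system bootup failure.\x00"
              + b"\x00" * 256)
    packed = lzma.compress(module, format=lzma.FORMAT_ALONE)
    return b"\xff" * 4096 + b"RAW-ONLY MARKER\x00" + packed + b"\xff" * 4096


if __name__ == "__main__":
    img = build_sample_image()
    for needle in (b"BIOS is updating", b"RAW-ONLY MARKER", b"not present"):
        print(needle, find_string(img, needle))
```

Against the constructed image, "RAW-ONLY MARKER" is found as a plain match while "BIOS is updating" is found only inside the inflated stream, which is exactly the case a hex editor misses. Run it against the downloaded .CAP instead of the sample and a hit in an LZMA section tells you the message is vendor code; the useful follow-up is to compare a dump of your own SPI flash against that file rather than trusting the version string the setup screen reports.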