[coreboot] Del firmware malware

Carl-Daniel Hailfinger c-d.hailfinger.devel.2006 at gmx.net
Thu Jul 22 15:13:48 CEST 2010

On 22.07.2010 08:29, ron minnich wrote:
> Wow, top hit on google. But I'm confused.
> http://www.infoworld.com/t/malware/dells-response-motherboard-malware-causes-confusion-176?page=0,1
> "The W32.Spybot worm was discovered in flash storage on the
> motherboard during Dell testing. The malware does not reside in the
> firmware."
> Er, um, the firmware is in Flash I thought. OK, there's more than one
> Flash part I assume.

Yes. Admittedly the press doesn't know enough to get a clear picture across.

> OK, what's that mean? In the Flash in the case the Flash file system
> used by EFI? Why is there flash storage on the motherboard? As you can
> guess, getting some information out of Dell or the journalists is
> essentially impossible.

Board manufacturers noticed that NOR flash (for BIOS) is way too
expensive and you can get 128 MB NAND flash for the price of 1 MB NOR
flash (rough numbers). So they use small NOR flash which hosts the
firmware and a small NAND controller driver. Once firmware has run, the
NAND controller driver (which lives in NOR flash) is used to load a
payload (e.g. Splashtop/whatever) from NAND. That NAND flash is
essentially a USB flash drive soldered onboard, and it often is attached
directly without USB.

Admittedly the explanation above is an educated guess. It could easily
be worse.

> I like this one: "Systems running non-Microsoft Windows operating
> systems cannot be affected.". Which won't stop IT departments
> everywhere from continuing to mandate Windows :-) (yes, I realize I'm
> being unfair :-)
> This one is even stranger: "Remaining systems can only be exposed if
> the customer chooses to run an update to either Unified Server
> Configurator (USC) or 32-bit Diagnostics.""
> Eh? Why would that expose remaining systems? And why would this worm
> be run anyway? In other words, why is a worm on a Flash part on the
> mainboard being run? What other software is in that part that is also
> being run that we don't know about? This is very curious.

This is Dell. The company which blocks all attempts to reflash from
userspace. You run a BIOS/whatever update by loading the image in
memory, rebooting and waiting for the BIOS to use that image to reflash
itself. Now if the in-BIOS (or in-NAND-flash) updater executes code in
NAND flash which is infected with malware, you are royally screwed.
Basically the only way to kill the malware (by updating the flash chip)
is to execute the malware and hope for the best.

I'd like to summarize the situation with a soundbite for the press:
"You're infected with HIV. Please take medication which will trigger a
full AIDS outbreak because that medication has a chance to heal you."



More information about the coreboot mailing list