Problem: When install Windows 7 from the flash and Bios from type UEFI

  1.    #11

    We would see this here as we have more traffic than any other tech support forums including MS. I can't recall seeing one that infected the BIOS. Last time I asked in our Security section I was told the same.

    And not one of the Security MVPs I queried at the past few Global MVP Summits had seen confirmed BIOS infections. I'll ask again on our communications channel.

    But I am not a Security specialist so maybe I am not looking in the right places? Can you direct me to the active BIOS infection cases in Win7?


  2. Posts : 562
    Windows 7 Ultimate x64
       #12

    But I am not a Security specialist so maybe I am not looking in the right places? Can you direct me to the active BIOS infection cases in Windows 7?
    Greg, a Rootkit won't infect BIOS (either UEFI or legacy). Rather it uses the limitations of legacy BIOS to execute malicious code even before the OS loader is called.

    Legacy BIOS as we know was originally designed for the 8086 CPU and it can address only 1024 KB of memory. Also it doesn't know about any file systems such as FAT, NTFS etc. All it can do is to execute POST, initialize plug and play and execute whatever code is written on sector 0 of the HDD. Usually it is the MBR which is supposed to reside on sector 0 but poor BIOS doesn't have the capability to check what code is written there. A Rootkit/Bootkit utilizes this limitation of BIOS and will replace the MBR code with its own custom code to load malware programs. This allows Rootkits to take control of low level OS components and hide from security software.

    On the other hand a UEFI firmware is written in a high level language and can read/write to FAT32 volumes. This allows the use of GPT partitioned disks as the boot drive, which doesn't rely on MBR and VBR. The OS can put its loader on a FAT32 formatted special partition named "EFI System Partition" and the firmware will call the loader directly when powering on. Theoretically a malware can replace the original loader with a patched one but UEFI allows "SecureBoot" which will validate and load only legitimate signed OS loaders. This will prevent a Rootkit from executing malicious code at an early boot stage. Although "Windows 7" is not "SecureBoot" compatible, nobody so far has attempted to make a UEFI based Rootkit as the number of "Windows 7" users who use GPT disks as the boot drive is very low.


    Although "Sevenforum" is a great site providing technical support, you don't see many malware infection cases here. There are sites which specialize in malware removal and provide assistance with trained malware helpers. I have seen hundreds of "Rootkit" infection cases on those sites.

    It is true that UEFI requires several improvements - especially in dual booting support. Currently legacy mode is the best choice for multi-booting.
    Last edited by Anshad Edavana; 03 Jun 2014 at 10:37.
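
Added example, not part of the original post: post #12 notes that a legacy BIOS runs whatever sits in sector 0 without checking it, so a defender has to do the checking. This sketch parses a 512-byte sector 0, reports whether the disk is MBR or GPT (protective entry type 0xEE), and compares a hash of the boot code area against a known-good baseline. The function names and the sample sectors are constructed for illustration; reading sector 0 from a real disk needs administrator rights and is not shown.

```python
import hashlib
import struct

BOOT_CODE_LEN = 440      # bootstrap code area the BIOS jumps into
PART_TABLE_OFF = 446     # four 16-byte partition entries
GPT_PROTECTIVE = 0xEE    # type byte of a GPT protective MBR entry


def inspect_mbr(sector, baseline_sha256=None):
    """Parse a 512-byte sector 0 and compare its boot code to a baseline."""
    if len(sector) != 512:
        raise ValueError("sector 0 must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # type 0 means unused slot
            partitions.append({"active": entry[0] == 0x80, "type": entry[4],
                               "lba_start": lba_start, "sectors": count})
    # Hash only the code area: disk signature and partition table change legitimately.
    code_hash = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    is_gpt = any(p["type"] == GPT_PROTECTIVE for p in partitions)
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "scheme": "GPT" if is_gpt else "MBR",
        "partitions": partitions,
        "boot_code_sha256": code_hash,
        "boot_code_changed": baseline_sha256 is not None
                             and code_hash != baseline_sha256,
    }


def build_sample_sector(boot_code, ptype, lba_start):
    """Constructed sample: boot code + one partition entry + 55AA signature."""
    status = 0x00 if ptype == GPT_PROTECTIVE else 0x80
    entry = struct.pack("<B3sB3sII", status, b"\x00\x02\x00", ptype,
                        b"\xff\xff\xff", lba_start, 409600)
    return boot_code.ljust(PART_TABLE_OFF, b"\x00") + entry + bytes(48) + b"\x55\xaa"


# Constructed sample sectors (not real disk images).
CLEAN = build_sample_sector(b"\xfa\x33\xc0" + b"\x90" * 64, 0x07, 2048)
TAMPERED = build_sample_sector(b"\xeb\x3c" + b"\xcc" * 64, 0x07, 2048)
GPT_DISK = build_sample_sector(b"", GPT_PROTECTIVE, 1)

if __name__ == "__main__":
    baseline = inspect_mbr(CLEAN)["boot_code_sha256"]
    for name, s in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, "changed" if inspect_mbr(s, baseline)["boot_code_changed"] else "ok")
    print("gpt sample scheme:", inspect_mbr(GPT_DISK)["scheme"])
```

The baseline hash has to be recorded while the machine is known to be clean, and the check is best run from trusted boot media, since the post's point is that a rootkit loaded from sector 0 can hide from software running under the infected OS.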
