I got infected with this kind of malware:
https://www.blackhat.com/presentations/bh-usa-09/WOJTCZUK/BHUSA09-Wojtczuk-AtkIntelBios-SLIDES.pdf
It is able to reflash my BIOS with an infected one if I try to update the BIOS to a safe distribution. Anyone have advice on how to remove something like this? I have tried reflashing via an external SPI flasher and it still reboots twice to reflash the malicious BIOS. I checked checksums of the safe BIOS vs. the one after reboot to verify it was reflashed with a malicious image.
The code is hooked from the BIOS image parser; since that section of the BIOS code is unsigned, you can run whatever you want there. As posted in this article on page 54: https://www.blackhat.com/presentations/bh-usa-09/WOJTCZUK/BHUSA09-Wojtczuk-AtkIntelBios-SLIDES.pdf. In the BMP image parser section of code you can hook your BIOS comparison and reflasher code, meaning that before the flashing locks and everything are applied to the BIOS it can continue to reflash itself and bypass all these security protections. It's a vulnerability in the way the executable BIOS flashers you run from Windows work; how else would the executable flashers work from Windows if they didn't have to reboot and utilize this vulnerability? I took a video showing that it reboots 3 times to reflash the BIOS: the first reboot is with the safe BIOS code, then it reboots again to reflash it, then it reboots again to confirm the malware is in place. Here is the video: https://youtu.be/CdpAXuSkI9o
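Reading the SPI flash back after the reboot and comparing it with the known-good image, as the poster did with checksums, is the check that detects a re-flash. The script below is an added example (not from the post or the linked slides) that goes one step further and reports which flash sectors differ, so a rewritten code region can be told apart from a legitimately updated variable region; the 256 KiB images are constructed stand-ins and the 4 KiB sector size is an assumption about the flash part.

```python
import hashlib

SECTOR = 4096  # assumed erase-sector size of the SPI part; report differences at this granularity


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_flash_images(golden: bytes, dumped: bytes, sector: int = SECTOR) -> dict:
    """Compare a known-good BIOS image with an SPI dump taken after a reboot.

    A hash mismatch alone only says "something changed"; the (offset, length)
    ranges say where, which is what you need to judge whether the change is in
    a code region or in NVRAM/variable storage that changes on every boot.
    """
    if len(golden) != len(dumped):
        raise ValueError(f"size mismatch: golden={len(golden)} dumped={len(dumped)}")
    ranges = []  # contiguous runs of differing sectors as (offset, length)
    for off in range(0, len(golden), sector):
        if golden[off:off + sector] != dumped[off:off + sector]:
            if ranges and ranges[-1][0] + ranges[-1][1] == off:
                start, length = ranges[-1]
                ranges[-1] = (start, length + sector)  # extend the current run
            else:
                ranges.append((off, sector))
    return {
        "golden_sha256": sha256_hex(golden),
        "dumped_sha256": sha256_hex(dumped),
        "identical": not ranges,
        "changed_ranges": ranges,
    }


def make_sample_images() -> tuple:
    """Constructed stand-ins (not real firmware): a 256 KiB golden image and a
    dump that was rewritten in one sector at 0x10000 and two sectors at 0x20000."""
    golden = bytes((i * 31 + 7) & 0xFF for i in range(256 * 1024))
    dumped = bytearray(golden)
    dumped[0x10000:0x10010] = b"\x90" * 16          # touches a single sector
    dumped[0x20000:0x22000] = b"\xFF" * 0x2000      # two contiguous sectors
    return golden, bytes(dumped)


if __name__ == "__main__":
    golden, dumped = make_sample_images()
    report = diff_flash_images(golden, dumped)
    print("identical:", report["identical"])
    for off, length in report["changed_ranges"]:
        print(f"changed 0x{off:06X}-0x{off + length:06X} ({length // SECTOR} sector(s))")
```

Run it against a real dump by replacing `make_sample_images()` with the bytes of the vendor image and the flasher's read-back file; the two files must be the same size (full-chip dump vs. full-chip image).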