just, posted October 22, 2022 (edited):

Good day,
What is the difference between this BIOS virus and Bootkit? As far as I know Bootkit, UEFI and MBR viruses are the same thing and can do most things. So, can the BIOS virus do what it can do?

Edited October 22, 2022 by Marcos (machine translation added)

itman, posted October 22, 2022:

Note that forum rules state that you must post in the English language. Use Google translator as I did:

Quote:
> Good day, What is the difference between this BIOS virus and Bootkit? As far as I know Bootkit, UEFI and mbr viruses are the same thing and can do most things. So, can the BIOS virus do what it can do?

itman, posted October 22, 2022 (edited):

Quote:
> The difference between a bootkit and a rootkit
>
> Bootkits are often confused with rootkits. A rootkit is a program (set of programs) for concealing the presence of malware in the system. The main difference is that bootkits start operating even before the OS boots. They have the same level of control as legitimate loaders (Master Boot Record (MBR), Volume Boot Record (VBR), or UEFI) and interfere with the OS boot process, allowing them to monitor and alter the boot process, as well as introduce, for example, malicious code, bypassing security mechanisms. Bootkits often create the environment for the stealthy introduction of kernel-level rootkits.
>
> The Master Boot Record (MBR) contains information and code needed to properly boot the device. It is stored in the first sectors of the hard drive.
>
> The Volume Boot Record (VBR) or Initial Program Loader (IPL) loads data needed to boot the OS. It is stored in the first sector of a partition on the hard drive.

https://www.ptsecurity.com/ww-en/analytics/bootkits-evolution-and-methods-of-detection/

Additional ref.: https://thetechrevolutionist.com/2013/02/technical-overview-of-uefi-boot-vs.html

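As an added illustration of the MBR and VBR locations described in the article quoted above (not part of the original post, and not ESET's code), this Python example parses a 512-byte first sector, hashes its boot-code area for comparison against a known-good baseline, and lists the starting sector of each partition, which is where that partition's VBR sits. The function names and the sample sector are constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446   # four 16-byte partition entries start here


def parse_mbr(sector: bytes) -> dict:
    """Hash the MBR boot code and list where each partition's VBR lives."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        vbr_lba, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0x00:  # empty slot
            continue
        partitions.append({"slot": i, "bootable": status == 0x80,
                           "type": ptype, "vbr_lba": vbr_lba,
                           "sectors": sectors})
    # Bytes 0..445 are the loader area that runs before the OS.
    return {"boot_code_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}


def boot_code_changed(baseline: dict, current: dict) -> bool:
    """True when the loader area differs from the recorded known-good hash."""
    return baseline["boot_code_sha256"] != current["boot_code_sha256"]


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one bootable type-0x07 partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, bytes(3), 0x07, bytes(3), 2048, 204800)
    table = entry + bytes(48)  # remaining three slots empty
    return boot_code.ljust(TABLE_OFFSET, b"\x00") + table + b"\x55\xaa"


if __name__ == "__main__":
    known_good = parse_mbr(build_sample_mbr(b"constructed loader A"))
    observed = parse_mbr(build_sample_mbr(b"constructed loader B"))
    print(known_good["partitions"])
    print("boot code changed:", boot_code_changed(known_good, observed))
```

On a real machine the first sector has to be read with administrator rights, and a GPT disk shows only a protective MBR (partition type 0xEE) there.
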
just (Author), posted October 22, 2022:

I'm sorry, but I didn't quite understand because of the translation. Can you open a little more? Also, you explained MBR viruses. I'm not asking what is the MBR virus. I'm asking what is the difference between BIOS virus and MBR virus? @itman

itman, posted October 22, 2022:

5 minutes ago, Yusuf Alp said:
> I'm asking what is the difference between BIOS virus and mbr virus?

MBR viruses are classified as both BIOS and bootkit viruses.

Ref.: https://usa.kaspersky.com/resource-center/definitions/boot-sector-virus

just (Author), posted October 22, 2022:

However, as far as I know, MBR viruses infect the virus as soon as the system is started. I know BIOS viruses are different. In other words, I know that while MBR viruses are located in the boot area, BIOS viruses are directly in the BIOS. But can ESET Smart Security's advanced threat protection detect all types of these BIOS viruses? And what exactly can all types of these BIOS viruses do? @itman

itman, posted October 22, 2022 (edited):

3 hours ago, Yusuf Alp said:
> But can ESET Smart Security's advanced threat protection detect all types of these BIOS viruses?

Eset can detect UEFI/BIOS and MBR malware. It can't remove them. Removal must be done manually.

3 hours ago, Yusuf Alp said:
> And what exactly can all types of these BIOS viruses do?

Read the linked articles I posted in this thread.

just (Author), posted October 23, 2022:

Well, can ESET DEFINITELY detect all BIOS viruses you can think of (rootkit, MBR, UEFI and whatever you can think of)? With very small chances, or according to the coding of the virus, or something like all the BIOS viruses will be found, but only 1 of them is not found, or there are some known ones, but there is a possibility that unknown BIOS viruses are not found? @itman

itman, posted October 23, 2022:

5 hours ago, Yusuf Alp said:
> Well, can eset DEFINITELY detect all bios viruses you can think of (rootkit, mbr, uefi and whatever you can think of)?

Eset can detect all like malware that has been previously detected by it. Obviously if the malware has never been seen previously by Eset and deemed malicious, it won't be able to detect it.

just (Author), posted October 23, 2022:

Well, advanced threat protection (I think it was LiveGuard) rather than scanning, it used to detect viruses that had not been seen before. Can't detect it? @itman

itman, posted October 23, 2022:

2 minutes ago, Yusuf Alp said:
> Well, advanced threat protection (I think it was Liveguard) rather than scanning, it used to detect viruses that had not been seen before. Can't detect it? @itman

I believe you are referring to LiveGuard protection. Yes, it submits suspicious newly created files to Eset's cloud servers for further analysis. If the file is determined to be malicious, it is deleted and quarantined.

Is this processing 100% effective against 0-day malware? It is not, as is the case with all security software that currently exists.

just (Author), posted October 23, 2022:

True. But with advanced threat protection or adding it to the database or something, if not instantly, is it definitely not found one day? @itman

itman, posted October 23, 2022:

1 minute ago, Yusuf Alp said:
> But with advanced threat protection or adding it to the database or something, if not instantly, is it definitely not found one day?

I already answered this. If the malware is known to Eset, it can detect it. Additionally, Eset can detect limited suspicious activities and notify the user of those.

just (Author), posted October 23, 2022:

"Eset can detect limited suspicious activities and report them to the user." I don't understand here, but when you say limited, do you mean unknown viruses that are not in the database? Let's say there is this virus in the database. Could this virus have a situation such as escaping or being encrypted while scanning? @itman

peteyt (Most Valued Members), posted October 23, 2022:

Eset will protect you from viruses it knows, e.g. ones it already has seen and so has signatures for them. Eset also has technologies designed to protect the users from malware unseen before, e.g. identifying possible malware by looking for suspicious activity.

However, this type of detection is never going to be 100 percent. For example, some new malware could be spread that is clever at hiding what it does and so the malware may not be detected for a while. As Itman has mentioned, all antivirus software has this problem, as without a signature it can be hard to detect unknown malware. It could be benign, as in hide what it does while it's being checked out by the AV, and abuse legitimate programs, processes etc. with the goal to mask and hide its activities.

Also, the processes used to find new malware can also lead to false positives where something is flagged as malicious but it isn't.

just (Author), posted October 23, 2022:

Ok, I already know it's not 100%. It's just that ESET can detect all types of these BIOS viruses no matter where they are stored in the BIOS or how advanced they are, if not instantly, but after a while (either with advanced threat protection or inclusion in the database)? @peteyt

TheStill, posted October 24, 2022:

If a new virus uses the same techniques as a previous virus, then there is a good chance that it will be detected. If the people who made the virus discover a new exploit, then it wouldn't be detected. But at the same time, they are not going to waste that on attacking a random person's computer. They'll save that for attacking a high-level person's computer, e.g., a politician or CEO. As once the anti-virus companies pick up on this then the exploit becomes worthless. For regular people this isn't something you will have to worry about.

just (Author), posted October 24, 2022:

However, it is still found with certainty after the time has elapsed, isn't it? @TheStill

TheStill, posted October 25, 2022:

19 hours ago, Yusuf Alp said:
> However, it is still found with certainty after the time has elapsed, isn't it? @TheStill

Depends on the complexity of the exploit and if the attacker chooses to share it with other attackers. But it is entirely possible for something to go undiscovered for years. I'm no expert on the matter, but my understanding is this would be more likely to be a state-backed finding, which again would really only be interested in high-level people.

just (Author), posted October 25, 2022:

Ok, thanks. As I understand it, new techniques are required for these viruses not to be found in advanced threat protection, and these techniques are often used by senior guys. Ok, I know it can take years. Still, it's DEFINITELY found, even years later, right?

And I have a question for all of you. You know that an MBR (including UEFI and bootkit) virus can do most things when infected. However, apart from the MBR virus, there are BIOS viruses as far as I know. Regarding these BIOS viruses:
- Is the BIOS rootkit included in this type of BIOS virus?
- Can this type of virus do what the MBR-bootkit-UEFI virus does?

@TheStill @peteyt @itman

Nightowl (Most Valued Members), posted October 26, 2022:

Quote:
> As we briefly mentioned in the beginning, UEFI stands for Unified Extensible Firmware Interface. It does the same job as a BIOS, but with one basic difference: it stores all data about initialization and startup in a .efi file instead of storing it on the firmware.

You can name it however you like, UEFI Virus or UEFI Rootkit, end of the day, they are doing malicious work.

Difference between those and normal viruses that go to operating system, that in Operating System you can remove the virus by using an Anti-Virus or by re-installing Windows.

When that Virus or Rootkit infects the Firmware, then it can survive formatting the hard disk and stuff like this, and the only way to remove it is to flash again UEFI/BIOS from Manufacturer website.

Even if ESET or whatever Antivirus you were using detected a BIOS/UEFI Threat, it cannot do anything to do it, you have to flash the firmware again from Manufacturer website.

ESET explains about them more here: https://help.eset.com/glossary/en-US/rootkits.html

And about other types

just (Author), posted October 26, 2022:

Ok, but I know this. What can they do to me? Can they do what Trojan or other rootkit viruses can do (in short, can they access my data and any place they can access on the computer or on the device we connect them to, can these BIOS viruses?)? Eset can detect them and notify me, right? @Nightowl

Nightowl (Most Valued Members), posted October 26, 2022:

Just now, Yusuf Alp said:
> Ok, but I know this. What can they do to me? Can they do what Trojan or other rootkit viruses can do (in short, can they access my data and any place they can access on the computer or on the device we connect them to, can these BIOS viruses?)? Eset can detect them and notify me, right? @Nightowl

Yes, they can load malware into your PC, no matter how much you format the hard disk, they can come back through the firmware.

And yes, ESET can detect UEFI/BIOS threats and alert you about them.

just (Author), posted October 26, 2022:

When they install malware on my PC, can ESET detect and delete it? Also, can these viruses access my data, anywhere on the computer or connected devices, without installing malware? @Nightowl

Nightowl (Most Valued Members), posted October 26, 2022:

Depending how the Rootkit is developed to do so, some of them will drop malware on operating system load, they will load their driver through the firmware or something like this.

I could be wrong, but someone at ESET or at this forum can be more detailed than me.

Eset will detect it, but cannot remove it.

You will have, for example, if your PC was HP, you will need to go to HP website, download UEFI/BIOS, flash UEFI/BIOS and then the rootkit shall be gone.