
Boot Sector and BIOS Viruses Explained

By Sydney Butler / October 27, 2020

A virus is a type of malware that usually either steals or destroys data, but that's not the limit of what virus authors can get their software to do. Most viruses live in the same place as all your other files do.

However, two particularly nasty types of virus target parts of the computer system that are usually very secure. These are boot sector and BIOS viruses. They're both relatively rare, but if your system does get infected by them, it can be especially tricky to get rid of them.


The BIOS in a Nutshell

The BIOS, or Basic Input Output System, is a piece of firmware that lives in non-volatile memory on your motherboard. These are the hardwired software instructions that get your computer up and running and allow the operating system to communicate with the computer's low-level hardware.

Today, most computers use the BIOS's successor, referred to as UEFI or Unified Extensible Firmware Interface. The big difference between these two types of motherboard firmware is that UEFI stores configuration information on your hard drive as a file rather than in the firmware itself. UEFI is much more modern, can support large disk sizes, and offers a graphical interface similar to Windows or Linux.

Viruses that affect the BIOS are very rare, but they do exist. Of course, viruses that were written to affect the legacy BIOS system don't mean all that much now, and for a long time, there were no credible threats to the newer UEFI system. That's all changed with UEFI malware out in the wild.

It seems that most UEFI malware these days comes in the form of ransomware, but that doesn't mean other types couldn't exist. UEFI malware hasn't been around for long, so only time will tell what malware authors come up with.

The Boot Sector Explained


The boot sector is the very first part of your boot hard drive. It contains the instructions for starting up the computer's operating system. The BIOS executes the boot sector's instructions, and it is how the computer pulls itself up by its own "boot" straps. Hence the term "boot"!

A boot sector virus rewrites the boot sector code so that the BIOS also loads the virus into memory, usually before it loads the operating system. This is why boot sector viruses have been tricky to detect in the past. The operating system and any software that's running within that operating system can't access and scan for these viruses, giving the malicious software the run of your PC.

However, various countermeasures have been developed over the years. Even early IBM compatible machines from three decades ago would issue a BIOS-based alarm if any software tried to change or overwrite the boot sector.

These days you may also have the option of "secure boot" with UEFI motherboards, where the boot sector code has to be digitally signed, or the system will refuse to execute it.

Detecting BIOS and Boot Sector Viruses

The main reason these two virus types are such a pain is simply that they can be hard to detect. When it comes to boot sector viruses, the good news is that most good antivirus software packages can now actually scan the boot sector for malicious code. Alternatively, you can boot from an external drive and run antivirus software from there, just to be sure.
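A boot sector check of the kind described above can be approximated by comparing the boot code against a hash recorded while the machine was known to be clean. The following is an added example, not code from the original article: it assumes a legacy MBR disk with the standard 512-byte layout (446 bytes of boot code, four partition entries, a 0x55AA signature), and the sample sectors and function names are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bootstrap code area of a classic MBR boot sector
SIGNATURE = b"\x55\xaa"  # last two bytes of a valid boot sector
ENTRY = struct.Struct("<B3xB3xII")  # status, type, first LBA, sector count

def read_boot_sector(path: str) -> bytes:
    """Read sector 0 from a disk image (or a raw device, given privileges)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)

def parse_boot_sector(sector: bytes) -> dict:
    """Hash the boot code and list the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = ENTRY.unpack_from(sector, BOOT_CODE_LEN + 16 * i)
        if ptype:
            partitions.append({"index": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "signature_ok": sector[510:] == SIGNATURE,
            "partitions": partitions}

def check_against_baseline(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    info = parse_boot_sector(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    return findings

def make_sample_sector(boot_code: bytes) -> bytes:
    """Constructed sample: padded boot code, one active partition, signature."""
    entry = ENTRY.pack(0x80, 0x07, 2048, 204800)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + SIGNATURE

# Constructed inputs: a "known clean" sector and one whose boot code changed.
CLEAN = make_sample_sector(b"constructed known-good loader bytes")
MODIFIED = make_sample_sector(b"constructed altered loader bytes")
BASELINE = parse_boot_sector(CLEAN)["boot_code_sha256"]

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN), ("modified", MODIFIED)):
        print(name, check_against_baseline(sector, BASELINE) or "matches baseline")
```

The comparison is only trustworthy when the sector is read from an image taken while booted from external media, since code that loaded from an infected boot sector may already be resident in memory.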


Detecting a BIOS virus, on the other hand, may not be so simple. Of course, since the majority of extant BIOS viruses now seem to be ransomware, you're bound to notice that the virus comes back immediately after completely wiping your drive. 

If it's a virus with a different payload that's not so blatant, however, you might never realize anything is wrong unless the virus damages your data somehow. Booting from a portable live operating system and still seeing the same behavior or a ransomware message despite having none of your regular drives connected is also a sure sign that your computer has been compromised at a low level.

Removing BIOS and Boot Sector Viruses


When it comes to boot sector viruses, the good news is that removing them should be pretty straightforward. Most good antivirus packages these days can detect a boot sector virus. They may even be able to remove it for you without much effort.

However, these viruses come in a variety of variants, and some might need a dedicated removal tool, one which you might have to run after a cold reboot of the computer from a flash drive to prevent the boot sector code from running in the first place. Why a cold reboot? Because with a hot reboot, the virus might remain resident in RAM. It never hurts to be too careful in cases like these.

BIOS malware is a different kettle of fish altogether. Getting rid of it generally involves reflashing your motherboard firmware. However, you need to do more than just boot up the BIOS update utility in Windows. Creating a read-only bootable disc with BIOS recovery software on it may be the only way. In extreme cases, it may even be better simply to replace the BIOS chip, send it in for replacement and repair, or scrap the motherboard altogether. Professional help is recommended.

Preventing BIOS and Boot Sector Viruses

Of course, it would be best if you simply didn't have to deal with either of these nasty virus types to begin with. The most effective way to do that is the same as for just about any virus type:

Because these viruses can be hard to detect in other ways than by circumstantial evidence of their presence, good computer habits are probably the best option you have.


