Is flashing the BIOS and reformatting the machine sufficient to remove any virus that we know of currently? Or are there other hidden components that need to be cleared?
The NSA have been using hard drive firmware exploits for years. Such an attack could hide malware that also survives a format[0] (which is why I brought up a drive replacement in my previous post). I wouldn't be surprised if the same can't be done with SSD firmware too (we have already seen people do "bad things" with USB memory sticks [1]).
Also, if a full BIOS flash has been performed you might be SOL, as after a power cycle the modified BIOS is now the first thing loaded by your system (or it might be the VBIOS, it's been a while), which could prevent future flashing of the BIOS or fake the flashing process but not actually flash anything. If you have a board that can recovery flash you might be able to recover, but how do you trust the system afterwards?
As the BIOS is usually stored on an SPI flash, you could use an external programmer to dump the content of the flash and do a diff on the firmware file.
You have to think about who your attacker is. Are the kiddies going to go to such lengths to stay persistent on a consumer's laptop they use as a Facebook machine? Prob not. But is it outside the scope of a determined attacker (or nation state) who managed to get a first stage attack malware inside a large company? IMO it would depend on how valuable they determine access to your network / data is.
EDIT: I've not spoken about VBIOS infections, as the GPU vendors on at least modern cards have been really locking down their GPUs, and as far as I've seen, I've yet to see any credible claims of attacks on GPUs in the wild (they could be out there, I've just not come across any). But such an attack would be scary as hell (imo), as it's a black box that has DMA access to the CPU (think like the Mac Thunderbolt attacks of old) and other devices on the PCI-e bus. It's one of the places I would be spending my time researching.
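The "dump the SPI flash and diff it" check described above, as an added example that is not from this thread: it compares a raw flash dump (e.g. one read with an external programmer) against a known-good vendor image block by block and maps each differing block to a flash region. The region table is a constructed placeholder; a real board's layout comes from its flash descriptor, and regions such as the UEFI variable store legitimately change between boots, so findings there need interpretation rather than alarm.

```python
"""Compare an SPI flash dump against a known-good firmware image, block by block."""
from typing import List, Tuple

BLOCK = 4096  # assumed erase-block size; differences are reported at this granularity

# Constructed, simplified flash layout (offsets are made up for this example).
# On a real board, read the layout from the flash descriptor at the start of the dump.
REGIONS = [
    (0x00000, 0x01000, "descriptor"),
    (0x01000, 0x08000, "ME"),
    (0x08000, 0x10000, "BIOS"),
]


def region_of(offset: int) -> str:
    """Name the flash region an offset falls in, per the constructed table above."""
    for start, end, name in REGIONS:
        if start <= offset < end:
            return name
    return "unknown"


def diff_flash_images(dump: bytes, reference: bytes, block: int = BLOCK) -> List[Tuple[int, str]]:
    """Return (offset, region) for every block whose bytes differ from the reference.

    A size mismatch is treated as a finding in its own right rather than silently
    compared up to the shorter length: a padded or truncated image is suspicious.
    """
    if len(dump) != len(reference):
        raise ValueError(f"size mismatch: dump={len(dump)} bytes, reference={len(reference)} bytes")
    findings = []
    for off in range(0, len(dump), block):
        if dump[off:off + block] != reference[off:off + block]:
            findings.append((off, region_of(off)))
    return findings


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed 64 KiB images: deterministic filler as the reference, and a copy
    with 16 bytes patched inside the BIOS region to stand in for a modified dump."""
    reference = bytes((i * 31) & 0xFF for i in range(0x10000))
    patched = bytearray(reference)
    patched[0x9000:0x9010] = b"\x90" * 16  # constructed modification, not real malware
    return bytes(patched), reference


if __name__ == "__main__":
    dump, ref = build_sample()
    for off, region in diff_flash_images(dump, ref):
        print(f"block at 0x{off:05X} differs (region: {region})")
```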
(at least on Intel, I've not looked into it on AMD's side)
Intel ME can be neutered. On newer gens doing so can be as simple as setting a single flag. On older systems you can rip so much of it out that all it can do is bring up the CPU.
I would say you can still be concerned by Intel ME (as it has been shown to be exploitable) but still purchase Intel/AMD. I mean, who else are you going to purchase from if you want an affordable x86 system?
ARM is getting more mainstream (in the laptop/desktop/server world) and we now have fairly decently powerful desktop/laptop ARM-powered machines we could actually dev on, but the ARM world is still filled with binary blobs needed to get the CPU started.
Power9 has a ton of open source but the CPUs are not. RISC-V is promising but still pricey as hell atm.
Just saying, you can be worried about ME but in a place where you are stuck with it.
Hard drive firmware has been reverse-engineered, is often ARM-based and is flashable. In principle it can be used for similar payload delivery as lo-jack.
Any PCIe device that has flashable firmware could also be used to perform DMA attacks on systems that don't use the IOMMU for memory isolation.
[0] https://www.theregister.co.uk/2015/02/17/kaspersky_labs_equa...
[1] https://www.youtube.com/watch?v=nuruzFqMgIw