+Andrew Daviel +Dragos Ruiu
Well, I think the BIOS itself is the wrong place to look, as manipulating the BIOS in such a way that it still does what it is supposed to do, getting your own code inside and fitting all of that into the flash - well, maybe possible, as usually there is space left to do that.
As mentioned in another comment, the much easier way to get code into the pipeline at system initialisation would be the use of extension BIOS images within hardware attached to the bus systems.
What happens at system initialisation?
The BIOS wakes up and initialises the core system, then it scans the bus (certain ROM->RAM memory locations) for extension BIOS images. Usually this is used for custom code to initialise hardware like graphics cards or network interfaces with special functionality. The BIOS checks within the extension BIOS header for the hardware IDs and a checksum and length of the image. If those match, the code gets control. After it is finished, it returns to the BIOS.
So building a valid extension BIOS image and dropping it onto an EEPROM/flash of, say, the network card - which may have one but usually doesn't use it - is easy, and you don't even have to touch a bit within the BIOS image to get that up and running - straightforward.
So it would be quite interesting to have a look at those locations too, or in the first place. As it looks right now, this gets ignored easily... and is therefore missed.
In 2000 we used that within an Intel EEPro 100 network interface card, which provided 64k of space for your own code (by packing the code this could most probably scale up to 128k or more of space for the image).
Second note: it is also possible to have more than one such image within one flash, to get called by the BIOS during system startup. For that you set a pointer to the next image within the header of the first one, fix the checksum and are done (yes, you have to push that back onto the chip, but that is a solved problem; look at today's special GFX BIOS updates that just run while you're on Windows -> that also shows possible infection paths). Next boot and you're done.
TCP/IP stacks are available with reduced functionality within a few kbytes, so that easily fits on, with still quite some space left for other functionality.
So I'm keen to see those extension BIOS images dumped and analyzed from the affected systems - are they clean? Is there fancy code hidden?
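An added example, not code from the comment above or from anyone in this thread: a small C tool that builds legacy x86 PCI option ROM ("extension BIOS") images with a correct checksum, then parses a flash dump the way the BIOS expansion-ROM scan does, checking the 55AA signature, the length, the PCIR vendor/device IDs and the checksum, and following a chain of several images in one flash. Chaining here uses the image-length field and the last-image bit of the PCI data structure; the header offsets are those of the PCI firmware specification. The vendor/device IDs, image sizes and the 64 KB flash are constructed for illustration, and the entry point is a single `retf` so the image does nothing if executed.

```c
/* Added example, not from the original comment: build and validate PCI
 * option-ROM (expansion BIOS) images in the legacy x86 format and walk a
 * chain of images the way the BIOS expansion-ROM scan does. Device IDs
 * and image sizes are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROM_BLOCK 512          /* header and PCIR lengths count 512-byte units */
#define PCIR_OFF  0x1C         /* where we place the PCI Data Structure */

struct rom_image {
    size_t   offset, runtime_len, image_len;
    uint16_t vendor, device;
    uint8_t  code_type;        /* 0 = x86 BIOS, 3 = EFI */
    int      last, checksum_ok;
};

/* Write one image of blocks*512 bytes at buf and fix its checksum. */
size_t build_image(uint8_t *buf, unsigned blocks, uint16_t vendor,
                   uint16_t device, int last)
{
    size_t len = (size_t)blocks * ROM_BLOCK;
    memset(buf, 0, len);
    buf[0] = 0x55; buf[1] = 0xAA;              /* ROM signature */
    buf[2] = (uint8_t)blocks;                  /* runtime size in 512-byte units */
    buf[3] = 0xCB;                             /* entry point: 'retf', returns at once */
    buf[0x18] = PCIR_OFF & 0xFF; buf[0x19] = PCIR_OFF >> 8;   /* pointer to PCIR */
    uint8_t *p = buf + PCIR_OFF;
    memcpy(p, "PCIR", 4);
    p[4] = vendor & 0xFF; p[5] = vendor >> 8;
    p[6] = device & 0xFF; p[7] = device >> 8;
    p[0xA] = 0x18;                             /* PCIR structure length */
    p[0x10] = (uint8_t)blocks;                 /* image length, used for chaining */
    p[0x14] = 0x00;                            /* code type: x86 BIOS */
    p[0x15] = last ? 0x80 : 0x00;              /* bit 7: last image in this ROM */
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum += buf[i];
    buf[len - 1] = (uint8_t)(0x100 - sum);     /* all bytes must sum to 0 mod 256 */
    return len;
}

/* Parse and check the image at rom+off. Returns 0 if no valid header is there. */
int parse_image(const uint8_t *rom, size_t rom_len, size_t off, struct rom_image *out)
{
    if (off + 0x1A > rom_len || rom[off] != 0x55 || rom[off + 1] != 0xAA) return 0;
    size_t len = (size_t)rom[off + 2] * ROM_BLOCK;
    if (len == 0 || off + len > rom_len) return 0;
    size_t pcir = rom[off + 0x18] | (rom[off + 0x19] << 8);
    if (pcir + 0x18 > len || memcmp(rom + off + pcir, "PCIR", 4) != 0) return 0;
    const uint8_t *p = rom + off + pcir;
    out->offset = off; out->runtime_len = len;
    out->image_len = (size_t)(p[0x10] | (p[0x11] << 8)) * ROM_BLOCK;
    out->vendor = p[4] | (p[5] << 8);
    out->device = p[6] | (p[7] << 8);
    out->code_type = p[0x14];
    out->last = (p[0x15] & 0x80) != 0;
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum += rom[off + i];
    out->checksum_ok = (sum == 0);             /* a patched byte breaks this */
    return 1;
}

/* Walk the image chain from offset 0 like the BIOS does. Returns images found. */
int walk_rom(const uint8_t *rom, size_t rom_len, struct rom_image *out, int max)
{
    int n = 0;
    size_t off = 0;
    while (n < max && parse_image(rom, rom_len, off, &out[n])) {
        n++;
        if (out[n - 1].last || out[n - 1].image_len == 0) break;
        off += out[n - 1].image_len;
    }
    return n;
}

/* Constructed 64 KB flash holding two chained images, as the comment describes. */
int demo_chain(struct rom_image *imgs, int max)
{
    static uint8_t flash[65536];
    memset(flash, 0xFF, sizeof flash);                      /* erased flash reads 0xFF */
    size_t n = build_image(flash, 2, 0x8086, 0x1229, 0);    /* first image, not last */
    build_image(flash + n, 4, 0x8086, 0x1229, 1);           /* appended second image */
    return walk_rom(flash, sizeof flash, imgs, max);
}

/* 1 if the chain yields two valid images with the second at 1024 and marked last. */
int demo_chain_ok(void)
{
    struct rom_image imgs[4];
    int n = demo_chain(imgs, 4);
    return n == 2 && imgs[0].checksum_ok && imgs[1].checksum_ok &&
           imgs[1].offset == 1024 && imgs[1].last && !imgs[0].last;
}

/* Patch one byte of a finished image: header still parses, checksum no longer matches. */
int demo_tamper(void)
{
    uint8_t img[1024];
    struct rom_image info;
    build_image(img, 2, 0x1234, 0x5678, 1);
    img[0x100] ^= 0x90;
    return parse_image(img, sizeof img, 0, &info) && !info.checksum_ok;
}

int main(void)
{
    struct rom_image imgs[4];
    int n = demo_chain(imgs, 4);
    for (int i = 0; i < n; i++)
        printf("image %d @0x%zx len %zu vid %04x did %04x type %u last %d checksum %s\n",
               i, imgs[i].offset, imgs[i].runtime_len, imgs[i].vendor, imgs[i].device,
               imgs[i].code_type, imgs[i].last, imgs[i].checksum_ok ? "ok" : "BAD");
    printf("tampered image detected: %d\n", demo_tamper());
    return 0;
}
```

To use it on a real dump, read the expansion ROM contents (for example from the PCI device's `rom` sysfs file on Linux) into a buffer and hand it to `walk_rom`; any image whose checksum fails, whose device IDs do not match the card, or that appears after the vendor's own image as an unexpected extra entry in the chain is the kind of thing the comment suggests looking for.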