Possible? Sure. I know there have been “proof of concept” demonstrations,
and I’m certain it’s happened in the wild as well.
Is it likely?
I don’t believe so. Further, I believe that when faced with a virus
infection you’re probably wasting your time worrying about the BIOS.
I’ll explain why.
(Background: What’s a BIOS?)
The reason that Microsoft Windows has more viruses that any other operating system isn’t so much about its vulnerabilities as it is about it’s success. People will argue which is more of a contributing factor, but there’s no denying that the fact that Windows runs on a gazillion machines is a huge factor.
By writing a single virus that targets Microsoft Windows, a virus writer can potentially infect more computers on the planet than by writing it to target any other system. It’s no secret that virus and malware writers regularly target the greatest potential audience so as to get the greatest number of infections for their malicious intent.
Now, while Windows is relatively standard across PCs, BIOS’s are not.
The BIOS used in a PC built by one manufacturer may be radically different than that from another company. A virus that attempts to target a BIOS vulnerability or to somehow “hide” within a BIOS has to, essentially, be rewritten for or at least be customized and aware of every different BIOS that it might want target.
It’s easier to simply rely on user apathy and target unpatched vulnerabilities in Windows. One virus per vulnerability, and all unpatched machines become malware’s playground.
That’s potentially a lot. A gazillion, even.
So just like Mac or Linux malware, there may be a few BIOS targeting viruses out there, but they’re not even close to being as common as the more standard Windows-based malware.
Now, that’s not to say that there’s zero risk.
As you point out, a virus that manages to embed itself into the BIOS or BIOS’s flash memory has one extremely unique characteristic: it’ll survive even if you completely reformat and erase everything on your hard disk.
However, even that is easily remedied, either by resetting your BIOS to it’s factory image – which most modern motherboards support – or often simply by updating or re-flashing your BIOS.
My take: it’s not something I’d worry about at all just yet. In a rare case where malware appears to have survived a reformatting … well, I’d first look at all the other ways that a machine can get immediately reinfected as you rebuild it from scratch (lack of firewall, infected external hard drives and the like). Only after eliminating those might I think about checking or resetting the BIOS.
It’s just not that common a problem right now.