Mebromi is World's First BIOS Rootkit Running Wild
Security firm Webroot is taking great interest in a new BIOS rootkit discovered by a Chinese company called Qihoo 360. It's called "Mebromi" and it's a particularly nasty piece of code that targets Award BIOSes, but that's not all. It also contains an MBR rootkit, a kernel mode rootkit, a PE file infector, and a Trojan downloader all rolled into one.
Webroot says Mebromi isn't capable of doing harm to 64-bit operating systems, nor can it worm its way into a system if run with limited privileges. And at least for the time being, anyone outside of China needn't worry about Mebromi mucking around their system BIOS.
"The infection is clearly focused on Chinese users, because the dropper is carefully checking if the system it's going to infect is protected by Chinese security software Rising Antivirus and Jiangmin KV Antivirus," Webroot explains. "To gain access to the BIOS, the infection first needs to get loaded in kernel mode so that it can handle with physical memory instead of virtual memory."
Mebromi isn't the first malware to target the BIOS. Back in 1998, a virus called CIH/Chernobyl worked its malicious mojo by exploiting a privilege escalation vulnerability in Windows 9x OSes, ultimately giving it the ability to execute in kernel mode. According to Webroot, Mebromi uses no such privilege escalation trickery and only needs to load its own kernel mode driver to weasel into the BIOS.
Webroot says Mebromi is the first real BIOS rootkit incident discovered in the wild, but that's no reason to panic. BIOS rootkits are difficult to code and require "a level of complexity that is simply unasked for writing a good persistent infection."
Read all the gory details here.
Comments
thetechchild
September 17, 2011 at 1:08am
Very, very powerful. If it was made to be 64-bit compatible and a few privilege escalation exploits added in (by some adventurous hackers), as well as the Chinese AV check being removed, then this could be the next big malware pandemic. It'd be a huge hassle to go through the entire process of cleaning the BIOS, MBR, and OS, all before booting and making sure any storage coming in contact with those are completely cleaned. This would probably be something not many users could go through, and I don't think a more convenient option is available.
L0rDT1On
September 16, 2011 at 4:30pm
So, suppose I get infected by this, how would I go about cleaning the mess? ...or, would swapping motherboards be my only and last resource?
thetechchild
September 17, 2011 at 1:05am
You could probably A) load a read-only (as in hardware-based read-only, via a switch, or one of those write-once-read-many SD cards) storage device with a BIOS flasher on it or B) use a mobo that has built-in dual BIOS chips that check each other for integrity.
After taking care of the BIOS rootkit:
The MBR & kernel mode rootkits are a bit more troublesome, but in theory one could also clean them out given a backup of an earlier hard drive IMAGE (not files, the entire image), along with the PE file infector & Trojan. This would have to be accomplished with a bootable CD from a backup software or a Linux live CD with some built-in backup image readers. If no backup is available, then there'd have to be an AV that could detect and remove Mebromi, and be run from BartPE or some similar environment.
Note that this has to be done directly after cleaning the BIOS, without booting up Windows (I also note that Windows was not mentioned, but I assume it's the OS being targeted), so that the MBR and kernel mode rootkits, perhaps in conjunction with the Trojan, do not reinfect the BIOS. Similarly, do not use a non-read-only drive with PE files for any step in the process, because it may have already been infected or may become infected, thus keeping you from cleaning everything out.
DasHellMutt
September 16, 2011 at 3:29pm
Who else thinks this is likely to be the work of the Chinese government spying on its own people?
thetechchild
September 17, 2011 at 12:56am
Nah. I think the Chinese government has better places to invest their resources, especially considering that the Great Firewall gives them all the spying power they need.
EDIT: But this might just be the beginning of a cyber attack, if you're inclined to think that way.
noobstix
September 16, 2011 at 8:52am
At least this virus gives you something awesome to look at (if that is indeed the image of the result).
Paul_Lilly
September 16, 2011 at 9:19am
Sadly, it's not. That image is a mashup of a BIOS screenie from our "Ultimate BIOS Guide: Every Setting Decrypted and Explained!" article, Lego's crazy-expensive Monster Dino, and a Super Mario fireball.
praack
September 16, 2011 at 9:27am
awww - I would have put together a system using old parts just to get infected to see that screen!
nice mashup!