Mebromi is World's First BIOS Rootkit Running Wild

10 Comments
thetechchild

Very, very powerful. If it was made to be 64-bit compatible and a few privilege escalation exploits added in (by some adventurous hackers), as well as the Chinese AV check being removed, then this could be the next big malware pandemic. It'd be a huge hassle to go through the entire process of cleaning the BIOS, MBR, and OS, all before booting and making sure any storage coming in contact with those are completely cleaned. This would probably be something not many users could go through, and I don't think a more convenient option is available.

L0rDT1On

So, suppose I get infected by this, how would I go about cleaning the mess? ...or, would swapping motherboards be my only and last resource?

thetechchild

You could probably A) load a read-only (as in hardware-based read-only, via a switch, or one of those write-once-read-many SD cards) storage device with a BIOS flasher on it or B) use a mobo that has built-in dual BIOS chips that check each other for integrity.

After taking care of the BIOS rootkit:

The MBR & kernel mode rootkits are a bit more troublesome, but in theory one could also clean them out given a backup of an earlier hard drive IMAGE (not files, the entire image), along with the PE file infector & Trojan. This would have to be accomplished with a bootable CD from a backup software or a Linux live CD with some built-in backup image readers. If no backup is available, then there'd have to be an AV that could detect and remove Mebromi, and be run from BartPE or some similar environment.

Note that this has to be done directly after cleaning the BIOS, without booting up Windows (I also note that Windows was not mentioned, but I assume it's the OS being targeted), so that the MBR and kernel mode rootkits, perhaps in conjunction with the Trojan, do not reinfect the BIOS. Similarly, do not use a non-read-only drive with PE files for any step in the process, because it may have already been infected or may become infected, thus keeping you from cleaning everything out.
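One way to do the "check the disk before booting Windows again" step described above, as an added example that is not part of the commenter's post or the article: a POSIX shell check, meant to run from a live CD, that compares a captured MBR sector dump against a known-good reference. It treats the boot code and the partition table separately, because an MBR rootkit typically rewrites the boot code while leaving the partition table intact. The file names and the way the dumps were taken are assumptions.

```shell
#!/bin/sh
# Compare a captured 512-byte MBR against a known-good reference sector.
# Assumption (constructed example): both files are raw sector dumps, e.g.
#   dd if=/dev/sda bs=512 count=1 of=captured.bin   (run from a live CD)
# Layout checked: bytes 0-439 boot code, 446-509 partition table, 510-511 0x55AA.

# Print the sha256 of a byte range: $1=file $2=offset $3=length
region_hash() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Exit status: 0 boot code matches reference, 1 boot code differs,
# 2 no valid MBR signature (not a bootable sector at all).
# A differing partition table is only reported, since it can change legitimately.
check_mbr() {  # $1=captured dump $2=reference dump
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] || return 2
    [ "$(region_hash "$1" 0 440)" = "$(region_hash "$2" 0 440)" ] || return 1
    if [ "$(region_hash "$1" 446 64)" != "$(region_hash "$2" 446 64)" ]; then
        echo "note: partition table differs from reference (may be legitimate)" >&2
    fi
    return 0
}

# Usage from the live CD: sh check_mbr.sh captured.bin reference.bin
if [ "$#" -eq 2 ]; then
    rc=0; check_mbr "$1" "$2" || rc=$?
    case $rc in
        0) echo "boot code matches reference" ;;
        1) echo "BOOT CODE MODIFIED: do not boot this disk, restore it from the image first" ;;
        2) echo "no valid MBR signature in captured sector" ;;
    esac
    exit $rc
fi
```

The reference sector should come from a backup image taken before the infection, or from a freshly written MBR on a known-clean disk, never from the suspect machine itself.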

L0rDT1On

Crazy and wild stuff, thanks, I had no idea! :)

DasHellMutt

Who else thinks this is likely the work of the Chinese government spying on its own people?

thetechchild

Nah. I think the Chinese government has better places to invest their resources, especially considering that the Great Firewall gives them all the spying power they need.

EDIT: But this might just be the beginning of a cyber attack, if you're inclined to think that way.

noobstix

At least this virus gives you something awesome to look at (if that is indeed the image of the result).

Paul_Lilly

Sadly, it's not. That image is a mashup of a BIOS screenie from our "Ultimate BIOS Guide: Every Setting Decrypted and Explained!" article, Lego's crazy-expensive Monster Dino, and a Super Mario fireball.

praack

awww - I would have put together a system using old parts just to get infected to see that screen!

nice mashup!

iceman08

d'awww, it's a dragonrex!
