Mebromi, a bios-flashing trojan

Discussion in 'malware problems & news' started by Hungry Man, Sep 8, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    These are so few and far between it seems worth mentioning.

    http://blogs.norman.com/2011/malware-detection-team/mebromi-a-bios-flashing-trojan
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Yeah rare indeed, & someone was just asking about such a thing the other day in here !

    Thanks for posting :thumb:
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Nice. So we need to hunt for a smple of it now!!
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Damn, that is dangerous.
     
  5. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Indeed. :ouch:
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Nah, 64bit users have KPP to prevent this.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Either way it can't just go straight for the BIOS. If the files it uses were blacklisted by your AV you'd be fine. And there's plenty of ways to protect outside of blacklisting, as everyone knows.

    Removal would be to reflash your BIOS.
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I meant when infected, but good points.
     
  9. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    I had that Win98 virus they mentioned in the article. It was fun fixing it LOL :D
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
  11. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    187
    Let's assume all other protections fail. Does password-protecting the BIOS defeat this threat?
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    IDK. I doubt it, you odn't need a password to flash your BIOS just Admin access.

    I have mine password protected though.
     
  13. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    motherboard makers just need to implement a bios 'write' switch similar to some USB's and job done :thumb:
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    There's a million ways to mitigate this. The deeper a virus wants to implant itself the more specific it has to be, the more complex it has to be, and the more rights it needs to have.
     
  15. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,075
    Return of the BIOS trojans

    Even survives a hard drive swap if it is an Award BIOS.

    Article
     
  16. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    BIOS Trojan Chinese AV vendor 360 has discovered a virus in the wild that makes its home in a computer's BIOS, where it remains hidden from conventional virus scanners. The contaminant, called Mebromi, first checks to see whether the victim's computer uses an Award BIOS. If so, it uses the CBROM command-line tool to hook its extension into the BIOS. The next time the system boots, the BIOS extension adds additional code to the hard drive's master boot record (MBR) in order to infect the winlogon.exe / winnt.exe processes on Windows XP and 2003 / Windows 2000 before Windows boots.

    The next time Windows launches, the malicious code downloads a rootkit to prevent the drive's MBR from being cleaned by a virus scanner. But even if the drive is cleaned, the whole infection routine is repeated the next time the BIOS module is booted. Mebromi can also survive a change of hard drive. If the computer doesn't use an Award BIOS, the contaminant simply infects the MBR.

    The idea of hooking a malicious routine into the BIOS is not new and offers attackers the advantage of keeping hidden from the virus scanner. In 1999, the CIH virus attempted to manipulate its victim's BIOS, but it had only destructive effects: the BIOS was overwritten, and the computer would no longer boot. In 2009, security researchers presented a scenario in which a rootkit was anchored in the BIOS. But so far, no BIOS contaminant has managed to become widespread, possibly because there are simply too many different motherboards – and therefore too many different ways of flashing the BIOS.


    http://dereferer.ws/?http://www.h-on...s-1341421.html
     
  17. Repne movsb

    Repne movsb Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    13
    http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/
     
  18. BIOS rootkit found in the wild

    I was hoping this would never happen but;


    http://www.net-security.org/malware_news.php?id=1837
     
  19. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,956
    Location:
    U.S.A.
    Merged Threads to Continue Same Topic!
     
  20. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Can an infector be traced to PC-zero (patient-zero)?

    I believe there is a write block switch, but it is within the BIOS, a part of the code to disable further flashing attempts though. Other BIOS malware papers have discussed it.

    Ways to tell if you are infected:
    Clean the MBR and you get reinfected on next boot I guess.

    What rootkit or techniques is it using?
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
Loading...
Thread Status:
Not open for further replies.