25-09-2011, 05:14 PM
BIOS rootkits making a come back?
A new BIOS rootkit that goes by the name Mebromi was detected by a Chinese security company while actively targeting users in the wild.
Apparently, the malicious package contains a BIOS rootkit, an MBR rootkit, a kernel-mode rootkit, a PE file infector and a Trojan downloader.
Because it targets the BIOS, the infection is harder to detect and eradicate, and it persists even if the hard drive is wiped or physically replaced.
When it is first downloaded, it checks which BIOS is in use; if it is an Award BIOS, it dumps a copy of the BIOS and then adds an ISA ROM that rewrites the MBR at each boot. From there, it infects the winlogon.exe process (Windows XP/2003) or the winnt.exe process (Windows 2000), which is used to download a Trojan.
Mebromi is currently targeting Chinese users, as is obvious from the security software it tries to find and block. And even if the victim's computer isn't using an Award BIOS, the threat isn't thwarted - it simply skips the first step and goes directly for the MBR.
Mebromi only targets the Award BIOS ROM because it has been modeled after the IceLord rootkit - a PoC that was made public in 2007 and did the same thing.
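The post describes the infection adding an ISA option ROM to the BIOS image. One check a responder can run on a dumped image is to enumerate the option ROMs it contains and compare that list with a clean vendor image or an earlier dump. The following is an added example, not code from the original post or from any analysis of Mebromi: it walks an image on 512-byte boundaries looking for the legacy expansion-ROM header (bytes 0x55 0xAA, length in 512-byte blocks at offset 2, whole ROM summing to zero mod 256) and reports each hit with its checksum state. The image it scans is constructed in memory for illustration; the offsets, the NOP filler and the deliberately corrupted third ROM are all assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example: enumerate legacy option ROMs in a BIOS image.
 * An ISA/PCI expansion ROM begins with 0x55 0xAA, byte 2 holds the ROM
 * length in 512-byte blocks, and all bytes of the ROM sum to 0 mod 256.
 * Diffing this list against a known-good image exposes a module that was
 * added later. The image built below is constructed, not a real dump.
 */

#define ROM_BLOCK 512
#define IMG_LEN   4096
#define MAX_HITS  8

struct rom_hit {
    size_t offset;      /* position of the 0x55AA header in the image */
    size_t length;      /* declared length in bytes */
    int    checksum_ok; /* 1 if the ROM sums to 0 mod 256, else 0 */
};

/* Scan for headers on 512-byte boundaries; returns the number of hits stored. */
size_t scan_option_roms(const uint8_t *img, size_t len, struct rom_hit *out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off + 3 <= len && n < max; off += ROM_BLOCK) {
        if (img[off] != 0x55 || img[off + 1] != 0xAA)
            continue;
        size_t rom_len = (size_t)img[off + 2] * ROM_BLOCK;
        if (rom_len == 0 || off + rom_len > len)
            continue; /* zero length or runs past the image: not a usable ROM */
        uint8_t sum = 0;
        for (size_t i = 0; i < rom_len; i++)
            sum += img[off + i];
        out[n].offset = off;
        out[n].length = rom_len;
        out[n].checksum_ok = (sum == 0);
        n++;
    }
    return n;
}

/* Write a header at img+off and set the last byte so the ROM sums to zero. */
static void place_rom(uint8_t *img, size_t off, uint8_t blocks)
{
    size_t len = (size_t)blocks * ROM_BLOCK;
    memset(img + off, 0x90, len);   /* filler body (x86 NOPs), an assumption */
    img[off]     = 0x55;
    img[off + 1] = 0xAA;
    img[off + 2] = blocks;
    uint8_t sum = 0;
    for (size_t i = 0; i < len - 1; i++)
        sum += img[off + i];
    img[off + len - 1] = (uint8_t)(0u - sum);
}

/* Constructed sample: two well-formed ROMs, one corrupted ROM, one decoy. */
void build_sample_image(uint8_t *img)
{
    memset(img, 0x00, IMG_LEN);
    place_rom(img, 0, 1);        /* "vendor" ROM, 512 bytes */
    img[1024] = 0x55;            /* decoy: signature with zero length, skipped */
    img[1025] = 0xAA;
    place_rom(img, 2048, 1);     /* ROM added later, 512 bytes */
    place_rom(img, 3072, 2);     /* 1024-byte ROM ... */
    img[3072 + 10] ^= 0xFF;      /* ... with one byte flipped so its checksum fails */
}

static struct rom_hit g_hits[MAX_HITS];

/* Build the sample image, scan it, and keep the hits for inspection. */
size_t run_sample(void)
{
    uint8_t img[IMG_LEN];
    build_sample_image(img);
    return scan_option_roms(img, IMG_LEN, g_hits, MAX_HITS);
}

long sample_offset(size_t i)      { return (long)g_hits[i].offset; }
long sample_length(size_t i)      { return (long)g_hits[i].length; }
int  sample_checksum_ok(size_t i) { return g_hits[i].checksum_ok; }

int main(void)
{
    size_t n = run_sample();
    for (size_t i = 0; i < n; i++)
        printf("option ROM at 0x%05zx, %zu bytes, checksum %s\n",
               g_hits[i].offset, g_hits[i].length,
               g_hits[i].checksum_ok ? "ok" : "BAD");
    return 0;
}
```

Two caveats when applying this to a real dump: Award images store most modules compressed, so the scan belongs on the extracted modules rather than the raw flash contents, and a passing checksum says nothing about intent, since a tool that inserts a ROM will compute a valid checksum for it. The useful signal is a ROM that is present in the suspect image and absent from the vendor's.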