Security [CENTRAL] Forum - SCforum.info
Author Topic: Rootkit "Trojan.Mebromi" reflashes the BIOS... (CIH/Chernobyl)  (Read 2317 times)
Samker
SCF Administrator
« on: 14. September 2011., 07:55:35 »



Researchers have discovered one of the first pieces of malware ever used in the wild that modifies the software on the motherboard of infected computers to ensure the infection can't be easily eradicated.

Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it attacks to add malicious instructions that are executed early in a computer's boot-up sequence. The instructions, in turn, alter a computer's MBR, or master boot record, another system component that gets executed prior to the loading of the operating system of an infected machine. By corrupting the processes that run immediately after a PC starts, the malware stands a better chance of surviving attempts by antivirus programs to remove it.

In addition to posing a threat to end users, Mebroot could create serious obstacles for antivirus developers in producing products that scrub computers clean of detected threats without harming the underlying system.

"Storing the malicious code inside the BIOS ROM could actually become more than just a problem for security software, giv[en] the fact that even if antivirus detect(s) and clean(s) the MBR infection, it will be restored at the next system startup when the malicious BIOS payload would overwrite the MBR code again," Webroot researcher Marco Giuliani wrote in a blog post published Tuesday. "Developing an antivirus utility able to clean the BIOS code is a challenge, because it needs to be totally error-proof, to avoid rendering the system unbootable at all": http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/

He went on to say the job of ridding malicious instructions added to the BIOS ultimately should be left to the makers of the motherboards that store the startup code. Because the BIOS is stored on a ROM, or read-only-memory chip, modifications have the potential to render a computer largely inoperable.

The discovery represents one of the only times researchers have documented malware used in the wild that modifies the BIOS. In the late 1990s, malware known as CIH/Chernobyl did much the same thing on machines running Windows 9x by exploiting a privilege escalation bug in the Microsoft operating systems. In 2007, proof-of-concept software known as IceLord also reportedly made changes to the BIOS of infected machines, but there are no reports it has ever been used in actual attacks.

Mebromi is able to attack only BIOS ROMs made by Award, a manufacturer that was purchased by Phoenix in the late 1990s. The malware checks the BIOS ROM each time the PC boots up. If it's made by Award and the malicious instructions aren't found, Mebromi adds the code by reflashing the chip on the motherboard. According to Giuliani, it was first documented by the Chinese security company Qihoo 360: http://bbs.360.cn/4005462/251096134.html , and primarily infects computers in that country.

Symantec researchers have more about Mebromi here: http://www.symantec.com/connect/blogs/bios-threat-showing-again

(ElReg)
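The persistence loop the article describes (a pre-OS component rewriting the MBR on every boot, so an antivirus cleanup is undone by the next restart) has a practical consequence for detection: an MBR that keeps reverting after it has been verified clean points to something that runs before the operating system. The following Python script is an added example and is not part of the post or of any vendor's tool; the MBR contents and the helper names (`parse_mbr`, `classify_reboot_cycle`, `make_mbr`) are constructed for the demonstration.

```python
"""Spot an MBR that reverts after cleaning, the symptom described in the post.

Added example: the sectors below are constructed, not captured from a real disk.
"""
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"
# struct layout of one 16-byte partition entry: status, CHS start (3 bytes, skipped),
# type, CHS end (3 bytes, skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, the partition table and the signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, 446 + i * 16)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def classify_reboot_cycle(baseline: bytes, after_clean: bytes, after_reboot: bytes) -> str:
    """Compare boot code across a clean -> reboot cycle.

    baseline:     sector from a known-good state (or the vendor's reference boot code)
    after_clean:  sector read right after the antivirus rewrote the MBR
    after_reboot: sector read on the next boot
    """
    b, c, r = (parse_mbr(s)["boot_code_sha256"] for s in (baseline, after_clean, after_reboot))
    if c != b:
        return "clean-failed"             # the cleanup never restored the reference boot code
    if r == b:
        return "stable"                   # cleanup survived a reboot: nothing pre-OS rewrote it
    return "reverted-after-reboot"        # something that runs before the OS put the hook back


def make_mbr(boot_code: bytes, partitions=((0x80, 0x83, 2048, 204800),)) -> bytes:
    """Build a constructed 512-byte MBR for the demo (not a real disk image)."""
    sector = bytearray(SECTOR)
    code = boot_code[:446]
    sector[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, 446 + i * 16, status, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"   # constructed stand-in for vendor boot code
HOOKED_BOOT_CODE = b"\xeb\x3c\x90" + b"HOOK"             # constructed stand-in for injected boot code


def demo() -> dict:
    """Three capture sequences and the verdict each one produces."""
    good = make_mbr(CLEAN_BOOT_CODE)
    hooked = make_mbr(HOOKED_BOOT_CODE)
    return {
        "av_fix_holds": classify_reboot_cycle(good, good, good),
        "firmware_rewrites_it": classify_reboot_cycle(good, good, hooked),
        "cleanup_failed": classify_reboot_cycle(good, hooked, hooked),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

On a real machine the three sectors would be read from the raw boot device (its first 512 bytes) before cleanup, after cleanup and after a reboot. A `reverted-after-reboot` verdict is the cue to compare the firmware image against the vendor's release rather than to keep rewriting the MBR, which is exactly the futile cycle the article warns about.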
Fintech
SCF Advanced Member
« Reply #1 on: 14. September 2011., 22:05:05 »

Wooah.. this is a really dangerous malware! (Rootkit..Trojan) It is difficult to detect and very difficult to remove!
Even anti-virus did not notice it! Am I right? Phuh! Huh? I think I am?
jheysen
SCF Moderator
« Reply #2 on: 14. September 2011., 22:51:45 »

Now this is a really dangerous attack :s
Disinfection would be a real risk... dang :S
Samker
SCF Administrator
« Reply #3 on: 15. September 2011., 06:56:05 »

Quote
"Storing the malicious code inside the BIOS ROM could actually become more than just a problem for security software, given the fact that even if antivirus detect(s) and clean(s) the MBR infection, it will be restored at the next system startup when the malicious BIOS payload would overwrite the MBR code again,"

Here is a real problem...

hazedaze
SCF VIP Member
« Reply #4 on: 18. September 2011., 13:30:33 »

That is some clever sh!t

Mind you, what isn't clear is if it just flashes a generic AWARD BIOS or if the payload actually downloads a specific modded BIOS for your specific machine via a command and control server. If it's the latter, then that is some tech-savvy coders at work. Mind you, a simple way for AV manufacturers and OS manufacturers, of course, would be the ability to MASK the BIOS/motherboard manufacturers from the Windows environment. Why does Windows need to know what system it's running on within the GUI environment? This could so easily be done at boot time. This would still ensure the ability for OEMs to get the OS to activate via the SLIC tables etc., and by masking this info from the system it should ensure the payload can't work out what system it is trying to infect, rendering the virus inert (sort of). Okay, that rules out BIOS flashing from Windows, but I'm sure a simple signature/encryption routine used by PC makers in their BIOS files would get round this, provided they work with Microshaft so their software can perform effectively a handshake with the system before flashing takes place???

If they are using a generic AWARD BIOS then the infection HEX string has to be in a BLANK area of the BIOS that is not used in any of their boards, and I mean ANY, or the virus would fall over or your system would!

Just a thought.... P.S. Microsoft and PC makers, if you like my suggestion above you can make the check payable to IMustNotTellLies account No: xx-xx-xx-xx

HD
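The "handshake before flashing" idea in the post above, as an added example that is not from the post or from any PC maker's tooling: a flash tool refuses to write an image unless a vendor-authenticated manifest matches the image hash, the board the image was built for, and a version no older than the one currently running. HMAC with a constructed key stands in for the vendor's digital signature so the script runs with only the Python standard library; the board identifiers and the helper names (`sign_image`, `authorize_flash`) are assumptions made for the demonstration.

```python
"""Gate a firmware flash on an authenticated manifest (added example, constructed data)."""
import hashlib
import hmac
import json
from typing import Tuple

# Constructed demo key. A production scheme would use a vendor public key baked into
# the flash tool or firmware and a real digital signature (RSA/ECDSA); HMAC is used
# here only so the example runs with the standard library.
VENDOR_KEY = b"constructed-demo-vendor-key"


def _manifest_bytes(manifest: dict) -> bytes:
    """Canonical encoding so signer and verifier authenticate exactly the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_image(image: bytes, board_id: str, version: int, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: bind the image to a board model and version, then authenticate the manifest."""
    manifest = {"board_id": board_id, "version": version,
                "sha256": hashlib.sha256(image).hexdigest()}
    tag = hmac.new(key, _manifest_bytes(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag}


def authorize_flash(image: bytes, signed: dict, running_board_id: str,
                    running_version: int, key: bytes = VENDOR_KEY) -> Tuple[bool, str]:
    """Flash-tool side: allow the write only if every check passes; return (allowed, reason).

    The tag is checked first so that a tampered manifest is rejected before any of its
    fields are trusted.
    """
    expected = hmac.new(key, _manifest_bytes(signed["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        return False, "manifest tag invalid (tampered or unsigned)"
    m = signed["manifest"]
    if hashlib.sha256(image).hexdigest() != m["sha256"]:
        return False, "image hash does not match manifest"
    if m["board_id"] != running_board_id:
        return False, "image built for a different board"
    if m["version"] < running_version:
        return False, "downgrade refused"
    return True, "ok"


def demo() -> dict:
    """Genuine image plus four rejected variants, all constructed."""
    image = b"\x00" * 64 + b"constructed firmware body"
    board = "DEMO-BOARD-1"                       # assumed board identifier
    signed = sign_image(image, board, version=12)
    tampered = image[:-1] + b"!"                 # one byte changed after signing
    forged = {"manifest": dict(signed["manifest"], version=99), "tag": signed["tag"]}
    return {
        "genuine": authorize_flash(image, signed, board, 11)[0],
        "tampered_image": authorize_flash(tampered, signed, board, 11)[0],
        "wrong_board": authorize_flash(image, signed, "OTHER-BOARD", 11)[0],
        "downgrade": authorize_flash(image, signed, board, 13)[0],
        "forged_manifest": authorize_flash(image, forged, board, 11)[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'flash' if allowed else 'refused'}")
```

The point of binding the board identifier and version into the authenticated manifest is that a generic image, or an older vulnerable one, is refused even when its bytes are intact; masking the board model from the OS, as the post suggests, would not be needed if the flash path itself enforces this check.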
Samker
SCF Administrator
« Reply #5 on: 18. September 2011., 17:53:15 »


IMO, "DeepSafe" is something for these kind of problems: http://scforum.info/index.php/topic,6904.0.html

What do you think, guys?

Quote
Just a thought.... P.S. Microsoft and PC makers, if you like my suggestion above you can make the check payable to IMustNotTellLies account No: xx-xx-xx-xx

HD

LOL Karma Up
Fireberg
SCF Advanced Member
« Reply #6 on: 21. September 2011., 21:44:12 »

It seems a real problem!

Thanx