Members
  • Total Members: 14197
  • Latest: Levine
Stats
  • Total Posts: 43438
  • Total Topics: 16532
  • Online today: 3056
  • Online ever: 51419
  • (01. January 2010., 10:27:49)
Users Online
Users: 3
Guests: 2934
Total: 2937









Author Topic: Rootkit "Trojan.Mebromi" reflashes the BIOS... (CIH/Chernobyl)  (Read 9289 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7529
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum


Researchers have discovered one of the first pieces of malware ever used in the wild that modifies the software on the motherboard of infected computers to ensure the infection can't be easily eradicated.

Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it attacks to add malicious instructions that are executed early in a computer's boot-up sequence. The instructions, in turn, alter a computer's MBR, or master boot record, another system component that gets executed prior to the loading of the operating system of an infected machine. By corrupting the processes that run immediately after a PC starts, the malware stands a better chance of surviving attempts by antivirus programs to remove it.

In addition to posing a threat to end users, Mebroot could create serious obstacles to antivirus developers in producing products that scrub computers clean of detected threats without harming the underlying system.

"Storing the malicious code inside the BIOS ROM could actually become more than just a problem for security software, giv[en] the fact that even if antivirus detect(s) and clean(s) the MBR infection, it will be restored at the next system startup when the malicious BIOS payload would overwrite the MBR code again," Webroot researcher Marco Giuliani wrote in a blog post published Tuesday. "Developing an antivirus utility able to clean the BIOS code is a challenge, because it needs to be totally error-proof, to avoid rendering the system unbootable at all": http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/

He went on to say the job of ridding malicious instructions added to the BIOS ultimately should be left to the makers of the motherboards that store the startup code. Because the BIOS is stored on a ROM, or read-only-memory chip, modifications have the potential to render a computer largely inoperable.

The discovery represents one of the only times researchers have documented malware used in the wild that modifies the BIOS. In the late 1990s, malware known as CIH/Chernobyl did much the same thing on machines running Windows 9x by exploiting a privilege escalation bug in the Microsoft operating systems. In 2007, proof-of-concept software known as IceLord also reportedly made changes to the BIOS of infected machines, but there are no reports it has ever been used in actual attacks.

Mebromi is able to attack only BIOS ROMs made by Award, a manufacturer that was purchased by Phoenix in the late 1990s. The malware checks the BIOS ROM each time the PC boots up. If it's made by Award and the malicious instructions aren't found, Mebromi adds the code by reflashing the chip on the motherboard. According to Giuliani, it was first documented by the Chinese security company Qihoo 360: http://bbs.360.cn/4005462/251096134.html , and primarily infects computers in that country.

Symantec researchers have more about Mebromi here: http://www.symantec.com/connect/blogs/bios-threat-showing-again

(ElReg)

Samker's Computer Forum - SCforum.info


Fintech

  • SCF VIP Member
  • *****
  • Posts: 367
  • KARMA: 49
  • Gender: Male
Re: Rootkit "Trojan.Mebromi" reflashes the BIOS... (CIH/Chernobyl)
« Reply #1 on: 14. September 2011., 23:05:05 »
Wooah..  :o  this is a really dangerous malware!(RootKit..Trojan) It is difficult to detect and very difficult to remove!  :-\
Even anti-virus did not notice it! Am I right? Phuh! ??? I think I am?

jheysen

  • SCF Global Moderator
  • *****
  • Posts: 879
  • KARMA: 121
  • Gender: Male
Re: Rootkit "Trojan.Mebromi" reflashes the BIOS... (CIH/Chernobyl)
« Reply #2 on: 14. September 2011., 23:51:45 »
Now this is a really dangetous attack :s
Desinfection would be a real risk... dang :S

Samker

  • SCF Administrator
  • *****
  • Posts: 7529
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Rootkit "Trojan.Mebromi" reflashes the BIOS... (CIH/Chernobyl)
« Reply #3 on: 15. September 2011., 07:56:05 »
Quote
"Storing the malicious code inside the BIOS ROM could actually become more than just a problem for security software, given the fact that even if antivirus detect(s) and clean(s) the MBR infection, it will be restored at the next system startup when the malicious BIOS payload would overwrite the MBR code again,"

Here is a real problem...  :-\


hazedaze

  • SCF VIP Member
  • *****
  • Posts: 85
  • KARMA: 19
  • Gender: Male
Re: Rootkit "Trojan.Mebromi" reflashes the BIOS... (CIH/Chernobyl)
« Reply #4 on: 18. September 2011., 14:30:33 »
That is some clever sh!t  :o

Mind you what is'nt clear is if it just flashes a generic AWARD bios or if the payload actually download's a Specific moded BIOS for your specific machine via a comand and control server, If it's the latter then that is some Tech savy coders at work mind you a simple way for AV manufacturers and OS manufacturers of course would be the ability to MASK the BIOS/Motherboard manufacturers from the Windows Enviroment why does windows need to know what system it's running on withing the GUI enviroment this could so easily be done at boot time, this would still ensure the ability for OEM's to get the OS to activate via the SLIC tables e.t.c and by masking this info from the System it should ensure the payload cant work out what System it is trying to infect rendering the Virus inert (Sort of) okay that rules out BIOS flashing from windows but Im sure a simple Signature/Encryption routine used by PC makers in there Bios files would get round this provided they work with Microshaft so there software can perform efectivly a handshake with the system befor flashing takes place???

If they are using a generic AWARD Bios then the infection HEX string it has to be in a BLANK area of the Bios that is not used in any of there boards and I mean ANY or the Virus wold fall over or your System would!

Just a thought.... P,s Microsoft and PC makers If oyu liek my sugestion above you can make the check payable to IMustNotTellLies account No:  xx-xx-xx-xx  ;D ;D

HD

Samker's Computer Forum - SCforum.info

Re: Rootkit "Trojan.Mebromi" reflashes the BIOS... (CIH/Chernobyl)
« Reply #4 on: 18. September 2011., 14:30:33 »

Samker

  • SCF Administrator
  • *****
  • Posts: 7529
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Rootkit "Trojan.Mebromi" reflashes the BIOS... (CIH/Chernobyl)
« Reply #5 on: 18. September 2011., 18:53:15 »

IMO, "DeepSafe" is something for these kind of problems: http://scforum.info/index.php/topic,6904.0.html

What do you think guys??




Just a thought.... P,s Microsoft and PC makers If oyu liek my sugestion above you can make the check payable to IMustNotTellLies account No:  xx-xx-xx-xx  ;D ;D

HD

LOL :up:

Fireberg

  • SCF Advanced Member
  • ***
  • Posts: 176
  • KARMA: 22
Re: Rootkit "Trojan.Mebromi" reflashes the BIOS... (CIH/Chernobyl)
« Reply #6 on: 21. September 2011., 22:44:12 »
it seems a real problem!!

Thanx

Samker's Computer Forum - SCforum.info

Re: Rootkit "Trojan.Mebromi" reflashes the BIOS... (CIH/Chernobyl)
« Reply #6 on: 21. September 2011., 22:44:12 »

 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.codekids.ba:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Kursevi programiranja za ucenike u Sarajevu

Terms of Use | Privacy Policy | Advertising
TinyPortal 2.3.1 © 2005-2023