Members
  • Total Members: 12813
  • Latest: Rono
Stats
  • Total Posts: 28517
  • Total Topics: 8240
  • Online Today: 867
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)












Author Topic: ‘Bioskits’ Join Ranks of Stealth Malware  (Read 1420 times)

0 Members and 1 Guest are viewing this topic.

Pez

  • SCF VIP Member
  • *****
  • Posts: 723
  • KARMA: 116
  • Gender: Male
  • Pez
‘Bioskits’ Join Ranks of Stealth Malware
« on: 08. June 2012., 09:20:28 »

‘Bioskits’ Join Ranks of Stealth Malware

We have seen many discussions of the MyBios “Bioskit” discovered at the end of 2011. MyBios was the first malware to successfully infect the Award BIOS and survive the reboot. It was first discovered by a Chinese security company; many other security vendors published detailed analyses after that.

We have seen a lot of samples targeting the master boot record (MBR) to survive a reboot and reinfect a system. We found a sample in our collection that infected the MBR. Further investigation showed that the next variant of the malware was a Bioskit. The first variant of the malware was an executable that infected the MBR; the second was a DLL with the Bioskit component. We will discuss the second variant in this blog.

DLL Analysis

The malware’s main dropper is a DLL that is responsible for the MBR infection. It reads the original MBR from Sector 0 and writes it to Sector 15.


Larger picture

MyBios code writes the malicious MBR.

The malware overwrites the original MBR in sector 0 and writes the file to be dropped (the downloader) in hidden sectors. The DLL copies itself to the Recycle folder and deletes itself. The downloader is dropped and executed every time the system is started.


Larger picture

The malicious MBR

The next two screens show the malicious MBR code, which reads the original MBR from Sector 15 into memory at location 0000:7c00. Control passes to the original MBR at this location and the system boots in the normal way.

Usually the boot sector is read to this memory location in a clean system after the power-on self-test and INT 19 jumps to location 0000:7c00.


Larger picture

The malicious MBR at 7c00 before the interrupt


Larger picture

The original MBR at 7c00 after the interrupt

All the components dropped will be present in the DLL, including the utility cbrom.exe from the BIOS manufacturer, which the malware uses to flash the BIOS.

Dropped System File

The sys file responsible for flashing the BIOS is similar to the one seen in MyBios. Unlike bios.sys, the code to check the BIOS manufacturer and the BIOS size is present in the DriverEntry. However, the functionality of both the drivers remains the same.


Larger picture

Code to check for Award BIOS

The rest of the code responsible for backing up and flashing the BIOS is present in the driver dispatch. A graph showing the code flow of both MyBios and the Niwa rootkit can be seen below.


Larger picture

MyBios code flow


Larger picture

NIWA code flow

What’s interesting is that the strings observed in both malware are almost identical.

MyBios:
This is not an Aword BIOS!

NIWA:
This not an Aword BIOS!

Identical strings:
Flash Aword BIOS form disk c bios.bin success.
SMI_AutoErase Aword Bios Failed.
ExAllocatePool read file NonPagedPool failed.
Backup Aword BIOS to disk c bios.bin success.
MmMapIoSpace physics address:0x%x failed.

It cannot be a coincidence that almost all of the strings are identical (including misspellings and bad grammar). This suggests the same individual or group is behind both of these BIOS-flashing malware.


Larger picture

McAfee detection and cleaning

McAfee detects this infection as “Niwa!mem” and successfully cleans the MBR infection and deletes all other malicious dropped components.

Conclusion

We have now seen two Bioskit malware in the wild within a couple of months. When the first Bioskit was identified, we did not know how soon we would see another. Now it appears we should expect to see more in near future. It’s not hard to detect and clean the MBR, but cleaning BIOS infections will be a challenge for security vendors.


Orginal article: Thursday, June 7, 2012 at 11:08am by Arvind Gowda
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing ! http://scforum.info/index.php/topic,8405.msg21475.html#msg21475

Samker's Computer Forum - SCforum.info

‘Bioskits’ Join Ranks of Stealth Malware
« on: 08. June 2012., 09:20:28 »




Fintech

  • SCF Advanced Member
  • ***
  • Posts: 329
  • KARMA: 41
  • Gender: Male
Re: ‘Bioskits’ Join Ranks of Stealth Malware
« Reply #1 on: 08. June 2012., 18:31:41 »

Wow..  ??? Very clever virus!  Fortunately, I have AMI's BIOS! ::)  :thumbsup:
I'm old man but still alive as well :)

Pez

  • SCF VIP Member
  • *****
  • Posts: 723
  • KARMA: 116
  • Gender: Male
  • Pez
Re: ‘Bioskits’ Join Ranks of Stealth Malware
« Reply #2 on: 11. June 2012., 09:25:41 »
This is probebly just the first version thay have done. If the BIOS manufacture don't protect ther BIOS thier propebly gone to bee more of this.
I suppose this is just the begining and this is probebly one way to get a good hard infection in the future OS like Windows 8 and UEFI.
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing ! http://scforum.info/index.php/topic,8405.msg21475.html#msg21475

 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising