BIOS rootkit found in the wild
Security researchers have recently discovered a new rootkit that targets computers’ BIOS, making the infection harder to detect and eradicate, and persist even if the hard drive is physically replaced.
Called Mebromi, the rootkit was first detected by a Chinese security company while actively targeting users in the wild. Subsequently, other researchers have managed to get their hands on the malware and perform an analysis.
According to Webroot, the malicious package contains a BIOS rootkit, a MBR rootkit, a kernel mode rootkit, a PE file infector and a Trojan downloader.
Once it downloaded on a computer, the malware first checks which BIOS it uses. If it’s Award BIOS – used by motherboards developed by Phoenix Technologies – it hooks itself on it so that every time the system is restarted it can infect it all over again if the need arises.
Once it’s there, it proceeds to add code to the hard drive’s master boot record (MBR) in order to infect the winlogon.exe (Windows XP/2003) or winnt.exe process (Windows 2000), which will be used to download an additional file and execute it. It is another rootkit, and this one aims at preventing the MBR code being cleaned and restored to normal by a AV solution.
Mebromi is currently targeting Chinese users, which is obvious by the security software it tries to find and block. And even if the victim’s computer isn’t using Award BIOS, the threat isn’t thwarted – it simply omits the first step and goes directly for the MBR.
Webroot’s Marco Giuliani speculates that the reason why Mebromi only targets Award BIOS ROM is because it has been modeled after the IceLord rootkit – a PoC that was made public in 2007 and did the same thing. To make Mebromi a major threat, its creators must make it fully compatible with all major BIOS ROM out there – and that is a difficult feat.
“Storing the malicious code inside the BIOS ROM could actually become more than just a problem for security software, giving the fact that even if an antivirus detects and cleans the MBR infection, it will be restored at the next system startup when the malicious BIOS payload would overwrite the MBR code again,” he also adds.
“Developing an antivirus utility able to clean the BIOS code is a challenge, because it needs to be totally error-proof, to avoid rendering the system unbootable at all. The job of handling with such specific system codes should be left to the developers of the specific motherboard model, who release BIOS updates along with specific tool to update the BIOS code.”