Security software company Webroot says a BIOS rootkit has been found in the wild.
Called Mebromi, the malware is reminiscent of the IceLord proof of concept BIOS rootkit in 2007, was a late 1990s virus that was able to erase the motherboard software. This new rootkit is a different caliber as it is appears to be one of the most persistent malware programs we have heard so far.
According to Webroot, Mebromi targets Award BIOS and attaches itself to it so it can infect a client computer over and over again. The malware then infects the master boot record to be able to infect winlogon.exe or winnt.exe to be able to use Windows to download additional malware. There is no easy way to get rid of Mebromi at this time as traditional anti-virus software won't reach down to the BIOS level.
Webroot said that the rootkit is targeting Chinese users and seems to be modeled closely after IceLord, which was demonstrated in 2007. The company stated that "storing the malicious code inside the BIOS ROM could actually become more than just a problem for security software, given the fact that even if an antivirus detects and cleans the MBR infection, it will be restored at the next system startup when the malicious BIOS payload would overwrite the MBR code again."
Webroot's Marco Giuliani noted that "developing an antivirus utility able to clean the BIOS code is a challenge, because it needs to be totally error-proof, to avoid rendering the system unbootable at all." He added: "The job of handling with such specific system codes should be left to the developers of the specific motherboard model, who release BIOS updates along with specific tool to update the BIOS code."