Webroot Discovers BIOS Rootkit

by - source: Webroot

Security software company Webroot says a BIOS rootkit has been found in the wild.

Called Mebromi, the malware is reminiscent of the IceLord proof-of-concept BIOS rootkit from 2007 and of a late-1990s virus that was able to erase the motherboard firmware. This new rootkit is of a different caliber, as it appears to be one of the most persistent malware programs we have heard of so far.

According to Webroot, Mebromi targets Award BIOS and attaches itself to it so that it can re-infect the client computer again and again. The BIOS payload then infects the master boot record, which in turn infects winlogon.exe or winnt.exe so that Windows can be used to download additional malware. There is no easy way to get rid of Mebromi at this time, as traditional anti-virus software does not reach down to the BIOS level.

Webroot said that the rootkit is targeting Chinese users and seems to be modeled closely after IceLord, which was demonstrated in 2007. The company stated that "storing the malicious code inside the BIOS ROM could actually become more than just a problem for security software, given the fact that even if an antivirus detects and cleans the MBR infection, it will be restored at the next system startup when the malicious BIOS payload would overwrite the MBR code again."

Webroot's Marco Giuliani noted that "developing an antivirus utility able to clean the BIOS code is a challenge, because it needs to be totally error-proof, to avoid rendering the system unbootable at all." He added: "The job of handling with such specific system codes should be left to the developers of the specific motherboard model, who release BIOS updates along with specific tool to update the BIOS code."

Comments
HMRkingpin 09/15/2011 9:12 PM [+20]

Remember..... The best line of defense is you. Be careful of what you open and click on.

amk-aka-phantom 09/15/2011 9:13 PM [+20]

HMRkingpin wrote:
Remember..... The best line of defense is you. Be careful of what you open and click on.

+over 9000. No antivirus will help you if you're stupid and careless.

amk-aka-phantom 09/15/2011 9:16 PM (collapsed)
offerings12 09/15/2011 9:17 PM [+11]

Flash the BIOS.... poof, gone

dalethepcman 09/15/2011 9:23 PM [-2]

This would suck if it started spreading; imagine all the bricked machines that would need their BIOS chips replaced. Thank god for UEFI.

ikyung 09/15/2011 9:26 PM [+19]

Webroot discovers BIOS rootkit in the wild!
Webroot uses tackle!
Webroot uses growl!
Webroot uses tackle!

BIOS rootkit faints..

11796pcs 09/15/2011 10:02 PM [+2]

offerings12 wrote:
Flash the BIOS.... poof, gone

I don't really think the issue should be considered that simple. Can you imagine how long it would take you to find out that you had an infected BIOS? And if there's one thing I don't like to mess with on my PC, it's the BIOS. BIOSes are a perfect example of "if it ain't broke, don't fix it". If I had an infected BIOS it would probably be one of the last places I would look. Also: even though this virus is targeted towards the Chinese, any person who has a virus on his/her computer affects us all.

jhansonxi 09/15/2011 10:10 PM [+7]

amk-aka-phantom wrote:
Blah blah blah blah blah... flash the BIOS, format the hard drive, problem solved... /facepalm

And you're going to do that with a BIOS flash utility, running on an infected OS, connecting to an infected BIOS, and you think the malware writers didn't plan for that? The only program that has more control over your system than the BIOS is the CPU microcode (which the BIOS can also patch to fix CPU bugs). I think it's also possible to infect the BIOS boot recovery block so unless you have a system with a dual BIOS (like some server MBs), then you're not going to get rid of it. It's also possible to infect the system through the CMOS.

In the old days the solution was to pull the BIOS ROM, reprogram it on a PROM burner with a clean BIOS copy, clear the CMOS, then reinstall the ROM. Not so easy to do on today's systems.

warezme 09/15/2011 10:16 PM [+3]

jhansonxi wrote:
And you're going to do that with a BIOS flash utility, running on an infected OS, connecting to an infected BIOS, and you think the malware writers didn't plan for that? The only program that has more control over your system than the BIOS is the CPU microcode (which the BIOS can also patch to fix CPU bugs). I think it's also possible to infect the BIOS boot recovery block so unless you have a system with a dual BIOS (like some server MBs), then you're not going to get rid of it. It's also possible to infect the system through the CMOS.

In the old days the solution was to pull the BIOS ROM, reprogram it on a PROM burner with a clean BIOS copy, clear the CMOS, then reinstall the ROM. Not so easy to do on today's systems.

Why not? You should be flashing the BIOS from either a bootable CD, thumb drive or floppy. Windows shouldn't be in the way, for just such reasons and more. BIOS flash: 5 minutes, tops.

beardguy 09/15/2011 10:19 PM (collapsed)
gti88 09/15/2011 10:25 PM [+2]

Anyway, I'll get a dual-BIOS Gigabyte MB next year.

Netherscourge 09/15/2011 10:25 PM [+9]

Can't the BIOS be infected to the point it prevents a CD/DVD from being booted upon launch though?

Netherscourge 09/15/2011 10:26 PM [+3]

...thereby making a bootable CD with a BIOS flash utility on it worthless?
...same with bootable USB Drives and any other device that the BIOS has boot-control over?

amk-aka-phantom 09/15/2011 10:33 PM [+2]

jhansonxi wrote:
And you're going to do that with a BIOS flash utility, running on an infected OS, connecting to an infected BIOS, and you think the malware writers didn't plan for that? The only program that has more control over your system than the BIOS is the CPU microcode (which the BIOS can also patch to fix CPU bugs). I think it's also possible to infect the BIOS boot recovery block so unless you have a system with a dual BIOS (like some server MBs), then you're not going to get rid of it. It's also possible to infect the system through the CMOS.

In the old days the solution was to pull the BIOS ROM, reprogram it on a PROM burner with a clean BIOS copy, clear the CMOS, then reinstall the ROM. Not so easy to do on today's systems.

I knew someone was gonna say that! :p

1) The quote I listed in my original post said:

Quote: even if an antivirus detects and cleans the MBR infection, it will be restored at the next system startup

I was referring to that (HDD format after cleaned BIOS = rootkit pwnd).

2) You can also flash the BIOS on boot

3) Try GETTING that rootkit... it's not like it's running around the internets and storms every computer it sees... I actually WANT to find and isolate it, then test (use old Celeron 500 MHz rig with XP for that) - add it to my virus zoo after that, if it's functional :)

4) It's possible to infect the system through the CMOS, maybe. It's also possible to break your PC with a hammer, short the motherboard or throw it out of the window, but the article doesn't say that this particular rootkit does any of these things apart from infecting winlogon.exe, wininit.exe and BIOS. And CMOS can always be reset.

This speculation can go on, but you catch my drift... nothing is as scary and dangerous as they describe it. Just know what you're doing, don't panic, and you'll always triumph over any BS malware.

amk-aka-phantom 09/15/2011 10:41 PM [+1]

Netherscourge wrote:
...thereby making a bootable CD with a BIOS flash utility on it worthless?
...same with bootable USB Drives and any other device that the BIOS has boot-control over?

It probably can, but I think the mobo makers aren't that stupid and planned for it, too. However, in this case I will flash from the OS, then take out the HDD and flash on boot again. If, however, the rootkit screwed up the system so much that you cannot boot ANYTHING, I applaud the malware writer and wonder why he didn't just fry my hardware instead of leaving me an easy route out: replace the BIOS chip.

LORD_ORION 09/15/2011 10:49 PM [-2]

How does it infect the BIOS in the first place? Looks like there is a big gaping security hole if the BIOS can be touched during normal PC operation.

nforce4max 09/15/2011 11:10 PM [-1]

This is why my room is filled with mostly computers and a few old antiques. I personally know to be more careful than the average user, and that no anti-virus program out there is idiot-proof. I have found that such programs have their shortcomings, which can and often do make things all too easy for an infection to take place.

Any college level firewall and network security class is worth the money.

Anonymous 09/15/2011 11:12 PM [+2]

@LORD_ORION

Modern mobos allow flashing through Windows using specially crafted software; I'm guessing it doesn't take someone with exceptional talent to reverse engineer one of these. The role of the BIOS is to enable the system to boot into the OS; once the OS is up and running, the BIOS literally hands over control of the system to the OS.

Tyler_767 09/15/2011 11:24 PM [-1]

I guess it's a good thing Intel is putting antivirus into the CPUs. Maybe Intel made the virus to take out AMD computers.

iam2thecrowe 09/15/2011 11:26 PM [-1]

BIOS is becoming outdated... but maybe UEFI will need some virus protection...

bens1 09/15/2011 11:51 PM [-3]

warezme wrote:
Why not? You should be flashing the BIOS from either a bootable CD, thumb drive or floppy. Windows shouldn't be in the way, for just such reasons and more. BIOS flash: 5 minutes, tops.

It doesn't matter if you use a bootable CD, thumb drive or floppy; the BIOS still runs first, and therefore the virus will be running.

g00fysmiley 09/15/2011 11:53 PM [0]

Hmm... I usually offer to hook up infected HDDs to my system, quarantine them and pull somebody's files before a Windows reinstall... I'm going to start doing that on my old PC.

t_wilson 09/16/2011 12:08 PM [0]

Damn "antivirus" companies creating all these viruses.

burnneck 09/16/2011 12:24 PM [+2]

Hmmm.... there have been talks that antivirus companies develop their own viruses just to make their antivirus software sell. So it was announced that Intel and McAfee have developed an antivirus that would counteract viruses that are "deeply-rooted malware that typically embeds themselves outside the OS to evade current security solutions", as seen in this article: http://www.tomshardware.com/news/McAfee-DeepSAFE-malware-rootkit-Paul-Otellini,13436.html and now Webroot detects this kind of virus. Hmmm... coincidence? Or marketing?

Anonymous 09/16/2011 12:54 PM [0]

If it infects "winlogon.exe or winnt.exe", I think running Linux may help me greatly lol

sub5pac3 09/16/2011 1:03 AM [-1]

LORD_ORION has a good point: there could have been some simple measures taken by mobo makers to avoid this. I can think of a few offhand, such as requiring a user-settable password to write to the BIOS, or some physical signaling that can't be brute-forced by the malware, such as a read-only jumper. Maybe we shouldn't blame vendors just yet though, since they never had to worry about this kind of thing until now. Security has always been an evolving landscape, and it usually winds up costing lots of money before it gets the attention it deserves.

Also, some people here may not realize that most boards these days don't have removable chips, so if the malware was well written you're basically F'ed in the A with a D prison style, since it could load into RAM before any boot device (the BIOS starts before drives or ports are even recognized) and it could make sure that any flash utility that writes to the chip would include itself in the image being written, or just not write at all. Dual BIOS won't necessarily save you, since it could possibly infect that as well (depending on the measures taken by the vendors, of course), and how do you select the option to boot to that copy of the BIOS without loading the tainted one before making the selection? Well-written code could modify your selection right after you make it if that choice is made in software or the BIOS itself (i.e. not a jumper). To be clear, I'm not referring to the specific malware discussed in this article, but rather that one could imagine these possibilities.

In any case, it seems that vendors could make small modifications to motherboard designs to solve this problem and similar ones going forward. I hope they take notice of the issue.

Vladislaus 09/16/2011 1:19 AM [-2]

amk-aka-phantom wrote:
I knew someone was gonna say that!

1) The quote I listed in my original post said: I was referring to that (HDD format after cleaned BIOS = rootkit pwnd)

2) You can also flash the BIOS on boot

3) Try GETTING that rootkit... it's not like it's running around the internets and storms every computer it sees... I actually WANT to find and isolate it, then test (use old Celeron 500 MHz rig with XP for that) - add it to my virus zoo after that, if it's functional

4) It's possible to infect the system through the CMOS, maybe. It's also possible to break your PC with a hammer, short the motherboard or throw it out of the window, but the article doesn't say that this particular rootkit does any of these things apart from infecting winlogon.exe, wininit.exe and BIOS. And CMOS can always be reset.

This speculation can go on, but you catch my drift... nothing is as scary and dangerous as they describe it. Just know what you're doing, don't panic, and you'll always triumph over any BS malware.

Did it perhaps occur to you that the rootkit may have code to prevent the BIOS from being rewritten?

pjmelect 09/16/2011 1:22 AM [-1]

A lot of motherboards have a jumper to prevent writing to the BIOS. I normally don't bother setting this, but perhaps I should do so now.

spectrewind 09/16/2011 1:29 AM [+1]

Isn't this problem rendered harmless by any mainboard that has more than one BIOS chip to work from (i.e. DualBIOS)? If an antivirus can detect an infected BIOS EEPROM (assuming the virus somehow had the ability to WRITE to the EEPROM), I should think that a restore from the backup to the primary BIOS, after a checksum failure, should make this a non-issue.

memadmax 09/16/2011 2:01 AM [-1]

"Bios flash write protect: enabled."

Problem solved.

extremepcs 09/16/2011 2:07 AM [+5]

Isn't McCrappy trying to get hardware-level AV implemented in all Intel (parent company) chipsets? Gee, I can't imagine who would write such a virus...
