[LACNIC/Seguridad] Return of the BIOS trojans
fernando en gont.com.ar
Mar Sep 13 09:48:34 BRT 2011
Return of the BIOS trojans
Chinese AV vendor 360 has discovered a virus in the wild
that makes its home in a computer's BIOS, where it remains hidden from
conventional virus scanners. The contaminant, called Mebromi, first
checks to see whether the victim's computer uses an Award BIOS. If so,
it uses the CBROM command-line tool to hook its extension into the BIOS.
The next time the system boots, the BIOS extension adds additional code
to the hard drive's master boot record (MBR) in order to infect the
winlogon.exe process (Windows XP and 2003) or the winnt.exe process
(Windows 2000) before Windows boots.
The next time Windows launches, the malicious code downloads a rootkit
to prevent the drive's MBR from being cleaned by a virus scanner. But
even if the drive is cleaned, the whole infection routine is repeated
the next time the BIOS module is booted. Mebromi can also survive a
change of hard drive. If the computer doesn't use an Award BIOS, the
contaminant simply infects the MBR.
The idea of hooking a malicious routine into the BIOS is not new and
offers attackers the advantage of keeping hidden from the virus scanner.
In 1999, the CIH virus attempted to manipulate its victim's BIOS, but it
had only destructive effects: the BIOS was overwritten, and the computer
would no longer boot. In 2009, security researchers presented a scenario
in which a rootkit was anchored in the BIOS. But so far, no BIOS
contaminant has managed to become widespread, possibly because there are
simply too many different motherboards – and therefore too many
different ways of flashing the BIOS.
e-mail: fernando en gont.com.ar || fgont en acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
More information about the Seguridad mailing list
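As an added illustration (not part of the forwarded article or of the list post above), the following Python script shows the kind of baseline check a defender can run against the layer the article says Mebromi rewrites, the disk's master boot record: it parses the 512-byte sector, verifies the 0x55AA boot signature, hashes the boot-code region and compares it, the disk signature and the partition table with a snapshot taken from a known-good system. The two sample sectors are constructed inline, and the function names and the baseline format are this example's own assumptions.

```python
"""Baseline check for a disk's master boot record (MBR).

Added example: this is not code from the post, the article, or any vendor's
tool. It parses the standard 512-byte MBR layout, snapshots the boot code,
disk signature and partition table from a known-good system, and reports any
later divergence. The sample sectors below are constructed for the demo.
"""
import hashlib
import json
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_LEN = 440       # bytes 0..439 hold the boot code
DISK_SIG_OFF = 440        # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446      # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510        # 0x55 0xAA boot signature


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into the fields a defender wants to track over time."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % MBR_SIZE)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, _chs0, ptype, _chs1, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": bytes(mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4]).hex(),
        "partitions": partitions,
        "signature_ok": bytes(mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2]) == b"\x55\xAA",
    }


def audit_mbr(mbr: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with a baseline; return human-readable findings."""
    current = parse_mbr(mbr)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if current["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def build_mbr(boot_code: bytes, partitions: list,
              disk_sig: bytes = b"\x11\x22\x33\x44") -> bytes:
    """Assemble a 512-byte MBR; used only to construct the sample sectors."""
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be %d bytes" % BOOT_CODE_LEN)
    table = b"".join(struct.pack("<B3sB3sII", p["status"], b"\0\0\0", p["type"],
                                 b"\0\0\0", p["lba_start"], p["sectors"])
                     for p in partitions)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\0")
    return boot_code + disk_sig + b"\0\0" + table + b"\x55\xAA"


# Constructed sample: a "known-good" sector with one bootable type-0x07 partition.
CLEAN_MBR = build_mbr(b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * (BOOT_CODE_LEN - 5),
                      [{"status": 0x80, "type": 0x07, "lba_start": 63,
                        "sectors": 2048000}])
BASELINE = parse_mbr(CLEAN_MBR)   # snapshot taken while the system was trusted

# Constructed sample: the same sector with its boot-code region altered,
# the class of change the article attributes to the BIOS extension.
_altered = bytearray(CLEAN_MBR)
_altered[0:4] = b"\x00\x01\x02\x03"
ALTERED_MBR = bytes(_altered)


if __name__ == "__main__":
    # With a path argument, print a baseline snapshot of that file/device's
    # first sector (store it somewhere the host cannot alter); without one,
    # audit the constructed samples against the constructed baseline.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(json.dumps(parse_mbr(f.read(MBR_SIZE)), indent=2))
    else:
        print("clean  :", audit_mbr(CLEAN_MBR, BASELINE) or "no findings")
        print("altered:", audit_mbr(ALTERED_MBR, BASELINE))
```

Because the article stresses that the infection is re-applied from the BIOS on every boot, the useful deployment of a check like this is to store the baseline off-host and compare after each boot; a hash that keeps changing back after a cleanup is the signal that the persistence lives above the disk.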