
Mebromi: new BIOS rootkit

On September 2, the Chinese company Qihoo 360 reported a new virus carrying a BIOS rootkit, detected on computers in China. The news drew the attention of security specialists because no such program had been seen in the wild since the IceLord proof of concept in 2007.

The program, called Mebromi, contains the complete toolkit: a BIOS rootkit that reflashes Award BIOS, a bootkit that modifies the MBR, a Windows kernel-mode rootkit, a PE file infector and a Trojan.

The virus is clearly aimed at Chinese systems: while running it checks for the presence of the antivirus products Rising Antivirus and Jiangmin KV Antivirus. At the moment Mebromi does not target 64-bit systems and cannot operate under user accounts with limited privileges.

To gain the ability to modify the BIOS, Mebromi uses one of two methods: it either starts the flash.dll library, which loads the bios.sys driver, or it hijacks beep.sys, overwriting it with its own driver code, starting the service, and then restoring the original beep.sys.
Once it controls the bios.sys driver, the program checks that the system BIOS is an Award BIOS (by looking for the string $@AWDFLA). If it is, the BIOS flashing proceeds.



If the BIOS ROM matches the required one, the rootkit saves a copy of the BIOS to the file C:\bios.bin and moves on to the next step. The dropper extracts the files cbrom.exe and hook.rom. The first is the standard Phoenix Technologies utility for modifying Award/Phoenix BIOS ROM binaries; hook.rom is the rootkit module that gets added to the binary. The dropper runs cbrom.exe with the /isa option. Before actually infecting the ISA ROM, however, the dropper checks the BIOS ROM code for the hook.rom marker so as not to infect it a second time.



Next, all 14 sectors of the MBR area are infected, and before Windows loads the malicious code is injected into winlogon.exe or wininit.exe. An infection marker is checked at this stage as well.
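The two checkpoints described above, the Award `$@AWDFLA` signature in a BIOS dump and the 14 sectors following the MBR, are the natural places for a defender to look. The following is an added example (not code from the article or from any vendor) of a small triage script that reports both; the disk images are constructed inline, and the assumption that the gap sectors after the MBR are zero-filled on a clean install is a heuristic, not a rule (some bootloaders legitimately use them).

```python
from typing import Optional

AWARD_MARKER = b"$@AWDFLA"   # Award BIOS signature the article says Mebromi looks for
SECTOR = 512
MBR_AREA_SECTORS = 15        # sector 0 (the MBR) plus the 14 sectors named in the article


def has_award_marker(bios_image: bytes) -> bool:
    """True if the Award flash signature appears anywhere in a BIOS dump (e.g. C:\\bios.bin)."""
    return AWARD_MARKER in bios_image


def check_mbr_area(disk_image: bytes, known_good_mbr: Optional[bytes] = None) -> dict:
    """Heuristic triage of the MBR and the 14 sectors after it.

    Reports whether the 0x55AA boot signature is intact, which gap sectors hold
    non-zero data (assumption: a clean install leaves them zero-filled), and, when a
    trusted copy of the MBR is supplied, whether the 440-byte boot code differs from it.
    """
    mbr = disk_image[:SECTOR]
    result = {
        "boot_signature_ok": mbr[510:512] == b"\x55\xaa",
        "nonzero_gap_sectors": [],
        "boot_code_changed": None,
    }
    for i in range(1, MBR_AREA_SECTORS):
        sector = disk_image[i * SECTOR:(i + 1) * SECTOR]
        if any(sector):                      # any non-zero byte in an "unused" sector
            result["nonzero_gap_sectors"].append(i)
    if known_good_mbr is not None:
        result["boot_code_changed"] = mbr[:440] != known_good_mbr[:440]
    return result


def build_sample(infected: bool) -> bytes:
    """Constructed sample disk image (not a real capture): one MBR plus 14 gap sectors."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * 436      # 440 bytes of boot code
    if infected:
        boot_code = b"\xEB\xFE" + boot_code[2:]   # altered entry point stands in for injected code
    mbr = boot_code + b"\x00" * 6 + b"\x00" * 64 + b"\x55\xaa"        # disk id/pad, partition table, signature
    gap_fill = b"\xAB" if infected else b"\x00"
    return mbr + gap_fill * SECTOR * (MBR_AREA_SECTORS - 1)


if __name__ == "__main__":
    clean, suspect = build_sample(False), build_sample(True)
    print(check_mbr_area(suspect, known_good_mbr=clean))
```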



via Webroot Threat Blog

Source: https://habr.com/ru/post/128570/
