Virus Hides from Scanners

Wednesday, September 14, 2011 @ 01:09 PM gHale


A virus is out there that makes its home in a computer’s BIOS, where it remains hidden from conventional virus scanners.

The virus, called Mebromi, first checks to see whether the victim’s computer uses an Award BIOS, according to Chinese anti-virus vendor 360. If so, it uses the CBROM command-line tool to hook its extension into the BIOS. The next time the system boots, the BIOS extension adds additional code to the hard drive’s master boot record (MBR) in order to infect the winlogon.exe / winnt.exe processes on Windows XP and 2003 / Windows 2000 before Windows boots.


The next time Windows launches, the malicious code downloads a rootkit to prevent a virus scanner from cleaning the drive’s MBR. Even if the scanner does clean the drive, the whole infection routine repeats the next time the BIOS module boots. Mebromi can also survive a change of hard drive.

If the computer doesn’t use an Award BIOS, the contaminant simply infects the MBR.
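In both branches described above the infection ends in a rewritten MBR, and cleaning it alone is not enough when the BIOS extension rewrites it on the next boot. As an added example that is not part of the article or of 360's analysis, the following Python compares a freshly read boot sector against a stored baseline and reports whether the bootstrap code, the partition table, or both changed; a code-only change is the bootkit pattern, while a table-only change is what ordinary repartitioning looks like. The sample sector and all function names are constructed for this example.

```python
import hashlib
import struct

MBR_SIZE = 512
CODE_LEN = 446     # bootstrap code area precedes the partition table
SIG_OFFSET = 510   # 0x55AA boot signature closes the sector

def split_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into bootstrap code, partition table and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    return {"code": sector[:CODE_LEN],
            "table": sector[CODE_LEN:SIG_OFFSET],
            "signature": sector[SIG_OFFSET:]}

def mbr_baseline(sector: bytes) -> dict:
    """Hash code area and partition table separately so later drift can be attributed."""
    parts = split_mbr(sector)
    return {"code_sha256": hashlib.sha256(parts["code"]).hexdigest(),
            "table_sha256": hashlib.sha256(parts["table"]).hexdigest()}

def classify_mbr_drift(baseline: dict, current: bytes) -> str:
    """Compare a freshly read MBR against a stored baseline and name what changed.

    'code-modified' (boot code differs, partition table intact) is the bootkit pattern;
    'table-modified' alone is what ordinary repartitioning looks like.
    """
    parts = split_mbr(current)
    if parts["signature"] != b"\x55\xaa":
        return "bad-signature"          # not a valid MBR at all
    now = mbr_baseline(current)
    code_changed = now["code_sha256"] != baseline["code_sha256"]
    table_changed = now["table_sha256"] != baseline["table_sha256"]
    if code_changed and table_changed:
        return "both-modified"
    if code_changed:
        return "code-modified"
    if table_changed:
        return "table-modified"
    return "clean"

# Constructed sample (not a real disk image): stub boot code plus one active NTFS partition entry.
CLEAN_MBR = (b"\xfa\x33\xc0" + b"\x90" * 443
             + struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
             + b"\x00" * 48          # three unused partition entries
             + b"\x55\xaa")
```

On a live system the 512-byte sector would be read from the raw disk device (for example `\\.\PhysicalDrive0` on Windows) with administrator rights; a baseline that keeps reporting `code-modified` after each clean-up is the re-infection behaviour the article describes.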

The idea of hooking a malicious routine into the BIOS is not new and offers attackers the advantage of keeping hidden from the virus scanner.

In 1999, the CIH virus attempted to manipulate its victim’s BIOS, but it had only destructive effects: It overwrote the BIOS, and the computer would no longer boot. In 2009, security researchers presented a scenario in which a rootkit was anchored in the BIOS. But so far, no BIOS contaminant has managed to become widespread, possibly because there are simply too many different motherboards, and therefore too many different ways of flashing the BIOS.
