Posted by: Ken Harthun
BIOS, Malware, Mebromi, Security, Symantec, Trojan
This snippet from SANS NewsBites Vol. 13, No. 74, 16 September 2011:
Researchers have detected a rootkit that targets the BIOS, Master Boot Record (MBR), the kernel, and files of PCs. It has been at least four years since malware that focuses on BIOS has been found. Trojan.Mebromi adds malicious instructions to the BIOS that cause machines to become re-infected when they are booted even after the master boot record has been cleared of infection. Mebromi is unlikely to become widespread as it affects just one type of BIOS. However, it raises the question of how to create a utility that cleans the BIOS and poses no risk of damage.
Regardless of whether or not this becomes widespread, it points up the reality that nothing in a PC is truly safe; indeed, routers, switches, and other networking equipment all contain IOS chips that can be flashed. In this case, it’s only one BIOS maker, Award. Here is an interesting flowchart put together by Symantec after they analyzed the trojan’s behavior:
It’s almost too simple. I think we’ll be seeing more of this type of thing in the future.