Security Corner

Sep 18 2011   3:38PM GMT

Beware of Mebromi rootkit

Ken Harthun

This snippet from SANS NewsBites Vol. 13, No. 74, 16 September 2011:

Researchers have detected a rootkit that targets the BIOS, Master Boot Record (MBR), the kernel, and files of PCs. It has been at least four years since malware that focuses on BIOS has been found. Trojan.Mebromi adds malicious instructions to the BIOS that cause machines to become re-infected when they are booted even after the master boot record has been cleared of infection. Mebromi is unlikely to become widespread as it affects just one type of BIOS. However, it raises the question of how to create a utility that cleans BIOS and poses no risk of damage.

Regardless of whether or not this becomes widespread, it points up the reality that nothing in a PC is truly safe; indeed, routers, switches and other networking equipment all contain IOS chips that can be flashed. In this case, it’s only one BIOS maker, Award. Here is an interesting flowchart put together by Symantec after they analyzed the trojan’s behavior:

[Image: Flowchart from Symantec showing Mebromi's actions]

It’s almost too simple. I think we’ll be seeing more of this type of thing in the future.
