Researchers uncover first active BIOS rootkit attack

Share this article:

Researchers have discovered what is believed to be the first in-the-wild rootkit that targets BIOS, the built-in software responsible for booting up a computer and managing communication between the machine and its attached devices.

The discovery of Mebromi is notable not because any widespread infections are anticipated – the complexity of a successful attack on the motherboard is high – but because it appears to be the first malware written for the BIOS in at least four years, Webroot researcher Marco Giuliani, who studied the threat, said in a blog post Tuesday.

The potent malware cocktail, consisting of a BIOS rootkit, an MBR (master boot record) rootkit, a kernel-mode rookit, a PE (portable executable) file infector and a trojan downloader, is designed to evade anti-virus detection.

Right now, the active attack exclusively is targeting Chinese users, Giuliani said. The trojan dropper is designed to first infect Award BIOS, manufactured by Phoenix Technologies. Once the BIOS is infected, the malicious code compromises the master boot record, a small program initiated when a computer starts up.

Anti-virus technologies likely will struggle against the threat.

"Storing the malicious code inside the BIOS ROM [chip] could actually become more than just a problem for security software, [given] the fact that even if an anti-virus product [can] detect and clean the MBR (master boot record) infection, it will be restored at the next system start-up when the malicious BIOS payload would overwrite the MBR code again," Giuliani wrote. "Developing an anti-virus utility able to clean the BIOS code is a challenge because it needs to be totally error-proof to avoid rendering the system unbootable at all."

Still, he doubts the threat will become far-reaching because the rootkit only works with one type of BIOS, likely because it is fashioned after the IceLord BIOS proof-of-concept from 2007, which also targeted Award.

"Although this kind of infection is potentially one of the most persistent infections known out there in the wild, it will hardly become a major threat because of the level of complexity needed to achieve the goal," Giuliani wrote.

The Chinese security firm Qihoo 360 first detected the attack, according to Webroot.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Report: Stolen card data is crime that concerns Americans most

A recent Gallup Crime poll indicates that Americans' top two worries revolve around having credit card data stolen or their computer or smartphones compromised.

Pirate Bay co-founder found guilty for hacking IT service provider

Gottfrid Svartholm Warg was found guilty of hacking an IT service provider in Denmark. This is his second court case for illegally accessing data.

Assume Drupal 7 sites are compromised, unless patched or updated to 7.32 ...

Assume every Drupal 7 website is compromised, unless patched or updated to Drupal 7.32 within seven hours of the disclosure of a highly critical SQL injection vulnerability.