Incident Response, TDR, Vulnerability Management

Researchers uncover first active BIOS rootkit attack


Researchers have discovered what is believed to be the first in-the-wild rootkit that targets BIOS, the built-in software responsible for booting up a computer and managing communication between the machine and its attached devices.

The discovery of Mebromi is notable not because any widespread infections are anticipated – the complexity of a successful attack on the motherboard is high – but because it appears to be the first malware written for the BIOS in at least four years, Webroot researcher Marco Giuliani, who studied the threat, said in a blog post Tuesday.

The potent malware cocktail, consisting of a BIOS rootkit, an MBR (master boot record) rootkit, a kernel-mode rookit, a PE (portable executable) file infector and a trojan downloader, is designed to evade anti-virus detection.

Right now, the active attack exclusively is targeting Chinese users, Giuliani said. The trojan dropper is designed to first infect Award BIOS, manufactured by Phoenix Technologies. Once the BIOS is infected, the malicious code compromises the master boot record, a small program initiated when a computer starts up.

Anti-virus technologies likely will struggle against the threat.

"Storing the malicious code inside the BIOS ROM [chip] could actually become more than just a problem for security software, [given] the fact that even if an anti-virus product [can] detect and clean the MBR (master boot record) infection, it will be restored at the next system start-up when the malicious BIOS payload would overwrite the MBR code again," Giuliani wrote. "Developing an anti-virus utility able to clean the BIOS code is a challenge because it needs to be totally error-proof to avoid rendering the system unbootable at all."

Still, he doubts the threat will become far-reaching because the rootkit only works with one type of BIOS, likely because it is fashioned after the IceLord BIOS proof-of-concept from 2007, which also targeted Award.

"Although this kind of infection is potentially one of the most persistent infections known out there in the wild, it will hardly become a major threat because of the level of complexity needed to achieve the goal," Giuliani wrote.

The Chinese security firm Qihoo 360 first detected the attack, according to Webroot.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.