DKT27 (Administrator), posted September 14, 2011

Antivirus experts have discovered a new contaminant that finds its way into the Award BIOS and can even survive a hard drive swap.

Chinese AV vendor 360 has discovered a virus in the wild that makes its home in a computer's BIOS, where it remains hidden from conventional virus scanners. The contaminant, called Mebromi, first checks to see whether the victim's computer uses an Award BIOS. If so, it uses the CBROM command-line tool to hook its extension into the BIOS. The next time the system boots, the BIOS extension adds additional code to the hard drive's master boot record (MBR) in order to infect the winlogon.exe / winnt.exe processes on Windows XP and 2003 / Windows 2000 before Windows boots. The next time Windows launches, the malicious code downloads a rootkit to prevent the drive's MBR from being cleaned by a virus scanner. But even if the drive is cleaned, the whole infection routine is repeated the next time the BIOS module is booted. Mebromi can also survive a change of hard drive. If the computer doesn't use an Award BIOS, the contaminant simply infects the MBR.

The idea of hooking a malicious routine into the BIOS is not new and offers attackers the advantage of keeping hidden from the virus scanner. In 1999, the CIH virus attempted to manipulate its victim's BIOS, but it had only destructive effects: the BIOS was overwritten, and the computer would no longer boot. In 2009, security researchers presented a scenario in which a rootkit was anchored in the BIOS. But so far, no BIOS contaminant has managed to become widespread, possibly because there are simply too many different motherboards, and therefore too many different ways of flashing the BIOS.

View: Original Article
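A defender-side integrity check for the MBR infection step the article describes, added here as an example that is not part of the article or of 360's report: it parses the 512-byte sector, verifies the 0x55AA boot signature and compares the boot code against a SHA-256 hash recorded while the system was known good. The sample MBR bytes, the baseline and the "tampered" copy are constructed for the example, not taken from Mebromi.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # offsets 0..445 hold the boot code the BIOS jumps to
PART_TABLE_OFF = 446     # four 16-byte partition entries follow it
BOOT_SIG = b"\x55\xaa"   # bytes 510..511 of a valid MBR

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype:  # partition type 0 means an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": mbr[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": mbr[510:512] == BOOT_SIG}

def boot_code_hash(mbr: bytes) -> str:
    """Hash only the boot code; the partition table may change legitimately."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()

def check_mbr(mbr: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from recorded baseline")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one bootable partition")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code, one bootable NTFS partition, signature."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + BOOT_SIG

# Constructed data: a short "clean" boot stub, and a copy whose first bytes were overwritten
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = boot_code_hash(CLEAN_MBR)             # recorded while the system is known good
TAMPERED_MBR = b"\xe9\x00\x01" + CLEAN_MBR[3:]    # boot code patched to jump elsewhere

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

Because the article notes the rootkit exists to keep the MBR from being cleaned from inside Windows, a check like this is only trustworthy when run from clean boot media against the raw disk, and it cannot see the BIOS module that re-infects the MBR on the next boot.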
johndoe, posted September 14, 2011

brilliant. NOT.
T0nyB, posted September 14, 2011

A virus spread bound to end with an epic fail... But still, something to fear for Award BIOS motherboard users... :fear:

EDIT: Won't the anti-virus detect it when it starts roaming around the computer? (But yeah, it still couldn't clean it, 'cause of the BIOS hooking...)
R0H1T, posted September 14, 2011

Won't a BIOS flash/update remove this thing? If not, then it's a real tough nut to crack.
johndoe, posted September 14, 2011

This is the stuff nightmares are made of. I would hate to come across this thing. If it can take over the BIOS, it can potentially prevent you from doing anything at all on the PC, rendering the system either completely useless or usable as a zombie/bot to the virus writer's whims.
flip2xxxx, posted September 14, 2011

Quoting the article: "The next time the system boots, the BIOS extension adds additional code to the hard drive's master boot record (MBR) in order to infect the winlogon.exe / winnt.exe processes on Windows XP and 2003 / Windows 2000 before Windows boots"

What about Win7?
DKT27 (Administrator, author), posted September 14, 2011

1. Bring a new and clean HDD.
2. Flash the BIOS.
3. Win.
4. You Mad Trojan? :troll:

@flip2xxxx: Yes, well, I'm not sure about it. Have got no more info. It's likely that it affects Windows 7 too.
johndoe, posted September 14, 2011

I wouldn't be too sure it would be that easy. If I was writing the damned thing (if ever I could hope to attain that kind of expertise :D) and since I'd have total system control prior even to Windows starting to boot, I'd make sure no user programs would even be able to try to hack into/mod/update the BIOS in any way. The virus writer's in the driver's seat here, the user/owner is not :P

I'm guessing the only way to remove this thing would be a physical removal/replacement of the BIOS chip, but then if you connected an infected hard drive after you did THAT, it would be fun times all over again :D
DKT27 (Administrator, author), posted September 14, 2011

Dunno. In some systems (including mine), you just put in a CD with a BIOS file when booting and it will flash it (or something like that). And likely that feature is embedded on the motherboard, such that any virus, etc. may not be able to touch it.
madeinheaven, posted September 14, 2011

How to Check BIOS for Viruses
How to Clean a BIOS Virus
Vizard, posted September 15, 2011

You don't even have to worry about this if you have UEFI.

Also.... those links go nowhere, madeinheaven.
tipo, posted September 15, 2011

Quoting Vizard: "You don't even have to worry about this if you have UEFI. Also.... those links go nowhere madeinheaven"

:blink: yes they do...
raptorV, posted September 15, 2011

Quoting Vizard: "You don't even have to worry about this if you have UEFI. Also.... those links go nowhere madeinheaven"

Are you sure UEFI BIOSes are safe? Award BIOS merged with Phoenix.. And Phoenix is a UEFI BIOS vendor.. Just a little worried coz my mobo has a Phoenix <_< And those links are working a-ok.. :)
RileyReefer, posted September 15, 2011

Quoting madeinheaven: "How to Check BIOS for Viruses / How to Clean a BIOS Virus"

I think like johndoe.... an author worth his salt would surely have it so the virus would not allow you any means to flash to a clean state. I don't think the person who wrote those articles you linked to thought about that. Good instructions for a newb with a corrupt BIOS tho. btw AMI BIOS here :dance2:
Vizard, posted September 17, 2011

Well if you guys can view those links then your browsers must be wide open.... which means you're the ones that should really be worried about becoming infected.
johndoe, posted September 17, 2011

Quoting Vizard: "Well if you guys can view those links then your browsers must be wide open.... which means you're the ones that should really be worried about becoming infected."

OMG! OMG! OMG! What do I do now? How do I close my wide open browser? :fear:
HX1, posted September 17, 2011

Okay so wait... How and when did eHow.com become a malware site? Using the Hosts file possibly?
DKT27 (Administrator, author), posted September 17, 2011

I guess Prestidigitation is talking about the HTTPS certificate warning. Probably using HTTPS Everywhere. If so, there's nothing to worry about; the message is misunderstood. eHow is a safe site.