
Windows 7: Mebromi: the first BIOS rootkit in the wild

15 Sep 2011   #1
A Guy

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1
Mebromi: the first BIOS rootkit in the wild

In the past few weeks a Chinese security company called Qihoo 360 blogged about a new BIOS rootkit hitting Chinese computers. This turned out to be a very interesting discovery, as it appears to be the first real malware targeting the system BIOS since a well-known proof of concept called IceLord in 2007. The malware is called Mebromi and contains a bit of everything: a BIOS rootkit specifically targeting Award BIOS, an MBR rootkit, a kernel mode rootkit, a PE file infector and a Trojan downloader. At this time, Mebromi is not designed to infect 64-bit operating systems, and it is not able to infect the system if run with limited privileges.

The infection starts with a small encrypted dropper that contains five encrypted resource files: hook.rom, flash.dll, cbrom.exe, my.sys, bios.sys. The purpose of these files will be presented later in this analysis.

The infection is clearly focused on Chinese users, because the dropper carefully checks whether the system it’s going to infect is protected by the Chinese security software Rising Antivirus and Jiangmin KV Antivirus. To gain access to the BIOS, the infection first needs to get loaded in kernel mode so that it can work with physical memory instead of virtual memory.


15 Sep 2011   #2

Windows 2000 5.0 Build 2195

Good thing I accidentally discovered UEFI and managed to learn about it and then install it. Protects me from MBR and BIOS rootkits
15 Sep 2011   #3

W7x64 Pro, SuSe 12.1/** W7 x64 Pro, XP MCE

When one sees a malware such as this, that is designed to discriminate in that fashion, it makes one wonder what the hacker has against the Chinese?

15 Sep 2011   #4

Windows 7 Enterprise

Time to move to stay on linux... :P