In the past few weeks a Chinese security company called Qihoo 360 blogged about a new BIOS rootkit hitting Chinese computers. This turned out to be a very interesting discovery, as it appears to be the first real malware targeting the system BIOS since the well-known proof of concept IceLord in 2007. The malware is called Mebromi and contains a bit of everything: a BIOS rootkit specifically targeting Award BIOS, an MBR rootkit, a kernel-mode rootkit, a PE file infector and a Trojan downloader. At this time, Mebromi is not designed to infect 64-bit operating systems, and it cannot infect the system when run with limited privileges.
The infection starts with a small encrypted dropper that contains five encrypted resource files: hook.rom, flash.dll, cbrom.exe, my.sys, bios.sys. The purpose of each of these files is described later in this analysis.
The infection is clearly focused on Chinese users: the dropper carefully checks whether the system it is about to infect is protected by the Chinese security products Rising Antivirus and Jiangmin KV Antivirus. To gain access to the BIOS, the infection first needs to be loaded in kernel mode so that it can work with physical memory rather than virtual memory.
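Because the rootkit targets Award BIOS and ships cbrom.exe alongside hook.rom, one practical check for a defender is to dump the flash chip and compare the list of named modules against a known-good image of the same board. The script below is an added example, not code from the original analysis or from Qihoo 360/Webroot. It assumes (this is not stated on the page) that Award BIOS images store their modules as a sequence of LZH archive members whose headers carry a filename, and that an injected module would therefore show up by name; the sample image, the baseline module names and the `-lh0-` members it builds are constructed for the example, and it goes slightly beyond the text by handling both level-0 and level-1 LZH headers.

```python
"""Added example (not from the original analysis): list the named LZH modules in an
Award BIOS flash dump and flag any that are not on a known-good baseline.

Assumption: Award BIOS images hold their modules as LZH members with a filename
field in each header. The baseline and the sample image below are constructed."""
import struct

LZH_METHODS = (b"-lh0-", b"-lh5-", b"-lh6-", b"-lh7-")

# Constructed baseline: module names you would record from a clean vendor image.
CLEAN_BASELINE = ["awardext.rom", "cpucode.bin", "acpitbl.bin"]


def lzh_header(buf, start):
    """Parse a level-0 or level-1 LZH member header starting at `start`.

    Returns (name, packed_size, header_length) or None if the bytes do not form a
    valid header. Both levels share the same first 22 bytes: header size, header
    checksum, method, packed size, original size, time, attribute, level and the
    filename length; the filename follows immediately.
    """
    if start < 0 or start + 22 > len(buf):
        return None
    hdr_size = buf[start]
    if hdr_size == 0 or buf[start + 2:start + 7] not in LZH_METHODS:
        return None
    packed, _original = struct.unpack_from("<II", buf, start + 7)
    level = buf[start + 20]
    name_len = buf[start + 21]
    if level not in (0, 1) or start + 22 + name_len > len(buf):
        return None
    # The checksum byte is the low byte of the sum of the `hdr_size` bytes after it.
    body = buf[start + 2:start + 2 + hdr_size]
    if len(body) != hdr_size or (sum(body) & 0xFF) != buf[start + 1]:
        return None
    name = buf[start + 22:start + 22 + name_len].decode("latin-1")
    return name, packed, hdr_size + 2


def list_modules(image):
    """Walk the dump, skipping padding, and return the module names in order."""
    names, pos = [], 0
    while True:
        idx = image.find(b"-lh", pos)          # method string sits at header offset 2
        if idx < 0:
            break
        parsed = lzh_header(image, idx - 2)
        if parsed is None:                     # false hit inside data; keep scanning
            pos = idx + 1
            continue
        name, packed, hdr_len = parsed
        names.append(name)
        pos = idx - 2 + hdr_len + packed       # jump over the member's payload
    return names


def scan_image(image, baseline=CLEAN_BASELINE):
    """Return module names present in the dump but absent from the baseline."""
    known = {b.lower() for b in baseline}
    return [n for n in list_modules(image) if n.lower() not in known]


def build_member(name, payload):
    """Construct an uncompressed (-lh0-) level-0 LZH member for the sample image."""
    name_b = name.encode("latin-1")
    body = (b"-lh0-" + struct.pack("<II", len(payload), len(payload))
            + struct.pack("<I", 0)             # time/date, irrelevant here
            + bytes([0x20, 0, len(name_b)]) + name_b
            + struct.pack("<H", 0))            # CRC16 of the data, zeroed in the sample
    return bytes([len(body), sum(body) & 0xFF]) + body + payload


def build_sample_image(extra=None):
    """Constructed flash dump: 0xFF padding, the baseline modules, optional extras."""
    image = bytearray(b"\xff" * 64)
    for name in CLEAN_BASELINE + (extra or []):
        image += build_member(name, b"\x90" * 16) + b"\xff" * 8
    return bytes(image)


if __name__ == "__main__":
    # Simulate a dump that carries an added module named like the dropper's resource.
    suspect = build_sample_image(["hook.rom"])
    print("modules:", list_modules(suspect))
    print("unexpected:", scan_image(suspect))
```

In practice the baseline list comes from a clean dump of the same board and BIOS revision; a name that is not on it (or a changed member size for a name that is) is the cue to diff the module contents against the vendor image rather than trust the running system's view of its own firmware.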