BIOS-MBR-Windows(BMW) or Mebromi, a new virus targeting the computer BIOS

A new virus targeting the computer BIOS was discovered by the Chinese security company 360 Safety Center, which reported that several thousand computers in China were already infected. The BMW virus attacks computers running 32-bit systems with an Award BIOS, and it tries to infect users by posing as a well-known game plug-in offered by malicious websites. The infection strategy is to trick visitors into first turning off their antivirus software, supposedly to avoid a conflict with the plug-in installation, and then to install it. This is not the first attack against Award BIOS: the first attempts were made in 2007 with the IceLord rootkit.

The BIOS (Basic Input Output System) consists of the basic instructions and settings needed to operate the computer hardware and is stored in the BIOS chip (an EEPROM chip), a motherboard component containing non-volatile memory.

The fact is that BIOS infections are very harmful to computers; remember the CIH virus discovered in 1998, which was able to completely destroy the motherboard BIOS chip or to destroy the hard disk partition table, making the data on it unavailable. Disinfection procedures are also very hard for antivirus software to implement, because once the infection has been written by flashing the BIOS, disinfection theoretically requires another BIOS flash. A scary thought: even replacing the hard disk does not get rid of this kind of virus. Fortunately, the CIH virus could not affect the Windows NT family of operating systems, and users running Windows 2000, XP, Vista, 7 or newer versions are safe from it. But virus developers are not sleeping, and new BIOS viruses are expected.

However, a proof of concept of infecting the computer BIOS by flashing it was demonstrated by two security researchers, Anibal Sacco and Alfredo Ortega, at the CanSecWest Security Conference (Vancouver, 2009) and the SyScan Security Conference (Singapore, 2009). Their method of inserting malicious code into the BIOS routines allowed full control of the infected computer.

Highlighting the high security risk revealed by their discovery, they said:

“We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable antivirus.”

The conferences were in 2009; now, in 2011, the BMW BIOS virus has been discovered in the wild, proving they were right.

In the first part, the BIOS infection, the virus replaces the original bios.sys file with an infected one. The new malicious kernel-mode driver bios.sys reads the BIOS code at physical memory address 0xF0000 and checks whether it is an Award BIOS; if so, it drops and executes two files: cbrom.exe, used to modify the BIOS code, and hook.rom, which is the actual rootkit code and is added to the BIOS ROM data using the cbrom.exe tool. It is simply a BIOS flashing procedure, but one that writes the rootkit code alongside the original BIOS software.

The second part of this chained infection is the Master Boot Record infection, performed by overwriting the first sectors of the hard disk, where the MBR resides. A backup of the original MBR is also stored, so that control can be transferred to it after the virus has been loaded into memory, and a kernel-mode driver my.sys, in reality a rootkit, is used to hide the infection on the hard disk by hooking the low-level disk read/write operations. The malicious code also tries to determine which file system the active partition uses, FAT32 or NTFS, and then searches for one of two files, winlogon.exe on Windows XP and 2003 or wininit.exe on Windows Vista and 7, to complete the third and last part of the infection, the Windows infection, by infecting them.

The BMW virus adds encrypted malicious code to these two files and modifies their entry point so that the virus executes first. After the malicious code is decrypted in memory and executed, control is passed back to the original entry point of the file. Using the URLDownloadToFileA and WinExec functions, the BMW virus downloads and executes more malware (trojans, browser hijackers) from the attackers' servers, leading to a totally compromised computer.
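One defender-side check for the entry-point tampering just described, added here as an example and not code from the original post or from 360's tool: it parses a PE header and flags an AddressOfEntryPoint that falls outside the first code section or inside the last section, where appended code typically lands. The sample images and the .extra section name are constructed header-only fixtures, and build_minimal_pe is a helper written for this example.

```python
import struct
IMAGE_SCN_CNT_CODE = 0x20  # IMAGE_SECTION_HEADER.Characteristics bit: section contains code

def parse_pe(data: bytes):
    """Return (entry_rva, [(name, virtual_address, virtual_size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                              # IMAGE_FILE_HEADER
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20                                                  # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint (PE32 and PE32+)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                                # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, chars = struct.unpack_from("<II20xI", data, off + 8)
        sections.append((name, va, vsize, chars))
    return entry_rva, sections

def entry_point_findings(data: bytes):
    """Heuristics for a patched entry point; an empty list means nothing unusual was seen."""
    entry_rva, sections = parse_pe(data)
    holder = next((i for i, (_, va, vs, _) in enumerate(sections) if va <= entry_rva < va + max(vs, 1)), None)
    if holder is None:
        return ["entry point lies outside every section"]
    name = sections[holder][0]
    first_code = next((i for i, s in enumerate(sections) if s[3] & IMAGE_SCN_CNT_CODE), None)
    findings = []
    if first_code is not None and holder != first_code:
        findings.append(f"entry point in {name} instead of first code section {sections[first_code][0]}")
    if len(sections) > 1 and holder == len(sections) - 1:
        findings.append(f"entry point in last section {name}, where appended code usually lands")
    return findings

def build_minimal_pe(entry_rva: int, sections) -> bytes:
    """Constructed fixture: a header-only PE32 image (no real code bytes) for exercising parse_pe."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                                # e_lfanew = 64
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 204
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, ch) for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed samples: a clean layout, and the same layout with a code section appended and the entry point moved into it.
CLEAN_LAYOUT = [(".text", 0x1000, 0x20000, 0x60000020), (".data", 0x21000, 0x4000, 0xC0000040)]
CLEAN_IMAGE = build_minimal_pe(0x1234, CLEAN_LAYOUT)
TAMPERED_IMAGE = build_minimal_pe(0x26010, CLEAN_LAYOUT + [(".extra", 0x26000, 0x800, 0xE0000020)])
```

Packed or self-extracting executables trigger the same heuristic legitimately, so treat a hit on winlogon.exe or wininit.exe as a reason to compare the file against a known-good copy, not as proof of infection.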

The good news is that 360 Security Center has released a disinfection tool specifically for this BIOS virus, called MBRImmunity (http://down.360safe.com/MBRImmunity.zip).

You can read more about the BMW BIOS virus at the addresses below. Because the websites are in Chinese, using an online translator such as Google Translate is recommended.

http://bbs.360.cn/3229787/251088462.html

http://bbs.360.cn/4005462/251096134.html

http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/

Keep safe!
