Beware the Mebromi, my son: BIOS infections

Symantec has identified Mebromi, a piece of malware that not only infects the MBR, but also infects the Award BIOS. BIOS infections are very difficult to detect and eradicate.

By hooking into the BIOS, Mebromi can easily re-infect a system the next time you reboot. Which is exactly what it does.
And when you mess around with the BIOS, there’s a very real danger of rendering the system unbootable. If the power goes out while it’s reprogramming the BIOS, the system won’t boot. But if you’re a malware author, the benefit outweighs the risk.

This makes me glad my new motherboard doesn’t have an Award BIOS, but it’s only a matter of time before malware that infects other brands appears. The 2013 leak of the AMI source code all but guaranteed it.

Antivirus software will have a difficult time cleaning the BIOS, and will run the same risks in doing so. Some may resort to advising the user to download the correct BIOS from their manufacturer and re-flash it. That would be the safest approach.

In fact, if you’re fixing a computer, it might be a good idea to flash the BIOS, even if it appears to be up to date, just in case.

Due to the difficulty of cleaning this up, I highly recommend keeping your security software up to date. And I’m starting to think more and more that installing VMware or a similar product, along with some kind of Linux virtual machine with a web browser in it, is a very good idea. Then you can use that virtual machine for the majority of your online activity, giving yourself an extra layer of protection.

Some people have questioned the source. Symantec, being an antivirus vendor, makes money by protecting people from viruses. But they don’t say they have anything that actually cleans this up completely. I take this advisory very much as a heads-up, rather than as an attempt at turning a profit.

Malware is growing ever more sophisticated, and very rapidly, and now we’re seeing people re-using old tricks that failed in the past. MBR infections fell by the wayside a decade ago, but now they’re back. Here’s how to clean the MBR. CIH messed around with BIOS code in 1999, but more as a payload than as a means to re-infect a machine. Attacking the BIOS is hard, but it is clearly back on the table.

Today, viruses don’t set out to destroy computers so much as they set out to build networks of compromised computers that they can then use for other purposes. As competition among these networks grows and removal tools grow more sophisticated, the malware also becomes more sophisticated.

2 thoughts on “Beware the Mebromi, my son: BIOS infections”

  • September 16, 2011 at 6:50 pm

    Wow, it took two years (give or take) from proof of concept to appearing in the field. It would be very interesting to see how close the Mebromi code is to the code that appeared in Phrack. I wonder if there’s a disassembly of Mebromi out there anywhere yet….?
