BIOS rootkit attacks China

Powered by SC Magazine

But attack scope is limited.

Researchers have discovered what is believed to be the first in-the-wild rootkit that targets BIOS, the built-in software responsible for booting up a computer and managing communication between the machine and its attached devices.

The discovery of Mebromi is notable not because any widespread infections are anticipated – the complexity of a successful attack on the motherboard is high – but because it appears to be the first malware written for the BIOS in at least four years.

The potent malware cocktail, consisting of a BIOS rootkit, an MBR (master boot record) rootkit, a kernel-mode rootkit, a PE (portable executable) file infector and a trojan downloader, is designed to evade anti-virus detection.

Right now, the active attack is exclusively targeting Chinese users, Webroot researcher Marco Giuliani said.

The trojan dropper is designed to first infect Award BIOS, manufactured by Phoenix Technologies. Once the BIOS is infected, the malicious code compromises the master boot record, a small program initiated when a computer starts up.

Anti-virus technologies likely will struggle against the threat.

"Storing the malicious code inside the BIOS ROM [chip] could actually become more than just a problem for security software, [given] the fact that even if an anti-virus product [can] detect and clean the MBR (master boot record) infection, it will be restored at the next system start-up when the malicious BIOS payload would overwrite the MBR code again," Giuliani said.

"Developing an anti-virus utility able to clean the BIOS code is a challenge because it needs to be totally error-proof to avoid rendering the system unbootable at all."
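The re-infection loop Giuliani describes, as an added illustration that is not from the article, Webroot or the malware itself: a baseline check over the MBR boot code, with a constructed firmware-hosted payload standing in for the BIOS component, shows why an MBR clean that does not survive a reboot points to persistence below the disk. All byte strings here are constructed sample data, and `simulated_boot` is a hypothetical model of the boot sequence, not real firmware behaviour.

```python
import hashlib
from typing import Optional

MBR_SIZE = 512
BOOT_CODE_END = 440       # bytes 0..439 hold the bootstrap code
SIGNATURE = b"\x55\xaa"   # bytes 510..511 hold the boot signature

def build_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR: boot code, disk signature, partition table, 0x55AA."""
    body = boot_code.ljust(BOOT_CODE_END, b"\x00")
    body += b"\x11\x22\x33\x44\x00\x00"          # disk signature + reserved
    body += b"\x80" + b"\x00" * 63               # one bootable entry, three empty
    return body + SIGNATURE

def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 over the bootstrap code only: the disk signature and partition
    table (bytes 440..509) legitimately change, so they are excluded."""
    if len(mbr) != MBR_SIZE or mbr[510:] != SIGNATURE:
        raise ValueError("not a valid 512-byte MBR")
    return hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest()

def simulated_boot(disk_mbr: bytes, firmware_payload: Optional[bytes]) -> bytes:
    """Hypothetical model of the behaviour the article describes: a payload
    living in firmware runs before the disk is read and rewrites the boot code."""
    if firmware_payload is None:
        return disk_mbr
    return firmware_payload.ljust(BOOT_CODE_END, b"\x00") + disk_mbr[BOOT_CODE_END:]

def investigate(disk_mbr: bytes, clean_mbr: bytes, firmware_payload: Optional[bytes]) -> str:
    """Compare the MBR to a known-good baseline, restore it, reboot once and
    re-check. A modification that comes back after the restore means the
    persistence sits in something that runs before the MBR (the firmware)."""
    baseline = boot_code_hash(clean_mbr)
    if boot_code_hash(disk_mbr) == baseline:
        return "clean"
    restored = clean_mbr                                  # the MBR clean step
    after_reboot = simulated_boot(restored, firmware_payload)
    if boot_code_hash(after_reboot) == baseline:
        return "disk-only"      # clean held: MBR infection with no firmware backing
    return "below-mbr"          # clean undone at boot: firmware-level persistence

# Constructed sample data (not real malware bytes).
CLEAN_MBR = build_mbr(b"CONSTRUCTED CLEAN BOOTSTRAP CODE")
PAYLOAD = b"CONSTRUCTED FIRMWARE-HOSTED MBR PAYLOAD"
INFECTED_MBR = simulated_boot(CLEAN_MBR, PAYLOAD)

if __name__ == "__main__":
    print("no firmware payload:", investigate(INFECTED_MBR, CLEAN_MBR, None))
    print("firmware payload:   ", investigate(INFECTED_MBR, CLEAN_MBR, PAYLOAD))
```

On a real system the same baseline comparison would run against the first 512 bytes of the boot disk before and after a reboot; the "below-mbr" outcome is the cue to verify or reflash the firmware rather than keep cleaning the MBR.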

Still, he doubts the threat will become far-reaching because the rootkit only works with one type of BIOS, likely because it is fashioned after the IceLord BIOS proof-of-concept from 2007, which also targeted Award.

"Although this kind of infection is potentially one of the most persistent infections known out there in the wild, it will hardly become a major threat because of the level of complexity needed to achieve the goal," Giuliani wrote.

The Chinese security firm Qihoo 360 first detected the attack, according to Webroot.

This article originally appeared at

Copyright © SC Magazine, US edition
