Pinterest Stumbleupon Whatsapp
Ads by Google

Malware researchers and malware programmers are in constant competition, the latter hunting for new ways to hide, the former sniffing out those methods. BIOS, the basic operating system pre-installed on computer motherboards, is the perfect place to hide, but has been thought generally safe from intrusion.

A new piece of nasty known as Trojan.Mebromi has been found capable of re-flashing a computer’s motherboard BIOS in order to insert new code which, in turn, corrupts a computer’s master boot record. In doing so, this Trojan hides in a place where anti-virus programs can’t look and executes its payload in an environment where they don’t exist.

That’s not to say removing this threat would be impossible, but it is difficult, as pointed out by security researcher Marco Giuliani. “Developing an antivirus utility able to clean the BIOS code is a challenge, because it needs to be totally error-proof, to avoid rendering the system unbootable at all.

There is some good news. The current incarnation of this malware 3 Free Real-Time Malware Protection & Removal Tools 3 Free Real-Time Malware Protection & Removal Tools If you realize that your browsing and download habits put you at a high risk of catching malware, you should make an effort to be protected from these threats in real-time. An anti-virus tool is... Read More can’t run if it isn’t given escalated privileges, so UAC should keep you safe if you use it. The Trojan also can’t infect computers running 64-bit operating systems, either. Finally, Award BIOS is the only target.

Mebromi is not the first malware to exploit the BIOS, but it is the first to be caught in the wild for over a decade.  I wouldn’t worry about a rash of BIOS infections just yet, however. This malware targets a security flaw discovered in Award BIOS five years ago, but never used and apparently never patched. If the developers finally fix that flaw, the window of opportunity will be closed – for now, at least.

Ads by Google

Source:  Webroot Threat Blog, Symantec

  1. Admin
    September 29, 2011 at 2:11 pm

     Great article. Very informative. I'm just curious if wiping the hard drive is the solution if one becomes infected with this or if flashing the bios is the only option.. Thanks..

    • M.S. Smith
      October 4, 2011 at 11:15 pm

      You'd have to flash the BIOS and wipe the hard drive, I think, if you were fully infected. Or flash the BIOS and use a removal tool to get rid of the malware on the hard drive. 

  2. JoeyDee
    September 16, 2011 at 1:17 pm

    "There are more and more known viruses that infect the MBR (Master Boot Record). Symantec Security Response has published a blog to demonstrate this trend last month. However, we seldom confront with one that infects the BIOS.
    One of them is the notorious CIH APPEARED IN 1999, which infected the
    computer BIOS and thus harmed a huge number of computers at that time.
    Recently, we met a new threat named Trojan.Mebromi that can add
    malicious components into Award BIOS which allows the threat to take
    control of the system even before MBR.

    BIOS Threat is Showing up Again!: http://www.symantec.com/connect/blogs/bios-threat-showing-again

  3. JoeyDee
    September 16, 2011 at 1:12 pm

    This isn't new.

    • JoeyDee
      September 16, 2011 at 1:29 pm

      First MBR bug was around 1999-2000 IIRC...

      • Tina
        September 18, 2011 at 2:57 pm

        I believe this is mentioned at the bottom of the article.

  4. Anonymous
    September 16, 2011 at 3:18 am

    I was having some malware problems that definitely seemed like they might be of this type (I successfully removed stuff and it kept coming back and I had the right brand of BIOS). I flashed the BIOS (hadn't updated it in a while anyway) and then ran another scan, and it hasn't come back after I removed it this time around. So I guess you have a stop-gap solution until someone comes out with a patch to fix the vulnerability or anti-virus can find stuff in the BIOS.

  5. Jeffery Fabish
    September 15, 2011 at 10:08 pm

    Award and other BIOS manufactures should issue a patch for this vulnerability, it's not an anti-viruses job.

    • Matt Smith
      September 19, 2011 at 6:21 am

      I agree. It's really a shame they didn't issue a patch when proof was shown it could be done years ago. But then they're a BIOS company - consumers don't interact with them, so I'm not sure there is much incentive for them to act fast.

Leave a Reply

Your email address will not be published. Required fields are marked *