New Malware Hides from Antivirus in Your BIOS [News]


Malware researchers and malware programmers are in constant competition, the latter hunting for new ways to hide, the former sniffing out those methods. The BIOS, the basic input/output system firmware pre-installed on computer motherboards, is the perfect place to hide, but has generally been thought safe from intrusion.

A new piece of nasty known as Trojan.Mebromi has been found capable of re-flashing a computer’s motherboard BIOS in order to insert new code which, in turn, corrupts a computer’s master boot record. In doing so, this Trojan hides in a place where anti-virus programs can’t look and executes its payload in an environment where they don’t exist.

That’s not to say removing this threat would be impossible, but it is difficult, as pointed out by security researcher Marco Giuliani: “Developing an antivirus utility able to clean the BIOS code is a challenge, because it needs to be totally error-proof, to avoid rendering the system unbootable at all.”

There is some good news. The current incarnation of this malware can’t run if it isn’t given escalated privileges, so UAC should keep you safe if you use it. The Trojan also can’t infect computers running 64-bit operating systems. Finally, Award BIOS is the only target.

Mebromi is not the first malware to exploit the BIOS, but it is the first to be caught in the wild in over a decade. I wouldn’t worry about a rash of BIOS infections just yet, however. This malware targets a security flaw discovered in Award BIOS five years ago, but never used and apparently never patched. If the developers finally fix that flaw, the window of opportunity will be closed – for now, at least.

Source: Webroot Threat Blog, Symantec

Comments (10)
  • Admin

     Great article. Very informative. I’m just curious if wiping the hard drive is the solution if one becomes infected with this, or if flashing the BIOS is the only option. Thanks.

    • M.S. Smith

      You’d have to flash the BIOS and wipe the hard drive, I think, if you were fully infected. Or flash the BIOS and use a removal tool to get rid of the malware on the hard drive.

  • JoeyDee

    “There are more and more known viruses that infect the MBR (Master Boot Record). Symantec Security Response has published a blog to demonstrate this trend last month. However, we seldom confront with one that infects the BIOS. One of them is the notorious CIH, which appeared in 1999, infected the computer BIOS and thus harmed a huge number of computers at that time. Recently, we met a new threat named Trojan.Mebromi that can add malicious components into Award BIOS which allows the threat to take control of the system even before MBR.”

    BIOS Threat is Showing up Again!: http://www.symantec.com/connect/blogs/bios-threat-showing-again

  • JoeyDee

    This isn’t new.

  • Anonymous

    I was having some malware problems that definitely seemed like they might be of this type (I successfully removed stuff and it kept coming back, and I had the right brand of BIOS). I flashed the BIOS (hadn’t updated it in a while anyway) and then ran another scan, and it hasn’t come back after I removed it this time around. So I guess you have a stop-gap solution until someone comes out with a patch to fix the vulnerability or anti-virus can find stuff in the BIOS.

  • Jeffery Fabish

    Award and other BIOS manufacturers should issue a patch for this vulnerability; it’s not an anti-virus’s job.

    • Matt Smith

      I agree. It’s really a shame they didn’t issue a patch when proof was shown it could be done years ago. But then they’re a BIOS company – consumers don’t interact with them, so I’m not sure there is much incentive for them to act fast.
