New Malware Hides from Antivirus in Your BIOS [News]

Ads by Google

Malware researchers and malware programmers are in constant competition, the latter hunting for new ways to hide, the former sniffing out those methods. BIOS, the basic operating system pre-installed on computer motherboards, is the perfect place to hide, but has been thought generally safe from intrusion.

A new piece of nasty known as Trojan.Mebromi has been found capable of re-flashing a computer’s motherboard BIOS in order to insert new code which, in turn, corrupts a computer’s master boot record. In doing so, this Trojan hides in a place where anti-virus programs can’t look and executes its payload in an environment where they don’t exist.

That’s not to say removing this threat would be impossible, but it is difficult, as pointed out by security researcher Marco Giuliani. “Developing an antivirus utility able to clean the BIOS code is a challenge, because it needs to be totally error-proof, to avoid rendering the system unbootable at all.

There is some good news. The current incarnation of this malware can’t run if it isn’t given escalated privileges, so UAC should keep you safe if you use it. The Trojan also can’t infect computers running 64-bit operating systems, either. Finally, Award BIOS is the only target.

Mebromi is not the first malware to exploit the BIOS, but it is the first to be caught in the wild for over a decade.  I wouldn’t worry about a rash of BIOS infections just yet, however. This malware targets a security flaw discovered in Award BIOS five years ago, but never used and apparently never patched. If the developers finally fix that flaw, the window of opportunity will be closed – for now, at least.

Ads by Google

Source:  Webroot Threat Blog, Symantec

From the Web

10 Comments - Write a Comment


Jeffery Fabish

Award and other BIOS manufactures should issue a patch for this vulnerability, it’s not an anti-viruses job.

Matt Smith

I agree. It’s really a shame they didn’t issue a patch when proof was shown it could be done years ago. But then they’re a BIOS company – consumers don’t interact with them, so I’m not sure there is much incentive for them to act fast.



I was having some malware problems that definitely seemed like they might be of this type (I successfully removed stuff and it kept coming back and I had the right brand of BIOS). I flashed the BIOS (hadn’t updated it in a while anyway) and then ran another scan, and it hasn’t come back after I removed it this time around. So I guess you have a stop-gap solution until someone comes out with a patch to fix the vulnerability or anti-virus can find stuff in the BIOS.



This isn’t new.


First MBR bug was around 1999-2000 IIRC…


I believe this is mentioned at the bottom of the article.



“There are more and more known viruses that infect the MBR (Master Boot Record). Symantec Security Response has published a blog to demonstrate this trend last month. However, we seldom confront with one that infects the BIOS.
One of them is the notorious CIH APPEARED IN 1999, which infected the
computer BIOS and thus harmed a huge number of computers at that time.
Recently, we met a new threat named Trojan.Mebromi that can add
malicious components into Award BIOS which allows the threat to take
control of the system even before MBR.

BIOS Threat is Showing up Again!:



 Great article. Very informative. I’m just curious if wiping the hard drive is the solution if one becomes infected with this or if flashing the bios is the only option.. Thanks..

M.S. Smith

You’d have to flash the BIOS and wipe the hard drive, I think, if you were fully infected. Or flash the BIOS and use a removal tool to get rid of the malware on the hard drive. 

Your comment