Mebromi Rootkit

advertisement
By,
Anish Shanmugasundaram
Yashwanth Sainath Jammi




Software that enables continued privileged
access to a computer.
Designed for a Unix System.
Hides its presence from administrators by
subverting standard operating system
functionality or other applications.
Attacker needs a root-level access to install a
rootkit.






It targets BIOS (basic input/output system) ROMs.
BIOS :- Software responsible for booting up a
computer.
First malware since IceLord that targets BIOS.
Attacks only BIOS ROMs made by Award
Company.
Exclusively targets Chinese users protected by
Chinese security software Rising Antivirus and
Jiangmin KV Antivirus.
Designed to evade Anti-virus detection.



Consists of a BIOS rootkit, an MBR (master
boot record), a kernel mode rootkit, portable
executable file infector and trojan downloader
Adds malicious instructions that are executed
early in a computer's boot-up sequence thus
reflashing the BIOS of computer it attacks.
To gain access to the BIOS, the infection first
needs to get loaded in kernel mode so that it
can handle with physical memory.


The malware can extract and load the flash.dll
library which will load the bios.sys driver.
It can also load by
stopping the beep.sys service key.
 then overwrite the beep.sys driver with its own
bios.sys code.
 restart the service key and restore the original
beep.sys code.





Job of MBR ends here after loading the
infection.
When Windows startup, It will load
the patched executable.
Then, the payload self-decrypts its malicious
code and loads in memory the my.sys driver.
Then it searches web pages to download
additional infection.






Google and Yahoo webpages are redirected.
Desktop background image and Browser
homepage settings are changed.
Slows down the computer and internet.
Corrupts the windows registry and can cause
unwanted pop up ads.
It can infect and can cause a computer crash.
It may contain keyloggers which is a software
used to steal sensitive data like passwords,
bank account and credit card information.





The first step in prevention a Mebromi rootkit
will be to run the system in less privileged user
mode.
Run the command sc lock at Command
Prompt.
use HIPS (Host based Intrusion Prevention
System) tool like AntiHook.
Firewall all networks.
Monitor all log files.


Detection is difficult as it is designed to hide its
existence.
Applications that can be used to detect the
rootkits are :




Tripwire and AIDE
Chk rootkit
LSMO
KSTAT



Even if an anti-virus product can detect and
clean the MBR infection, it will be restored at
the next system start-up when the malicious
BIOS payload would overwrite the MBR code
again.
Developing an anti-virus utility able to clean
the BIOS code is a challenge because it needs
to be totally error-proof to avoid rendering the
system unbootable at all.
Thus Rebuilding the system would be the best
bet to remove the infection.



Mebromi is not designed to infect 64-bit
operating system.
It cannot infect a system if it runs with less
privileges .
it should be able to infect all the different
releases and updates of Award, Phoenix, AMI
BIOS’s which involves a high level of
complexity.
THANKYOU






http://www.scmagazineus.com/researchersuncover-first-active-bios-rootkitattack/article/212035/
http://www.theregister.co.uk/2011/09/14/bios_r
ootkit_discovered/
http://en.wikipedia.org/wiki/Rootkit
http://www.web2secure.com/2011/09/mebromirootkit-bios-threat-in-wild.html
http://blog.webroot.com/2011/09/13/mebromithe-first-bios-rootkit-in-the-wild/
http://www.cleanpcguide.com/remove-trojanmebromi-removal-guide-how-to-remove-trojanmebromi/
Download