The Inquirer-Home

A BIOS trojan is found in the wild

Hook used for rootkit redundancy
Tue Sep 13 2011, 14:32

SECURITY RESEARCHERS at Chinese antivirus firm 360 have identified a piece of malware that installs rogue code into the BIOS of targeted computers.

Dubbed BMW by 360 and Mebromi by other security vendors, the threat has separate components for the operating system, the master boot record (MBR) and the system BIOS.

A computer's BIOS holds a set of low-level instructions that execute before the boot loader to detect and initialise the computer's hardware components.

There are various types of BIOS, depending on motherboard and manufacturer, but according to 360, BMW only infects Award BIOS versions produced by Phoenix Technologies.

The malware adds a BIOS module called HOOK.ROM, which determines if malicious code has been erased from the MBR and restores it if necessary.

The MBR instructions serve a similar purpose. They check to see if certain Windows files are still infected before the operating system starts and reinfects them if they're not.

Thus, the BIOS hook and MBR code restore the rootkit at every reboot. Ultimately malicious code is added to winlogon.exe on Windows XP and Windows Server 2003, and to wininit.exe on Windows Vista and Windows 7.

BIOS malware is very rare, which makes BMW an interesting find, however hooking BIOS for malicious purposes is not a new concept. One of the first attempts to put it into practice was in 1999 with the CIH virus that ended up damaging infected systems.

Fortunately, because of hardware diversity users don't need to worry about this type of malware becoming widespread. BIOS flashing is so different from one motherboard manufacturer to another that it is almost impossible to develop code that does it reliably on the majority of systems.

It's worth pointing out that motherboards are not the only devices whose firmware can be infected by malware. Certain home routers have also been targeted by trojans in the past and have even been joined together in botnets. µ

 

Share this:

blog comments powered by Disqus
Advertisement
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Advertisement
INQ Poll

Masque malware is putting iPad and iPhone user data at risk

Has news of iOS malware made you reconsider getting an iPhone?