Software that enables continued privileged access to a
computer. Designed for a Unix System. Hides its presence from
administrators by subverting standard operating system
functionality or other applications. Attacker needs a root-level
access to install a rootkit.
Slide 4
It targets BIOS (basic input/output system) ROMs. BIOS :-
Software responsible for booting up a computer. First malware since
IceLord that targets BIOS. Attacks only BIOS ROMs made by Award
Company. Exclusively targets Chinese users protected by Chinese
security software Rising Antivirus and Jiangmin KV Antivirus.
Designed to evade Anti-virus detection.
Slide 5
Consists of a BIOS rootkit, an MBR (master boot record), a
kernel mode rootkit, portable executable file infector and trojan
downloader Adds malicious instructions that are executed early in a
computer's boot-up sequence thus reflashing the BIOS of computer it
attacks. To gain access to the BIOS, the infection first needs to
get loaded in kernel mode so that it can handle with physical
memory.
Slide 6
The malware can extract and load the flash.dll library which
will load the bios.sys driver. It can also load by stopping the
beep.sys service key. then overwrite the beep.sys driver with its
own bios.sys code. restart the service key and restore the original
beep.sys code.
Slide 7
Job of MBR ends here after loading the infection. When Windows
startup, It will load the patched executable. Then, the payload
self-decrypts its malicious code and loads in memory the my.sys
driver. Then it searches web pages to download additional
infection.
Slide 8
Slide 9
Google and Yahoo webpages are redirected. Desktop background
image and Browser homepage settings are changed. Slows down the
computer and internet. Corrupts the windows registry and can cause
unwanted pop up ads. It can infect and can cause a computer crash.
It may contain keyloggers which is a software used to steal
sensitive data like passwords, bank account and credit card
information.
Slide 10
The first step in prevention a Mebromi rootkit will be to run
the system in less privileged user mode. Run the command sc lock at
Command Prompt. use HIPS (Host based Intrusion Prevention System)
tool like AntiHook. Firewall all networks. Monitor all log
files.
Slide 11
Detection is difficult as it is designed to hide its existence.
Applications that can be used to detect the rootkits are : Tripwire
and AIDE Chk rootkit LSMO KSTAT
Slide 12
Even if an anti-virus product can detect and clean the MBR
infection, it will be restored at the next system start-up when the
malicious BIOS payload would overwrite the MBR code again.
Developing an anti-virus utility able to clean the BIOS code is a
challenge because it needs to be totally error-proof to avoid
rendering the system unbootable at all. Thus Rebuilding the system
would be the best bet to remove the infection.
Slide 13
Mebromi is not designed to infect 64-bit operating system. It
cannot infect a system if it runs with less privileges. it should
be able to infect all the different releases and updates of Award,
Phoenix, AMI BIOSs which involves a high level of complexity.