
Thread: Ping FTR: Mebromi BIOS Virus Out in the Wild

  1. #11
    Max Wachtel Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    On 10/09/2011 01:57 PM, ~BD~ wrote:

    > There was a time when you, DHL, used to publish quite a long list of
    > URL's - places for folk to visit to get detailed help with interpreting
    > their HJT logs.
    >
    > Do you still publish that list? (If so, where, please?)


    This is an old list; some sites may not work.

    http://forums.spywareinfo.com/index.php?&showforum=18
    http://www.thespykiller.co.uk/index.php?board=3.0
    http://www.spywarewarrior.com/viewforum.php?f=5
    http://forums.tomcoyote.org/index.php?showforum=27
    http://www.bleepingcomputer.com/forums/forum22.html
    http://www.malwarebytes.org/forums/i...hp?showforum=7
    http://www.5starsupport.com/ipboard/...p?showforum=18
    http://forums.subratam.org/index.php?showforum=7
    http://forums.security-central.us/forumdisplay.php?f=13
    http://castlecops.com/forum67.html
    http://gladiator-antivirus.com/forum...?showforum=170
    http://www.lavasoftsupport.com/index.php?showforum=36
    http://forum.piriform.com/index.php?showforum=12
    http://www.wilderssecurity.com/forumdisplay.php?f=26
    http://makephpbb.com/phpbb/viewforum.php?f=2
    http://www.techmonkeys.co.uk/forums/viewforum.php?f=8
    http://forum.networktechs.com/forumdisplay.php?f=130
    http://forums.maddoktor2.com/index.php?showforum=17
    http://forums.spywaretimes.com/index.php?showforum=2
    http://www.bluetack.co.uk/forums/ind...?showforum=172
    http://forums.techguy.org/f54-s.html
    http://aumha.net/viewforum.php?f=30
    http://www.dslreports.com/forum/cleanup
    http://forum.malwareremoval.com/viewforum.php?f=11
    http://www.cybertechhelp.com/forums/...splay.php?f=25
    http://www.atribune.org/forums/index.php?showforum=9
    http://www.geekstogo.com/forum/Malwa..._Here-f37.html
    --
    "What would you do with a brain if you had one?"
    Registered Linux User #393236

  2. #12
    David H. Lipman Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    From: "Max Wachtel" <maxpro4u@hotmail.com>

    > On 10/09/2011 01:57 PM, ~BD~ wrote:
    >
    >> There was a time when you, DHL, used to publish quite a long list of
    >> URL's - places for folk to visit to get detailed help with interpreting
    >> their HJT logs.
    >>
    >> Do you still publish that list? (If so, where, please?)

    >
    > this is an old list-some sites may not work
    >


    < snip >

    It is not the list he wants per se, it's my inclusion/exclusion of aumha.net in that list
    that he wants.



    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp



  3. #13
    Dustin Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    ~BD~ <~BD~@nomail.afraid.org> wrote in news:j6tagb$q3n$1@dont-email.me:

    > Dustin wrote:
    >
    >> Yes. I have as well. I stand by what David Said.

    >
    > He didn't say very much!


    He's told you the same things I have repeatedly. You don't understand,
    but rather than say that, you act as if you did, so we continue. It
    doesn't do anyone any good as you don't have a clue what was discussed
    two pages ago, let alone what we're discussing on page 3.

    >> The question is, have you read AND understood the article? It's a
    >> rhetorical question. We all know you didn't.

    >
    > <shrug>


    So that's a "No, I didn't get it", eh?

    > I'd simply like to see the list again.


    What's stopping you from googling?

    > Of course!


    And it would be?

    > What if folk there *installed* malware instead of getting rid of it?


    David...

    If you have proof of this, proceed. If not, you are leaving yourself
    open to various libel lawsuits; even in your country.

    > Who would know?


    That's the thing. You can't just make statements like that. As you
    continue inferring rotten things, I'm getting the impression the only
    real way to teach you different is to provide the necessary funds to
    sue you in your country and take you for everything you have, for
    slander and libel. These usenet posts will provide more than enough
    evidence to meet US laws. I'm not sure about yours, but I'm willing to
    pony up the dough for someone in your country to sue you at this point.




    --
    I am a sinner
    Hold my prayers upto the sun
    I am a sinner
    Heaven's closed for what I've done.

  4. #14
    Max Wachtel Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    On 10/09/2011 09:01 PM, David H. Lipman wrote:
    > From: "Max Wachtel"<maxpro4u@hotmail.com>
    >
    >> On 10/09/2011 01:57 PM, ~BD~ wrote:
    >>
    >>> There was a time when you, DHL, used to publish quite a long list of
    >>> URL's - places for folk to visit to get detailed help with interpreting
    >>> their HJT logs.
    >>>
    >>> Do you still publish that list? (If so, where, please?)

    >>
    >> this is an old list-some sites may not work
    >>

    >
    > < snip>
    >
    > It is not the list he wants per se, it's my inclusion/exclusion of aumha.net in that list
    > that he wants.


    Seems it has had too much hinky sauce again.
    BTW, the list I posted was a composite of others'.
    --
    "What would you do with a brain if you had one?"
    Registered Linux User #393236

  5. #15
    David H. Lipman Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    From: "Max Wachtel" <maxpro4u@hotmail.com>

    >> It is not the list he wants per se, it's my inclusion/exclusion of aumha.net in that
    >> list
    >> that he wants.

    >
    > seems it has had too much hinky sauce again.
    > btw-the list i posted was a composite of others'.


    Either "too much hinky sauce" or he's off his meds again.

    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp



  6. #16
    Dustin Guest

    Re: Ping FTR: Mebromi BIOS Virus Out in the Wild

    "FromTheRafters" <erratic.howard@gmail.com> wrote in
    news:j6td40$86m$1@dont-email.me:

    > LoJack for Laptops comes closer to being a virus than does Mebromi.


    They're about the same. The same technology. However, at least with
    LoJack they have BIOS vendor support and cooperation, so they aren't reduced
    to including a 3rd-party utility to flash one style of BIOS only.

    Mebromi is a compilation of tools and a bit of coding, but generally
    trojan.. asshat level work.

    > I think that soon there will be a virus that infects the BIOS and
    > have always thought so, but it may not behave like your typical
    > malware virus.


    I would be inclined to agree. However, the viral code must replicate.
    Persistence alone doesn't qualify.

    > Those security specialists should explain to me how Mebromi
    > qualifies as a virus. While it is a PE file infector, I don't see
    > any recursive replication
    > going on overall. Before any discussion with them, I'd have to
    > ascertain whether or not they subscribe to the "all worms are
    > viruses" idea - and *then* ask them to explain how Mebromi even
    > qualifies as a worm once that idea is dispensed with.


    It's not a file infector. The modified files will not "spread" code to
    other files. It's modifying two PE files to ensure it gets an
    opportunity to startup another module included with it.

    > AFAIK, it is a trojan that installs an MBR rootkit and uses the BIOS
    > as a guardian for that MBR rootkit (persistence). In addition, a
    > kernel mode rootkit that hides an additional downloader's actions.
    > It infects two specific system PE files as a startup method for said
    > stealth downloader.


    Yes, and the modified PE files do not further infect other PE files;
    they are modified to ensure the program isn't replaced by the user.
    Persistence. It has several layers of that, as you laid out above.

    > If it had *infected* those programs with a copy of its own
    > replicative function it would *then* qualify as a virus (if there
    > was recursion). In order for the *BIOS* to be said to have been
    > *infected* by a *virus* there would have to be replicative code in
    > the BIOS itself, and the code it writes to the disk would have to
    > have reciprocating code to reinfect the BIOS if the administrator
    > had flashed it (like LoJack claims to do) - you need that recursion
    > to make this a virus, yet as I understand it, only the Mebromi
    > installation routine has the BIOS flash capability - not the
    > infestation itself. So, it remains a trojan with respect to BIOS
    > infection.
    >
    > I could be wrong, but this is how I understand it to be.


    You aren't wrong, your understanding is correct.

    > I think anything about this Mebromi is relevant to spyware, but they
    > may not be interested in any of my opinions on the matter of malware
    > type classification.



    --
    I am a sinner
    Hold my prayers upto the sun
    I am a sinner
    Heaven's closed for what I've done.

  7. #17
    Dustin Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    Gramsterdam <sealteam6@osama-is-dead.net> wrote in
    news:72p497h67puftdpn1b7ff1a2ed2m3qbp0j@Osama-is-dead.net:

    > ~BD~ wrote:
    >
    >>What if folk there *installed* malware instead of getting rid of it?
    >>
    >>Who would know?

    >
    >
    > Everyone. The site would lose any good reputation it may have, and FF,
    > Chrome, and IE would block it. It would also be on one of the many
    > HOSTS files floating around (its not).
    >
    > Also check here (is down right now):
    > http://www.siteadvisor.com/sites/www.aumha.org
    >
    > I looked at the site, but never registered. If you know of a URL where
    > Malware is located on the site, I'll ferret it out to put this Aumha
    > thing to bed once and for all.


    In the interest of good will, I would be happy to analyze the said
    malware if you wish to send it along to me. I will provide a full
    analysis.


    --
    I am a sinner
    Hold my prayers upto the sun
    I am a sinner
    Heaven's closed for what I've done.

  8. #18
    Dustin Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    ~BD~ <~BD~@nomail.afraid.org> wrote in news:j6tagb$q3n$1@dont-email.me:

    > What if folk there *installed* malware instead of getting rid of it?
    >
    > Who would know?


    If you will follow G. Morgan's posted instructions, I will provide a full
    analysis of the malware sample. You will have solid evidence which would
    hold up in a court room, and my sincere apologies for having doubted you
    on this.

    I will await that email from G. Morgan.


    --
    I am a sinner
    Hold my prayers upto the sun
    I am a sinner
    Heaven's closed for what I've done.

  9. #19
    ~BD~ Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    Gramsterdam wrote:
    > ~BD~ wrote:
    >
    >> What if folk there *installed* malware instead of getting rid of it?
    >>
    >> Who would know?

    >
    >
    > Everyone. The site would lose any good reputation it may have, and FF,
    > Chrome, and IE would block it. It would also be on one of the many
    > HOSTS files floating around (its not).
    >
    > Also check here (is down right now):
    > http://www.siteadvisor.com/sites/www.aumha.org
    >
    > I looked at the site, but never registered. If you know of a URL where
    > Malware is located on the site, I'll ferret it out to put this Aumha
    > thing to bed once and for all.



    Doh! <rolls eyes> Think outside the box for once! :-)

    Here is a malware removal thread by way of example:-

    http://aumha.net/viewtopic.php?f=30&t=45086

    You'll see how the person with the problem, Gramma Arlene, follows
    blindly all the instructions given.

    How would anyone know what *may* have been installed on Arlene's
    computer unless they forensically examined it *after* the cleaning process?

  10. #20
    ~BD~ Guest

    Re: Ping FTR: Mebromi BIOS Virus Out in the Wild

    FromTheRafters wrote:
    > "~BD~"<~BD~@nomail.afraid.org> wrote in message
    > news:j6sfd0$26j$1@dont-email.me...
    >> You've advised that this is impossible!

    >
    > No I haven't. I believe I told you that there was not yet enough room in the
    > BIOS for a virus *infection* in the BIOS. I also am the one that pointed you to
    > several papers on PCI rootkits and such.



    Forgive me if I misunderstood. I have always valued your help and advice.


    > LoJack for Laptops comes closer to being a virus than does Mebromi.
    >
    > I think that soon there will be a virus that infects the BIOS and have always
    > thought so, but it may not behave like your typical malware virus.



    Such a virus could render a computer more or less useless? Would a
    cost-effective repair be possible do you think?


    >> Your comments requested on this item:-
    >>
    >> **
    >>
    >> Security specialists have recently discovered a virus that makes its way into
    >> the BIOS, making it very hard to get rid of using current commercial
    >> anti-virus solutions.

    >
    > Those security specialists should explain to me how Mebromi qualifies
    > as a virus. While it is a PE file infector, I don't see any recursive
    > replication going on overall. Before any discussion with them, I'd have
    > to ascertain whether or not they subscribe to the "all worms are viruses"
    > idea - and *then* ask them to explain how Mebromi even qualifies as a worm
    > once that idea is dispensed with.
    >
    > AFAIK, it is a trojan that installs an MBR rootkit and uses the BIOS as
    > a guardian for that MBR rootkit (persistence). In addition, a kernel mode
    > rootkit that hides an additional downloader's actions. It infects two specific
    > system PE files as a startup method for said stealth downloader.



    I know you like to be 'correct' in the use of terms, FTR (and rightly
    so) - but the *effect* is what *really* matters IMO!


    > If it had *infected* those programs with a copy of its own replicative
    > function it would *then* qualify as a virus (if there was recursion). In
    > order for the *BIOS* to be said to have been *infected* by a *virus*
    > there would have to be replicative code in the BIOS itself, and the
    > code it writes to the disk would have to have reciprocating code
    > to reinfect the BIOS if the administrator had flashed it (like LoJack
    > claims to do) - you need that recursion to make this a virus, yet as
    > I understand it, only the Mebromi installation routine has the BIOS
    > flash capability - not the infestation itself. So, it remains a trojan
    > with respect to BIOS infection.
    >
    > I could be wrong, but this is how I understand it to be.



    I accept what you say.

    > [...]
    >
    > Do you have any specific on topic questions for the spyware group?



    Yes. How would anyone know that they had been infected in this manner if
    their anti-malware programmes didn't flag same?


    > I think anything about this Mebromi is relevant to spyware, but they
    > may not be interested in any of my opinions on the matter of malware
    > type classification.
    >
    > P.S. I don't mind the crosspost to a.p.s-e <waves>.


    Dave waves back! ;-)

