
Thread: Ping FTR: Mebromi BIOS Virus Out in the Wild

  1. #1
    ~BD~ Guest

    Ping FTR: Mebromi BIOS Virus Out in the Wild

    You've advised that this is impossible!

    Your comments requested on this item:-

    **

    Security specialists have recently discovered a virus that makes its way
    into the BIOS, making it very hard to get rid of using current
    commercial anti-virus solutions.

    The virus called Mebromi seems to be focused towards Chinese users,
    especially AMI BIOS owners, but this doesn't mean that the rest of the
    world is safe, as this could represent a gate opener for hackers who
    want to make sure our computers remain under their control.


    A full description of the way Mebromi functions was posted on the
    Webroot Threat Blog, giving us an insight on how this malicious element
    makes its way to the very core of a computer.

    The BIOS rootkit, an MBR rootkit, a kernel mode rootkit, a PE file
    injector and a Trojan downloader are the elements encapsulated in this
    potentially destructive malware, which at the moment is unable to cause
    any damage to machines running 64-bit operating systems if the user
    privileges are limited.

    The whole thing starts with a few files that try to access the kernel
    to load the virus's own kernel driver that will later generate the
    serious part of the infection.

    After it successfully infects the BIOS using a file called Cbrom.exe,
    which is a legitimate tool developed by Phoenix Technologies designed to
    modify the Award/Phoenix system's ROM binaries, it moves to infecting
    the master boot record of the device.

    The winlogon.exe or wininit.exe files are also corrupted and injected
    with codes that will generate the download of additional infections.

    http://news.softpedia.com/news/Mebro...d-221702.shtml
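The MBR stage described in the post above is the one a practitioner can baseline on a live disk: dump sector 0, confirm the 0x55AA signature, hash the bootstrap code and compare it with a hash recorded while the machine was known-clean. The following is an added example and not code from the thread, from Webroot or from the malware; the sector bytes, the "vendor" bootstrap stub and the baseline hash are constructed inline, and it assumes the modern layout (440 bytes of bootstrap, 4-byte disk signature at 440, partition table at 446).

```python
"""Baseline check of a raw MBR sector for bootstrap tampering.

Added example, not code from the thread or from Webroot. The MBR bytes are
constructed inline; the "baseline" hash stands in for one recorded from the
same disk while it was known-clean.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code occupies bytes 0..439 on the modern layout
DISK_SIG_OFF = 440       # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
BOOT_SIG = b"\x55\xaa"   # bytes 510..511

# Constructed stand-in for vendor bootstrap code: cli; xor ax,ax; mov ss,ax; mov sp,0x7c00; hlt
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xf4"


def parse_mbr(mbr: bytes) -> dict:
    """Validate the boot signature and pull out the fields a baseline should cover."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype != 0:                      # type 0 means an empty slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_sha256: str) -> dict:
    """Compare the bootstrap hash with the recorded baseline; the partition table is reported, not compared."""
    info = parse_mbr(mbr)
    info["bootstrap_matches_baseline"] = info["boot_code_sha256"] == baseline_sha256
    return info


def build_sample_mbr(boot_code: bytes = CLEAN_BOOT_CODE) -> bytes:
    """Constructed MBR: the given bootstrap plus one bootable NTFS-type (0x07) partition at LBA 2048."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0xDEADBEEF)
    struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF, 0x80, 0x07, 2048, 2 * 1024 * 1024)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def tamper_mbr(mbr: bytes) -> bytes:
    """Simulate a bootkit-style rewrite: the first instructions become a short jump while the
    boot signature, disk signature and partition table stay intact, so the disk still boots."""
    patched = bytearray(mbr)
    patched[0:2] = b"\xeb\x3c"              # jmp short +0x3c
    return bytes(patched)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]
    for label, image in (("clean", clean), ("tampered", tamper_mbr(clean))):
        r = check_mbr(image, baseline)
        print(f"{label}: bootstrap ok={r['bootstrap_matches_baseline']} partitions={r['partitions']}")
```

On a real machine the 512 bytes would come from the raw disk device rather than from build_sample_mbr, and the baseline hash from an earlier clean dump. The tampered sample keeps a valid partition table and signature on purpose: that is exactly why a signature check alone does not catch an MBR rootkit and the bootstrap hash is the field that matters.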

  2. #2
    Peter Foldes Guest

    Re: Attention : Crossposted post

    Attention: Crossposted post

  3. #3
    David H. Lipman Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    From: "~BD~" <~BD~@nomail.afraid.org>

    > You've advised that this is impossible!
    >
    > Your comments requested on this item:-
    >
    > **
    >
    > Security specialists have recently discovered a virus that makes its way into the BIOS,
    > making it very hard to get rid of using current commercial anti-virus solutions.
    >
    > The virus called Mebromi seems to be focused towards Chinese users, especially AMI BIOS
    > owners, but this doesn't mean that the rest of the world is safe, as this could
    > represent a gate opener for hackers who want to make sure our computers remain under
    > their control.
    >
    >
    > A full description of the way Mebromi functions was posted on the Webroot Threat Blog,
    > giving us an insight on how this malicious element makes its way to the very core of a
    > computer.
    >
    > The BIOS rootkit, an MBR rootkit, a kernel mode rootkit, a PE file injector and a Trojan
    > downloader are the elements encapsulated in this potentially destructive malware, which
    > at the moment is unable to cause any damage to machines running 64-bit operating systems
    > if the user privileges are limited.
    >
    > The whole thing starts with a few files that try to access the kernel to load the
    > virus's own kernel driver that will later generate the serious part of the infection.
    >
    > After it successfully infects the BIOS using a file called Cbrom.exe, which is a
    > legitimate tool developed by Phoenix Technologies designed to modify the Award/Phoenix
    > system's ROM binaries, it moves to infecting the master boot record of the device.
    >
    > The winlogon.exe or wininit.exe files are also corrupted and injected with codes that
    > will generate the download of additional infections.
    >
    > http://news.softpedia.com/news/Mebro...d-221702.shtml


    It is a trojan, not a virus and we already established the fact it is in the wild and was
    found in China.


    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp



  4. #4
    ~BD~ Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    David H. Lipman wrote:
    > From: "~BD~"<~BD~@nomail.afraid.org>
    >
    >> You've advised that this is impossible!
    >>
    >> Your comments requested on this item:-
    >>
    >> **
    >>
    >> Security specialists have recently discovered a virus that makes its way into the BIOS,
    >> making it very hard to get rid of using current commercial anti-virus solutions.
    >>
    >> The virus called Mebromi seems to be focused towards Chinese users, especially AMI BIOS
    >> owners, but this doesn't mean that the rest of the world is safe, as this could
    >> represent a gate opener for hackers who want to make sure our computers remain under
    >> their control.
    >>
    >>
    >> A full description of the way Mebromi functions was posted on the Webroot Threat Blog,
    >> giving us an insight on how this malicious element makes its way to the very core of a
    >> computer.
    >>
    >> The BIOS rootkit, an MBR rootkit, a kernel mode rootkit, a PE file injector and a Trojan
    >> downloader are the elements encapsulated in this potentially destructive malware, which
    >> at the moment is unable to cause any damage to machines running 64-bit operating systems
    >> if the user privileges are limited.
    >>
    >> The whole thing starts with a few files that try to access the kernel to load the
    >> virus's own kernel driver that will later generate the serious part of the infection.
    >>
    >> After it successfully infects the BIOS using a file called Cbrom.exe, which is a
    >> legitimate tool developed by Phoenix Technologies designed to modify the Award/Phoenix
    >> system's ROM binaries, it moves to infecting the master boot record of the device.
    >>
    >> The winlogon.exe or wininit.exe files are also corrupted and injected with codes that
    >> will generate the download of additional infections.
    >>
    >> http://news.softpedia.com/news/Mebro...d-221702.shtml

    >
    > It is a trojan, not a virus and we already established the fact it is in the wild and was
    > found in China.



    Have you actually *read* the Webroot article, David?

    http://blog.webroot.com/2011/09/13/m...t-in-the-wild/

    Btw .......

    There was a time when you, DHL, used to publish quite a long list of
    URLs - places for folk to visit to get detailed help with interpreting
    their HJT logs.

    For a long time, you never included www.aumha.net - yet after I
    questioned you about same you did, eventually, include Aumha in that list.

    This is the relevant URL for Malware removal:-

    http://www.aumha.net/viewforum.php?f...t&sd=d&start=0

    Do you still publish that list? (If so, where, please?)

    Do you still include Aumha in such a listing?

    Do you consider Aumha a 'safe' place to visit and the advice given there
    to be 'sound'?

  5. #5
    Aardvark Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    On Sun, 09 Oct 2011 18:57:21 +0100, ~BD~ wrote:

    > David H. Lipman wrote:
    >> From: "~BD~"<~BD~@nomail.afraid.org>
    >>
    >>> You've advised that this is impossible!
    >>>
    >>> Your comments requested on this item:-
    >>>
    >>> **
    >>>
    >>> Security specialists have recently discovered a virus that makes its
    >>> way into the BIOS, making it very hard to get rid of using current
    >>> commercial anti-virus solutions.
    >>>
    >>> The virus called Mebromi seems to be focused towards Chinese users,
    >>> especially AMI BIOS owners, but this doesn't mean that the rest of the
    >>> world is safe, as this could represent a gate opener for hackers who
    >>> want to make sure our computers remain under their control.
    >>>
    >>>
    >>> A full description of the way Mebromi functions was posted on the
    >>> Webroot Threat Blog,
    >>> giving us an insight on how this malicious element makes its way to
    >>> the very core of a computer.
    >>>
    >>> The BIOS rootkit, an MBR rootkit, a kernel mode rootkit, a PE file
    >>> injector and a Trojan downloader are the elements encapsulated in this
    >>> potentially destructive malware, which at the moment is unable to
    >>> cause any damage to machines running 64-bit operating systems if the
    >>> user privileges are limited.
    >>>
    >>> The whole thing starts with a few files that try to access the kernel
    >>> to load the virus's own kernel driver that will later generate the
    >>> serious part of the infection.
    >>>
    >>> After it successfully infects the BIOS using a file called Cbrom.exe,
    >>> which is a legitimate tool developed by Phoenix Technologies designed
    >>> to modify the Award/Phoenix system's ROM binaries, it moves to
    >>> infecting the master boot record of the device.
    >>>
    >>> The winlogon.exe or wininit.exe files are also corrupted and injected
    >>> with codes that will generate the download of additional infections.
    >>>
    >>> http://news.softpedia.com/news/Mebro...us-Out-in-the-Wild-221702.shtml
    >>
    >> It is a trojan, not a virus and we already established the fact it is
    >> in the wild and was found in China.

    >
    >
    > Have you actually *read* the Webroot article, David?
    >
    > http://blog.webroot.com/2011/09/13/m...os-rootkit-in-the-wild/
    >
    > Btw .......
    >
    > There was a time when you, DHL, used to publish quite a long list of
    > URLs - places for folk to visit to get detailed help with interpreting
    > their HJT logs.
    >
    > For a long time, you never included www.aumha.net - yet after I
    > questioned you about same you did, eventually, include Aumha in that
    > list.
    >
    > This is the relevant URL for Malware removal:-
    >
    > http://www.aumha.net/viewforum.php?f...t&sd=d&start=0
    >
    > Do you still publish that list? (If so, where, please?)
    >
    > Do you still include Aumha in such a listing?
    >
    > Do you consider Aumha a 'safe' place to visit and the advice given there
    > to be 'sound'?


    UNNECESSARY CROSSPOSTING REMOVED

    HTH



    --
    America is the only country that went from barbarism to decadence without
    civilization in between. - Oscar Wilde

  6. #6
    Peter Foldes Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    Needless crossposting removed AGAIN



  7. #7
    Dustin Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    ~BD~ <~BD~@nomail.afraid.org> wrote in
    news:j6sna1$mi5$1@dont-email.me:

    > David H. Lipman wrote:
    >> From: "~BD~"<~BD~@nomail.afraid.org>
    >>
    >>> You've advised that this is impossible!
    >>>
    >>> Your comments requested on this item:-
    >>>
    >>> **
    >>>
    >>> Security specialists have recently discovered a virus that makes
    >>> its way into the BIOS, making it very hard to get rid of using
    >>> current commercial anti-virus solutions.
    >>>
    >>> The virus called Mebromi seems to be focused towards Chinese
    >>> users, especially AMI BIOS owners, but this doesn't mean that the
    >>> rest of the world is safe, as this could represent a gate opener
    >>> for hackers who want to make sure our computers remain under their
    >>> control.
    >>>
    >>>
    >>> A full description of the way Mebromi functions was posted on
    >>> the Webroot Threat Blog,
    >>> giving us an insight on how this malicious element makes its way
    >>> to the very core of a computer.
    >>>
    >>> The BIOS rootkit, an MBR rootkit, a kernel mode rootkit, a PE file
    >>> injector and a Trojan downloader are the elements encapsulated in
    >>> this potentially destructive malware, which at the moment is
    >>> unable to cause any damage to machines running 64-bit operating
    >>> systems if the user privileges are limited.
    >>>
    >>> The whole thing starts with a few files that try to access the
    >>> kernel to load the virus's own kernel driver that will later
    >>> generate the serious part of the infection.
    >>>
    >>> After it successfully infects the BIOS using a file called
    >>> Cbrom.exe, which is a legitimate tool developed by Phoenix
    >>> Technologies designed to modify the Award/Phoenix system's ROM
    >>> binaries, it moves to infecting the master boot record of the
    >>> device.
    >>>
    >>> The winlogon.exe or wininit.exe files are also corrupted and
    >>> injected with codes that will generate the download of additional
    >>> infections.
    >>>
    >>> http://news.softpedia.com/news/Mebro...-in-the-Wild-221702.shtml

    >>
    >> It is a trojan, not a virus and we already established the fact it
    >> is in the wild and was found in China.

    >
    >
    > Have you actually *read* the Webroot article, David?


    Yes. I have as well. I stand by what David said.

    The question is, have you read AND understood the article? It's a
    rhetorical question. We all know you didn't.

    > For a long time, you never included www.aumha.net - yet after I
    > questioned you about same you did, eventually, include Aumha in that
    > list.


    So?

    > Do you still include Aumha in such a listing?


    Why would that matter?

    > Do you consider Aumha a 'safe' place to visit and the advice given
    > there to be 'sound'?


    Is there a point to this?




    --
    I am a sinner
    Hold my prayers up to the sun
    I am a sinner
    Heaven's closed for what I've done.

  8. #8
    Dustin Guest

    Re: Ping FTR: Mebromi BIOS Virus Out in the Wild

    ~BD~ <~BD~@nomail.afraid.org> wrote in
    news:j6sfd0$26j$1@dont-email.me:

    > You've advised that this is impossible!


    Uhh, No.. He didn't.

    > Security specialists have recently discovered a virus that makes its
    > way into the BIOS, making it very hard to get rid of using current
    > commercial anti-virus solutions.


    The "virus" isn't doing the bios modification, as the article most
    clearly states.

    > The BIOS rootkit, an MBR rootkit, a kernel mode rootkit, a PE file
    > injector and a Trojan downloader are the elements encapsulated in
    > this potentially destructive malware, which at the moment is unable
    > to cause any damage to machines running 64-bit operating systems if
    > the user privileges are limited.


    It's a kit. Missing items de-nuts it. The virus isn't infecting the
    BIOS.

    > After it successfully infects the BIOS using a file called
    > Cbrom.exe, which is a legitimate tool developed by Phoenix
    > Technologies designed to modify the Award/Phoenix system's ROM
    > binaries, it moves to infecting the master boot record of the
    > device.


    IT'S NOT INFECTING THE BIOS. It's adding an option ROM! Using Phoenix's
    own program, as they lack the skills to write their own ****ing
    routines.

    > The winlogon.exe or wininit.exe files are also corrupted and
    > injected with codes that will generate the download of additional
    > infections.


    They aren't corrupted. They wouldn't run then. They are modified to
    carry the trojan.



    --
    I am a sinner
    Hold my prayers up to the sun
    I am a sinner
    Heaven's closed for what I've done.
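The point made in the post above, that the BIOS side of this is an added option ROM rather than patched BIOS code, is also what makes it checkable: an option ROM has a fixed header, and a vendor's set of legitimate ROMs can be hashed and allowlisted, so an image that was not there before stands out. The following is an added example, not code from the thread, from Webroot or from Phoenix/Award. It works on a flat dump in which the option ROM region is already uncompressed (it does not unpack vendor-compressed module tables of the kind cbrom edits), the dump and the "vendor" ROM are constructed inline, and it checks only the generic legacy option ROM layout: 0x55 0xAA, image length in 512-byte blocks at offset 2, init entry at offset 3, and a byte sum of zero mod 256, which is the condition a legacy BIOS verifies before calling the entry point.

```python
"""Enumerate legacy option ROM images in a flat firmware dump and flag unknown ones.

Added example, not code from the thread, Webroot or Phoenix/Award. The dump is
constructed inline; the check uses the generic option ROM header layout
(0x55 0xAA, image length in 512-byte blocks at +2, init entry at +3, byte sum
of the image == 0 mod 256) rather than any Mebromi-specific module layout.
"""
import hashlib

ROM_SIG = b"\x55\xaa"
BLOCK = 512

# Constructed init stub standing in for a vendor ROM's entry code (retf)
ENTRY_STUB = b"\xcb"


def rom_checksum_ok(image: bytes) -> bool:
    """A legacy BIOS only runs an option ROM whose bytes sum to zero mod 256."""
    return sum(image) % 256 == 0


def build_option_rom(body: bytes, nblocks: int) -> bytes:
    """Build a well-formed option ROM image of nblocks*512 bytes; the last byte fixes the checksum."""
    size = nblocks * BLOCK
    if len(body) > size - 4:
        raise ValueError("body too large for image")
    rom = bytearray(size)
    rom[0:2] = ROM_SIG
    rom[2] = nblocks
    rom[3:3 + len(body)] = body
    rom[-1] = (-sum(rom[:-1])) % 256
    return bytes(rom)


def find_option_roms(dump: bytes, align: int = BLOCK) -> list:
    """Scan at `align` boundaries (a legacy BIOS walks C0000h-EFFFFh in 2 KiB steps; a raw dump
    is scanned at 512 bytes here so nothing hides between steps) and describe each header found."""
    found = []
    off = 0
    while off + 4 <= len(dump):
        if dump[off:off + 2] == ROM_SIG:
            size = dump[off + 2] * BLOCK
            image = dump[off:off + size]
            found.append({
                "offset": off,
                "size": size,
                "truncated": len(image) < size,
                "checksum_ok": size > 0 and len(image) == size and rom_checksum_ok(image),
                "sha256": hashlib.sha256(image).hexdigest(),
            })
            off += max(size, align)      # continue after the image
        else:
            off += align
    return found


def unexpected_roms(dump: bytes, allowlist: set) -> list:
    """Images whose hash is not on the vendor baseline: what a module added with cbrom would be."""
    return [r for r in find_option_roms(dump) if r["sha256"] not in allowlist]


def build_sample_dump() -> bytes:
    """Constructed 64 KiB dump: the known vendor ROM at 0x4000 and a foreign but
    well-formed ROM (correct checksum, so the BIOS would run it) at 0xC000."""
    dump = bytearray(64 * 1024)
    vendor = build_option_rom(ENTRY_STUB, 2)
    dump[0x4000:0x4000 + len(vendor)] = vendor
    foreign = build_option_rom(b"\xeb\x10", 2)   # entry is a jmp short into its own body
    dump[0xC000:0xC000 + len(foreign)] = foreign
    return bytes(dump)


if __name__ == "__main__":
    dump = build_sample_dump()
    allow = {find_option_roms(build_option_rom(ENTRY_STUB, 2))[0]["sha256"]}
    for r in unexpected_roms(dump, allow):
        print(f"unknown option ROM at 0x{r['offset']:X}, {r['size']} bytes, checksum_ok={r['checksum_ok']}")
```

The foreign image deliberately has a correct checksum: a module inserted with the vendor's own tool will pass the BIOS's own check, so checksum_ok tells you whether the image would execute, and only the hash allowlist tells you whether it belongs. In practice the allowlist comes from hashing the ROMs in a clean dump of the same firmware revision.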

  9. #9
    ~BD~ Guest

    Re: Ping FTR: Mebromi BIOS trojan Out in the Wild

    Dustin wrote:

    > Yes. I have as well. I stand by what David Said.


    He didn't say very much!

    > The question is, have you read AND understood the article? It's a
    > rhetorical question. We all you know didn't.


    <shrug>

    >> For a long time, you never included www.aumha.net - yet after I
    >> questioned you about same you did, eventually, include Aumha in that
    >> list.

    >
    > So?
    >
    >> Do you still include Aumha in such a listing?

    >
    > Why would that matter?


    I'd simply like to see the list again.

    >> Do you consider Aumha a 'safe' place to visit and the advice given
    >> there to be 'sound'?

    >
    > Is there a point to this?


    Of course!

    What if folk there *installed* malware instead of getting rid of it?

    Who would know?

  10. #10
    FromTheRafters Guest

    Re: Ping FTR: Mebromi BIOS Virus Out in the Wild

    "~BD~" <~BD~@nomail.afraid.org> wrote in message
    news:j6sfd0$26j$1@dont-email.me...
    > You've advised that this is impossible!


    No I haven't. I believe I told you that there was not yet enough room in the
    BIOS for a virus *infection* in the BIOS. I also am the one that pointed you to
    several papers on PCI rootkits and such.

    LoJack for Laptops comes closer to being a virus than does Mebromi.

    I think that soon there will be a virus that infects the BIOS and have always
    thought so, but it may not behave like your typical malware virus.

    > Your comments requested on this item:-
    >
    > **
    >
    > Security specialists have recently discovered a virus that makes its way into
    > the BIOS, making it very hard to get rid of using current commercial
    > anti-virus solutions.


    Those security specialists should explain to me how Mebromi qualifies
    as a virus. While it is a PE file infector, I don't see any recursive
    replication going on overall. Before any discussion with them, I'd have
    to ascertain whether or not they subscribe to the "all worms are viruses"
    idea - and *then* ask them to explain how Mebromi even qualifies as a
    worm once that idea is dispensed with.

    AFAIK, it is a trojan that installs an MBR rootkit and uses the BIOS as
    a guardian for that MBR rootkit (persistence). In addition, a kernel mode
    rootkit that hides an additional downloader's actions. It infects two specific
    system PE files as a startup method for said stealth downloader.

    If it had *infected* those programs with a copy of its own replicative
    function it would *then* qualify as a virus (if there was recursion). In
    order for the *BIOS* to be said to have been *infected* by a *virus*
    there would have to be replicative code in the BIOS itself, and the
    code it writes to the disk would have to have reciprocating code
    to reinfect the BIOS if the administrator had flashed it (like LoJack
    claims to do) - you need that recursion to make this a virus, yet as
    I understand it, only the Mebromi installation routine has the BIOS
    flash capability - not the infestation itself. So, it remains a trojan
    with respect to BIOS infection.

    I could be wrong, but this is how I understand it to be.

    [...]

    Do you have any specific on-topic questions for the spyware group?

    I think anything about this Mebromi is relevant to spyware, but they
    may not be interested in any of my opinions on the matter of malware
    type classification.

    P.S. I don't mind the crosspost to a.p.s-e <waves>.


