
Thread: Malware burrows deep into computer BIOS to escape AV


  1. #1
    ~BD~ Guest

    Malware burrows deep into computer BIOS to escape AV

    Researchers have discovered one of the first pieces of malware ever used
    in the wild that modifies the software on the motherboard of infected
    computers to ensure the infection can't be easily eradicated.

    Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it
    attacks to add malicious instructions that are executed early in a
    computer's boot-up sequence. The instructions, in turn, alter a
    computer's MBR, or master boot record, another system component that
    gets executed prior to the loading of the operating system of an
    infected machine. By corrupting the processes that run immediately after
    a PC starts, the malware stands a better chance of surviving attempts by
    antivirus programs to remove it.

    http://www.theregister.co.uk/2011/09...it_discovered/

    --
    Dave - exactly what *I've* suspected for years! ;-)
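
Added example, not part of the original post or the quoted article: a defender-side check for the MBR alteration described above. It hashes the boot code and partition table of a 512-byte sector separately against a known-good baseline, and flags the case where the sector was clean right after repair but its boot code differs again after a reboot, meaning something outside the MBR rewrote it. The sample sectors and all function names are constructed for illustration.

```python
import hashlib

SECTOR = 512
REGIONS = {                          # classic MBR layout
    "boot_code": slice(0, 446),      # bootstrap code area
    "partition_table": slice(446, 510),
}


def fingerprint(sector: bytes) -> dict:
    """Hash each MBR region separately so a report can say what changed."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    fp = {name: hashlib.sha256(sector[s]).hexdigest() for name, s in REGIONS.items()}
    fp["signature_ok"] = sector[510:512] == b"\x55\xaa"
    return fp


def changed_regions(baseline: dict, sector: bytes) -> list:
    """Names of regions that differ from the known-good baseline."""
    now = fingerprint(sector)
    diff = [name for name in REGIONS if now[name] != baseline[name]]
    if not now["signature_ok"]:
        diff.append("signature")
    return diff


def rewritten_after_repair(baseline: dict, after_repair: bytes, after_reboot: bytes) -> bool:
    """True when the sector matched the baseline right after repair but the
    boot code differs again after a reboot. This is a heuristic, not proof
    of a firmware implant: it only shows the writer lives outside the MBR."""
    return (not changed_regions(baseline, after_repair)
            and "boot_code" in changed_regions(baseline, after_reboot))


def _sector(boot_code: bytes) -> bytes:
    """Build a constructed 512-byte sample sector (not a real disk image)."""
    entry = (bytes([0x80, 0, 1, 0, 0x07, 0, 0, 0])
             + (2048).to_bytes(4, "little") + (409600).to_bytes(4, "little"))
    return boot_code.ljust(446, b"\x00") + entry + bytes(48) + b"\x55\xaa"


CLEAN = _sector(b"\xfa\x33\xc0\x8e\xd0")        # constructed known-good sample
ALTERED = _sector(b"\xeb\x3c\x90CONSTRUCTED")    # constructed modified sample
BASELINE = fingerprint(CLEAN)
```

The baseline has to be recorded from a sector known to be good, and the comparison is best run from separate boot media so the check does not depend on the installed system reporting its own disk contents.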

  2. #2
    David H. Lipman Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    From: "~BD~" <~BD~@nomail.afraid.org>

    > Researchers have discovered one of the first pieces of malware ever used in the wild
    > that modifies the software on the motherboard of infected computers to ensure the
    > infection can't be easily eradicated.
    >
    > Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it attacks to add
    > malicious instructions that are executed early in a computer's boot-up sequence. The
    > instructions, in turn, alter a computer's MBR, or master boot record, another system
    > component that gets executed prior to the loading of the operating system of an infected
    > machine. By corrupting the processes that run immediately after a PC starts, the malware
    > stands a better chance of surviving attempts by antivirus programs to remove it.
    >
    > http://www.theregister.co.uk/2011/09...it_discovered/
    >


    This is the FIRST malware to infiltrate the BIOS that's been in the wild, it is targeting
    Chinese computers in China and ONLY targets Phoenix/Award BIOS.


    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp



  3. #3
    ~BD~ Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    David H. Lipman wrote:
    > From: "~BD~"<~BD~@nomail.afraid.org>
    >
    >> Researchers have discovered one of the first pieces of malware ever used in the wild
    >> that modifies the software on the motherboard of infected computers to ensure the
    >> infection can't be easily eradicated.
    >>
    >> Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it attacks to add
    >> malicious instructions that are executed early in a computer's boot-up sequence. The
    >> instructions, in turn, alter a computer's MBR, or master boot record, another system
    >> component that gets executed prior to the loading of the operating system of an infected
    >> machine. By corrupting the processes that run immediately after a PC starts, the malware
    >> stands a better chance of surviving attempts by antivirus programs to remove it.
    >>
    >> http://www.theregister.co.uk/2011/09...it_discovered/
    >>

    >
    > This is the FIRST malware to infiltrate the BIOS that's been in the wild, it is targeting
    > Chinese computers in China and ONLY targets Phoenix/Award BIOS.
    >
    >


    Please explain exactly how you can be so certain about this, Mr Lipman.

  4. #4
    Peter Foldes Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    "~BD~" <~BD~@nomail.afraid.org> wrote in message news:j4son9$soe$1@dont-email.me...
    > David H. Lipman wrote:
    >> From: "~BD~"<~BD~@nomail.afraid.org>


    > Please explain exactly how you can be so certain about this, Mr Lipman



    You are Trolling again ???
    Did you read the article in the link you posted you dumbass??

    This below was in your link you frickin dumb Troll

    <snip>
    Mebromi is able to attack only BIOS ROMs made by Award, a manufacturer that was
    purchased by Phoenix in the late 1990s. The malware checks the BIOS ROM each time
    the PC boots up. If it's made by Award and the malicious instructions aren't found,
    Mebromi adds the code by reflashing the chip on the motherboard. According to
    Giuliani, it was first documented by the Chinese security company Qihoo 360, and
    primarily infects computers in that country.
    <end snip>

    JS


  5. #5
    ~BD~ Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    Peter Foldes wrote:
    > "~BD~" <~BD~@nomail.afraid.org> wrote in message
    > news:j4son9$soe$1@dont-email.me...
    >> David H. Lipman wrote:
    >>> From: "~BD~"<~BD~@nomail.afraid.org>

    >
    >> Please explain exactly how you can be so certain about this, Mr Lipman

    >
    >
    > You are Trolling again ???
    > Did you read the article in the link you posted?


    Of course I did.

    > This below was in your link you frickin dumb Troll
    >
    > <snip>
    > Mebromi is able to attack only BIOS ROMs made by Award, a manufacturer
    > that was purchased by Phoenix in the late 1990s. The malware checks the
    > BIOS ROM each time the PC boots up. If it's made by Award and the
    > malicious instructions aren't found, Mebromi adds the code by reflashing
    > the chip on the motherboard. According to Giuliani, it was first
    > documented by the Chinese security company Qihoo 360, and primarily
    > infects computers in that country.
    > <end snip>


    That does *not* mean that other bad guys have not done the same thing
    earlier, now does it?!!

    Sometimes you are sooooooooo thick, PF (or JS, or Derek)! Doh!
    >
    > JS



  6. #6
    David H. Lipman Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    From: "~BD~" <~BD~@nomail.afraid.org>

    >
    > That does *not* mean that other bad guys have not done the same thing earlier, now does
    > it?!!
    >


    FUD monger !

    Yes it does. We would have known about it just as fast.



    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp



  7. #7
    Bullwinkle. Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    Make up your mind.

    Perhaps I am PF???


    "~BD~" <~BD~@nomail.afraid.org> wrote in message
    news:j4ss1a$hfs$1@dont-email.me...

    Sometimes you are sooooooooo thick, PF (or JS, or Derek)! Doh!
    >
    > JS



  8. #8
    David H. Lipman Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    From: "~BD~" <~BD~@nomail.afraid.org>

    > David H. Lipman wrote:
    >> From: "~BD~"<~BD~@nomail.afraid.org>
    >>
    >>> Researchers have discovered one of the first pieces of malware ever used in the wild
    >>> that modifies the software on the motherboard of infected computers to ensure the
    >>> infection can't be easily eradicated.
    >>>
    >>> Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it attacks to add
    >>> malicious instructions that are executed early in a computer's boot-up sequence. The
    >>> instructions, in turn, alter a computer's MBR, or master boot record, another system
    >>> component that gets executed prior to the loading of the operating system of an
    >>> infected machine. By corrupting the processes that run immediately after a PC
    >>> starts, the malware stands a better chance of surviving attempts by antivirus
    >>> programs to remove it.
    >>>
    >>> http://www.theregister.co.uk/2011/09...it_discovered/
    >>>

    >>
    >> This is the FIRST malware to infiltrate the BIOS that's been in the wild, it is
    >> targeting Chinese computers in China and ONLY targets Phoenix/Award BIOS.
    >>
    >>

    >
    > Please explain exactly how you can be so certain about this, Mr Lipman.



    It's called reading and understanding and it wasn't from reading TheRegister we page.

    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp



  9. #9
    ~BD~ Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    David H. Lipman wrote:
    > From: "~BD~"<~BD~@nomail.afraid.org>
    >
    >> David H. Lipman wrote:
    >>> From: "~BD~"<~BD~@nomail.afraid.org>
    >>>
    >>>> Researchers have discovered one of the first pieces of malware ever used in the wild
    >>>> that modifies the software on the motherboard of infected computers to ensure the
    >>>> infection can't be easily eradicated.
    >>>>
    >>>> Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it attacks to add
    >>>> malicious instructions that are executed early in a computer's boot-up sequence. The
    >>>> instructions, in turn, alter a computer's MBR, or master boot record, another system
    >>>> component that gets executed prior to the loading of the operating system of an
    >>>> infected machine. By corrupting the processes that run immediately after a PC
    >>>> starts, the malware stands a better chance of surviving attempts by antivirus
    >>>> programs to remove it.
    >>>>
    >>>> http://www.theregister.co.uk/2011/09...it_discovered/
    >>>>
    >>>
    >>> This is the FIRST malware to infiltrate the BIOS that's been in the wild, it is
    >>> targeting Chinese computers in China and ONLY targets Phoenix/Award BIOS.
    >>>
    >>>

    >>
    >> Please explain exactly how you can be so certain about this, Mr Lipman.

    >
    >
    > Its called reading and understanding and it wasn't from reading TheRegister we page.
    >


    I think you are full of sh*t, Mr Lipman.

    Btw - there is *no* "we page".

    D.

  10. #10
    David H. Lipman Guest

    Re: Malware burrows deep into computer BIOS to escape AV

    From: "~BD~" <~BD~@nomail.afraid.org>

    > David H. Lipman wrote:
    >> From: "~BD~"<~BD~@nomail.afraid.org>
    >>
    >>> David H. Lipman wrote:
    >>>> From: "~BD~"<~BD~@nomail.afraid.org>
    >>>>
    >>>>> Researchers have discovered one of the first pieces of malware ever used in the wild
    >>>>> that modifies the software on the motherboard of infected computers to ensure the
    >>>>> infection can't be easily eradicated.
    >>>>>
    >>>>> Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it attacks to
    >>>>> add malicious instructions that are executed early in a computer's boot-up
    >>>>> sequence. The instructions, in turn, alter a computer's MBR, or master boot record,
    >>>>> another system component that gets executed prior to the loading of the operating
    >>>>> system of an infected machine. By corrupting the processes that run immediately
    >>>>> after a PC starts, the malware stands a better chance of surviving attempts by
    >>>>> antivirus programs to remove it.
    >>>>>
    >>>>> http://www.theregister.co.uk/2011/09...it_discovered/
    >>>>>
    >>>>
    >>>> This is the FIRST malware to infiltrate the BIOS that's been in the wild, it is
    >>>> targeting Chinese computers in China and ONLY targets Phoenix/Award BIOS.
    >>>>
    >>>>
    >>>
    >>> Please explain exactly how you can be so certain about this, Mr Lipman.

    >>
    >>
    >> Its called reading and understanding and it wasn't from reading TheRegister we page.
    >>

    >
    > I think you are full of sh*t, Mr Lipman.
    >


    Marco's writeup...
    http://blog.webroot.com/2011/09/13/m...t-in-the-wild/

    Symantec's writeup...
    http://www.symantec.com/connect/blog...-showing-again

    The sh!t is what spews from your fingertips.



    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp


