A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8501  by rkhunter
 Fri Sep 09, 2011 8:26 pm
@obse
Maybe you're right, but in the case of Mebroot it was a simple code copy-paste. But in this case, the malware needs to drop a special BIOS utility.
 #8508  by EP_X0FF
 Sat Sep 10, 2011 1:51 pm
IDK what deeper analysis there can be here. This malware is just like Popureb - a well advertised piece of sh*t. And yes, it's again perfectly suitable for scaring users in a ridiculous attempt to shake a little more money out of them for their "virtual protection". The dropper uses some primitive, well-known trick to load the driver. There is some primitive copy-pasted disk hooking (standalone driver) combined with yet again copy-pasted BIOS stuff (standalone driver) with 3 IOCTLs (identify Award BIOS, dump it, flash new). Don't forget about cbrom. The downloadable payload is inaccessible now, but I think it's also pure trash. If someone has it, please attach.

In case of comparing this with the first ITW bootkit, well, there is nothing to compare.
The bootkit has only a copy-pasted eEye boot part, while this bioskit is all created from different pieces of others' code.
The bootkit was stable enough and widely enough distributed; the bioskit is not and can't be.
I can continue, but it's too boring.

Like in case of popureb - KG/AM.
 #8512  by obse
 Sat Sep 10, 2011 5:55 pm
Look deeper. You've seen how easily the ROM can be erased/rewritten - via a few instructions, thanks to the AwardSW team.
It's only a matter of time to see an advanced version of the malware or, in the worse case, ransomware from script kiddies.
 #8521  by EP_X0FF
 Sun Sep 11, 2011 5:48 am
I look deeper and see UEFI. Aside from this there are no real advantages from using this method of infection. If you look at its actual payload - MBR reinfection is doubtful. You have a computer infected with a malware-flashed BIOS; how do you see that - an AV scanner dumping data and looking for a signature pattern? Ok, maybe, but in this case it is simpler to detect it via scanning the infected MBR. Once the modification is detected - it's up to service. An AV scanner re-flashing the BIOS? What's next - controller microcode? In case of an incorrect boot record fix - the user gets an unbootable computer - still it's possible to recover the MBR or data and do an OS reinstall. In case of an incorrect BIOS flash the user gets an unworkable computer - it can be recovered too, but not comparable with the previous one. In addition - there already exist effective and incomparably more complex rootkits ITW. They are widely distributed and well debugged. And what a surprise - none of them looks like a copy-pasted Chinese puzzle. The bioskit is doubtful in malware profitability, but perfectly fits the usual "We all gonna die" AV hysterics.
 #8526  by WawaSeb
 Sun Sep 11, 2011 3:30 pm
Hello everybody,

Just in case, here are the two files dropped by the infection: (my.sys and bios.sys)
I feel too n00b for an interesting paper, but again many thanks for the dropper/hashes.


Password : "infected", of course
 #8541  by Julian
 Mon Sep 12, 2011 6:38 pm
The good thing: To infect the BIOS malware has to install a driver. Pretty easy to detect for most behavior blockers. :)
Also preventing the MBR from getting infected isn't such a big deal.
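EP_X0FF's point above that a modified MBR is far simpler to detect than a re-flashed BIOS, and Julian's point that keeping the MBR from being infected isn't a big deal, both come down to the same defensive check: compare sector 0 against a trusted copy. The Python below is an added example (not code from this thread or from any poster): it parses a 512-byte MBR, hashes the bootstrap code separately from the partition table so a legitimate repartition is not confused with a boot-code change, and reports which part differs. The sample sectors, the device path and every function name are assumptions constructed for the example.

```python
import hashlib
import struct

# Constructed example: a small MBR integrity checker in the spirit of
# "detect it via scanning the infected MBR". All sample sectors are made up.

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446            # x86 bootstrap code area
PART_TABLE_OFF = 446           # four 16-byte partition entries follow it
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIG = b"\x55\xaa"         # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into the parts a checker cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, ptype, lba_start, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16])
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIG,
    }


def check_mbr(baseline: bytes, current: bytes) -> list:
    """Compare a freshly read MBR against a trusted baseline copy.

    Returns human-readable findings; an empty list means nothing changed.
    Bootstrap code and partition table are checked separately: a legitimate
    repartition touches only the table, boot-sector malware only the code.
    """
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["bootstrap_sha256"] != base["bootstrap_sha256"]:
        findings.append("bootstrap code changed")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    return findings


def build_mbr(bootstrap: bytes, entries: list) -> bytes:
    """Assemble a sector from bootstrap bytes and (status, type, lba, count) tuples."""
    table = b"".join(struct.pack(PART_ENTRY_FMT, *e) for e in entries)
    table += b"\x00" * (64 - len(table))          # unused entries stay zeroed
    return bootstrap.ljust(BOOTSTRAP_LEN, b"\x00") + table + BOOT_SIG


def read_physical_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw device (administrator rights on Windows;
    a path like /dev/sda on Linux). Assumed device path; not used by the samples."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


# Constructed sample data: a plausible-looking but fake boot sector.
BASELINE_MBR = build_mbr(
    b"\x33\xc0\x8e\xd0\xbc\x00\x7c",   # common "xor ax,ax / mov ss,ax / mov sp,7c00h" prologue
    [(0x80, 0x07, 2048, 204800)],      # one bootable NTFS-type partition
)
# Same sector with a few bootstrap bytes overwritten (constructed tamper).
TAMPERED_MBR = b"\x90" * 8 + BASELINE_MBR[8:]
# Same sector with the partition start moved (constructed repartition).
REPARTITIONED_MBR = build_mbr(BASELINE_MBR[:BOOTSTRAP_LEN], [(0x80, 0x07, 4096, 204800)])
# Same sector with the boot signature zeroed (constructed corruption).
NO_SIG_MBR = BASELINE_MBR[:510] + b"\x00\x00"

if __name__ == "__main__":
    for name, sector in [("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR),
                         ("repartitioned", REPARTITIONED_MBR), ("no-signature", NO_SIG_MBR)]:
        print(name, check_mbr(BASELINE_MBR, sector) or ["ok"])
```

In practice the baseline would be captured once from a known-clean system (or reconstructed from the OS's standard boot code) and stored off-host, and `read_physical_mbr` would supply the current sector; the checker deliberately reports the partition table and the bootstrap code as separate findings so that an operator can tell a repartition from a boot-code change.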
 #8542  by kareldjag/michk
 Mon Sep 12, 2011 9:02 pm
hi,

Less evil than TDL4...
It's maybe the same rootkit that is discussed on the 360 boards, and in that case, tools like MBRImmunity or BiosFix have been made available.
http://bbs.360.cn/4005462/251096134.html
http://bbs.360.cn/4005462/251088932.html
http://www.52pojie.cn/thread-107790-1-1.html

As "kamarade" EP_X0FF said, there are much more sophisticated rootkits, much more OS independent, which can resist a drive format and replacement, and a BIOS flashing, as I mentioned here:
http://www.kernelmode.info/forum/viewto ... f=11&t=803

Rgds