[rkhunter]

@obse
May be you right, but in case with Mebroot was a simple code copy-paste. But in this case, malware need drop a special BIOS utility.

[rkhunter]

Symantec research
http://www.symantec.com/connect/blogs/b ... wing-again

[EP_X0FF]

IDK what deeper analysis here can be. This malware is just like Popureb - well advertised piece of sh*t. And yes, it's again perfectly suitable for scaring users in ridicuolus attempt to shake with them a little more money on their "virtual protection". Dropper uses some primitive well known trick to load driver. There are some primitive copy-pasted disk hooking (standalone driver) combined with yet again copy-pasted bios stuff (standalone driver) with 3 IOCTL's (identify AwOrd bios, dump it, flash new). Don't forget about cbrom. Downloadable payload is inaccessible now, but I think it's also pure trash. If someone have it, please attach.

In case of comparing this with first itw bootkit, well there is nothing to compare.
Bootkit has only copy-pasted eeye boot part, while this bioskit all created from different pieces of another's code.
Bootkit was enough stable and enough widely distributed, bioskit no and can't.
I can continue, but it's too boring.

Like in case of popureb - KG/AM.

[obse]

Look deeper. You've seen how easyly can be erased/rewritten rom - via few instruction, thanks to AwardSW team.
It only a matter of time to see the advanced version of malware or in worse case ransomware from script kddies

[EP_X0FF]

I look deeper and see UEFI. Aside from this there are no real advantages from the using this method of infection. If look on it actual payload - MBR reinfection is doubtful. You have infected computer with malware flashed BIOS, how do you see that - an AV scanner dumping data and looking for signature pattern? Ok, maybe, but in this case is more simpler to detect it via scanning infected MBR. Once modification detected - it's up to service. AV scanner re-flashing BIOS? What's next - controllers microcode? In case of incorrect boot record fix - user gets unbootable computer - still it's possible to recover mbr or data and do os reinstall. In case of incorrect BIOS flash user gets unworkable computer - can be recovered too, but not comparable with previous one. In additional - there are already exists effective and incomparable more complex rootkits ITW. They widely distributed and well debugged. And what a surprise - none of them doesn't looks like copy-pasted Chinese puzzle. Bioskit is doubtful in malware profitability, but perfectly fits "We all gonna die" usual AV hysterics.

[WawaSeb]

Hello everybody,

Just in case, here is two files dropped by infection : (my.sys and bios.sys)
I feel to n00b for interesting paper but again many thanks for dropper/hashes.


Password : "infected", of course

[Julian]

The good thing: To infect the BIOS malware has to install a driver. Pretty easy to detect for most behavior blockers. :)
Also preventing the MBR from getting infected isn't such a big deal.

[kareldjag/michk]

hi,

Less evil than TDL4...
It's maybe the same rootkit that is discussed on 360 boards, and in this case, tools like MBRImmunity or BiosFix have been made available.
http://bbs.360.cn/4005462/251096134.html
http://bbs.360.cn/4005462/251088932.html
http://www.52pojie.cn/thread-107790-1-1.html

As said "kamarade" EP_X0FF there is much more sophisticated rootkits, much more OS independent, and which can resist to a drive format and replacement, and to a Bios flashing as i mentioned here:
http://www.kernelmode.info/forum/viewto ... f=11&t=803

Rgds

[rkhunter]

Webroot:
http://blog.webroot.com/2011/09/13/mebr ... -the-wild/

Dr.Web:
http://news.drweb.com/show/?i=1879&lng=ru&c=14

[nekko]

«Доктор Веб» обнаружил троянца, способного заразить BIOS
"Doctor Web" has found a Trojan that can infect the BIOS

http://www.cnews.ru/news/top/index.shtm ... /13/455168