MEBROMI ROOTKIT By, Anish Shanmugasundaram Yashwanth Sainath Jammi


TRANSCRIPT

  • Slide 1
  • Slide 2
  • By, Anish Shanmugasundaram Yashwanth Sainath Jammi
  • Slide 3
  • Software that enables continued privileged access to a computer. Originally designed for Unix systems. Hides its presence from administrators by subverting standard operating-system functionality or other applications. An attacker needs root-level access to install a rootkit.
  • Slide 4
  • It targets BIOS (Basic Input/Output System) ROMs. BIOS: the software responsible for booting up a computer. First malware since IceLord to target the BIOS. Attacks only BIOS ROMs made by Award. Exclusively targets Chinese users protected by the Chinese security products Rising Antivirus and Jiangmin KV Antivirus. Designed to evade anti-virus detection.
  • Slide 5
  • Consists of a BIOS rootkit, an MBR (master boot record) rootkit, a kernel-mode rootkit, a portable-executable (PE) file infector and a trojan downloader. Adds malicious instructions that are executed early in the computer's boot-up sequence, reflashing the BIOS of the computer it attacks. To gain access to the BIOS, the infection first needs to be loaded in kernel mode so that it can work with physical memory.
  • Slide 6
  • The malware can extract and load the flash.dll library, which in turn loads the bios.sys driver. It can also load by stopping the beep.sys service, overwriting the beep.sys driver with its own bios.sys code, restarting the service, and then restoring the original beep.sys code.
  • Slide 7
  • The job of the MBR ends here, after loading the infection. When Windows starts up, it loads the patched executable. The payload then self-decrypts its malicious code and loads the my.sys driver into memory. It then searches web pages to download additional infections.
  • Slide 8
  • Slide 9
  • Google and Yahoo web pages are redirected. The desktop background image and browser homepage settings are changed. It slows down the computer and the internet connection. It corrupts the Windows registry and can cause unwanted pop-up ads. It can infect the system and cause a computer crash. It may contain keyloggers, software used to steal sensitive data like passwords, bank account and credit card information.
  • Slide 10
  • The first step in preventing a Mebromi rootkit infection is to run the system in a less privileged user mode. Run the command sc lock at the Command Prompt. Use a HIPS (host-based intrusion prevention system) tool like AntiHook. Firewall all networks. Monitor all log files.
  • Slide 11
  • Detection is difficult, as the rootkit is designed to hide its existence. Applications that can be used to detect rootkits are: Tripwire and AIDE, chkrootkit, LSMO, KSTAT.
  • Slide 12
  • Even if an anti-virus product can detect and clean the MBR infection, the infection will be restored at the next system start-up, when the malicious BIOS payload overwrites the MBR code again. Developing an anti-virus utility able to clean the BIOS code is a challenge because it needs to be totally error-proof to avoid rendering the system unbootable. Thus rebuilding the system would be the best bet to remove the infection.
  • Slide 13
  • Mebromi is not designed to infect 64-bit operating systems. It cannot infect a system if it runs with reduced privileges. To be broadly effective it would have to infect all the different releases and updates of Award, Phoenix and AMI BIOSes, which involves a high level of complexity.
  • Slide 14
  • THANK YOU
  • Slide 15
  • http://www.scmagazineus.com/researchers-uncover-first-active-bios-rootkit-attack/article/212035/ http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/ http://en.wikipedia.org/wiki/Rootkit http://www.web2secure.com/2011/09/mebromi-rootkit-bios-threat-in-wild.html http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/ http://www.cleanpcguide.com/remove-trojan-mebromi-removal-guide-how-to-remove-trojan-mebromi/