Mebromi Rootkit
By Anish Shanmugasundaram and Yashwanth Sainath Jammi
ROOTKIT – An Introduction
• Software that enables continued privileged access to a computer.
• Originally designed for Unix systems.
• Hides its presence from administrators by subverting standard operating system functionality or other applications.
• The attacker needs root-level access to install a rootkit.
MEBROMI ROOTKIT
• It targets BIOS (basic input/output system) ROMs.
• BIOS: the software responsible for booting up a computer.
• First malware since IceLord that targets the BIOS.
• Attacks only BIOS ROMs made by Award.
• Exclusively targets Chinese users protected by the Chinese security products Rising Antivirus and Jiangmin KV Antivirus.
• Designed to evade anti-virus detection.
FUNCTIONING
• Consists of a BIOS rootkit, an MBR (master boot record) rootkit, a kernel-mode rootkit, a portable executable (PE) file infector and a trojan downloader.
• Adds malicious instructions that are executed early in the computer's boot-up sequence, reflashing the BIOS of the computer it attacks.
• To gain access to the BIOS, the infection first needs to be loaded in kernel mode so that it can access physical memory.
METHODS OF LOADING MEBROMI'S KERNEL DRIVER
• The malware can extract and load the flash.dll library, which in turn loads the bios.sys driver.
• It can also load by:
 • stopping the beep.sys service,
 • overwriting the beep.sys driver with its own bios.sys code,
 • restarting the service, then restoring the original beep.sys code.
Contd.
• The MBR's job ends here, after loading the infection.
• When Windows starts up, it loads the patched executable.
• The payload then self-decrypts its malicious code and loads the my.sys driver into memory.
• It then visits web pages to download additional infections.
SYMPTOMS
• Google and Yahoo web pages are redirected.
• Desktop background image and browser homepage settings are changed.
• Slows down the computer and the internet connection.
• Corrupts the Windows registry and can cause unwanted pop-up ads.
• It can infect and crash the computer.
• It may contain keyloggers, software used to steal sensitive data such as passwords, bank account and credit card information.
PREVENTION
• The first step in preventing a Mebromi rootkit infection is to run the system as a less-privileged user.
• Run the command sc lock at the Command Prompt.
• Use a HIPS (host-based intrusion prevention system) tool such as AntiHook.
• Firewall all networks.
• Monitor all log files.
DETECTION
• Detection is difficult because the rootkit is designed to hide its existence.
• Applications that can be used to detect rootkits include:
 • Tripwire and AIDE
 • Chkrootkit
 • LSMO
 • KSTAT
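The slides name Tripwire and AIDE as detection tools and, earlier, describe Mebromi loading its driver by overwriting beep.sys in place. The script below is an added illustration written for this page (it is not code from the presentation, from Tripwire or from AIDE) of the file-integrity principle those tools rely on: record a cryptographic digest of every driver file once, then rescan and report any file whose bytes changed, appeared or vanished. The directory, file names and file contents are constructed placeholders; beep.sys and my.sys are used only because the slides mention them.

```python
"""Tripwire/AIDE-style file-integrity baseline (added example, not the
presentation's code). Demonstrates why a same-name, same-size driver
replacement such as the beep.sys overwrite described on the slides still
shows up: the SHA-256 digest changes even when the name and size do not."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record digest and size for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": file_digest(p), "size": p.stat().st_size}
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Rescan root and report files modified, added or removed since the baseline."""
    current = build_baseline(root)
    modified = sorted(
        f for f in baseline
        if f in current and current[f]["sha256"] != baseline[f]["sha256"]
    )
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def simulate_driver_replacement() -> dict:
    """Constructed scenario: three placeholder 'driver' files are baselined,
    then one is overwritten with different bytes of the same length (standing
    in for the slide's 'overwrite beep.sys with its own code') and a new file
    is dropped alongside. Returns the integrity report."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp) / "drivers"
        drivers.mkdir()
        # Constructed placeholder contents; these are not real driver images.
        (drivers / "beep.sys").write_bytes(b"BENIGN BEEP DRIVER v1")
        (drivers / "null.sys").write_bytes(b"BENIGN NULL DRIVER v1")
        (drivers / "ntfs.sys").write_bytes(b"BENIGN NTFS DRIVER v1")

        baseline = build_baseline(drivers)

        # Same name and same byte length as before, different content.
        (drivers / "beep.sys").write_bytes(b"REPLACED DRIVER BODY ")
        # A previously unknown driver dropped into the directory.
        (drivers / "my.sys").write_bytes(b"NEW UNKNOWN DRIVER")

        return compare_to_baseline(drivers, baseline)


if __name__ == "__main__":
    # Expected: beep.sys modified, my.sys added, nothing removed.
    print(simulate_driver_replacement())
```

The baseline itself must be stored somewhere the compromised host cannot silently rewrite (read-only media or a separate machine), which is how Tripwire and AIDE are normally deployed; a baseline kept on the same disk is only as trustworthy as the kernel that serves it, which is exactly what a kernel-mode rootkit subverts.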
REMOVAL
• Even if an anti-virus product can detect and clean the MBR infection, it will be restored at the next system start-up, when the malicious BIOS payload overwrites the MBR code again.
• Developing an anti-virus utility able to clean the BIOS code is a challenge because it needs to be totally error-proof to avoid rendering the system unbootable.
• Thus rebuilding the system is the best bet to remove the infection.
THREATS
• Mebromi is not designed to infect 64-bit operating systems.
• It cannot infect a system that runs with reduced privileges.
• To become a broader threat it would have to infect all the different releases and updates of Award, Phoenix and AMI BIOSes, which involves a high level of complexity.