1 / 14

Mebromi Rootkit

Mebromi Rootkit. By, Anish Shanmugasundaram Yashwanth Sainath Jammi. ROOTKIT – An Introduction. Software that enables continued privileged access to a computer. Designed for a Unix System.

chen
Download Presentation

Mebromi Rootkit

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. MebromiRootkit By, AnishShanmugasundaram YashwanthSainathJammi

  2. ROOTKIT – An Introduction • Software that enables continued privileged access to a computer. • Designed for a Unix System. • Hides its presence from administrators by subverting standard operating system functionality or other applications. • Attacker needs a root-level access to install a rootkit.

  3. MEBROMI ROOTKIT • It targets BIOS (basic input/output system) ROMs. • BIOS :- Software responsible for booting up a computer. • First malware since IceLord that targets BIOS. • Attacks only BIOS ROMs made by Award Company. • Exclusively targets Chinese users protected by Chinese security software Rising Antivirus and Jiangmin KV Antivirus. • Designed to evade Anti-virus detection.

  4. FUNCTIONING • Consists of a BIOS rootkit, an MBR (master boot record), a kernel mode rootkit, portable executable file infector and trojan downloader • Adds malicious instructions that are executed early in a computer's boot-up sequence thus reflashing the BIOS of computer it attacks. • To gain access to the BIOS, the infection first needs to get loaded in kernel mode so that it can handle with physical memory.

  5. METHODS IN LOADING MEBROMI’S KERNEL DRIVER • The malware can extract and load the flash.dll library which will load the bios.sys driver. • It can also load by • stopping the beep.sys service key. • then overwrite the beep.sys driver with its own bios.sys code. • restart the service key and restore the original beep.sys code.

  6. Contd.. • Job of MBR ends here after loading the infection. • When Windows startup, It will load the  patched executable. • Then, the payload self-decrypts its malicious code and loads in memory the my.sys driver. • Then it searches web pages to download additional infection.

  7. Mebromi's BIOS tampering process

  8. SYMPTOMS • Google and Yahoo webpages are redirected. • Desktop background image and Browser homepage settings are changed. • Slows down the computer and internet. • Corrupts the windows registry and can cause unwanted pop up ads. • It can infect and can cause a computer crash. • It may contain keyloggers which is a software used to steal sensitive data like passwords, bank account and credit card information.

  9. PREVENTION • The first step in prevention a Mebromirootkit will be to run the system in less privileged user mode. •  Run the command sc lock at Command Prompt. • use HIPS (Host based Intrusion Prevention System) tool like AntiHook. • Firewall all networks. • Monitor all log files.

  10. DETECTION • Detection is difficult as it is designed to hide its existence. • Applications that can be used to detect the rootkits are : • Tripwire and AIDE • Chkrootkit • LSMO • KSTAT

  11. REMOVAL • Even if an anti-virus product can detect and clean the MBR infection, it will be restored at the next system start-up when the malicious BIOS payload would overwrite the MBR code again. • Developing an anti-virus utility able to clean the BIOS code is a challenge because it needs to be totally error-proof to avoid rendering the system unbootable at all. • Thus Rebuilding the system would be the best bet to remove the infection.

  12. THREATS • Mebromi is not designed to infect 64-bit operating system. • It cannot infect a system if it runs with less privileges . • it should be able to infect all the different releases and updates of Award, Phoenix, AMI BIOS’s which involves a high level of complexity.

  13. THANKYOU

  14. REFERENCES • http://www.scmagazineus.com/researchers-uncover-first-active-bios-rootkit-attack/article/212035/ • http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/ • http://en.wikipedia.org/wiki/Rootkit • http://www.web2secure.com/2011/09/mebromi-rootkit-bios-threat-in-wild.html • http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/ • http://www.cleanpcguide.com/remove-trojan-mebromi-removal-guide-how-to-remove-trojan-mebromi/

More Related