Innovating The Next Big Thing | June 20, 2013
McAfee Blogs: ‘Bioskits’ Join Ranks of Stealth Malware
Jun 7, 2012 – Arvind Gowda
We have seen many discussions of the MyBios “Bioskit” discovered at the end of 2011. MyBios was the first malware to successfully infect the Award BIOS and survive the reboot. It was first discovered by a Chinese security company; many other security vendors published detailed analyses after that.
We have seen many samples that target the master boot record (MBR) in order to survive a reboot and reinfect the system. We found one such MBR-infecting sample in our collection, and further investigation showed that the next variant of the same malware was a Bioskit. The first variant was an executable that infected the MBR; the second was a DLL carrying the Bioskit component. We discuss the second variant in this blog.
The malware’s main dropper is a DLL that carries out the MBR infection. It reads the original MBR from sector 0 and writes a copy of it to sector 15.
MyBios code writes the malicious MBR.
The malware then overwrites the original MBR in sector 0 with its own code and writes the file to be dropped (the downloader) into hidden sectors. The DLL copies itself to the Recycle folder and deletes itself. The downloader is dropped and executed every time the system starts.
The malicious MBR
The next two screens show the malicious MBR code. It reads the original MBR from sector 15 into memory at 0000:7C00 (overwriting itself) and passes control to the original MBR at that address, so the system boots in the normal way.
On a clean system the boot sector is loaded to this same address: after the power-on self-test, INT 19h reads the first sector of the boot device to 0000:7C00 and jumps to it. The malicious MBR simply inserts itself into that sequence.
The malicious MBR at 7c00 before the interrupt
The original MBR at 7c00 after the interrupt
All the components to be dropped are carried inside the DLL, including the utility cbrom.exe from the BIOS manufacturer, which the malware uses to modify the BIOS image before flashing it.
Dropped System File
The .sys file responsible for flashing the BIOS is similar to the bios.sys driver seen in MyBios. Unlike bios.sys, this driver places the code that checks the BIOS manufacturer and the BIOS size in its DriverEntry routine. The functionality of the two drivers is otherwise the same.
Code to check for Award BIOS
The rest of the code responsible for backing up and flashing the BIOS is present in the driver dispatch. A graph showing the code flow of both MyBios and the Niwa rootkit can be seen below.
MyBios code flow
NIWA code flow
What’s interesting is that the strings observed in the two malware are almost identical.
It cannot be a coincidence that almost all of the strings match, including the same misspellings and bad grammar. This strongly suggests that the same individual or group is behind both of these BIOS-flashing malware families.
McAfee detection and cleaning
McAfee detects this infection as “Niwa!mem” and successfully cleans the MBR infection and deletes all other malicious dropped components.
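The following is an added example, not McAfee’s code or the malware’s code. It models the MBR hijack described above (original MBR saved to sector 15, sector 0 replaced by a loader that reads sector 15 back to 0000:7C00, downloader parked in hidden sectors) on a raw disk image, and implements the kind of check and cleanup a detection engine performs on the MBR part of the infection. The bootstrap bytes are constructed stand-ins rather than the real-mode code from the screenshots, the partition-table layout and the payload location at LBA 16 are assumptions, and the heuristic that a second sector carrying a boot signature and the same partition table as sector 0 is the saved original is this example’s own.

```python
"""Model of the Niwa/MyBios-style MBR hijack and a checker that detects and
undoes it on a raw disk image.  Added example, not McAfee's code.

From the post: the dropper saves the original MBR to sector 15, overwrites
sector 0 with a loader that reads sector 15 back to 0000:7C00 and jumps to
it, and drops the downloader into hidden sectors.
Assumed here: the loader keeps the partition table intact (the OS reads it
from sector 0), the payload starts at LBA 16, and all bootstrap bytes are
constructed stand-ins for the real code.
"""
import struct

SECTOR = 512
BACKUP_LBA = 15          # sector the dropper copies the original MBR to (from the post)
PAYLOAD_LBA = 16         # hidden sectors used for the dropped downloader (assumption)
BOOT_SIG = b"\x55\xAA"   # MBR boot signature at offset 510
FIRST_PART_LBA = 2048    # start of the first partition in the constructed image


def make_clean_disk(sectors: int = 4096) -> bytearray:
    """Constructed disk image: plausible MBR in sector 0, zeroed hidden sectors,
    one active NTFS (type 0x07) partition starting at FIRST_PART_LBA."""
    bootstrap = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB"   # cli; xor ax,ax; mov ss,ax; mov sp,7C00h; sti
    bootstrap = bootstrap.ljust(440, b"\x90")            # pad with NOPs
    disk_sig = struct.pack("<IH", 0xDEADBEEF, 0)         # disk signature + reserved word
    # partition entry: status, CHS start, type, CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", FIRST_PART_LBA, sectors - FIRST_PART_LBA)
    table = entry + b"\x00" * 48                         # three empty entries
    mbr = bootstrap + disk_sig + table + BOOT_SIG
    assert len(mbr) == SECTOR
    disk = bytearray(sectors * SECTOR)
    disk[:SECTOR] = mbr
    return disk


def infect(disk: bytearray, payload: bytes) -> None:
    """What the dropper DLL does to the disk, following the post's description."""
    original = bytes(disk[:SECTOR])
    # 1. back up the original MBR to sector 15
    disk[BACKUP_LBA * SECTOR:(BACKUP_LBA + 1) * SECTOR] = original
    # 2. replace the bootstrap in sector 0; keep disk signature, partition table, 55AA
    loader = b"\xFA\xB8\x0F\x00\xB9\x01\x00"   # constructed stand-in for "read LBA 15 to 7C00h; jmp 7C00h"
    disk[:SECTOR] = loader.ljust(440, b"\x00") + original[440:]
    # 3. drop the downloader into the hidden sectors behind the backup
    assert PAYLOAD_LBA * SECTOR + len(payload) <= FIRST_PART_LBA * SECTOR
    disk[PAYLOAD_LBA * SECTOR:PAYLOAD_LBA * SECTOR + len(payload)] = payload


def first_partition_lba(mbr: bytes) -> int:
    """Lowest non-zero partition start in the table; the hidden area ends there."""
    starts = [struct.unpack_from("<I", mbr, 446 + 16 * i + 8)[0] for i in range(4)]
    starts = [s for s in starts if s]
    return min(starts) if starts else 1


def scan(disk) -> list:
    """Return a list of findings; an empty list means no Niwa-style hijack was seen."""
    findings = []
    mbr = bytes(disk[:SECTOR])
    if mbr[510:] != BOOT_SIG:
        return ["sector 0 lacks the 55AA boot signature"]
    backup = bytes(disk[BACKUP_LBA * SECTOR:(BACKUP_LBA + 1) * SECTOR])
    # Heuristic (this example's own): the hidden sectors of a clean disk are zero, so a
    # second sector with a boot signature, the same partition table as sector 0, and a
    # different bootstrap is the saved original MBR.
    if (backup[510:] == BOOT_SIG and backup[446:510] == mbr[446:510]
            and backup[:440] != mbr[:440]):
        findings.append(f"sector {BACKUP_LBA} holds a backup MBR with a different bootstrap: MBR hijack")
    gap = range(BACKUP_LBA + 1, first_partition_lba(mbr))
    dirty = [lba for lba in gap if any(disk[lba * SECTOR:(lba + 1) * SECTOR])]
    if dirty:
        findings.append(f"{len(dirty)} non-zero hidden sector(s) starting at LBA {dirty[0]}")
    return findings


def clean(disk: bytearray) -> bool:
    """Restore the original MBR from the backup sector and wipe the backup and the
    hidden sectors up to the first partition.  Returns True if a restore was done."""
    if not any("hijack" in f for f in scan(disk)):
        return False
    backup = bytes(disk[BACKUP_LBA * SECTOR:(BACKUP_LBA + 1) * SECTOR])
    end = first_partition_lba(backup)
    disk[:SECTOR] = backup
    disk[BACKUP_LBA * SECTOR:end * SECTOR] = b"\x00" * ((end - BACKUP_LBA) * SECTOR)
    return True


if __name__ == "__main__":
    image = make_clean_disk()
    infect(image, b"MZ" + b"\x90" * 600)        # constructed stand-in for the downloader
    print(scan(image))
    clean(image)
    print(scan(image))
```

Two caveats for anyone turning this into a real check. First, the hidden area between the MBR and the first partition is not always empty on a clean machine (a boot manager may legitimately store its second stage there), so wiping it wholesale is a decision to make per host, not a default; restoring sector 0 from the backup and zeroing only the sectors the scan flagged is the conservative option. Second, as the post says, this cleans only the MBR side of Niwa. Nothing in a disk image tells you whether the driver succeeded in flashing the BIOS; that requires reading the firmware itself.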
We have now seen two Bioskit malware in the wild within a couple of months. When the first Bioskit was identified, we did not know how soon we would see another; now it appears we should expect more in the near future. Detecting and cleaning the MBR component is not hard, but cleaning BIOS infections will be a challenge for security vendors.