McAfee Blogs: ‘Bioskits’ Join Ranks of Stealth Malware
Jun 7, 2012 – Arvind Gowda

We have seen many discussions of the MyBios “Bioskit” discovered at the end of 2011. MyBios was the first malware to successfully infect the Award BIOS and survive a reboot. It was first discovered by a Chinese security company; many other security vendors published detailed analyses after that.

We have seen a lot of samples targeting the master boot record (MBR) to survive a reboot and reinfect a system. We found a sample in our collection that infected the MBR. Further investigation showed that the next variant of the malware was a Bioskit. The first variant was an executable that infected the MBR; the second was a DLL carrying the Bioskit component. We will discuss the second variant in this blog.

DLL Analysis

The malware’s main dropper is a DLL that is responsible for the MBR infection. It reads the original MBR from Sector 0 and writes it to Sector 15.

MyBios code writes the malicious MBR.

The malware overwrites the original MBR in sector 0 and writes the file to be dropped (the downloader) into hidden sectors. The DLL copies itself to the Recycle folder and deletes itself. The downloader is dropped and executed every time the system is started.

The malicious MBR

The next two screens show the malicious MBR code, which reads the original MBR from Sector 15 into memory at location 0000:7c00. Control then passes to the original MBR at this location and the system boots in the normal way.

On a clean system this is the same location the boot sector is normally read to: after the power-on self-test, INT 19 loads the boot sector and jumps to 0000:7c00.
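The relocation described above (original MBR moved to sector 15, a loader stub left in sector 0) leaves a detectable footprint: a second MBR-looking sector sitting in the unpartitioned gap before the first partition. The following Python script is an added example, not code from McAfee or from the post; it assumes a classic MBR disk whose first partition starts at LBA 63 and uses a constructed 63-sector image (no real malware) to show the check.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"


def parse_partitions(sector: bytes):
    """Decode the four 16-byte MBR partition entries at offset 446."""
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status = sector[off]           # 0x80 = bootable, 0x00 = inactive
        ptype = sector[off + 4]        # partition type byte
        start_lba, size = struct.unpack_from("<II", sector, off + 8)
        entries.append((status, ptype, start_lba, size))
    return entries


def looks_like_mbr(sector: bytes) -> bool:
    """Heuristic: 0x55AA boot signature plus at least one sane partition entry."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return False
    return any(
        status in (0x00, 0x80) and ptype != 0 and start > 0 and size > 0
        for status, ptype, start, size in parse_partitions(sector)
    )


def find_relocated_mbr(image: bytes):
    """Return (lba, same_partition_table) for every MBR-looking sector found in
    the unpartitioned gap between sector 0 and the first partition. A copy with
    an identical partition table is the pattern a relocated original MBR leaves."""
    mbr = image[:SECTOR]
    if not looks_like_mbr(mbr):
        return []
    first_lba = min(start for _, ptype, start, _ in parse_partitions(mbr) if ptype != 0)
    hits = []
    for lba in range(1, min(first_lba, len(image) // SECTOR)):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if looks_like_mbr(sector):
            hits.append((lba, sector[446:510] == mbr[446:510]))
    return hits


# --- constructed sample disk image (labels only, not real boot code) ----------
def make_mbr(boot_code: bytes, first_partition_lba: int) -> bytes:
    """Build a 512-byte MBR: boot code, one bootable type-0x07 entry, 0x55AA."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", first_partition_lba, 1000)
    table = entry + b"\x00" * 48
    return boot_code.ljust(446, b"\x00") + table + BOOT_SIG


ORIGINAL_MBR = make_mbr(b"CONSTRUCTED ORIGINAL BOOT CODE", 63)
MALICIOUS_MBR = make_mbr(b"CONSTRUCTED LOADER STUB", 63)


def build_image(infected: bool) -> bytes:
    """63 sectors: sector 0 holds the MBR; an 'infected' image also keeps the
    original MBR in sector 15, as the post describes."""
    sectors = [bytearray(SECTOR) for _ in range(63)]
    sectors[0][:] = MALICIOUS_MBR if infected else ORIGINAL_MBR
    if infected:
        sectors[15][:] = ORIGINAL_MBR
    return b"".join(sectors)


if __name__ == "__main__":
    for label, img in (("clean", build_image(False)), ("infected", build_image(True))):
        print(label, find_relocated_mbr(img))
```

On a live host the same function would be fed the first few dozen sectors read from the physical drive (administrator rights are needed for that), and a hit whose partition table matches sector 0 is worth a closer look at the sector 0 boot code; a legitimate boot manager that stores a backup in the gap would produce the same finding, so treat the result as a triage signal rather than proof of infection.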

The malicious MBR at 7c00 before the interrupt

The original MBR at 7c00 after the interrupt

All the dropped components are embedded in the DLL, including the utility cbrom.exe from the BIOS manufacturer, which the malware uses to flash the BIOS.
Dropped System File

The sys file responsible for flashing the BIOS is similar to the one seen in MyBios. Unlike bios.sys, this driver checks the BIOS manufacturer and the BIOS size in DriverEntry. The functionality of both drivers is otherwise the same.

Code to check for Award BIOS

The rest of the code, which backs up and flashes the BIOS, is in the driver dispatch routine. Graphs showing the code flow of both MyBios and the Niwa rootkit can be seen below.

MyBios code flow

NIWA code flow

What’s interesting is that the strings observed in both malware are almost identical.

MyBios:
This is not an Aword BIOS!

NIWA:
This not an Aword BIOS!

Identical strings:
Flash Aword BIOS form disk c bios.bin success.
SMI_AutoErase Aword Bios Failed.
ExAllocatePool read file NonPagedPool failed.
Backup Aword BIOS to disk c bios.bin success.
MmMapIoSpace physics address:0x%x failed.

It cannot be a coincidence that almost all of the strings are identical (including misspellings and bad grammar). This suggests the same individual or group is behind both of these BIOS-flashing malware families.

McAfee detection and cleaning

McAfee detects this infection as “Niwa!mem” and successfully cleans the MBR infection and deletes all other malicious dropped components.

Conclusion

We have now seen two Bioskit malware families in the wild within a couple of months. When the first Bioskit was identified, we did not know how soon we would see another. Now it appears we should expect to see more in the near future. It is not hard to detect and clean the MBR, but cleaning BIOS infections will be a challenge for security vendors.