BIOS Malware in the Wild

In a blog post by Marco Giuliani it’s been revealed that a new type of malware targeting your computer’s BIOS is in the wild. Termed ‘Mebromi’ by researchers, it’s one of the rarer types of malware in that it digs to the deepest levels of your PC, making it extremely difficult to find and potentially dangerous to remove.

What’s the Big Deal?

The problem with BIOS malware is how deep it goes. Think of your computer as a stack of blocks. On top is what is called user space. This is where most of your programs sit. When you run Internet Explorer, Outlook, Photoshop or almost any other program, it is running in user space. Think of this layer as “you”: it is where programs have only the abilities that you yourself have on the computer. Removing malware at this level can be irksome but is usually manageable. That’s not to say that user space malware isn’t dangerous. After all, the most valuable items on your computer are your files, and user space malware is fully capable of deleting all of your important data or shipping it off somewhere, so it’s best not to take it lightly. Still, it’s also among the easiest to detect and remove.

The next block down is the operating system. If you are running Windows or OS X or Linux, this is where it runs. For the most part, anything run at the OS level is capable of altering pretty much anything on your system and can, as you would imagine, cause considerable damage. If malware is running as part of the OS, it is capable of masquerading as legitimate processes and altering system calls, which can make it very difficult to detect. Anti-malware vendors have developed sophisticated methods of detecting OS level malware, but because of the power at its disposal it can be very difficult to remove completely.

Another block down we find MBR malware, or rootkits. Each hard drive has a special location, the master boot record (MBR), where the computer first looks for code to start running. When the computer starts, it finds this location, loads the code and starts executing it. This code typically directs the computer to search another spot, load that code and start booting the actual operating system (Windows, OS X and so on). If malware takes command of this boot sector, it can make sure it gets loaded before the operating system is loaded. Moreover, even if anti-malware software cleans the infection from the OS or from user space, the next time the computer boots it will become infected again. Because of this ability to survive many types of cleaning and reinfect on reboot, rootkits are extremely difficult to detect and remove and will sometimes require additional effort to clean.
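As an added illustration of the boot-sector check a defender would run (example code written for this post, not from the original article or from Giuliani’s analysis): it parses a 512-byte MBR and compares the bootstrap code against a hash taken when the machine was known to be clean, which is exactly the part a boot-sector rootkit must change to get control before the OS. All sector contents and hashes below are constructed for the example.

```python
"""Parse a 512-byte MBR and compare its bootstrap code with a known-good hash.

A boot-sector rootkit has to change the 446 bytes of bootstrap code (or the
partition table) to run before the OS; hashing those bytes against a baseline
taken when the machine was clean flags that change on every check.
All sector contents below are constructed for this example.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_SIZE = 446                  # bootstrap code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Return the bootstrap-code hash and the in-use partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = CODE_SIZE + 16 * i  # four 16-byte entries follow the code
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype != 0:            # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:CODE_SIZE]).hexdigest(),
            "partitions": partitions}

def check_mbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    info = parse_mbr(sector)
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one bootable partition, found {len(bootable)}")
    return findings

def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sample: given bootstrap bytes plus one bootable NTFS-type partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48  # remaining three entries unused
    return code.ljust(CODE_SIZE, b"\x00") + table + BOOT_SIGNATURE

CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # constructed "known-good" code
BASELINE = parse_mbr(CLEAN_MBR)["code_sha256"]                      # recorded while clean
TAMPERED_MBR = build_sample_mbr(b"\xeb\x00" + b"\x90" * 6)          # constructed: code replaced

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a real machine the sector would be read from the first 512 bytes of the boot disk with administrator rights, and the baseline hash stored somewhere the OS-level malware cannot rewrite.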

The final block in the stack is the BIOS, and this is where BIOS malware lives. BIOS malware infects the computer not on the hard drive but on a special chip called the BIOS. The BIOS chip actually gets invoked before the hard drive comes into play: as the boot sector is to the hard drive, the BIOS is to the whole computer. Why would such a critical piece of the computer be open to being overwritten with malware? Because sometimes bug fixes are needed. BIOS is just a program like any other, albeit a very low level one, and it is critical to the proper functioning of your computer. If a vendor determines there is a bug, they can provide a BIOS update which is then used to “flash” the BIOS and apply the changes. It is this mutability that leaves it open to tampering by malware. What makes BIOS malware particularly insidious isn’t just that it is loaded at such a low level that it is extremely hard to detect and counter, but that removing it could be very damaging to your computer. Overwriting your BIOS to eliminate the malware, if done improperly, could leave your computer unable to boot until the BIOS is reflashed with a properly functioning image.

How to Block this BIOS Malware

The way this malware infects your machine starts off just like any other malware attack vector. It has to be introduced to your system from somewhere else, perhaps in a download or attachment which you run, perhaps incidentally from an infected webpage you visit. The payload then has to get past any anti-malware applications you have running and defeat any security measures the operating system has in place. Only once those hurdles are cleared can it do its dirty work. That said, those hurdles are only as high as you make them. If you use an old or unpatched operating system or do not keep your security measures up to date, you are leaving yourself open to attack. In all cases, your best line of defense is to compute responsibly and remain aware while using your PC.

Image by Salvatore Vuono