Mebromi: the virus that replaces your BIOS

Viruses (and other malware) capable of attacking the BIOS have been talked about for years, but apart from CIH/Chernobyl in the '90s, nothing really effective had appeared (fortunately). That is no longer the case: a new piece of malware, Mebromi, actually uses the computer's BIOS as a vector of spread.

Unlike CIH, which completely erased the computer's BIOS, Mebromi modifies it in order to remain on the computer even if the hard disk is formatted or replaced. The operation is quite simple: the program saves the BIOS, changes some internal routines and then flashes the new BIOS, all without anything visible to the user. Once this is done, it automatically infects the MBR (which is the map of the partitions on the hard disk).

Fortunately, Mebromi has a few limitations. First, it only targets Award-type BIOSes, so AMI, Phoenix and other UEFI firmware are not vulnerable. Second, it only works on 32-bit Windows systems, and only from administrator accounts. Finally, since the program infects the MBR, hard drives that use a different partition scheme are not vulnerable.

One problem remains: disinfection. The classic full format has no effect, so it is necessary to flash the BIOS with a "clean" version, in the hope that one exists...
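Because the infection ends up in the MBR and disks with another partition scheme are not affected, a read-only check on a saved copy of a disk's first sector is a useful baseline. The following is an added example, not part of the original post: it classifies sector 0 as classic MBR or GPT (protective MBR entry) and fingerprints the boot code so a later change can be detected. The function names and the sample sectors are constructed for illustration.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # bootstrap code area at the start of sector 0
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
GPT_PROTECTIVE = 0xEE     # partition type used by a GPT protective MBR


def inspect_sector0(sector: bytes) -> dict:
    """Classify a copy of sector 0 and fingerprint its boot code."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need the full 512-byte first sector")
    if sector[510:512] != b"\x55\xaa":
        return {"scheme": "unknown", "types": [], "boot_sha256": None}
    # Byte 4 of each 16-byte entry is the partition type; 0 means unused.
    types = [sector[PART_TABLE_OFF + 16 * i + 4] for i in range(4)]
    types = [t for t in types if t != 0]
    scheme = "gpt" if GPT_PROTECTIVE in types else "mbr"
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"scheme": scheme, "types": types, "boot_sha256": digest}


def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot code no longer matches the recorded baseline."""
    return inspect_sector0(sector)["boot_sha256"] != baseline_sha256


def make_sample_sector(boot_code: bytes, part_types: list) -> bytes:
    """Build a constructed sector 0 for the demo (not a real disk image)."""
    buf = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    buf[:len(code)] = code
    for i, ptype in enumerate(part_types[:4]):
        buf[PART_TABLE_OFF + 16 * i + 4] = ptype
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


if __name__ == "__main__":
    # Constructed samples: a baseline MBR, the same disk with different
    # boot code, and a disk carrying a GPT protective entry.
    clean = make_sample_sector(b"\xfa\x33\xc0" + b"\x90" * 20, [0x07])
    baseline = inspect_sector0(clean)["boot_sha256"]
    altered = make_sample_sector(b"\xeb\x3c\x90" + b"\x90" * 20, [0x07])
    gpt = make_sample_sector(b"", [GPT_PROTECTIVE])
    for name, s in (("clean", clean), ("altered", altered), ("gpt", gpt)):
        print(name, inspect_sector0(s)["scheme"], boot_code_changed(s, baseline))
```

Record the baseline hash from a known-good state and store it off the machine; a mismatch that returns after the MBR has been rewritten points to something below the disk restoring it.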
