Malware burrows deep into computer BIOS to escape AV

Researchers have discovered one of the first pieces of malware ever used in the wild that modifies the software on the motherboard of infected computers to ensure the infection can't be easily eradicated. Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it attacks to add malicious instructions that are …


This topic is closed for new posts.
  1. Microphage

    Rootkit reflashes BIOS of computers it attacks

    I thought NGSCB was supposed to protect against this kind of thing, or making the BIOS read-only. How exactly does this malware get on a non-infected computer in the first place?


    `We still have a while before it starts raining'

    1. BristolBachelor Gold badge

      Through windows sieve ^H^H^H^H^H firewall

    2. Antony Riley

      Root kits require root to be installed (the installer isn't typically considered part of the rootkit).

      Once you have a rootkit installed all bets are off regards any antivirus or operating system protections.

      The only protection against this sort of thing is a jumper setting on the motherboard to enable/disable flashing, which I believe many motherboards used to ship with.

    3. Ross R

      That's what they want you to think. NGSCB/Palladium's purpose is to save Sony the trouble of installing a rootkit on your machine.

    4. Annihilator

      The BIOS can be reflashed from within Windows though - it's how we (legitimately) update the BIOS. It's not hard to envisage a virus taking advantage of this.

      To do it though, the OS has presumably already been compromised though. This is just deep-rooting it further in the system to stand a better chance of survival. It isn't normally seen however as virus writers tend to aim as far and wide as possible, which isn't usually compatible with specific BIOS versions/manufacturers.

      1. fLaMePrOoF

        "To do it though, the OS has presumably already been compromised though"

        Not necessarily so; the delivery system could be nothing more than a maliciously corrupt firmware binary and / or flash utility.

    5. Trygve Henriksen

      My guess is that it masquerades as a WoW goldfarming bot...

    6. Captain Scarlet Silver badge


      Bitlocker for hard drive encryption is the only thing I am aware of that came out of it, thought the rest of it had yet to be implemented.

    7. G2

      quote from that microsoft page: "Much of the NGSCB architecture design is covered by patents, and there will be intellectual property issues to be resolved. "

      this is why that thing is not used much, patents = either increased product costs for manufacturers or exposing themselves to lawsuits.

      the only devices that i know to use it are the game consoles, XBOX, PlayStation and the like, but those are relatively closed and isolated ecosystems where competition in hardware is non-existent, e.g. the only way to get an xbox motherboard is from Microsoft. Same thing is for Sony and playstation motherboards.

  2. ToddRundgren

    swap the ROM

    Surely if a machine did get infected to the point where the machine wouldn't boot, you would buy a new boot rom, install it and voila?

    1. Annihilator

      Oh right

      Piece of piss then.

      I've done a BIOS transplant in the past, but only because I'd accepted the board was dead following a failed flash upgrade. I'd not recommend it as it's very hairy, won't give you the full functionality of the board as it likely resets it to be a "reference" mobo (in the end I got it to the stage where it would boot, barely with massive errors, enough to get to a DOS flash utility, hotswapped the failed chip back in and reflashed the firmware - success rate of 1 in 3 so far)

    2. Anonymous Coward


      Maybe fifteen years ago, but pretty much all of them are surface mounted these days and I don't rate your chances of replacing one of those at home.

      Some machines do, however have a backup BIOS.

      1. Anonymous Coward

        Not that hard, an SMD rework station can be purchased for about 100 quid and it makes changing SMD a doddle...

        It's out of the league of your average home user, but anyone who can wield a soldering iron competently wouldn't struggle.

    3. fLaMePrOoF

      With CIH this was the only way to repair an infected machine without having access to stand-alone EPROM flashing equipment, indeed, I repaired one such dead laptop for a client back in the late nineties by simply sourcing a replacement Phoenix BIOS chip from the manufacturers and dropping it in.

      With this sort of infection though the prognosis is not so grim; as the BIOS re-write does not intentionally trash the EPROM like CIH did, it should still be possible to simply re-flash your BIOS with an official firmware.

  3. MacroRodent

    The only solution

    All computers with updateable bios should have a physical button connected to the write-enable pin of the chip that has to be pressed to allow flashing it, but I guess it would cost too much. Even with this feature, malware might be able to infect the bioses of really stupid users ("remember to press the bios flash button to view our fabulous p*** site"), but they surely would deserve it.

    1. Edwin

      I once had...

      ...a BIOS that required you to confirm a BIOS reprogramming by flashing up a text screen. I'm guessing this feature died because Joe User didn't want his Windows BIOS update utility crashing Win95 every time he updated the BIOS.

      With most BIOS now able to update themselves from a USB drive directly from the configuration screen, I guess it should be possible to reinstate this feature.

  4. Dazed and Confused


    I thought viruses that attacked the BIOS were all the rage back in the 90s so the BIOS implementations took steps to protect themselves. Like popping up a big message on the screen saying the BIOS was being modified and did you want to proceed. Don't say all those lessons have been forgotten.

    As they say,

    The one thing you can learn from history is that people who don't learn from history are doomed to repeat its mistakes.

  5. Anonymous Coward

    BIOS or EFI

    Would be good to know if EFI is affected by this.

    Simple fix though - password lock the BIOS, for anything other than Read activities.

    1. Scott Broukell

      Bios password

      Nice try, and one that I had at first thought would work, but, sadly these can be keylogged from the buffer and hence are not so secure. There are papers by e.g. Jonathan Brossard which demonstrate this.

      IIRC many older Mainboards used to have a setting for a more complete block on bios rom write access.

      1. Rob Dobs

        Keylogged when?

        You have a valid point about the possibility, but the actual likelihood is very low for the common user, and very easy to work around in a corporate environment.

        How often do you need to get into the BIOS for changes, where you would need to type the password? For most machines this would only be during setup, and could certainly be done off-line before the machine is connected to the net and at risk for infection. Common user will never update their bios once PC is working, and corporate environments should already be doing most work on machines off-line.

        Agreed that simple jumper to allow BIOS flash should be common feature as it used to be. Never liked being able to flash bios from windows specifically because of issues like this.

  6. Sceptic Tank Silver badge

    "Because the BIOS is stored on a ROM, or read-only-memory chip, modifications have the potential to render a computer largely inoperable."

    I'm no EE, but how do you reprogram a ROM chip? Didn't they become obsolete like 20 years ago?

    1. Jess

      how do you reprogram a ROM chip? Didn't they become obsolete like 20 years ago?

      Since real ROMs are pretty much obsolete as you point out, the term is now used for things that are actually reprogrammable, but only intended to be reprogrammed for firmware updates.

    2. Anonymous Coward

      Not really...

      The thing you know as a ROM (EEPROM, strictly speaking, but generally known as a ROM), that is to say a large discrete component in a socket on the edge of the motherboard, is no longer there. However, there is a surface mount jobbie that does the same thing. Often the surface mount jobbie has a shadow that can be swapped in; less often, and usually in higher end servers, there is also a read only fallback as well, just in case everything goes badly wrong.

    3. fLaMePrOoF

      EP - ROM DUH!

  7. Steve the Cynic

    CIH did something different.

    Granted, CIH did modify the BIOS, but rather than replacing the BIOS with a hacked-on version so as to be able to reinfect easily, CIH erased the 'boot block', so the machine would not boot.

    To add insult to injury, it also overwrote the first 200MB of the first disk.

    In effect, CIH's modifications to the BIOS were the destructive payload, not the infection mechanism.

    The privilege escalation was moderately clever, and relied on a combination of a security failure in the x86 instruction set - user-mode code can trivially retrieve the base address of the interrupt descriptor table - and a security failure in Win9x - that table is writeable from user-mode code. CIH used this combination to gain access to kernel mode.

  8. LaeMing

    Old skool

    Nothing beats a computer virus like a mechanical obstacle - bringing back a jumper on the BIOS chip's write-enable line would probably be a good idea. (It is not like flashing the BIOS is a frequent event or something generally done by the type of user who never opens their case, and if it was, you could replace the jumper with a rear-panel mini-switch, I guess).

    1. Nigel 11

      Offline AV

      BIOS write-protect jumper or switch, seconded. Best design would be like the reset switch on desktops - you'd have to hold it down while you powered on the system to enable BIOS flashing, and you couldn't accidentally leave it enabled.

      Another insanity is trying to run anti-virus software within a potentially infected and subverted operating system. The right approach would be to boot off a DVD-ROM, download up-to-date virus signatures from the vendor and then scan the disks. Since the on-disk operating system is not active, there is nowhere for a rootkit to hide (except maybe in the BIOS, hence the need for mechanical protection).

      1. SteveK

        "The right approach would be to boot off a DVD-ROM, download up-to-date virus signatures from the vendor and then scan the disks"

        I have a fair rate of students bringing their infected machines in (policy says they must have AV but without admin access to their personal PCs we can't enforce it...), so my solution to this was to create a Windows PE boot image which can be booted via TFTP (or written to CD) and connects to a read-only network share that has SAV32CLI, updated overnight with the virus definitions that our enterprise console has downloaded. Just network-boot the machine and run a disinfect or remove scan with no worries about what is being run, or what the virus is preventing from being accessed.


  9. Anonymous Cowherder

    "How exactly does this malware get on a non-infected computer in the first place."


    Always the bloody users.

  10. Tom 7

    It's time to admit

    that trying to make computing user friendly only makes it virus friendly.

    People are going to have to play in sandboxes AND learn simple security procedures. This may sound onerous to some but when I've managed to explain it to management the response has been 'that's just what we want in the organisation'.

    Getting them to sign exemption forms so they take responsibility when that security is removed from their PCs so they can 'do something operationally sensitive' is another matter.

  11. Rob Moir

    CIH and the BIOS

    Just to be clear, CIH didn't attempt to "infect" a computer's BIOS, just trash it.

    This might sound like "much the same thing" to some people, but in reality it's very difficult. Being able to infect the computer firmware with code that will execute and infect files on the hard disk at each boot has always been one of the virus "holy grails".

  12. Ralthor

    I remember CiH

    Hit me once. Bugger to get rid of. Boot a workable machine, hotswap in buggered bios chip, reflash. What a pain in the ass. The thought occurred to me at the time that machines should be shipping with 2 BIOS ROMs. One of which would be unwritable and used purely to reflash the main BIOS back to factory specs in case of failure.

    1. TeeCee Gold badge

      The thought occurred to others too.

      There are quite a few mobos out there sporting a second, backup bios.

      1. Rob Dobs

        yes but..

        Gigabyte has had this as a common feature on most MBs for many years now.

        However the problem is that one is not read/write and the other read only. Both are read write, and though this virus may not hit both, it would be a minimal task for the virus once booted to update BOTH BIOS to the infected state.

        Again, having a backup BIOS helps in this area, but doesn't solve the problem in general. The second BIOS either has to be READ only or protected by a write enable jumper (that would normally NOT be connected).

  13. Ross R

    "Because the BIOS is stored on a ROM, or read-only-memory chip, modifications have the potential to render a computer largely inoperable."

    Thanks, but I know what ROM stands for. I also know what EEPROM stands for. I even know the difference between the two.

    What I fail to understand is the connection between the type of memory used and rendering the computer largely inoperable. How would a BIOS stored in SRAM fare any better?

  14. Joe Montana


    They should bring back the physical flash enable jumper...

    But there's not just the BIOS to worry about, virtually all of your hardware has a small upgradeable firmware attached to it, video bios, hard drive firmware, even keyboards have firmware... Plenty of places for malicious code to embed themselves.

    1. Nick Ryan Silver badge

      Yep - IIRC viruses have already been found and written on these kind of peripherals. It won't be too long before the (GP)GPU that modern gfx cards sport start to get hit in a main stream manner, and it'll be down to idiot operating systems and "developers" forgetting security entirely and adding features that can be used in an insecure way or can escalate their access across a system.

  15. Anonymous Coward

    Reasonable durability (sale of goods) or foreseeability of breakdown

    in the case of consumer purchases, MIGHT provide a remedy AND an incentive/kick up the bum for the MOBO or system suppliers/mfrs to get their acts together.

    In the USA the contract is all, I gather, although even there they've brought in federal "lemon laws" where stuff just doesn't work - whereas in the UK a clause attempting to absolve the supplier of liability for anything related to virus infections might well be struck out for being unfair/unbalanced/an attempt to avoid responsibilities under SOGA etc.

    1. Anonymous Coward


      It's hardly the responsibility of the manufacturer if you've installed dodgy software which compromises your system.

      That would be like a safe manufacturer being held responsible for your allowing a man in a stripy jumper with a sack saying "swag" into the room with your safe and leaving him there to do what he wants.

  16. launcap Silver badge

    Is it just me?

    .. having flashbacks to the good old BBC Model B with sideways RAM? Putting 'borrowed' ROM images in and then having to wire in a write-protect switch because the sneaky ROM authors started doing write tests in case someone had 'borrowed' their ROM and loaded it into sideways RAM..

  17. Anonymous Coward 15

    Find some way of triggering the emergency boot block, such as deliberately performing a failed flash.

  18. Robert Carnegie Silver badge


    This may be specific to a particular BIOS, but the virus writers don't need me to suggest to them that uploading every additional BIOS found to their evil servers, and downloading a cracked version of any compatible one on file, will let them have lots more fun.

    And once an evil BIOS is running, is there anything that it can't do? Such as hiding itself as well as the virus on disk from anti-virus software?

    As for EFI - yeah, they can probably get us that way, too. Beware of insertable media carrying EFI routines.

  19. Bog witch

    Factually incorrect

    According to the article, the code is loaded onto a ROM - READ ONLY memory. It is, in fact, an EEPROM, Electrically Erasable Programmable Read Only Memory. If it was actually READ ONLY, how would the code write to it?

    Since it's primarily attacking computers in China, will the three-letter agencies claim it is the Chinese Government attempting to monitor its people or will China claim it is an attack by the US and its allies?

    1. Rob Dobs

      depends on who it's infecting most really

      If the "victims" tend to be scientists, military and government officials, heads of corporations and the like, I would look more towards the US (or EU, or Russia, or even more likely... Israel).

      If on the other hand the "victims" are authors, newspaper writers, heads of religious or social groups etc etc, then one would safely assume it's coming from the Chinese hack state.

  20. vincent himpe

    where's me box of soldering irons ?

    that nWP pin is going to get a wire strap to ground...

    (notWriteProtect: a pin on the BIOS chips that, if pulled low, physically blocks the flash chip from being rewritten.) Most motherboards these days use SPI flash chips like 25M90's and alike. These all have such a pin. Some motherboards already have a jumper to tie this pin down.

    Also parallel flash has this.

    1. Scott Broukell


      It's nearly winter in the northern hemisphere - bring on the jumpers ;-)
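Added example, not posted by any commenter: a decoder for the status register of the SPI flash parts the jumper discussion above is about, showing the caveat that grounding nWP/WP# only locks anything when the chip's status-register-protect bit is also set. It assumes the Winbond W25Q-style Status Register-1 layout (close to ST M25P and Macronix MX25L) and a W25Q-style block-protect-to-region mapping with SEC=0 and CMP=0; all register values are constructed samples.

```python
"""Decode an SPI NOR flash Status Register-1 to tell whether a WP# strap
really protects the BIOS region.

Assumed layout (Winbond W25Q style; ST M25P / Macronix MX25L are similar):
bit0 BUSY, bit1 WEL, bits2-4 BP0..BP2, bit5 TB, bit6 SEC, bit7 SRP0.
The BP-level-to-region mapping assumes SEC=0 and CMP=0.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

BUSY, WEL, BP0, BP1, BP2, TB, SEC, SRP0 = (1 << i for i in range(8))


@dataclass
class Protection:
    bp: int                 # block-protect level 0..7
    tb: bool                # True: protect from the bottom of the array, else from the top
    srp0: bool              # status-register-protect bit
    wp_pin_low: bool        # is WP# strapped/jumpered to ground?
    sr_locked: bool         # can software no longer rewrite the status register?
    effective: bool         # is some region protected AND unchangeable by software?
    verdict: str


def protected_range(chip_size: int, bp: int, tb: bool) -> Optional[Tuple[int, int]]:
    """Byte range [start, end) covered by BP level `bp` (assumed W25Q-style mapping:
    level n (1..6) protects 1/2**(7-n) of the array, level 7 protects all of it)."""
    if bp == 0:
        return None
    if bp == 7:
        return (0, chip_size)
    n = chip_size >> (7 - bp)
    return (0, n) if tb else (chip_size - n, chip_size)


def decode_sr1(sr1: int, wp_pin_low: bool) -> Protection:
    bp = (sr1 >> 2) & 0x7
    tb = bool(sr1 & TB)
    srp0 = bool(sr1 & SRP0)
    # Hardware-protected mode needs BOTH SRP0=1 and WP# low: only then is the
    # status register read-only, so the BP bits cannot be cleared by a
    # Write Status Register command.  With SRP0=0 the chip ignores WP#.
    sr_locked = srp0 and wp_pin_low
    effective = bp != 0 and sr_locked
    if bp == 0:
        verdict = "nothing protected: BP bits are clear"
    elif not srp0:
        verdict = "BP set but SRP0=0: software can clear BP; the WP# strap is ignored"
    elif not wp_pin_low:
        verdict = "SRP0=1 but WP# not held low: status register still writable"
    else:
        verdict = "hardware protected: status register locked while WP# stays low"
    return Protection(bp, tb, srp0, wp_pin_low, sr_locked, effective, verdict)


if __name__ == "__main__":
    CHIP = 8 * 1024 * 1024  # constructed: an 8 MiB part
    for sr1, wp_low in ((0x00, True), (0x1C, True), (0x9C, False), (0x9C, True)):
        p = decode_sr1(sr1, wp_low)
        rng = protected_range(CHIP, p.bp, p.tb)
        print(f"SR1=0x{sr1:02X} WP#low={wp_low}: BP={p.bp} range={rng} -> {p.verdict}")
```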

  21. henrydddd


    Since re-flashing the BIOS is a rarely occurring event, why don't motherboard manufacturers put in a switch that has to be set in order for the BIOS to be flashed? End of problem.

  22. NomNomNom


    why don't we just give up on this computer thing?

    1. Jeff from California

      Hmmm… have you ever thought…

      that that "who needs computers, anyway" idea fits in awfully well with the know-nothing-or-even-less attitude being pushed as a replacement for intelligent discourse and debate these days in what used to be the United States? Wouldn't surprise me at all to read some future historian in a few decades paint a convincing case that the Kochs or other corporate minders of the "Tea Party" useful idiots were heavily invested in this sort of thing.

  23. Anonymous Coward

    what's more worrying is the realisation that a suitably virulent strain of malware could destroy millions of PCs by flashing junk to the BIOS. And even if the victim identifies faulty BIOS firmware as the problem, they're unlikely to go to the expense of fixing it. They'd probably go to the far greater expense of buying a new machine. Especially if they use the increasingly popular laptop form factor.

    Time to buy a Mac? LOL.

    1. Rob Dobs

      maybe Stage 1?

      Maybe this is just stage 1 testing phase of either Appull or M$ new national "NOW YOU DAMN WELL HAVE TO BUY A NEW PC" program. Wait and see after the massive crash which one gets more pushy in their advertising :-)

      1. Anonymous Coward


        It is a way to pump and dump Phoenix stock. Who will buy one of these machines that can be infected and become uncleanable (by the typical PC user)? Make the threat seem ominous in spamails and the stock wobbles. Great opportunity for profit that.

        Or, get enough (Award bios/Phoenix) machines in your botnet, and hold them hostage. "Pay me or I blow them aallllll away" (written in Mandarin probably).

  24. InfosecChap

    be cool on the keyboard

    malware infecting the firmware of a keyboard, now that would be most excellent.

    Where do i sign up?

  25. Lars Silver badge

    So I suppose Linux is safe from this attack, or not.

  26. Anonymous Coward

    Did you know that...

    It is possible to flash an Arduino using a sound file saved as a WAV?

    Requires the chip to have a bootloader but there is a way around this problem.

    Shouldn't be too hard to design some hardware that can connect to the relevant pins on a fried BIOS chip and send the appropriate boot code during startup to at least get the machine running.

    Then reflash as normal from bootable media.

    Make a ghetto flash adaptor using Shapelock and salvaged pins from a microSD reader.


  27. Dick Emery

    Ah! This brings back memories of the Compaq BIOS virus.

  28. Anonymous Coward

    "Because the BIOS is stored on a ROM...

    ...modifications have the potential to render a computer largely inoperable."

    This statement is not only false and contradictory with the premise of the whole story (how would a Read-Only chip be subject to modifications?) but it is also not the reason why a BIOS attack can cause such damage.

    Maybe pointing out that if the Basic Input/Output System of a computer is corrupted, it will likely have difficulty accessing storage devices and booting an operating system, would have been more informative (and accurate)?

  29. 2cent


    Dare I suggest, don't allow the BIOS to be updated by software; use a coreboot-standardized, hardware-only startup BIOS, but watch the "payload" file for changes.

    coreboot is a Free Software project aimed at replacing the proprietary BIOS (firmware) found in most computers. coreboot performs a little bit of hardware initialization and then executes additional boot logic, called a payload.

  30. Mike Hocker


    Is it time to actually implement real TCG TPM (Trusted Platform Module) in a systematic way yet? Sadly, even three letter American and UK agency machines are shielded only by security through obscurity though they are trying to improve the situation.

    (it won't help anyone in China though, the Chincom government apparently does not allow the use of TPM, way too subversive and way too conducive to "social unrest" (nightmare bugaboo of bureaucrats in the middle kingdom...)).
