![]() This suggests the same individual or group is behind both of these BIOS-flashing malware. It cannot be a coincidence that almost all of the strings are identical (including misspellings and bad grammar). MmMapIoSpace physics address:0x%x failed. What’s interesting is that the strings observed in both malware are almost identical.įlash Aword BIOS form disk c bios.bin success.ĮxAllocatePool read file NonPagedPool failed.īackup Aword BIOS to disk c bios.bin success. A graph showing the code flow of both MyBios and the Niwa rootkit can be seen below. The rest of the code responsible for backing up and flashing the BIOS is present in the driver dispatch. ![]() However, the functionality of both the drivers remains the same. Unlike bios.sys, the code to check the BIOS manufacturer and the BIOS size is present in the DriverEntry. The sys file responsible for flashing the BIOS is similar to the one seen in MyBios. The original MBR at 7c00 after the interruptĪll the components dropped will be present in the DLL, including the utility cbrom.exe from the BIOS manufacturer, which the malware uses to flash the BIOS. The malicious MBR at 7c00 before the interrupt Usually the boot sector is read to this memory location in a clean system after the power-on self-test and INT 19 jumps to location 0000:7c00. Control passes to the original MBR at this location and the system boots in the normal way. The next two screens show the malicious MBR code, which reads the original MBR from Sector 15 into memory at location 0000:7c00. The downloader is dropped and executed every time the system is started. The DLL copies itself to the Recycle folder and deletes itself. The malware overwrites the original MBR in sector 0 and writes the file to be dropped (the downloader) in hidden sectors. It reads the original MBR from Sector 0 and writes it to Sector 15. ![]() The malware’s main dropper is a DLL that is responsible for the MBR infection. ![]() ![]() We will discuss the second variant in this blog. The first variant of the malware was an executable that infected the MBR the second was a DLL with the Bioskit component. Further investigation showed that the next variant of the malware was a Bioskit. We found a sample in our collection that infected the MBR. We have seen a lot of samples targeting the master boot record (MBR) to survive a reboot and reinfect a system. It was first discovered by a Chinese security company many other security vendors published detailed analyses after that. MyBios was the first malware to successfully infect the Award BIOS and survive the reboot. We have seen many discussions of the MyBios “Bioskit” discovered at the end of 2011. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |