
By Anish Shanmugasundaram and Yashwanth Sainath Jammi

Presentation transcript:

1

2 By Anish Shanmugasundaram and Yashwanth Sainath Jammi

3
- Software that enables continued privileged access to a computer.
- Originally designed for Unix systems.
- Hides its presence from administrators by subverting standard operating system functionality or other applications.
- The attacker needs root-level access to install a rootkit.

4
- It targets BIOS (basic input/output system) ROMs.
- BIOS: the firmware responsible for booting up a computer.
- First malware since IceLord that targets the BIOS.
- Attacks only BIOS ROMs made by Award.
- Exclusively targets Chinese users protected by the Chinese security products Rising Antivirus and Jiangmin KV Antivirus.
- Designed to evade anti-virus detection.

5
- Consists of a BIOS rootkit, an MBR (master boot record) rootkit, a kernel-mode rootkit, a portable executable (PE) file infector and a Trojan downloader.
- Adds malicious instructions that are executed early in the computer's boot-up sequence, reflashing the BIOS of the computer it attacks.
- To gain access to the BIOS, the infection first needs to be loaded in kernel mode so that it can access physical memory.

6
- The malware can extract and load the flash.dll library, which in turn loads the bios.sys driver.
- It can also load itself by:
  - stopping the beep.sys service,
  - overwriting the beep.sys driver with its own bios.sys code,
  - restarting the service, and
  - restoring the original beep.sys code afterwards.

7
- The job of the MBR code ends here, after loading the infection.
- When Windows starts up, it loads the patched executable.
- The payload then self-decrypts its malicious code and loads the my.sys driver into memory.
- It then contacts web pages to download additional infections.

8

9
- Google and Yahoo web pages are redirected.
- Desktop background image and browser homepage settings are changed.
- Slows down the computer and the internet connection.
- Corrupts the Windows registry and can cause unwanted pop-up ads.
- It can cause a computer crash.
- It may contain keyloggers, software used to steal sensitive data such as passwords, bank account and credit card information.

10
- The first step in preventing a Mebromi rootkit infection is to run the system as a less privileged user.
- Run the command sc lock at the Command Prompt.
- Use a HIPS (host-based intrusion prevention system) tool such as AntiHook.
- Firewall all networks.
- Monitor all log files.

11
- Detection is difficult because the rootkit is designed to hide its existence.
- Applications that can be used to detect rootkits:
  - Tripwire and AIDE
  - chkrootkit
  - LSMO
  - KSTAT
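As an added illustration, not part of the presentation, here is a minimal Tripwire/AIDE-style integrity check in Python: it baselines the hashes of the files in a driver directory and then flags exactly the changes slide 6 describes, the beep.sys driver being overwritten and a bios.sys artifact appearing. The directory and file contents are constructed for the demo; no real driver is touched.

```python
"""Tripwire/AIDE-style baseline-and-compare for the driver files Mebromi tampers with."""
import hashlib
import os
import tempfile

# Names taken from the presentation: the driver that is overwritten and the dropped files.
WATCHED = ("beep.sys",)
KNOWN_ARTIFACTS = ("bios.sys", "my.sys", "flash.dll")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory):
    """Hash every regular file in `directory`; run this while the system is known clean."""
    return {name: sha256_of(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, name))}


def compare(directory, baseline):
    """Return (modified, added, removed) file names relative to the stored baseline."""
    current = build_baseline(directory)
    modified = sorted(n for n in baseline if n in current and current[n] != baseline[n])
    added = sorted(n for n in current if n not in baseline)
    removed = sorted(n for n in baseline if n not in current)
    return modified, added, removed


def suspicious(modified, added):
    """Pick out the presentation's specific indicators among the differences."""
    return sorted((set(modified) & set(WATCHED)) | (set(added) & set(KNOWN_ARTIFACTS)))


def demo():
    """Constructed scenario: beep.sys is overwritten and bios.sys is dropped (temp dir only)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "beep.sys"), "wb") as f:
            f.write(b"original beep driver")          # constructed placeholder content
        with open(os.path.join(d, "ntfs.sys"), "wb") as f:
            f.write(b"untouched driver")
        baseline = build_baseline(d)
        with open(os.path.join(d, "beep.sys"), "wb") as f:
            f.write(b"bios.sys code written over beep.sys")   # the swap from slide 6
        with open(os.path.join(d, "bios.sys"), "wb") as f:
            f.write(b"dropped driver")
        modified, added, removed = compare(d, baseline)
        return modified, added, removed, suspicious(modified, added)
```

Because slide 12 notes that the BIOS payload re-infects the MBR on every boot, store the baseline off the host and run the comparison from trusted rescue media rather than from the possibly infected system.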

12
- Even if an anti-virus product can detect and clean the MBR infection, the infection will be restored at the next system start-up, when the malicious BIOS payload overwrites the MBR code again.
- Developing an anti-virus utility able to clean the BIOS code is a challenge because it needs to be totally error-proof to avoid rendering the system unbootable.
- Thus rebuilding the system would be the best bet to remove the infection.

13
- Mebromi is not designed to infect 64-bit operating systems.
- It cannot infect a system if it runs with reduced privileges.
- To spread widely it would have to infect all the different releases and updates of Award, Phoenix and AMI BIOSes, which involves a high level of complexity.

14 THANK YOU


