BIOS Rootkit Infects China

Malware, such as viruses and worms, typically infect systems in user space, where applications run. A few dig deeper, infecting the system's kernel; these are called rootkits. A new piece of malware digs even deeper, infecting systems before the operating system even loads.

Dubbed "BMW virus" by Chinese antivirus vendor Qihoo 360, a new rootkit successfully infects key areas of a computer system: the BIOS (at the moment, only Award BIOS is affected), the Master Boot Record (MBR), and key Windows files. Symptoms of infection include the phrase "Find it OK" on the screen at start up, an antivirus warning of a "Hard Drive Boot Sector Virus", and a browser home page redirect to (which does not point to an active web site). Infection vectors include a compromised game download, after which a system restart is required. BMW appears to be limited to China.

The BIOS or Basic Input/Output System is stored on a ROM and is responsible for loading and checking the hardware for the system in advance of loading the operating system. Failure to "boot" the system from the BIOS generally means failure of the system.

While infection at this level may seem novel, there has been other BIOS malware. In the 1990s CIH/Chernobyl required the motherboard of infected systems to be replaced. More recently, in 2007, the ICELord BIOS rootkit affected only Award BIOS systems. ICELord may have been the basis for the new BMW rootkit.

From Webroot:

Storing the malicious code inside the BIOS ROM could actually become more than just a problem for security software, given the fact that even if an antivirus detects and cleans the MBR infection, it will be restored at the next system startup when the malicious BIOS payload would overwrite the MBR code again. Developing an antivirus utility able to clean the BIOS code is a challenge, because it needs to be totally error-proof, to avoid rendering the system unbootable at all. The job of handling such specific system codes should be left to the developers of the specific motherboard model, who release BIOS updates along with a specific tool to update the BIOS code.

On the other hand, although this kind of infection is potentially one of the most persistent infections known out there in the wild, it will hardly become a major threat because of the level of complexity needed to achieve the goal. While a kernel mode infection or an MBR infection could still work in a generic way among all the PCs out there – and they still have a huge available free space to play with, a BIOS-based rootkit needs to be fully compatible with all major BIOS ROMs out there, it should be able to infect all the different releases of Award, Phoenix, AMI BIOS's out there; a level of complexity that is simply unasked for writing a good persistent infection (e.g. TDL rootkit, various Rustock releases, ZeroAccess rootkit among all). In fact, why is Mebromi only targeting Award BIOS ROM? Perhaps because there was already a known proof of concept that is 5 years old targeting Award BIOS ROM available online.
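The persistence loop the Webroot quote describes (antivirus restores the MBR, the BIOS payload rewrites it at the next boot) is exactly why an MBR clean-up that is not paired with integrity monitoring gives a false sense of safety. The following is an added example, not code from the original article, Webroot, or Qihoo 360: it parses a 512-byte MBR image, hashes the boot code region, and compares it against a known-good baseline across simulated boots, so that a defender can see the re-infection drift rather than only a one-off detection. The MBR images and the "BIOS payload" that rewrites the boot code are constructed sample data; nothing here touches a real disk or firmware.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # boot code region before the 4-byte disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"     # trailing MBR boot signature

# Constructed sample partition table: one bootable type-0x07 partition,
# LBA start 2048, 204800 sectors. Shared by every sample MBR so that only
# the boot code region differs between "clean" and "rewritten" images.
_SAMPLE_PART1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                            b"\xfe\xff\xff", 2048, 204800)
_SAMPLE_TABLE = _SAMPLE_PART1 + b"\x00" * 48
_SAMPLE_DISK_SIG = b"\x12\x34\x56\x78" + b"\x00\x00"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed 512-byte MBR image around the given boot code."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    return code + _SAMPLE_DISK_SIG + _SAMPLE_TABLE + BOOT_SIG


def parse_mbr(mbr: bytes) -> dict:
    """Validate the MBR layout and return the boot code hash plus partition entries."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != BOOT_SIG:
        raise ValueError("not a valid 512-byte MBR image with 0x55AA signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype:  # type 0x00 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_against_baseline(mbr: bytes, baseline_hash: str) -> bool:
    """True when the boot code still matches the recorded known-good hash."""
    return parse_mbr(mbr)["boot_code_sha256"] == baseline_hash


def simulate_reinfection_cycle(clean_mbr: bytes, payload_mbr: bytes) -> list:
    """Model the loop from the quote: boot (BIOS payload rewrites boot code),
    antivirus restores the clean MBR, next boot rewrites it again.
    Returns the baseline check result after each step."""
    baseline = parse_mbr(clean_mbr)["boot_code_sha256"]
    disk = bytearray(clean_mbr)
    results = []

    # Boot 1: simulated BIOS payload overwrites only the boot code region.
    disk[:BOOT_CODE_LEN] = payload_mbr[:BOOT_CODE_LEN]
    results.append(check_against_baseline(bytes(disk), baseline))

    # Antivirus "cleans" by restoring the known-good MBR image.
    disk[:] = clean_mbr
    results.append(check_against_baseline(bytes(disk), baseline))

    # Boot 2: the payload in firmware is untouched, so the rewrite recurs.
    disk[:BOOT_CODE_LEN] = payload_mbr[:BOOT_CODE_LEN]
    results.append(check_against_baseline(bytes(disk), baseline))
    return results


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xeb\x3c\x90CLEAN-BOOT-CODE")      # constructed
    rewritten = build_sample_mbr(b"\xeb\x3c\x90REWRITTEN-CODE")   # constructed
    print(parse_mbr(clean)["partitions"])
    print(simulate_reinfection_cycle(clean, rewritten))  # [False, True, False]
```

The pattern [False, True, False] is the signal a defender should act on: a boot code hash that returns to a bad state after a clean-up points at a persistence layer below the MBR, which is the case for re-imaging firmware with the motherboard vendor's own update tool rather than repeating the MBR restore.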

The original Chinese write up from Qihoo 360 contains more detail.