
9/29/2011

[Caution] Malicious file that tampers with the BIOS and MBR found.

1. Introduction

Recently, a malicious file that tampers with the BIOS and MBR has been found, and users need to be careful when using their PCs.
Tampering with the BIOS and MBR can cause continuous re-infection; however, this malicious file has shown no specific symptoms so far and is believed to have been made for testing.
Because a tampered BIOS and MBR are difficult for anti-virus software to treat, we want to explain how to treat them.

* BIOS (Basic Input Output System)
- The primary function of the BIOS is to set up the hardware and to load and start a boot loader. When the PC starts up, the first job of the BIOS is to initialize and identify system devices such as the video display card, keyboard and mouse, hard disk drive, optical disc drive and other hardware.

* MBR (Master Boot Record)
- A master boot record (MBR) is a type of boot sector popularized by the IBM Personal Computer. It consists of a sequence of 512 bytes located at the first sector of a data storage device such as a hard disk. MBRs are usually placed on storage devices intended for use with IBM PC-compatible systems.
  


2. Spreading path and symptoms of infection

The following URL was known as the first spreading source; however, it has now been blocked.


The word "test" in the URL is another reason to believe it was designed for testing.

This malicious file can be downloaded not only from the URL above but also through attachments, messenger, and SNS links.
The recently found malicious file checks the BIOS version of the infected PC. If the BIOS is identified as an Award BIOS, it will try to tamper with the MBR.

The following figure shows the files generated by this malicious file and the infection information of the tampered BIOS/MBR.


  
* Generated files

* Order of creation

A. C:\bios.sys
      Checks the status of the Award BIOS

B. C:\bios.sys1, C:\bios.sys2
      Loaded as a service in place of beep.sys and then removed.

C. C:\my.sys
      Hooks IRP_MJ_READ, IRP_MJ_WRITE, IRP_MJ_DEVICE_CONTROL, and so on.
      Includes rootkit code
      Protects the tampered MBR

D. (User temporary folder)\bios.bin
      Saves the information of the normal BIOS at the time of infection

E. (User temporary folder)\cbrom.exe (normal file)
      If the BIOS is not yet infected, adds the malicious ROM file to the ISA ROM

F. (User temporary folder)\hook.rom
      Can perform malicious behavior when the BIOS with the infected ISA ROM is running

* (User temporary folder) is generally "C:\Documents and Settings\(User account)\Local Settings\Temp".

* ISA(Industry Standard Architecture)
Industry Standard Architecture (ISA) is a computer bus standard for IBM PC compatible computers introduced with the IBM Personal Computer to support its Intel 8088 microprocessor's 8-bit external data bus and extended to 16 bits for the IBM Personal Computer/AT's Intel 80286 processor.
   http://en.wikipedia.org/wiki/Industry_Standard_Architecture

* Procedure details

* Create bios.sys / Check the status of the Award BIOS / Case where it is not an Award BIOS

Upon infection, bios.sys is created first.
After bios.sys has been created, the following infection procedure takes place.

[Created bios.sys1 / bios.sys2 files]
 - bios.sys1
 - bios.sys2
 - These files are loaded and deleted in place of beep.sys, and beep.sys is then restored.

After that, bios.sys checks whether the infected PC's BIOS is an Award BIOS or not. (If it is not an Award BIOS, the same infection symptoms still appear.) If it is an Award BIOS, bios.sys finds the SMI_PORT and sets the size of the BIOS.


* Process of creating bios.bin and my.sys

bios.sys drops my.sys and saves the current BIOS information to bios.bin.
It then tries to add hook.rom to bios.bin if "hook.rom" is absent from the saved BIOS information.

* Process of creating cbrom.exe and hook.rom / BIOS infection

In this step, the cbrom.exe tool is generated, and it inserts hook.rom into the ISA ROM using the /isa parameter, as shown in the following figure.



At this point, the BIOS is infected.

* Process of tampering with the MBR

Along with infecting the BIOS, the host file can tamper with the MBR. It saves the normal MBR to a certain sector as a backup.

The following figure shows the normal MBR value being extracted before it is saved to sector 7.



Afterwards, it tampers with the normal MBR.


The values of the normal and malicious MBR can be seen below.


[Normal MBR]

[Tampered MBR]

* Infection symptoms of my.sys

The additionally created my.sys file is known to hook IRP_MJ_READ, IRP_MJ_WRITE, and IRP_MJ_DEVICE_CONTROL. It is implemented to protect the tampered MBR from modification.

Through the Device_Object structure it locates the Driver_Object, and it contains stealth function code that controls call results by running the rootkit code first.


  
Once infection by this malicious file is complete, "Find it OK" appears on boot.



The sentence "Find it OK" that is printed is located in the tampered MBR.
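As an added detection example (not code from the advisory or from INCA Internet), the following Python script shows how a responder can inspect the MBR described in the two passages above: it splits a 512-byte sector into boot code, partition table and boot signature, looks for the "Find it OK" marker the advisory reports inside the tampered MBR, compares the sector against a known-good copy, and scans the first sectors of a disk image for the backed-up original MBR that the advisory says is written to sector 7. The sample MBRs and the 8-sector disk image are constructed stand-ins, not bytes taken from the real sample; the partition entry values and the clean boot-code bytes are assumptions made for illustration.

```python
import struct
from typing import List, Optional

MBR_SIZE = 512
BOOT_CODE_SIZE = 446           # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"        # boot signature at bytes 510..511
MARKER = b"Find it OK"         # string the advisory reports inside the tampered MBR


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (little-endian layout)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, partition entries and a signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(sector[start:start + PARTITION_ENTRY_SIZE]))
    return {"boot_code": sector[:BOOT_CODE_SIZE],
            "partitions": entries,
            "valid_signature": sector[510:512] == SIGNATURE}


def inspect_mbr(sector: bytes, known_good: Optional[bytes] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    parsed = parse_mbr(sector)
    if not parsed["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if MARKER in parsed["boot_code"]:
        findings.append("boot code contains marker string 'Find it OK'")
    if known_good is not None:
        if parsed["boot_code"] != known_good[:BOOT_CODE_SIZE]:
            findings.append("boot code differs from known-good copy")
        if sector[PARTITION_TABLE_OFFSET:510] != known_good[PARTITION_TABLE_OFFSET:510]:
            findings.append("partition table differs from known-good copy")
    return findings


def find_backup_candidates(image: bytes, max_sectors: int = 64) -> List[int]:
    """Scan the first sectors of a disk image for a copy of the original MBR.

    The advisory says the original MBR is saved to sector 7 before sector 0 is
    overwritten. A backup candidate is any early sector that carries the boot
    signature and the same partition table as sector 0 but different boot code.
    """
    sector0 = image[:MBR_SIZE]
    table0 = sector0[PARTITION_TABLE_OFFSET:510]
    hits = []
    for i in range(1, min(max_sectors, len(image) // MBR_SIZE)):
        s = image[i * MBR_SIZE:(i + 1) * MBR_SIZE]
        if (s[510:512] == SIGNATURE
                and s[PARTITION_TABLE_OFFSET:510] == table0
                and s[:BOOT_CODE_SIZE] != sector0[:BOOT_CODE_SIZE]):
            hits.append(i)
    return hits


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: one bootable NTFS (type 0x07) partition at LBA 63 (assumed values)."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 20964762)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return code + table + SIGNATURE


# Constructed stand-ins for the figures in the advisory (not bytes from the real sample):
# the clean boot code carries a typical loader error string, the tampered one
# carries the "Find it OK" marker the advisory reports.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"Invalid partition table")
TAMPERED_MBR = build_sample_mbr(b"\xeb\x10" + MARKER + b"\r\n\x00")
# Constructed 8-sector disk image: tampered MBR in sector 0, clean copy in sector 7.
SAMPLE_IMAGE = TAMPERED_MBR + b"\x00" * (MBR_SIZE * 6) + CLEAN_MBR

if __name__ == "__main__":
    print("clean   :", inspect_mbr(CLEAN_MBR) or "no findings")
    print("tampered:", inspect_mbr(TAMPERED_MBR, known_good=CLEAN_MBR))
    print("backup candidate sectors:", find_backup_candidates(SAMPLE_IMAGE))
```

To use this on a real system, read the first few sectors of a forensic disk image (or the raw disk, from a clean boot environment) with `open(path, "rb")`, pass the first 512 bytes to `inspect_mbr`, and supply a known-good MBR taken from a clean installation of the same machine as `known_good`. Because my.sys hooks IRP_MJ_READ on the infected system, sector reads made from inside the running, infected OS may return the original MBR rather than the tampered one, so the check is only reliable from offline media.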



3. How to recover the BIOS and MBR manually

Once infected by the malicious file above, with the BIOS and MBR tampered, complete treatment can be difficult. If infected, you can recover your PC with the following procedures.


* Recover the BIOS manually

The easiest way to recover a tampered BIOS is to use the BIOS update module provided by its manufacturer.
The following guide is one example, using GIGABYTE's BIOS update module.



* How to recover the MBR

If the MBR was tampered with, the "Windows Installation CD" can be used as follows.

1. Boot from the "Windows installation CD" and go to recovery mode.



2. Choose the directory to recover, type "fixmbr" and press Enter. This creates a new MBR.

"Find it OK" no longer appears, and manual recovery is complete.

4. How to prevent

Due to the nature of the BIOS and MBR, complete treatment by anti-virus software is difficult.
To use your PC safely against the security threats of such malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep the engine updated, and use the real-time detection function.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment for malicious files such as the one described above with "nProtect Anti-Virus/Spyware" and runs a response system against various security threats.

Diagnosis name

 - Trojan/W32.Agent.130048.IS
 - Trojan/W32.Small.5632.DS
 - Trojan.Generic.KDV.354955

1 comment:

  1. Nice, accurate and to the point. Not everyone can provide information with proper flow.
