Author: Vitaly Kiktenko, Design and Test Lab
In recent weeks a new rootkit that is able to infect the system BIOS was discovered (Rootkit.Win32.Mybios.a). The initial code of this malware is executed as part of the BIOS boot code loaded from the motherboard ROM, which is the earliest point in system startup at which malware has been seen to run so far. This malware infects AwardBIOS systems that have the AWDFLASH software embedded in the BIOS. Although the main code of this rootkit still resides in the MBR and acts as an ordinary bootkit, the ROM code contains a self-regeneration routine for the malware that the BIOS invokes after each system reboot, which makes disinfecting the system more challenging. The rootkit uses the SMI port to rewrite the BIOS, using the configuration of the BIOS-embedded AWDFLASH software. The malware dropper also carries the legitimate utility CBROM, which was developed by Phoenix Technologies and is commonly used by hardware vendors to customize the BIOS code for their products. The malware uses this utility to embed its own module into the victim's BIOS as an ISA ROM BIOS extension. The code in the BIOS checks the boot drive's MBR for the bootkit code and rewrites it from a backup stored in the BIOS.

This kind of malware does not seem to be widespread for now, but it may become common in the future with the development of generic system management interfaces for firmware updates.
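As an added example (not code from the original article), the following Python script enumerates legacy option ROM headers in a dump of the expansion ROM region (C0000h-EFFFFh) and flags any ROM that is not in a baseline recorded on a known-clean system or that fails its checksum. It assumes an embedded ISA extension is presented to the BIOS as a standard 55AAh option ROM; the dump, the ROM bodies and the baseline below are constructed test data.

```python
"""Enumerate legacy option ROM (55AAh) headers in a dump of the expansion
ROM region and flag ROMs absent from a known-good baseline."""
import hashlib

OPTION_ROM_SIG = b"\x55\xAA"
BLOCK = 512          # the size field at offset 2 counts 512-byte units
ALIGN = 2048         # legacy option ROMs start on 2 KiB boundaries
REGION_BASE = 0xC0000

def parse_option_roms(image, base=REGION_BASE):
    """Return one dict per option ROM header found in `image`."""
    roms, off = [], 0
    while off + 3 <= len(image):
        if image[off:off + 2] == OPTION_ROM_SIG and image[off + 2] > 0:
            size = image[off + 2] * BLOCK
            body = image[off:off + size]
            roms.append({
                "addr": base + off,
                "size": size,
                # A well-formed ROM sums to zero mod 256 over its declared length.
                "checksum_ok": len(body) == size and sum(body) % 256 == 0,
                "sha256": hashlib.sha256(body).hexdigest(),
            })
            off += size
        else:
            off += ALIGN
        off = -(-off // ALIGN) * ALIGN  # round up to the next 2 KiB boundary
    return roms

def unexpected_roms(roms, baseline):
    """ROMs not seen on the clean reference system, or with a bad checksum."""
    return [r for r in roms
            if r["sha256"] not in baseline or not r["checksum_ok"]]

def make_rom(entry_code, blocks=1):
    """Constructed minimal option ROM with a balancing checksum byte."""
    rom = bytearray(OPTION_ROM_SIG + bytes([blocks]) + entry_code)
    rom += bytes(blocks * BLOCK - len(rom))
    rom[-1] = (-sum(rom[:-1])) % 256
    return bytes(rom)

def build_sample_image():
    """Constructed 192 KiB dump: a baseline ROM at C0000h, an unknown ROM
    at C8000h, and a ROM at D0000h whose entry byte was altered after the
    checksum was computed. Returns (image, baseline hashes)."""
    image = bytearray(0x30000)
    known = make_rom(b"\xCB")                    # entry: far return
    image[0x00000:0x00200] = known
    image[0x08000:0x08200] = make_rom(b"\xEB\xFE")  # entry: jmp $
    damaged = bytearray(make_rom(b"\xCB", blocks=2))
    damaged[3] ^= 0xFF                           # checksum no longer balances
    image[0x10000:0x10400] = damaged
    return bytes(image), {hashlib.sha256(known).hexdigest()}
```

Running `unexpected_roms(parse_option_roms(image), baseline)` on the constructed dump reports the ROMs at C8000h and D0000h while the baseline ROM at C0000h is silent, which is the behaviour a periodic post-boot check would rely on.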