[WawaSeb]

Hello,

Is it possible to find the BIOS-FLASHING somewhere (Mebromi) : http://blogs.norman.com/2011/malware-de ... ing-trojan ?

Best regards,

[EP_X0FF]

Hello,

Is it possible to find the BIOS-FLASHING somewhere (Mebromi) : http://blogs.norman.com/2011/malware-de ... ing-trojan ?

Best regards,

This is Trojan:WinNT/Bioskit.A

I need to ask for permission to share this sample, or you can get it from somebody else.

edit:
Here are the hashes for components.

http://www.virustotal.com/file-scan/rep ... 1315469744
http://www.virustotal.com/file-scan/rep ... 1315454105
http://www.virustotal.com/file-scan/rep ... 1315469775

[sww]

Will post a detailed article (as always) in a near future. God damit, i'm too slow... :evil:

[WawaSeb]

Thanks EP_X0FF for alias and VT links.
;)

[erikloman]

The possible dropper from our Cloud (see attachment).

Found it thanks to EP_X0FF hash:
http://www.virustotal.com/file-scan/rep ... 1315454105

[shaheen]

http://blogs.norman.com/2011/malware-de ... ing-trojan

Looks very interesting. Has anyone been able to grab a sample and test it. I wonder if it will work in a VM and will not escape from it.

[Evilcry]

Hi,

Mebromi or Mybios/Bioskit is crap, basically only a Cut&Paste from IceLord Rootkit, nothing special :)

No VM Escape.

Regards,
Evilcry

[frank_boldewin]

i wasn't impressed by this stuff either. nothing new in bios.sys icelord hasn't shown us some years ago.
further the norman analysis misses to go into detail how exactly the hook.rom works which gets flashed.

[cjbi]

Not interested.
This is just variant of Rootkit IceLord.
Name should be IceLord.B.

[obse]

Btw first MBR-kit(mebroot) ITW was also released after few years of published PoC (Eeye bootroot)
and everybody said exactly the same: "nothing interesting, i'm already seen that..."
but that was a big pain in ... (you known where ;) for AV vendors, and for some of them till today