In the first days of September a remarkable malware sample fell into the hands of Doctor Web’s virus analysts. At first it seemed that the malicious program, dubbed Trojan.Bioskit.1, carried a standard Trojan horse payload: infect the MBR and download something from the network. However, a more detailed analysis revealed that it also incorporated routines to compromise the BIOS.
The more information we acquired about the Trojan horse’s features, the more confident we became that it was a proof-of-concept sample rather than a fully functional malicious program, or perhaps that it leaked earlier than its author intended. The following facts may serve as evidence of the latter:
- A command-line parameter parser (launching the malicious sample with the -u key cures the system);
- Its use of third-party utilities;
- Disabled code to deactivate the malware after 50 days;
- Two different ways to infect system files (only one of them is used);
- Code errors that look like typos.
However, none of the above reduces the malicious potential of the Trojan horse. Before we proceed, we would like to point out that only Award BIOS chips can be infected by this program.
Infecting the system
First, the Trojan.Bioskit.1 dropper checks whether any of the system processes belongs to a Chinese anti-virus on its list. If such a process is found, the Trojan horse displays a transparent dialogue window used to invoke its main routine. Then Trojan.Bioskit.1 determines the operating system version. If the OS is Windows 2000 or later (except for Windows Vista), it continues the infection process. The Trojan horse then checks the command line. The malware can be started via the command line with various options:
- -d – This option doesn’t work (perhaps the feature has been removed for the “release build”);
- -w – Infect the system (the default option);
- -u – Cure the system (including the MBR and BIOS).
The dropper’s resources include several files.
The running dropper decompresses the %windir%\system32\drivers\bios.sys driver and saves it to the hard drive. If the \\.\MyDeviceDriver device is present in the system (the analyzed dropper did not include a driver for such a device), the Trojan horse saves the %windir%\flash.dll file to disk and, most probably, attempts to inject it successively into the services.exe, svchost.exe and explorer.exe processes. This library is used to launch the bios.sys driver via the Service Control Manager by creating the bios service. When the library is unloaded, the service is removed. In the absence of the \\.\MyDeviceDriver device, the Trojan horse is installed into the system by overwriting the beep.sys driver. When the Trojan horse is launched, beep.sys is restored from a previously created backup. The only exception is Windows 7: on this system the dropper saves %windir%\flash.dll to disk and loads it.
Then the dropper saves the rootkit driver my.sys to the root directory of drive C:. If launching bios.sys has failed or an Award BIOS is not detected, the Trojan horse infects the MBR. It drops the %temp%\hook.rom file (a PCI Expansion ROM) to disk, but at this stage it is used only as a container from which data is extracted and saved to disk. After that the Trojan horse overwrites 14 sectors at the beginning of the disk, including the MBR. The original MBR is saved in the eighth sector.
The rootkit driver is rather primitive by present-day standards: it hooks the IRP_MJ_READ, IRP_MJ_WRITE and IRP_MJ_DEVICE_CONTROL handlers of the system driver disk.sys:
- The hooked IRP_MJ_READ returns zeros instead of the code stored in the first 63 disk sectors;
- The hooked IRP_MJ_WRITE does not allow writing into the first 63 sectors. At the same time the Trojan horse tries to allow its own dropper to overwrite the MBR and the other sectors, but due to an obvious code error the trick does not work: the author lets the Trojan horse overwrite 0x14 (20) sectors, while the dropper writes only into 0xE (14).
- The hooked IRP_MJ_DEVICE_CONTROL returns STATUS_UNSUCCESSFUL in reply to IOCTL_DISK_GET_DRIVE_LAYOUT_EX, IOCTL_STORAGE_GET_MEDIA_TYPES_EX and IOCTL_DISK_GET_DRIVE_GEOMETRY_EX requests.
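The two disk-level artifacts described above (a read hook that hands back zeros for the first 63 sectors, and a copy of the original MBR stashed among the 14 overwritten sectors) can be checked for with a few heuristics over a raw read of the disk start. The following Python is an added example and not Doctor Web's code; the sample images are constructed, and the choice of index 7 for "the eighth sector" is an assumption about how the article counts sectors.

```python
"""Heuristic inspection of the first disk sectors for two artifacts: a hooked
IRP_MJ_READ that returns zeros for sectors 0..62, and a backup copy of the
original MBR stashed among the overwritten sectors.
Added example, not Doctor Web's code; all sample images are constructed."""

SECTOR = 512
HIDDEN_SECTORS = 63       # sectors the rootkit hides from IRP_MJ_READ
DROPPER_SECTORS = 14      # 0xE sectors the dropper actually overwrites
BOOT_SIGNATURE = b"\x55\xAA"


def has_boot_signature(sector: bytes) -> bool:
    """True when the sector ends with the 0x55AA boot signature."""
    return len(sector) == SECTOR and sector[510:512] == BOOT_SIGNATURE


def iter_sectors(image: bytes):
    """Yield (index, bytes) for each whole sector of a raw image."""
    for i in range(0, len(image) - len(image) % SECTOR, SECTOR):
        yield i // SECTOR, image[i:i + SECTOR]


def analyze_first_sectors(image: bytes) -> dict:
    """Derive indicators from what the OS returned for sectors 0..62.

    The read goes through the normal disk stack, so a rootkit hook on
    IRP_MJ_READ would already have altered the data we are given.
    """
    head = image[:HIDDEN_SECTORS * SECTOR]
    extra = [idx for idx, sec in iter_sectors(head)
             if idx != 0 and has_boot_signature(sec)]
    nonzero_gap = [idx for idx, sec in iter_sectors(head)
                   if 0 < idx < DROPPER_SECTORS and any(sec)]
    result = {
        # A real MBR always carries the boot signature.
        "mbr_signature_ok": has_boot_signature(head[:SECTOR]),
        # The hooked read returns zeros for the whole hidden range; a real
        # disk start is never entirely zero.
        "all_zero_head": len(head) > 0 and not any(head),
        # Sector 0 should be the only sector of the first track with a boot
        # signature; another one is consistent with a stashed MBR copy.
        "extra_boot_signatures": extra,
        # Informational only: non-empty sectors in the range the dropper writes.
        "nonzero_dropper_range": nonzero_gap,
    }
    result["suspicious"] = result["all_zero_head"] or bool(extra)
    return result


def _sample_mbr() -> bytes:
    """Constructed MBR: a few plausible boot-code bytes, an active partition
    flag and the boot signature."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\x33\xC0\x8E"     # xor ax,ax / mov ..,ax: common MBR prologue
    mbr[446] = 0x80                 # first partition entry marked active
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def clean_disk() -> bytes:
    """Constructed uninfected image: MBR in sector 0, rest of the track empty."""
    image = bytearray(HIDDEN_SECTORS * SECTOR)
    image[0:SECTOR] = _sample_mbr()
    return bytes(image)


def infected_disk(backup_index: int = 7) -> bytes:
    """Constructed image as the dropper leaves it, seen without the read hook:
    14 sectors overwritten with loader code (filler bytes here) and the
    original MBR copied to the 'eighth sector' (index 7 is an assumption)."""
    image = bytearray(clean_disk())
    for idx in range(DROPPER_SECTORS):
        image[idx * SECTOR:(idx + 1) * SECTOR] = bytes([0x90]) * SECTOR
    image[0:SECTOR] = bytes([0x90]) * 510 + BOOT_SIGNATURE   # new, still bootable MBR
    image[backup_index * SECTOR:(backup_index + 1) * SECTOR] = _sample_mbr()
    return bytes(image)


def hooked_read() -> bytes:
    """What the hooked IRP_MJ_READ hands back for sectors 0..62."""
    return bytes(HIDDEN_SECTORS * SECTOR)


if __name__ == "__main__":
    for name, img in (("clean", clean_disk()), ("infected", infected_disk()),
                      ("hooked", hooked_read())):
        print(name, analyze_first_sectors(img))
```

On a live system the same `analyze_first_sectors` can be fed the first 63 sectors read from the physical drive; an all-zero result from a disk that boots is itself the indicator, because the hook hides exactly the range it protects.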
Now let us assume that bios.sys has detected an Award BIOS. It is this driver that distinguishes this harmful program from the long list of similar MBR-infecting Trojan horses.
The driver is very small, but its destructive potential is frightening. It incorporates three routines:
- Detect an Award BIOS (and also determine its image size and, most importantly, the address of the I/O port through which the Trojan horse can force generation of an SMI (System Management Interrupt) and thus execute code in SMM mode);
- Save the BIOS image to the C:\bios.bin file;
- Write the BIOS image from the C:\bios.bin file back to the chip.
Accessing and re-flashing a BIOS chip is not a trivial task. To do so, one has to be able to communicate with the motherboard chipset to reach the chip, detect the chip, and use an erase/write protocol supported by it. However, the Trojan horse author chose an easier way and let the BIOS do all the work. He used information obtained by a Chinese researcher with the alias Icelord. The research was conducted in 2007, when analysis of the Winflash utility for the Award BIOS revealed a simple method of reflashing the chip via a service provided by the BIOS in System Management Mode. The operating system does not have access to SMM code and SMRAM (if the BIOS is written properly, it blocks access to them), so that code executes independently of the OS. It may serve different purposes: emulating features not implemented in the motherboard hardware, handling hardware errors, switching between power management modes, and performing service tasks.
To modify the BIOS image, this malicious program uses the cbrom.exe utility (by Phoenix Technologies) included in its resources. Using this utility, the Trojan horse injects its hook.rom module into the image as an ISA BIOS ROM. Then Trojan.Bioskit.1 issues a command to its other driver to reflash the BIOS using the updated file.
Upon a subsequent system restart, the BIOS will call all the available PCI Expansion ROMs, including hook.rom. Every time this happens, the malicious code in the module checks whether the MBR is still infected and reinfects it if necessary. It should be noted that a system with an Award BIOS will not necessarily get infected: only one of the three motherboards tested in the virus laboratory was infected, while the remaining two did not have enough free BIOS memory for the new module.
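Because hook.rom is added to the image as an ordinary expansion ROM module, a defender who dumps the BIOS can enumerate the modules it contains and compare them against a known-good dump of the same firmware. The Python below is an added example, not Doctor Web's or Phoenix's code; it relies only on the public option-ROM header layout (0x55AA signature, length in 512-byte units at offset 2, a 16-bit little-endian pointer at offset 0x18 to the "PCIR" structure in PCI ROMs, and a module byte sum of zero modulo 256). The image it scans is constructed.

```python
"""Enumerate expansion ROM modules in a dumped BIOS image and diff them
against a known-good dump. Added example, not Doctor Web's or Phoenix's
code; uses only the public option-ROM header layout. Sample image is
constructed."""

ROM_SIGNATURE = b"\x55\xAA"
BLOCK = 512


def rom_checksum_ok(module: bytes) -> bool:
    """Option ROM modules must sum to zero modulo 256."""
    return sum(module) % 256 == 0


def finalize_checksum(module: bytearray) -> bytearray:
    """Set the last byte so the module sums to zero (used to build samples)."""
    module[-1] = 0
    module[-1] = (-sum(module)) % 256
    return module


def has_pcir(module: bytes) -> bool:
    """PCI ROMs point to a 'PCIR' data structure; ISA-style ROMs usually do not."""
    if len(module) < 0x1A:
        return False
    ptr = int.from_bytes(module[0x18:0x1A], "little")
    return module[ptr:ptr + 4] == b"PCIR"


def scan_option_roms(image: bytes, align: int = BLOCK) -> list:
    """Walk the image at `align` boundaries and describe every module found."""
    modules = []
    offset = 0
    while offset + 3 <= len(image):
        if image[offset:offset + 2] == ROM_SIGNATURE and image[offset + 2]:
            size = image[offset + 2] * BLOCK
            module = image[offset:offset + size]
            modules.append({
                "offset": offset,
                "size": size,
                "truncated": len(module) < size,
                "checksum_ok": rom_checksum_ok(module),
                "has_pcir": has_pcir(module),
            })
            offset += size          # do not rescan inside the module body
        else:
            offset += align
    return modules


def new_modules(image: bytes, baseline: bytes) -> list:
    """Offsets of modules present in `image` but absent from a known-good dump
    of the same BIOS: the comparison a defender runs after re-dumping the chip."""
    known = {(m["offset"], m["size"]) for m in scan_option_roms(baseline)}
    return [m["offset"] for m in scan_option_roms(image)
            if (m["offset"], m["size"]) not in known]


def build_sample_image(with_extra: bool = True) -> bytes:
    """Constructed 4 KiB image: one ISA-style module, one PCI-style module and,
    optionally, an extra signature with a bad checksum standing in for a
    module added after the baseline was taken."""
    img = bytearray(8 * BLOCK)
    isa = bytearray(2 * BLOCK)
    isa[0:2] = ROM_SIGNATURE
    isa[2] = 2                                   # two 512-byte blocks
    isa[3:6] = b"\xE9\x00\x00"                   # jmp to the init entry point
    img[2 * BLOCK:4 * BLOCK] = finalize_checksum(isa)
    pci = bytearray(BLOCK)
    pci[0:2] = ROM_SIGNATURE
    pci[2] = 1
    pci[0x18:0x1A] = (0x40).to_bytes(2, "little")
    pci[0x40:0x44] = b"PCIR"
    img[5 * BLOCK:6 * BLOCK] = finalize_checksum(pci)
    if with_extra:
        img[7 * BLOCK:7 * BLOCK + 4] = b"\x55\xAA\x01\x11"   # bad checksum
    return bytes(img)


if __name__ == "__main__":
    for m in scan_option_roms(build_sample_image()):
        print(m)
    print("new:", new_modules(build_sample_image(), build_sample_image(False)))
```

A module that shows up only in the post-incident dump, has no PCIR structure and sits in previously free space is exactly the shape of the ISA-style injection described above; a failing checksum is also worth noting, since the BIOS will refuse to call such a module at boot.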
To infect the winlogon.exe (under Windows 2000 and Windows XP) or wininit.exe (Windows 7) files, the Trojan horse writes its code into the MBR. To accomplish this task Trojan.Bioskit.1 features its own NTFS/FAT32 parser. It also incorporates a system start counter, updated once every 24 hours. The infecting module is supposed to be deactivated after 50 days, when it would be modified so that the malicious code is no longer executed; but this feature has been disabled in this version of the Trojan horse. Trojan.Bioskit.1 includes two versions of the shellcode, only one of which is used.
It is hard to overestimate the severity of such threats, especially as more sophisticated versions of this program, or other viruses with a similar payload, are likely to appear in the future. At the moment Dr.Web anti-virus software can detect the components of the Trojan horse and cure the MBR and system files. If the system is infected by Trojan.Bioskit.1 again after the malicious files have been detected and the compromised files cured, a compromised BIOS is the most likely source of reinfection. The Doctor Web virus laboratory keeps working to resolve this issue.