Yes, they are in fact in the wild. I have been infected by a rootkit similar to Mebromi, because it affected the Award BIOS of the mainboard that I owned.
It was in 2007 and I'm sure that it was administered by the NSA.
It was extremely difficult to detect but I was a determined bugger.
I was running Windows ME and all of a sudden I had a new group of tools added to my system. But it wasn't until I was sitting idle one day and watching many megabytes of data being uploaded that I noticed something wasn't right.
To cut a long-winded story short: it did not matter if I formatted the HDD or installed Windows 2000, DOS, or Linux; I even installed Windows 98, which came with long file names and a 48-bit core.
It was while running Red Hat 7.0 from the command line that I discovered a 1.4 MB file loaded into the UMB. This turned out to be DR-DOS with NetWare, which was set to run as soon as the power button was pressed, even before the PC POST was run.
Also, while running Windows 98, I used a tool from the CD that allowed me to see my RAM. This is where I was able to see my BIOS, which to my surprise had spelling mistakes. AWARD was spelled AW4RD, and there were many others.
I even tried to re-flash my BIOS. When it started to write, the first half was unchanged and the second half was changed. Inside the BIOS menu I found a PCI controller that wasn't there before. It had 24 or so devices attached to it; where it came from had me driven crazy. So I sent the mainboard back to MSI with a diagnosis of a virus-infected BIOS EPROM, and several days later a brand new mainboard arrived which had an even newer BIOS version than was on the website. A clean install of Windows 2000 was normal, with no super user tools.
I have also seen evidence of another one similar to the GodMODE rootkit on 4 different PCs in the last year. It also had a DR-DOS image in the UMB, which I used a power tool to destroy. This I expected to kill the BIOS or something. I wrote zeros from sector 0 forward for 2 MB, which I have pictures of for proof.
When I rebooted that machine with Hiren's Boot CD, I not only booted successfully into Windows XP in a RAM disk but also read the boot logs. Every device connected noted the missing HEAD, and all combined together to rewrite the missing piece. The application had also taken over the booting and added redirects into the boot process, which made the dead device work again.
3 of the 4 PCs with the same infection I had previously worked on; this made me point to myself as the infector, but then the 4th arrived, and it was untouched by me. Also, 3 of the 4 machines are laptops with the Insyde BIOS loaded. The 4th is a desktop with a Gigabyte DDR3 board running a Phoenix BIOS.
The infection was nearly identical on all 4 machines. No rootkit tools ran at all; they always failed. Even GMER crashed when run.
The infection appears to attempt to connect to several different servers with the goal of uploading lists of all files on the PC's HDD. Even after removing the drivers for the WiFi and BT devices, they were still able to maintain a dedicated connection that could not be disabled. So I disabled them in the BIOS.
The infection was even attempting to send data via the infrared port and the COM port; one machine had an AM/FM tuner installed and was trying to connect out with that. That machine I killed with a hammer.
The infection on 4 machines had me contemplating the reality that every new PC has an exploitable EPROM that will be activated depending on what the user does online. But I had been pulling these PCs apart from the inside for 3 months, and my head had me thinking up many fantasy scenarios. But I did find one of the laptops that had Windows Update Server as the deployment source for what had taken over the PC. Or did it?