MBR Rootkit versus HIPS/Sandboxes
aigle
January 10th, 2008, 12:54 AM
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-010718-3448-99
I wonder how well HIPS and sandboxes will stand against this malware. I am able to grab a copy of this, but I have no VM to test it against some software (like GesWall, EQSecure, ThreatFire, NeoavaGuard, CFP etc).
Peter2150
January 10th, 2008, 01:06 AM
Isn't this that Ring 0 thing, which also modified the MBR? If so, Defense Wall and Sandboxie did fine. The other HIPS also did if you answered the questions right.
Pete
QQ2595
January 10th, 2008, 01:31 AM
-{ Quote: "Isn't this that Ring 0 thing, which also modified the MBR? If so, Defense Wall and Sandboxie did fine. The other HIPS also did if you answered the questions right.
Pete" }-
Hi Pete, have you tested Sandboxie/Defense Wall with the clean MBR?
I am wondering whether the Sandboxie virtualization will prevent direct hardware port I/O.
Thanks.
Ilya Rabinovich
January 10th, 2008, 05:44 AM
I can check it out with DW if I had this sample.
aigle
January 10th, 2008, 07:39 AM
Ilya, I have PMed you the link for this rootkit.
SystemJunkie
January 10th, 2008, 07:47 AM
-{ Quote: "The other HIPS also did if you answered the questions right." }-
Lol, logical.
solcroft
January 10th, 2008, 08:19 AM
For the record, TF failed to detect this trojan thanks to no low-level disk access protection.
Perhaps they'll finally add some rules for this, as well as some other long-since much-needed ones. :)
Peter2150
January 10th, 2008, 08:33 AM
-{ Quote: "Hi Pete, have you tested Sandboxie/Defense Wall with the clean MBR?
I am wondering whether the Sandboxie virtualization will prevent direct hardware port I/O.
Thanks." }-
Sandboxie has protected against this, yes. With the version of DF I tested I'd be surprised if it didn't also pass. I don't remember testing. May do some retesting to verify, but Sandboxie has passed anything I've done with it.
Pete
CogitoErgoSum
January 10th, 2008, 09:48 AM
Hello aigle,
I already sent a sample to Ilya a couple of days ago. His response was that the latest version of DefenseWall(v2.10) was able to contain and prevent it from doing any damage.
Peace & Gratitude,
CogitoErgoSum
Ilya Rabinovich
January 10th, 2008, 09:49 AM
Just ran it through DefenseWall 2.10 under Virtual PC and VirtualBox - had not a single issue with it. Unfortunately, I couldn't make it write to the MBR, but anyway... Naturally, this test is not really independent :), so you may try it by yourself.
CogitoErgoSum
January 10th, 2008, 10:19 AM
Hello aigle,
With Vista 32, Shadow Defender in "Protected Mode" and Primary Response SafeConnect disabled, I personally tested and can confirm that DefenseWall v2.10 does in fact contain and prevent the MBR rootkit from doing any damage.
Peace & Gratitude,
CogitoErgoSum
solcroft
January 10th, 2008, 10:24 AM
-{ Quote: "Just ran it through DefenseWall 2.10 under Virtual PC and VirtualBox - had not a single issue with it. Unfortunately, I couldn't make it write to the MBR, but anyway... Naturally, this test is not really independent :), so you may try it by yourself." }-
This is interesting.
After some further testing on my copy of the sample, I couldn't detect any write requests to the boot sector either.
Does your copy drop a file to the temp folder and install it as a global hook, too, by any chance?
Ilya Rabinovich
January 10th, 2008, 10:37 AM
-{ Quote: "Does your copy drop a file to the temp folder and install it as a global hook, too, by any chance?" }-
Yes, but trying to erase its own file directly and with "delayed delete" it is the right behavioural sequence.
solcroft
January 10th, 2008, 10:57 AM
-{ Quote: "Yes, but trying to erase its own file directly and with "delayed delete" it is the right behavioural sequence." }-
Now I'm beginning to get the feeling that what we have on our hands here isn't the bootkit at all.
Ilya Rabinovich
January 10th, 2008, 11:05 AM
Yes, I have the same feeling. OK, let's dig for the right one. On the other hand, I just sent the sample to VirusTotal and Symantec said it is the right Mebroot trojan sample.
fcukdat
January 10th, 2008, 12:36 PM
Hey guys, you might have the right kiddie after all, but trust me, this is no biggie to do battle with for any software such as HIPS/sandboxing and VM ;)
RE MBR infection.
Once the first file is executed it drops a .tmp file in the <userprofile temp> folder.
It then registers a service to load this file at boot.
http://img174.imageshack.us/img174/6369/autorunsiv0.jpg
This .tmp file, if uploaded to the VT service, will return a lot of hits as Sinowal C/Gen type.
Here's the biggie where it falls over as an efficient RK (or malware) installer: in order for the service (file) to run it needs a reboot ;D
FWIW, on the next session a properly configured SW firewall will capture svchost phoning to the mothership for more goodies.
http://img338.imageshack.us/img338/333/keriozp5.jpg
1x .DLL + .exe + .tmp will drop in <wind temp>; both exe+dll = Sinowal flag @ VT. On my infections they have been titled "ldo2."
The service entry then goes AWOL and the MBR rootkit has landed :thumb:
http://img207.imageshack.us/img207/6866/gmeryu4.jpg
But seriously guys, this thing is no biggie from a prevention point of view versus your chosen software; after all, it has to perform so many tricks in order to go live that it will trip over so many intercept points ;)
SystemJunkie
January 10th, 2008, 12:44 PM
Nice show ;-)
solcroft
January 10th, 2008, 12:47 PM
-{ Quote: "Hey guys, you might have the right kiddie after all, but trust me, this is no biggie to do battle with for any software such as HIPS/sandboxing and VM ;)
RE MBR infection.
Once the first file is executed it drops a .tmp file in the <userprofile temp> folder.
It then registers a service to load this file at boot.
http://img174.imageshack.us/img174/6369/autorunsiv0.jpg
This .tmp file, if uploaded to the VT service, will return a lot of hits as Sinowal C/Gen type.
Here's the biggie where it falls over as an efficient RK (or malware) installer: in order for the service (file) to run it needs a reboot ;D
FWIW, on the next session a properly configured SW firewall will capture svchost phoning to the mothership for more goodies.
http://img338.imageshack.us/img338/333/keriozp5.jpg
1x .DLL + .exe + .tmp will drop in <wind temp>; both exe+dll = Sinowal flag @ VT. On my infections they have been titled "ldo2."
The service entry then goes AWOL and the MBR rootkit has landed :thumb:
http://img207.imageshack.us/img207/6866/gmeryu4.jpg
But seriously guys, this thing is no biggie from a prevention point of view versus your chosen software; after all, it has to perform so many tricks in order to go live that it will trip over so many intercept points ;)" }-
Hot damn! Nice work fcukdat. :thumb: I restored a clean image before reboot, and failed to see anything after that. :(
aigle
January 10th, 2008, 05:02 PM
Hi fcukdat! Thanks for the nice work. So it doesn't seem to be a clever rootkit.
@Solcroft, I wonder why TF is not catching it, so many malicious actions indeed. BTW, what is the SHA1 hash for your sample?
Thanks
QQ2595
January 10th, 2008, 09:51 PM
-{ Quote: "Sandboxie has protected against this yes. With the version of DF I tested I'd be surprised if it didn't also pass. I don't remember testing. May do some retesting to verify, but Sandboxie, has passed anything I've done with it.
Pete" }-
Hi Pete, Thanks.
aigle
January 11th, 2008, 09:31 AM
Does anyone know if it is possible to detect (and possibly remove) this rootkit with a scanner ATM?
Thanks
fcukdat
January 11th, 2008, 01:03 PM
-{ Quote: "Does anyone know if it is possible to detect (and possibly remove) this rootkit with a scanner ATM?
Thanks" }-
The latest GMER beta build detects the MBR RK ;D
It also has a restore function which resets the MBR, thus killing the active RK :thumb:
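The two defender-side steps the thread touches on, fcukdat's observation that the rootkit lands in the MBR once the dropped service has run at reboot, and the GMER "detect and restore" capability just mentioned, come down to treating the first sector of the disk as an integrity-checked object: hash the 440-byte bootstrap code against a known-clean baseline, keep the disk signature and partition table separate because legitimate tools change those, and repair by putting the clean boot code back without touching the partitions. The following Python is an added example written for this thread, not code from GMER or any other tool named here; the 512-byte sector layout it relies on is the standard MBR layout, while the sample sector, the "patched" variant and the baseline are all constructed inline.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440         # 4-byte disk signature followed by 2 reserved bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG_OFF = 510         # boot signature 0x55 0xAA


def build_sample_mbr(fill_byte: int = 0x90) -> bytes:
    """Constructed sample sector (not read from any real disk): dummy boot code,
    a fixed disk signature, one bootable NTFS-type partition, valid signature."""
    boot_code = bytes([fill_byte]) * BOOT_CODE_LEN
    disk_sig = b"\xde\xad\xbe\xef\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1048576)
    table = entry + b"\x00" * (16 * 3)
    return boot_code + disk_sig + table + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into the fields an integrity check cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:                       # type 0 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partition_table_sha256":
            hashlib.sha256(sector[PART_TABLE_OFF:BOOT_SIG_OFF]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector: bytes, baseline: dict) -> tuple:
    """Compare a sector against a baseline captured from a known-clean disk.
    Returns (status, parsed_fields). A boot-code change is the footprint of
    an MBR rootkit; a partition-table change is reported separately because
    partitioning tools legitimately rewrite that area."""
    cur = parse_mbr(sector)
    if not cur["signature_ok"]:
        return "invalid_signature", cur
    if cur["boot_code_sha256"] != baseline["boot_code_sha256"]:
        return "boot_code_modified", cur
    if cur["partition_table_sha256"] != baseline["partition_table_sha256"]:
        return "partition_table_modified", cur
    return "clean", cur


def restore_boot_code(current: bytes, clean_boot_code: bytes) -> bytes:
    """Rebuild the sector with known-clean boot code while keeping the current
    disk signature and partition table, so the repair does not lose partitions."""
    if len(clean_boot_code) != BOOT_CODE_LEN:
        raise ValueError("clean boot code must be 440 bytes")
    return clean_boot_code + current[BOOT_CODE_LEN:]


def simulate_patched_boot_code(sector: bytes) -> bytes:
    """Constructed 'infected' sector for the demo only: overwrite the first
    16 bytes of boot code and leave the partition table and signature intact."""
    return b"\xeb" * 16 + sector[16:]


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)
    print("clean sector:  ", check_mbr(clean, baseline)[0])
    infected = simulate_patched_boot_code(clean)
    print("patched sector:", check_mbr(infected, baseline)[0])
    repaired = restore_boot_code(infected, clean[:BOOT_CODE_LEN])
    print("after restore: ", check_mbr(repaired, baseline)[0])
```

On a live host the sector would be read from the raw device (which needs administrator rights) and the baseline taken from a fresh install or a known-clean image. The caveat that matters for this particular family: once the kernel is patched at boot, a read issued from inside the running OS can be answered with a clean-looking sector, so the comparison is only trustworthy when the disk is read from boot media or with the drive attached to a clean system.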
aigle
January 11th, 2008, 03:21 PM
That's great. So what about the many AV scanners with rootkit scanning capabilities?
Symantec, KAV, Antivir, FSecure, etc
Anyone tried with them?
Thanks
CogitoErgoSum
January 11th, 2008, 06:22 PM
Hello aigle,
If I am not mistaken, Prevx CSI+ can detect and remove the MBR RK.
Peace & Gratitude,
CogitoErgoSum
ProSecurity
January 11th, 2008, 06:38 PM
Highly technical but interesting analysis of this rootkit here from GMER:
http://www2.gmer.net/mbr/
EASTER
January 11th, 2008, 09:58 PM
-{ Quote: "But seriously guys this thing is no biggie from a prevention point of view versus your chosen software afterall it has to perform so many tricks in order to go live that it will trip over so many intercept points" }-
And therein lies the beauty of layered-approach protection. Malware, even the very newest of their crafts, ha! ha!
....at least against a well thought-out, strategically laid out plan such as layering proven-track-record HIPS/sandboxing/virtualizing/LUA etc., only puts their efforts in a nice thick fog ;D
They are just wasting their time IMO. AVs alone, sure, they may defeat some, but with the onset of all the utilities and security programs that have surfaced in just the past year alone, those are enough hurdles to keep them spinning their wheels indefinitely.
I've regularly taken unpatched plain-jane XP systems through a walk in some of the darkest parks with just a choice few safety apps and never even been scratched. Vendors of specialized security prevention have raised the bar higher than they have ladders to reach IMO.
wat0114
January 11th, 2008, 10:45 PM
-{ Quote: "FWIW, on the next session a properly configured SW firewall will capture svchost phoning to the mothership for more goodies." }-
And that I place considerable worth on :thumb: This is only one example, but it does lend support to the value of a properly configured two-way application firewall.
BTW, thank you fcukdat for sharing the results of your considerable efforts :)
Wordward
January 11th, 2008, 11:21 PM
Any testing done with Comodo Pro's Defense+ enabled?
SystemJunkie
January 12th, 2008, 06:16 AM
-{ Quote: "AVs alone, sure, they may defeat some, but with the onset of all the utilities and security programs that have surfaced in just the past year alone, those are enough hurdles to keep them spinning their wheels indefinitely." }- Sounds nice.
-{ Quote: "Vendors of specialized security prevention have raised the bar higher than they have ladders to reach IMO." }- This is not very objective; if you read a lot about this you would know that black hats are always one step ahead. Probably full HD encryption could help against those beasts.
BluePill + Stealth MBR or vbootkit is their new focus. (= Hardware + Software mod)
(which means in fact you can disable whatever process you want, that doesn't matter; kill/block svchost or anything else, but their malware still laughs at you)
SystemJunkie
January 12th, 2008, 06:27 AM
Here is something that I discovered: one reboot later it shows itself as rdbss.sys:
http://i7.tinypic.com/6q3z8k2.png
It seems that it feels comfortable between Comodo.
fcukdat
January 12th, 2008, 04:46 PM
-{ Quote: "Hello aigle,
If I am not mistaken, Prevx CSI+ can detect and remove the MBR RK.
Peace & Gratitude,
CogitoErgoSum" }-
I know they have plans, but when did they update their tool?
NB: I wonder if they have updated to catch Nulprot or Allinone (TR-Inject) yet...
http://www.dslreports.com/forum/r19633146-
-{ Quote: "That's great. So what about the many AV scanners with rootkit scanning capabilities?
Symantec, KAV, Antivir, FSecure, etc
Anyone tried with them?
Thanks" }-
I know that SAS DKOM+DDA are bypassed by the active RK in the MBR as it is fileless. FWIW, the system is subverted as soon as it boots because the kernel is patched, so I'm guessing that all of these would be bypassed, although I have not tested to verify beyond SAS PR 4.0.
I have asked others to check elsewhere but no one seems to be able to return a positive confirmation of detection once loaded....
That said, the Sinowal file components were expedited into most good softwares' targeting databases as soon as it was distributed. So although the softwares are blind to the active RK, they will probably take out the installation files to prevent it from landing in the first place ;D
-{ Quote: "And that I place considerable worth on. This is only one example, but it does lend support to the value of a properly configured two-way application firewall." }-
Two-way firewalls will capture most malware infections phoning home, but it must be remembered that not all will be detected.
There are trojans that patch part of the OS underpinning the firewall's operation, and the net result is outbound communication while the firewall sleeps.
Also, there have been ITW infections seen where the BITS service of XP is used to phone home and import more baddies. Unless you have the firewall configured to uber paranoid (Don't trust M$), then it will sleep through that performance with default settings :blink:
-{ Quote: "Any testing done with Comodo Pro's Defense+ enabled?" }-
No need to test; as earlier stated, this badboy is so easily caught ;D
FWIW, I would be interested in what any of the HIPS software would report if they were installed on a PC that already had the MBR RK native on it...
CogitoErgoSum
January 12th, 2008, 06:16 PM
Hello fcukdat,
I guess I must have jumped the gun regarding Prevx CSI+.
Peace & Gratitude,
CogitoErgoSum
Rasheed187
January 13th, 2008, 11:22 AM
OK, just to clarify, I assume that HIPS that monitor "Low Level Disk access" can stop this thing and probably all other malware that try to modify the MBR?
aigle
January 13th, 2008, 11:39 AM
Seems you did not read the whole thread!
Copyright ©2002 - 2012, Wilders Security Forums