MBR Rootkit versus HIPS/ Sandboxes

Discussion in 'other anti-malware software' started by aigle, Jan 10, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Isn't this that Ring 0 thing, which also modified the MBR? If so, DefenseWall and Sandboxie did fine. The other HIPS also did if you answered the questions right.

    Pete
     
  3. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    Hi Pete, have you tested the Sandboxie/Defense Wall with the cleanMBR?

    I am wondering whether the Sandboxie virtualization will prevent direct hardware port I/O.

    Thanks.
     
  4. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I can check it out with DW in case I had this sample.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ilya, I have PMed you the link for this rootkit.
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Lol, logical.
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    For the record, TF failed to detect this trojan thanks to no low-level disk access protection.

    Perhaps they'll finally add some rules for this, as well as some other long-since much-needed ones. :)
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Sandboxie has protected against this, yes. With the version of DF I tested I'd be surprised if it didn't also pass. I don't remember testing. May do some retesting to verify, but Sandboxie has passed anything I've done with it.

    Pete
     
  9. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello aigle,

    I already sent a sample to Ilya a couple of days ago. His response was that the latest version of DefenseWall(v2.10) was able to contain and prevent it from doing any damage.


    Peace & Gratitude,

    CogitoErgoSum
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Just ran it through DefenseWall 2.10 under Virtual PC and VirtualBox - had not a single issue with it. Unfortunately, I couldn't make it write to the MBR, but anyway... Naturally, this test is not really independent :), so you may try it by yourself.
     
  11. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello aigle,

    With Vista 32, Shadow Defender in "Protected Mode" and Primary Response SafeConnect disabled, I personally tested and can confirm that DefenseWall v2.10 does in fact contain and prevent the mbr rootkit from doing any damage.


    Peace & Gratitude,

    CogitoErgoSum
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    This is interesting.

    After some further testing on my copy of the sample, I couldn't detect any write requests to the boot sector either.

    Does your copy drop a file to the temp folder and install it as a global hook, too, by any chance?
     
  13. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, but trying to erase its own file directly and with "delayed delete" is the right behavioural sequence.
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Now I'm beginning to get the feeling that what we have on our hands here isn't the bootkit at all.
     
  15. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, I have the same feeling. OK, let's dig for the right one. On the other hand, I just sent the sample to VirusTotal and Symantec said it is the right Mebroot trojan sample.
     
  16. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hey guys, you might have the right kiddie after all, but trust me this is no biggie to do battle with for any software such as HIPS/sandboxing and VM ;)

    RE MBR infection.

    Once the first file is executed it drops a .tmp file in the <userprofile temp> folder.
    It then registers a service to load this file at boot.

    http://img174.imageshack.us/img174/6369/autorunsiv0.jpg

    This .tmp file, if uploaded to the VT service, will return a lot of hits as Sinowal C/Gen type.

    Here's the biggie where it falls over as an efficient RK (or malware) installer: in order for the service (file) to run it needs a reboot :D

    FWIW, on the next session a properly configured SW firewall will capture svchost phoning to the mothership for more goodies.
    http://img338.imageshack.us/img338/333/keriozp5.jpg

    1x .DLL + .exe + .tmp will drop in <wind temp>; both exe + dll = Sinowal flag @ VT. On my infections they have been titled "ldo2."

    The service entry then goes AWOL and the MBR rootkit has landed :thumb:
    http://img207.imageshack.us/img207/6866/gmeryu4.jpg

    But seriously guys, this thing is no biggie from a prevention point of view versus your chosen software; after all it has to perform so many tricks in order to go live that it will trip over so many intercept points ;)
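The chain described in the post above has two cheap, log-visible steps: a service gets registered whose binary is a .tmp file in a temp folder, and after the reboot that service entry disappears again. The following is an added example, not code or data from the thread: it runs that detection over constructed Windows System log records of the kind Event ID 7045 ("A service was installed in the system") produces, plus a constructed snapshot of the services present after the reboot. The field names, service names and paths are all made up for the demo.

```python
"""Flag dropped-binary service installs and services that vanish after reboot.

Added example (not from the thread). Windows logs Event ID 7045 when a service
is installed; the ImagePath tells you which binary will run at boot. A service
whose binary sits in a temp folder, or has a .tmp extension, is exactly the
pattern the infection chain leaves behind. The records below are constructed.
"""
import re

# Constructed records with the fields that matter (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "svcupd",
     "ImagePath": r"C:\Documents and Settings\user\Local Settings\Temp\svcupd.tmp",
     "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "upd",
     "ImagePath": r"C:\WINDOWS\Temp\upd.exe -k", "StartType": "demand start"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": "", "StartType": ""},
    {"EventID": 7045, "ServiceName": "VendorSvc",
     "ImagePath": r'"C:\Program Files\Vendor\svc.exe" /run', "StartType": "auto start"},
]

# Constructed snapshot of the services still registered after the reboot.
SERVICES_AFTER_REBOOT = {"Spooler", "VendorSvc", "upd"}

# A path component named temp or tmp, e.g. ...\Local Settings\Temp\... or C:\WINDOWS\Temp\
TEMP_DIR_RE = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)
# First token of an unquoted ImagePath that ends in a binary-looking extension.
BINARY_RE = re.compile(r"(.+?\.(?:exe|dll|sys|tmp|bat|cmd|com))(?:\s|$)", re.IGNORECASE)


def image_binary(image_path: str) -> str:
    """Return just the binary from a service ImagePath, dropping quotes and arguments."""
    p = image_path.strip()
    if p.startswith('"'):                # quoted path: everything up to the closing quote
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    m = BINARY_RE.match(p)               # unquoted path (may contain spaces): stop at the binary
    return m.group(1) if m else p


def find_suspicious_services(events):
    """(service name, binary, reasons) for 7045 events whose binary looks like a dropped file."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        binary = image_binary(ev["ImagePath"])
        reasons = []
        if TEMP_DIR_RE.search(binary):
            reasons.append("binary lives in a temp folder")
        if binary.lower().endswith(".tmp"):
            reasons.append("service binary has a .tmp extension")
        if reasons:
            hits.append((ev["ServiceName"], binary, reasons))
    return hits


def find_vanished_services(events, current_services):
    """Services that were installed (7045) but are no longer registered: the 'goes AWOL' step."""
    installed = {ev["ServiceName"] for ev in events if ev.get("EventID") == 7045}
    return sorted(installed - set(current_services))


if __name__ == "__main__":
    for name, binary, reasons in find_suspicious_services(SAMPLE_EVENTS):
        print(f"[suspicious service] {name}: {binary} ({'; '.join(reasons)})")
    for name in find_vanished_services(SAMPLE_EVENTS, SERVICES_AFTER_REBOOT):
        print(f"[vanished service] {name} was installed but is no longer registered")
```

On a real host the 7045 records come from the System log (for example via `wevtutil` or PowerShell's `Get-WinEvent`) and the after-reboot snapshot from `sc query` or the Services registry hive; the svchost outbound connection the post mentions is a separate, firewall-side indicator that this block does not cover.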
     
  17. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Nice show ;-)
     
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Hot damn! Nice work fcukdat. :thumb: I restored a clean image before reboot, and failed to see anything after that. :(
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi fcukdat! Thanks for the nice work. So it doesn't seem to be a clever rootkit.

    @ Solcroft, I wonder why TF is not catching it, so many malicious actions indeed. BTW what is the SHA1 hash for your sample?

    Thanks
     
  20. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    Hi Pete, Thanks.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Does anyone know if it is possible to detect (and possibly remove) this rootkit with a scanner ATM?

    Thanks
     
  22. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    GMER's latest beta build detects the MBR RK :D
    It also has a restore function which resets the MBR, thus killing the active RK :thumb:
     
    Last edited: Jan 11, 2008
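The two operations fcukdat credits GMER with, detecting a modified MBR and resetting it, both come down to treating the boot code of the first sector as a baseline. The block below is an added example written for this thread, not GMER's code and not anything from the original post: it parses a 512-byte MBR, hashes the 446-byte boot code, reports a mismatch against a baseline hash, and restores the clean boot code while keeping the live partition table. The sectors it works on are constructed in memory with placeholder boot code; nothing here reads or writes a real disk.

```python
"""Baseline check and restore of MBR boot code on an in-memory sector (added example).

The MBR is the first 512-byte sector: 446 bytes of boot code, a 64-byte
partition table of four 16-byte entries, and the 0x55AA signature. An MBR
rootkit swaps the boot code but has to keep the partition table so the
system still boots, so the boot code of a known-clean machine is a stable
baseline: hash it once, re-hash on every check, and on a mismatch write the
clean boot code back while leaving the current partition table untouched.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # offsets 0..445: boot code
PART_TABLE_OFF = 446         # offsets 446..509: 4 x 16-byte partition entries
SIGNATURE = b"\x55\xaa"      # offsets 510..511


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Constructed MBR: boot code padded to 446 bytes, partition entries, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        # status, CHS start (unused here), type, CHS end (unused here), LBA start, sector count
        struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for active, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return code + table + SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot code and partition entries, rejecting anything that is not an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        parts.append({"active": entry[0] == 0x80, "type": entry[4],
                      "lba_start": lba_start, "sectors": sector_count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts}


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot code only; the partition table may legitimately differ between machines."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Findings for one sector; an empty list means the boot code matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline")
    if not any(p["active"] for p in mbr["partitions"]):
        findings.append("no active partition")
    return findings


def restore_boot_code(sector: bytes, baseline_sector: bytes) -> bytes:
    """Put the baseline boot code back, keeping the current partition table and signature."""
    parse_mbr(sector)            # refuse to 'restore' something that is not an MBR
    parse_mbr(baseline_sector)
    return baseline_sector[:BOOT_CODE_LEN] + sector[BOOT_CODE_LEN:]


# Constructed sectors: placeholder bytes stand in for real loader code.
PARTITIONS = [(True, 0x07, 63, 2_000_000)]      # one active NTFS-type partition starting at LBA 63
CLEAN_MBR = build_mbr(b"CLEAN-BOOT-CODE-PLACEHOLDER", PARTITIONS)
HOOKED_MBR = build_mbr(b"HOOKED-BOOT-CODE-PLACEHOLDER", PARTITIONS)
BASELINE_HASH = boot_code_hash(CLEAN_MBR)

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_HASH) or "ok")
    print("hooked  :", check_mbr(HOOKED_MBR, BASELINE_HASH))
    restored = restore_boot_code(HOOKED_MBR, CLEAN_MBR)
    print("restored:", check_mbr(restored, BASELINE_HASH) or "ok")
```

Feeding this a real sector means raw device access (`\\.\PhysicalDrive0` with administrator rights on Windows, `/dev/sda` on Linux). The caveat that matters in practice: an active MBR rootkit that hooks the disk stack can hand a clean-looking sector 0 back to any reader on the infected system, so take the baseline and run the check from clean boot media or offline against a disk image, not from inside the possibly infected Windows session.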
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    That's great. So what about the many AV scanners with rootkit scanning capabilities?

    Symantec, KAV, Antivir, FSecure, etc

    Anyone tried with them?

    Thanks
     
  24. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello aigle,

    If I am not mistaken, Prevx CSI+ can detect and remove the MBR RK.


    Peace & Gratitude,

    CogitoErgoSum
     
  25. ProSecurity

    ProSecurity Registered Member

    Joined:
    Dec 13, 2007
    Posts:
    123