#1
Has anyone had any experience with "Stealth MBR Rootkit"? I ran a scan with GMER and it came up:

\device\Harddisk0\DR0 ~ sector 00: MBR rootkit detected !!!
\device\Harddisk0\DR0 ~ sector 22: rootkit-like behavior
\device\Harddisk0\DR0 ~ sector 22: rootkit-like behavior

Avira Premium, Windows Firewall, SAS Free & EAZ-FIX are used on this machine. Windows XP SP2, IE7 and a lot of uTorrent. I have read that recovery console FIXMBR can correct this, though I am concerned that it may have something to do with EAZ-FIX. Any insight?
__________________
* Avira AntiVir Premium * Online Armor 2 * SUPERAntiSpyware Pro 4 * ShadowProtect 3 *
#2
Quote:
Blue
#3
Quote:
__________________
"Pouvoir à l'Imagination. Power to the imagination. La imaginación al poder". "Perfect is the enemy of good enough". Voltaire.
#4
I ran RAW Stealth MBR sandboxed today and it choked, puked, and fell flat on its face. I did the same with some pretty mean malware sandboxed and the result always came back the same: no possibility of escape, and easily erased. I use ERASER to fully wipe the %Sandbox% contents. No chance for $m to mysteriously resurrect them after that.
With Sandboxie, I am thoroughly impressed!
__________________
★AX 64 Time Machine★
★Shadow Defender★
Maxthon 4 | X Iron 17.0 | Chromium 19.0 | Pale Moon 20.1
¶Microsoft Windows 8 64bit (UEFI/GPT) Secure Boot¶
¶Linux Mint 14 MATE¶
#5
MBR Rootkit, A New Breed of Malware

F-Secure article here. GMER, Prevx and two Symantec article links at the bottom of the article. This kind of malware is an outstanding example of why Windows users should acquire familiarity with using Linux Live CDs, reorder their BIOS to boot from CD before the hard disk, and know how to issue dd commands to save off the original MBR of a Windows hard drive (and of their Linux dual-boot hard drive) after a clean installation, before any connection to the Internet.

A Linux Live CD environment with at least 1 GB of RAM can activate a safe environment (assuming the Internet connection to the computer is temporarily disconnected) without any hard drives mounted or accessed. From there, as root:

# dd if=/dev/sda of=/mnt/linux/root/Mbrs/sdambr bs=512 count=1

The above dd command assumes that a Windows OS is installed on /dev/sda and a Linux hard drive is mounted at the mount point /mnt/linux of the Linux Live CD environment. The MBR of the Windows hard drive is saved on the Linux hard drive in the file /root/Mbrs/sdambr, and has a block size of 512 bytes for one count.

The restoration of the Windows MBR in a Live CD environment is:

# dd if=/mnt/linux/root/Mbrs/sdambr of=/dev/sda bs=512 count=1

The above example assumes that the Linux hard drive is first mounted into the Live CD environment by:

# mount -v -t ext3 /dev/sdb2 /mnt/linux

(or a similar partition name that holds the Linux distribution, identified with the command fdisk -l, which is issued from the root account).

Note: The Linux hard drive used in this example could be any hard-drive-like device such as a USB flash drive, external hard drive, DVD or CD.

-- Tom
#6
The article mentions that the attack vectors are drive-by sites with different exploit code embedded in the web page.
Another article linked states, http://www.prevx.com/blog/75/Master-...e-and-ITW.html Quote:
Malware triggered by Remote Code Execution (Drive-by) can be easily prevented from executing by any number of White List solutions. One of the exploits mentioned is the Microsoft Data Access Components (MDAC) Function vulnerability (MS06-014). An earlier use of this shows how the malicious executable can be blocked from downloading/executing -- here, using Anti-Executable:

For other solutions, see the recent threads on LUA and SRP. Someone once wrote, "If it can't execute, it can't infect."

---- rich
#7
Went to the same link hxxp://www.zj5173.com/qq.htm.
Some Chinese, but nothing seems to happen.
__________________
Ubuntu 12.10 AX64 Time Machine, Comodo FW & Defence Plus,
#8
It's an old exploit from a year ago -- just used to demonstrate White List blocking with one of the exploits listed in the article.
I just checked some of my other links from past exploits but none are active. Keep your eye open for "Mebroot" exploits -- some might show up soon. Check the main weblog page of F-Secure, which posted the above article: http://www.f-secure.com/weblog/
Also: http://isc.sans.org/diary.html -- they often get notified quickly when exploits surface in the wild.

---- rich
#9
Oh, I thought it's some recent one.
Thanks
__________________
Ubuntu 12.10 AX64 Time Machine, Comodo FW & Defence Plus,
#10
Quote:
The problem is that 'regular Joes' (myself included, I guess) will never be able to do this and comprehend it.
#11
Quote:
__________________
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe"
#12
Quote:
Of course you have to discover that you're infected first... A lot of people won't even know they're infected with this MBR rootkit. I think I wouldn't notice it either. Or are there any tell-tale signs?
#13
Well, if you have many OSes or any sort of ISR software, like EAZ-FIX, First Defense-ISR, RollbackRX etc., their boot screen will disappear, since the rootkit will have overwritten your MBR.
__________________
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe"
#14
Quote:
I don't have any of those. I just have to be even more careful on the net, I guess.