BootIt Bare Metal & MBR Rootkits

Discussion in 'backup, imaging & disk mgmt' started by TheKid7, Jun 11, 2011.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    How feasible/practical would it be to use BootIt Bare Metal to clean a "suspected" MBR Rootkit by over-writing the MBR?

    Thanks in Advance.
     
  2. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Good question!
     
  3. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,954
    Location:
    The Pond - USA
    Hi ya, TK! The problem with that approach would be that BIBM would need to know which MBR to use during restoration. There are many different ones... at least three "standards" associated with plain vanilla Windows (XP w/NTLDR, Vista/W7 w/Bootmgr, etc.) and lots of others associated with multi-boot systems and even specialized applications like Rollback RX. Which one should you return to?

    Even if you SAVE the one that's there when you turn this solution on, you'd need to reSAVE whenever you made a change to the system that caused its MBR to change (multiBOOT, Rollback install, etc.).

    I use a similar approach suggested by you but it's very custom. I keep a copy of whatever the latest MBR is on my system (updated whenever I add something that I know will tweak my MBR), and use a pretty simple tool to replace it if necessary (BootICE). I've had to reuse this recovery method twice since I started using it, both due to some sort of MBR RootKit virus... in both cases it was successful, and in both cases it was used to restore my Rollback RX custom MBR which then allowed me to use Rollback and step back in time to a system snapshot that was unaffected by the RootKit. It really saved my butt... but as you can see, it's a very custom approach for my particular system.

    For the general user to take this approach, they really need to know what their installed applications do to their system otherwise there's no way to know when to update the MBR backup image (unless you update it upon every installation which I guess is feasible).

    Just some thoughts...
     
  4. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    Wouldn't the Rootkit be damaged or over-written if you were to "Apply" "Std MBR" for Windows XP or "Win7 MBR" for Windows 7/Vista? It seems like the PC should still boot after applying the MBR. I guess that some installed software that modified the MBR may not work or may not work properly but wouldn't the PC still boot? Would the partition tables remain unchanged?

    Thanks in Advance.

    Page 49 (View MBR):

    http://www.terabyteunlimited.com/downloads/bootitbm_en_manual.pdf
     
  5. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,954
    Location:
    The Pond - USA
    In most cases the system should BOOT fine. If the RootKit/virus messed with the VBR (Volume Boot Record), no... restoring the MBR would not help.

    As I said above, most will. If you're a Rollback RX user, the system will boot with no active Rollback and the system state will be at Rollback's BASELINE rather than the last known system state. Most of TeraByte Unlimited's products usually let you restore the exact MBR/Track 0 (including the saved partition table) as well as whatever portion you would like. It also allows restoration and an unmodified partition table (in case you're restoring to another disk).
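As an added illustration of the keep-a-copy approach from post 3 and the partition-table question in posts 4 and 5 (example code written for this thread, not a TeraByte or BootICE tool): this Python snippet parses a 512-byte MBR, reports whether the boot code and/or the partition table differ from a saved copy, and rebuilds a sector from known-good boot code plus the partition table currently on disk, which is what an MBR-code-only restore is assumed here to do. The two sample sectors are constructed.

```python
import struct

BOOT_CODE = slice(0, 446)     # bootstrap code; the part an MBR rootkit typically replaces
PART_TABLE = slice(446, 510)  # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"       # bytes 510-511 of a valid MBR


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four MBR partition entries; empty (type 0) slots are skipped."""
    if len(mbr) != 512 or mbr[510:] != SIGNATURE:
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    entries = []
    for i in range(4):
        # entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype:
            entries.append({"active": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def compare_mbr(saved: bytes, current: bytes) -> dict:
    """Report which regions of the current sector differ from the saved known-good copy."""
    return {
        "boot_code_changed": saved[BOOT_CODE] != current[BOOT_CODE],
        "partition_table_changed": saved[PART_TABLE] != current[PART_TABLE],
        "signature_ok": current[510:] == SIGNATURE,
    }


def rebuild_mbr(known_good: bytes, current: bytes) -> bytes:
    """Known-good boot code + the partition table that is on the disk right now.
    Assumption: this is what applying a standard MBR does (code only, table kept)."""
    return known_good[BOOT_CODE] + current[PART_TABLE] + SIGNATURE


def make_mbr(boot_code: bytes, entries: list) -> bytes:
    """Constructed sample MBR: pad boot code to 446 bytes and append (active, type, lba, n) entries."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if act else 0, t, s, n)
                     for act, t, s, n in entries)
    return boot_code.ljust(446, b"\0") + table.ljust(64, b"\0") + SIGNATURE


# Constructed samples: same partition table, different boot code (as after a boot-code infection).
GOOD = make_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", [(True, 0x07, 2048, 204800)])
INFECTED = make_mbr(b"\xeb\xfe", [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print(compare_mbr(GOOD, INFECTED))          # boot code changed, table intact, signature ok
    print(parse_partition_table(INFECTED))      # the single NTFS-type entry survives
    print(rebuild_mbr(GOOD, INFECTED) == GOOD)  # True: code restored, table preserved
```

This only covers sector 0; a change to the VBR, as noted above, would need the same comparison against a saved copy of that volume's boot sector.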
     
  6. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    12,146
    Location:
    NSW, Australia
    TheKid7,

    In the BootItBM newsgroup there is a thread labelled "Have to keep reactivating". There are references to a root kit.
     