Help! Do I have a MBR Rootkit?

Prevx 3.0 has removed the same file 3 days in a row. I believe I got it from my buddy's copy of Adobe Illustrator CS3. I don't know where he got it...

[28/7/2009 15:48] The file [\\.\PhysicalDrive0\MBR] has been removed and contained a threat of type [Possible MBR Rootkit] - Identity: 0000000000000000000000000000000000000000

[29/7/2009 17:36] The file [\\.\PhysicalDrive0\MBR] has been removed and contained a threat of type [Possible MBR Rootkit] - Identity: 0000000000000000000000000000000000000000

[31/7/2009 12:53] The file [\\.\PhysicalDrive0\MBR] has been removed and contained a threat of type [Possible MBR Rootkit] - Identity: 0000000000000000000000000000000000000000

Interestingly, I did not use Adobe Illustrator on 7/30 and no threat was detected / removed that day.

Anyone know what's going on here and what I can do to fix it? Will simply uninstalling the Illustrator software clear it up or is this thing now fully entrenched in my system?

Thanks in advance for any input.

 

Hello ssmithct;

I don't believe a rootkit will be dependent on whether or not you run a particular application;
either it's there or it's not.

Have you submitted this information to Prevx ?

In case you haven't done so yet, scan with another security application;
MBAM and A-Squared (free versions of both will do nicely) and see if either or both detect the same suspect file.

Submitting to VirusTotal would also be a good idea.

 

Hello,
I'd suspect that your copy of Illustrator is infected with something that is infecting the MBR. If you'd like us to try and find the source of the infection, could you send us the executables which you received originally that installed Illustrator (to report@prevxresearch.com)? We will analyze them to see what is causing the infection to be dropped and report back. Also, if you could send a scan log to report@prevxresearch.com as well by clicking Tools > Save Scan Results, we will see if there are any obvious signs of infection.

The MBR rootkit check is quite reliable so I do suspect something is modifying your MBR and the fact that it is coming from Illustrator increases my suspicion... unless Adobe has started integrating operating system loaders as part of their JPEG processing

 

Ok, I sent two .exe files my buddy said were "cracked" (one for photoshop and one for illustrator) as well as a scan log to report@prevxresearch.com. Prevx removed the same file again tonight...

Will one of the free security apps find this infection if prevx has removed it? I believe that it is reinstalled every time I launch illustrator or photoshop using these "cracked" .exe files...

Thanks so much for looking into this...

 

Hey buddy the first thing is that you should not be using CRACKED programs, that's why you keep getting infected!

TH

 

Indeed However, we haven't received the samples, ssmithct - could you please try sending them with the restrictions in this post: https://www.wilderssecurity.com/showthread.php?t=245129 or by using a file sending service?

But in general, it would definitely be advisable to stay away from cracked software, especially Adobe Illustrator which is a massively feature-full and complex program that has required many years and millions of dollars to develop. As many economists will tell you, there is no such thing as a free lunch and if you think you're getting software for free that other people have paid money for - you aren't.

 

You're right TH. I learned my lesson. I wasn't sure what he meant when he said "cracked" and to be honest, I didn't want to know. I was more concerned with using the software. I just assumed "cracked" was his way of saying that he did something so that I wouldn't need to register it using his license key. This is what I get. Let it be a lesson to everyone... it's not worth the hassle. I'll follow the instructions to send the exe's.

 

ok file went through. I had to change the .exe to ".xex" in the RAR archive so that gmail would let it go through.

 

Thanks - we've analyzed the file and you have managed to avoid the majority of the infection because you're using a 64bit operating system. Its hard to say what else has been added/changed in the program itself so we do recommend that you use something else (i.e. the free Paint.NET http://www.getpaint.net/download.html#download) and not run these programs anymore.

However, it does not appear that the infection has spread elsewhere so your system should otherwise be fine.

 

So what exactly does this infection do? Can you tell what its endgame is? How were you able to determine that the 64 bit OS prevented further damage? Can you see evidence of it in the scan log? I'm just curious...

Thanks so much. And yes, the software has been removed.

ss

 

Good to here

TH

 

The MBR rootkit installs itself below Windows in the area of your harddisk where the operating system loads from, and then jumps into the operating system to infect directly. While this is a very powerful technique for malware authors, it is also very system dependent and therefore it frequently won't work on different computers. Because of the low market share of 64bit operating systems, the malware authors aren't focusing much on them and definitely not focusing on them for the in-the-wild MBR rootkits.

So, the 64bit OS didn't directly prevent it, per-se, but the unpopularity of that architecture prevented that variant from operating properly.

Please let me know if you need anything else!

 

PrevxHelp

What's this, favourtism or what ?

" Please let me know if you need anything else! "

You never asked me that. A hundred $ would be nice lol.

 

You can let me know if you need anything else also of course

 

Im just wondering what this infection does once its on your system. Does it steal information and send it somewhere? Is there a way to figure that kind of thing out?

Thanks again for all your help.

 

Use one Computer to work as a server. Connect another Computer to this "server" and infect it with the sample. Use Wireshark and several other tools to detect what is going on...

Btw.: Very often the infected PC will be part of a "Bot-Net".