New MBR killer on the loose

And it's potentially very nasty

Mebratix.B aka Ghost Shadow

Quote by EP_X0FF of RkUnhooker etc fame

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=151

http://www.symantec.com/connect/pt-br/blogs/trojanmebratixb-ghost-mbr

 

If anyone knows how to get it, pls PM me.

 

@aigle

See your PM

 

Hi Agile/Clone Ranger,

Can you PM me too? Required to test it.

 

I hope you're testing it on an isolated PC not a VM

 

Does MBRGuard block this? can somebody test?

 

Why not in VM? Will it infect my original MBR ? I don't think so...If it is like that then i will test it on isolated environment...

 

Try reading the 4th line of the first post... Now maybe it's talking about the VPC MBR, but personally I don't trust malware in a VPC/sandbox. Always on an isolated PC that's fully recoverable.

 

http://translate.google.com/transla...kafan.cn/thread-663430-1-4.html&sl=auto&tl=en

 

More info from ESET on this Backdoor Trojan

 

Aloha,

I have analyzed Mebratix.B: http://web17.webbpro.de/index.php?page=analysis-of-mebratix:

Code:

Sector 0: Malicious MBR, relocates itself to 0000h:0600h
Sector 1: Will be loaded by mbr to 0000h:7C00h and relocates to fixed address 9700h:0000h
          Installs int 13h hook, reads 59 sectors from sector 2 and decrypts first 3 of them
          Loads original mbr from encrypted sector 2 to 7C00h and executes it
          Patches NT Loader code integrity verification and hooks ntldr to jump to sector 3
Sector 2: Original master boot record (encrypted)
Sector 3: Protected mode bootkit code, called by ntldr hook
          Restores interrupt 13h vector
          further code (not analysed yet)
Sector 4: further code (not analysed yet)
Sector 5+: PE image, kernel driver, 16544 bytes (~ 16 KB)

Reversed code can be found here. Only Windows XP is affected btw, because it only contains the signatures for Windows XP startup files.

 

Can someone please test this against shadow defender?

 

Thanx for the source code it helps me in studying it I am learning assembly language programming

 

Hi aigle,

join KM and you will see the files. Usually all the malware talked about on KM will have some analysis with the sample attached to the post.

 

It destroys the VM MBR,the Host system is unaffected.
As was explained in the referenced thread the Host can only be infected by malware that's specifically coded to exploit a vulneability in the particular VM software it's run on,or by accessing a shared folder.

 

OK, thanks. Got a sample, will see if it,s correct sample or not.

 

I'd like a piece of that as well. Please PM it to me.

Thanks.

 

Please PM it to me as well.

I want to add it to a personal collection of malware that I'm building to test AVs and firewalls.

 

Pls don,t ask for samples in public.

 

Some request to Wondershare Time Freeze, since it has a MBR protection...

 

it's probably a coincidence, but after searching & downloading (but not executing) samples of this malware (for testing), I lost one of my partitions (it was missing after I restarted the computer...). The files I downloaded were ro.exe and mebratix.zip. I also clicked on several links for "infected" sites (to obtain the malware) before acquiring those files, but got blocked by my security apps, or the site was down, or something - at least it looked like the access failed.

Anyway, I booted to BartPE which I have available from my boot menu, ran Acronis Disk Director to recover the missing partition and I also put ro.exe inside a rar archive just in case. No (related) problems after that; no data loss or corruption as far as I can tell. As I said, probably coincidence, but it made me wonder...

 

@Toaster

Hi thanks for posting


@CogitoTesting, pajenn, et al

Just to let you know, and anyone else, i fully expected to retrieve the file from one of the malware www's i had knowledge of at the time. When i got round to visiting them the file had gone, or the www didn't work anymore. It would have been nice to see some testing with it, but stuff happens, sometimes you win sometimes you don't Maybe next time

Looks like aigle has it, so PM him

@pajenn

I had ro.exe the other day https://www.wilderssecurity.com/showthread.php?t=274488 but after uploading it to VT got rid of it

Sorry to hear about you losing a partition, makes me wonder too, could be a coincidence but ? Anyway the good thing is you were able to get it back in one piece, with no "apparent" side effects

 

I'm sorry about being a persistent pain in the neck, but I would highly appreciate it if someone would just PLeaSE run it against Shadow defender and report back. i've started another thread in the virtualization subforum w/o any replies.
Thanks guys


Ow, 1 more thing,im curious about? how does MBRguard fare?