New MBR rootkit goes undetected

Discussion in 'other anti-virus software' started by MAOS, Apr 13, 2009.

Thread Status:
Not open for further replies.
  1. MAOS

    MAOS Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    15
    http://www.prevx.com/blog/120/MBR-rootkit-changes-itself-and-strikes-again.html
     
  2. BrendanK.

    BrendanK. Guest

    Damn it! Last night I got an infection alert from Prevx Edge. It said:

    \\PhysicalDrive\MBR - Possible Malicious Rootkit

    And I couldn't remove or block it :(

    A scan with GMER, and nothing popped up?
     
  3. BrendanK.

    BrendanK. Guest

    Ahh just found out GMER does NOT detect the rootkit. I'm stuffed for a little while :(
     
  4. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    What is the best way to prevent a MBR Rootkit?

    Thank you.
     
  5. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Unplugging your PC :D
     
  6. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Wonder why Prevx didn't block it. Was it the trial version?
     
    Last edited: Apr 13, 2009
  7. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I also see he runs Defensewall. Wonder how it got by that?
     
  8. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Seriously? Is there a way to configure HIPS to protect from this? Say for example... DriveSentry?

    Just Curious

    Thanks in advance,
    Toby
     
  9. BrendanK.

    BrendanK. Guest

    Yeah. :(
     
  10. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Does Avira detect it? If you installed it in "safer mode" then it might pick it up.
     
  11. Ed_H

    Ed_H Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    662
    Location:
    Chicago, IL
    Wow...with all the security you are running, I am surprised it wasn't picked up!
     
  12. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    So how does this thing get installed? I suppose the user has to install it themselves.
     
  13. thathagat

    thathagat Guest

    Two questions:
    1. Could something like Sandboxie or Returnil prevent it from infecting the PC in the first place?
    2. Once infected, could something like a Rollback snapshot restore save one the pain of cleaning the mess?
     
  14. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    Well, it says 'possible', I suppose that FPs can happen for rootkits as well.
     
  15. BrendanK.

    BrendanK. Guest

    Yes it could be. But the detection of this new rootkit coincides with when Prevx detected it on my computer.

    I am unsure as I did install Eaz-Fix just before that.

    So for the meantime it's better to be safe than sorry :)
     
  16. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    As per the comments on the blog by Marco:
    So if you have a backup (I have one with MbrFix), you could apply that too.

    Plus it looks like PrevX will be kind enough to release the fix for free, so better wait a few days IMO.
     
    Last edited: Apr 14, 2009
  17. BJStone

    BJStone Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    139
    Just write a new MBR and it's gone.
     
  18. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Manual removal. Load up the recovery console or repair tools by inserting the Windows disk, type fixmbr, reboot. The command writes a new boot sector which erases the rootkit.

    edit: just read at Sysinternals of another ARK tool that detects.

    CodeWalker
    cmcinfosecdotcom
     
    Last edited: Apr 14, 2009
  19. MAOS

    MAOS Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    15
    CodeWalker didn't work on my virtual machine. I managed to get the VM infected and I checked with GMER: the result is the presence of many system threads without a known origin.

    I tried CodeWalker but it says the MBR is clean :(
     
  20. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784

    Are you using the beta or the last stable version of Prevx?
    A few days ago Prevx Edge beta was giving a FP on Rollback Rx as a rootkit.

    https://www.wilderssecurity.com/showthread.php?t=225190&page=132

    Eaz-Fix is basically the same. I would send your scan log if possible to Prevx to check out.
    Or post in the thread linked above with your find so if it is a FP it can be fixed.
     
  21. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
  22. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Are you using beta version of Prevx?
    Did you install eaz-fix?

    If so, please send me a Prevx scan log at falsipositivi[-aT]pcalsicuro[dOt]com and I'll have a look at it :)
     
  23. greenhorn113

    greenhorn113 Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    149
    Location:
    England
    :)
    I had the same prompt from Edge (paid) while installing Eaz-Fix and assumed it related to Eaz-Fix, so I completed the installation. I guess it must be a FP.

    gh113
     
  24. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Wouldn't the BIOS option named BOOT VIRUS PROTECTION keep us safe against MBR rootkits?
    Or is it useless at this moment?
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello all,
    Some programs like Rollback Rx (and maybe EAZ-fix as well) modify the MBR in a non-malicious manner but our realtime MBR scanning will detect the change and alert the user just to be safe.

    We are offering MBR rootkit cleanup for free, but the new, difficult to detect MBR rootkit is detected only in the beta version (which will be released officially this week).

    Conventional AVs can block the infection before it enters (as they do with other threats) but that doesn't help if you're already infected or if they don't have a signature for it (i.e. Conficker).

    The problem with this infection is that once it gets in, every AV simply cannot read the MBR - it is a highly intelligent rootkit which is very effective at hiding the contents from the AVs. We had to develop an alternate engine to find this file and AFAIK no one else detects it yet.

    mysec at DSLReports missed the point that what we're outlining here is NOT about the means of getting infected, it's what happens AFTER you get infected. Threats get past AVs all the time and once they're in, they can generally be removed relatively easily. This one cannot, however.
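Added example, not code from the thread, from Prevx, or from MbrFix: a small Python script that does what several posts above describe in words. vijayind's post keeps a known-good copy of the MBR, PrevxHelp's post says the realtime MBR scanner alerts on any change to sector 0 (including benign ones made by Rollback Rx or Eaz-Fix), and Meriadoc and BJStone remove the infection by writing fresh boot code. The script parses a raw 512-byte MBR, compares a baseline copy against a current read so that a boot-code change is reported separately from a legitimate partition-table edit, and rebuilds sector 0 from the baseline's first 440 bytes plus the current partition table (the same split a "write only the boot code" restore uses, so a partition added since the backup is kept). The three sample MBRs are constructed inline; the device paths in `read_sector0` are assumptions for illustration and the function needs administrator/root rights. As PrevxHelp notes, a rootkit that filters disk reads will hand this script a clean-looking sector, so the comparison is only trustworthy when the current copy was taken from outside the infected OS (boot media).

```python
"""Baseline, parse and compare a raw MBR (sector 0).

Added example for the thread above; not Prevx's or MbrFix's code.
Sample sectors are constructed, not taken from a real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: boot code; 440..443: disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"
PART_FMT = "<B3xB3xII"     # status, (CHS start skipped), type, (CHS end skipped), LBA start, LBA count


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    disk_sig = struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0]
    parts = []
    for i in range(4):
        status, ptype, lba_start, lba_count = struct.unpack_from(
            PART_FMT, sector, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "lba_count": lba_count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": disk_sig, "partitions": parts}


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings; an empty list means sector 0 is unchanged."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code changed (possible bootkit or boot manager install)")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    for i, (pb, pc) in enumerate(zip(b["partitions"], c["partitions"])):
        if pb != pc:
            findings.append(f"partition entry {i} changed")
    return findings


def restore_boot_code(baseline: bytes, current: bytes) -> bytes:
    """Baseline boot code + current disk signature and partition table.

    Writing only the first 440 bytes back is what keeps a partition table that
    was legitimately edited after the backup was taken."""
    parse_mbr(baseline)   # both inputs must be well-formed MBRs
    parse_mbr(current)
    return baseline[:BOOT_CODE_LEN] + current[BOOT_CODE_LEN:]


def read_sector0(device_path: str) -> bytes:
    """Read the live MBR (assumption: r'\\\\.\\PhysicalDrive0' on Windows, '/dev/sda'
    on Linux; needs admin/root).  A read-filtering rootkit can return a clean
    sector here, so compare against a copy taken from boot media as well."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a 512-byte MBR from parts (used only to construct the samples)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(PART_FMT, 0x80 if boot else 0x00, ptype, start, count)
                     for boot, ptype, start, count in partitions)
    return code + struct.pack("<I", disk_sig) + b"\x00\x00" + table + BOOT_SIGNATURE


# Constructed samples: clean baseline, same disk after a partition was added,
# same disk after its boot code was replaced.  Not real disk images.
_CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0"
_ONE_PART = [(True, 0x07, 2048, 204800), (False, 0, 0, 0), (False, 0, 0, 0), (False, 0, 0, 0)]
_TWO_PARTS = [(True, 0x07, 2048, 204800), (False, 0x83, 206848, 4096), (False, 0, 0, 0), (False, 0, 0, 0)]
CLEAN_MBR = build_sample_mbr(_CLEAN_CODE, 0x1234ABCD, _ONE_PART)
PARTITION_EDIT = build_sample_mbr(_CLEAN_CODE, 0x1234ABCD, _TWO_PARTS)
BOOTCODE_EDIT = build_sample_mbr(b"\xeb\x00\x90\x90", 0x1234ABCD, _ONE_PART)

if __name__ == "__main__":
    print("partition edit:", compare_mbr(CLEAN_MBR, PARTITION_EDIT))
    print("boot code edit:", compare_mbr(CLEAN_MBR, BOOTCODE_EDIT))
    print("after restore :", compare_mbr(CLEAN_MBR, restore_boot_code(CLEAN_MBR, BOOTCODE_EDIT)))
```

To use it on a real machine, take the baseline once from a known-clean state (ideally from boot media), store it off the disk, and later feed `read_sector0(...)` and the stored copy to `compare_mbr`. The restored sector should be written back with a tool that writes exactly 512 bytes to sector 0, and only after the partition table in `current` has been checked, since a rootkit could also have changed it.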
     