New MBR rootkit goes undetected

Discussion in 'other anti-virus software' started by MAOS, Apr 13, 2009.

Thread Status:
Not open for further replies.
  1. MAOS (Registered Member)

    http://www.prevx.com/blog/120/MBR-rootkit-changes-itself-and-strikes-again.html
  2. BrendanK. (Registered Member)

    Damn it! Last night I got an infection alert from Prevx Edge. It said:

    \\PhysicalDrive\MBR - Possible Malicious Rootkit

    And I couldn't remove or block it :(

    A scan with GMER and nothing popped up?
  3. BrendanK. (Registered Member)

    Ahh just found out GMER does NOT detect the rootkit. I'm stuffed for a little while :(
  4. TheKid7 (Registered Member)

    What is the best way to prevent a MBR Rootkit?

    Thank you.
  5. firzen771 (Registered Member)

    Unplugging your PC :D
  6. Toby75 (Registered Member)

    Wonder why Prevx didn't block it. Was it the trial version?
    Last edited: Apr 13, 2009
  7. Threedog (Registered Member)

    I also see he runs Defensewall. Wonder how it got by that?
  8. Toby75 (Registered Member)

    Seriously? Is there a way to configure HIPS to protect from this? Say for example... DriveSentry?

    Just Curious

    Thanks in advance,
    Toby
  9. BrendanK. (Registered Member)

    Yeah. :(
  10. Toby75 (Registered Member)

    Does Avira detect it? If you installed it in "safer mode" then it might pick it up.
  11. Ed_H (Registered Member)

    Wow...with all the security you are running, I am surprised it wasn't picked up!
  12. innerpeace (Registered Member)

    So how does this thing get installed? I suppose the user has to install it themselves.
  13. thathagat (Guest)

    Two questions:
    1. Could something like Sandboxie or Returnil prevent it from infecting the PC in the first place?
    2. Once infected, could something like a Rollback snapshot restore save one the pain of cleaning the mess?
  14. Osaban (Registered Member)

    Well, it says 'possible', I suppose that FPs can happen for rootkits as well.
  15. BrendanK. (Registered Member)

    Yes it could be. But the detection of this new rootkit coincides with when Prevx detected it on my computer.

    I am unsure as I did install Eaz-Fix just before that.

    So for the meantime it's better to be safe than sorry :)
  16. vijayind (Registered Member)

    As per the comments on the blog by Marco:
    So if you have a backup (I have one with MbrFix), you could apply that too.

    Plus it looks like PrevX will be kind enough to release the fix for free, so better wait a few days IMO.
    Last edited: Apr 14, 2009
  17. BJStone (Registered Member)

    Just write a new MBR and it's gone.
  18. Meriadoc (Registered Member)

    Manual removal. Load up the recovery console or repair tools by inserting the Windows disk, type fixmbr, reboot. The command writes a new boot sector which erases the rootkit.

    Edit: just read at Sysinternals of another ARK tool that detects it.

    CodeWalker
    cmcinfosecdotcom
    Last edited: Apr 14, 2009
  19. MAOS (Registered Member)

    CodeWalker didn't work on my virtual machine. I managed to get the VM infected and checked with GMER: the result is the presence of many system threads without a known origin.

    I tried CodeWalker but it says the MBR is clean :(
  20. LoneWolf (Registered Member)

    Are you using the beta or the last stable version of Prevx?
    A few days ago Prevx edge beta was giving a FP on Rollback Rx as a rootkit.

    http://www.wilderssecurity.com/showthread.php?t=225190&page=132

    Eaz-Fix is basically the same. I would send your scan log, if possible, to Prevx to check out.
    Or post in the thread linked above with your find, so if it is a FP it can be fixed.
  21. Longboard (Registered Member)

  22. EraserHW (Prevx Moderator)

    Are you using the beta version of Prevx?
    Did you install Eaz-Fix?

    If so, please send me a Prevx scan log at falsipositivi[-aT]pcalsicuro[dOt]com and I'll have a look at it :)
  23. greenhorn113 (Registered Member)

    :)
    I had the same prompt from Edge (paid) while installing Eaz-Fix and assumed it related to Eaz-Fix, so I completed the installation. I guess it must be a FP.

    gh113
  24. Sm3K3R (Registered Member)

    Wouldn't the BIOS option named BOOT VIRUS PROTECTION keep us safe against MBR rootkits?
    Or is it useless at this moment?
  25. PrevxHelp (Former Prevx Moderator)

    Hello all,
    Some programs like Rollback Rx (and maybe EAZ-fix as well) modify the MBR in a non-malicious manner but our realtime MBR scanning will detect the change and alert the user just to be safe.

    We are offering MBR rootkit cleanup for free, but the new, difficult to detect MBR rootkit is detected only in the beta version (which will be released officially this week).

    Conventional AVs can block the infection before it enters (as they do with other threats) but that doesn't help if you're already infected or if they don't have a signature for it (i.e. Conficker).

    The problem with this infection is that once it gets in, every AV simply cannot read the MBR - it is a highly intelligent rootkit which is very effective at hiding the contents from the AVs. We had to develop an alternate engine to find this file and AFAIK no one else detects it yet.

    mysec at DSLReports missed the point that what we're outlining here is NOT about the means of getting infected, it's what happens AFTER you get infected. Threats get past AVs all the time and once they're in, they can generally be removed relatively easily. This one cannot, however.
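The change detection PrevxHelp describes above (compare the MBR currently on disk against a known-good copy, which is also what vijayind's MbrFix backup gives you) can be illustrated with the following added example. It is not code from this thread, from Prevx, or from any tool mentioned here; the 512-byte MBR images are constructed in the script, and the names parse_mbr, compare_to_baseline, build_sample_mbr and read_first_sector are this example's own.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # boot code occupies bytes 0..439 of a classic MBR
DISK_SIG_OFFSET = 440        # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446      # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa" # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Parse one MBR sector into boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:           # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
    }


def compare_to_baseline(current: bytes, baseline: bytes) -> list:
    """Return a list of human-readable differences; an empty list means unchanged."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code changed")
    if cur["disk_signature"] != base["disk_signature"]:
        findings.append("disk signature changed")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes, disk_sig: int = 0x1234ABCD) -> bytes:
    """Constructed sample MBR (not a real disk image): one bootable NTFS-type partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + struct.pack("<I", disk_sig) + b"\x00\x00" + table + BOOT_SIGNATURE


def read_first_sector(device_path: str) -> bytes:
    """Read sector 0 from a raw device (e.g. r'\\\\.\\PhysicalDrive0' or '/dev/sda').
    Needs administrator/root rights; not called in the demo below."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


if __name__ == "__main__":
    baseline = build_sample_mbr(b"BASELINE-BOOTCODE")   # what MbrFix-style backup would hold
    tampered = build_sample_mbr(b"MODIFIED-BOOTCODE")   # same table, different boot code
    print("unchanged:", compare_to_baseline(baseline, baseline))   # []
    print("tampered: ", compare_to_baseline(tampered, baseline))   # ['boot code changed']
```

The check hashes the boot-code region separately from the partition table, so a legitimate repartitioning does not look like a boot-code replacement, and a boot-code replacement with an intact partition table (the case the thread is about) is still flagged. The caveat PrevxHelp raises applies directly: a rootkit that filters reads of sector 0 from inside the running OS will hand back the original bytes, so this comparison only tells the truth when the sector is read from outside the infected system (rescue media or the disk mounted on another machine), which is also why the in-OS scans reported earlier in the thread came back clean.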