New MBR rootkit goes undetected

Discussion in 'other anti-virus software' started by MAOS, Apr 13, 2009.

Thread Status:
Not open for further replies.
  1. MAOS

    MAOS Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    15
    http://www.prevx.com/blog/120/MBR-rootkit-changes-itself-and-strikes-again.html
     
  2. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    Damn it! Last night I got an infection alert from Prevx Edge. It said:

    \\PhysicalDrive\MBR - Possible Malicious Rootkit

    And I couldn't remove or block it :(

    A scan with GMER and nothing popped up?
     
  3. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    Ahh just found out GMER does NOT detect the rootkit. I'm stuffed for a little while :(
     
  4. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,397
    What is the best way to prevent a MBR Rootkit?

    Thank you.
     
  5. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    unplugging ur PC :D
     
  6. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Wonder why Prevx didn't block it. Was it the trial version?
     
    Last edited: Apr 13, 2009
  7. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I also see he runs Defensewall. Wonder how it got by that?
     
  8. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Seriously? Is there a way to configure HIPS to protect from this? Say for example... DriveSentry?

    Just Curious

    Thanks in advance,
    Toby
     
  9. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    Yeah. :(
     
  10. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Does Avira detect it? If you installed it in "safer mode" then it might pick it up.
     
  11. Ed_H

    Ed_H Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    662
    Location:
    Chicago, IL
    Wow...with all the security you are running, I am surprised it wasn't picked up!
     
  12. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,087
    Location:
    Mountaineer Country
    So how does this thing get installed? I suppose the user has to install it themselves.
     
  13. thathagat

    thathagat Guest

    two questions........
    1.could something like sandboxie..returnil prevent it from infecting pc in first place?
    2.once infected could something like rollback snapshot restore save one the pain of cleaning the mess?
     
  14. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    3,869
    Well, it says 'possible', I suppose that FPs can happen for rootkits as well.
     
  15. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    Yes it could be. But the detection of this new rootkit coincides with when Prevx detected it on my computer.

    I am unsure as I did install Eaz-Fix just before that.

    So for the mean time it's better to be safe then sorry :)
     
  16. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    As per the comments on the blog by Marco:
    So if you have backup ( I have with MbrFix ) , you could apply that too.

    Plus it looks like PrevX will be kind enough to release the fix for free, so better wait a few days IMO.
     
    Last edited: Apr 14, 2009
  17. BJStone

    BJStone Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    139
    Just write a new MBR and it's gone.
     
  18. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Manual removal. Load up the recovery console or repair tools by inserting the Windows disk, type fixmbr, reboot. The command writes a new boot sector which erases the rootkit.

    edit : just read at Sysinternals of another ark tool that detects.

    CodeWalker
    cmcinfosecdotcom
     
    Last edited: Apr 14, 2009
  19. MAOS

    MAOS Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    15
    CodeWalker didn't work on my virtual machine. I managed to get infected the VM and I checked with GMER: result is the presence of many system threads without a known origin.

    I tried CodeWalker but it says the MBR is clean :(
     
  20. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,367

    Are you useing the beta or last stable version of prevx?
    A few days ago Prevx edge beta was giving a FP on Rollback Rx as a rootkit.

    http://www.wilderssecurity.com/showthread.php?t=225190&page=132

    ExFix is basicly the same. I would send your scan log if possiable to Prevx to check out.
    Or post in the thread linked above with your find so if it is a FP it can be fixed.
     
  21. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,178
    Location:
    Sydney, Australia
  22. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    587
    Location:
    Italy / UK
    Are you using beta version of Prevx?
    Did you install eaz-fix?

    If so, please send me a Prevx scan log at falsipositivi[-aT]pcalsicuro[dOt]com and I'll have a look at it :)
     
  23. greenhorn113

    greenhorn113 Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    149
    Location:
    England
    :)
    I had the same prompt from Edge (paid), while installing Eaz-Fix and assumed it related to Eaz-Fiz so completed the installation, I guess it must be a FP.

    gh113
     
  24. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    474
    Wouldnt BIOS option named BOOT VIRUS PROTECTION keep us safe against MBR rootkits?
    Or its useless at this moment?
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello all,
    Some programs like Rollback Rx (and maybe EAZ-fix as well) modify the MBR in a non-malicious manner but our realtime MBR scanning will detect the change and alert the user just to be safe.

    We are offering MBR rootkit cleanup for free, but the new, difficult to detect MBR rootkit is detected only in the beta version (which will be released officially this week).

    Conventional AVs can block the infection before it enters (as they do with other threats) but that doesn't help if you're already infected or if they don't have a signature for it (i.e. Conficker).

    The problem with this infection is that once it gets in, every AV simply cannot read the MBR - it is a highly intelligent rootkit which is very effective at hiding the contents from the AVs. We had to develop an alternate engine to find this file and AFAIK no one else detects it yet.

    mysec at DSLReports missed the point that what we're outlining here is NOT about the means of getting infected, its what happens AFTER you get infected. Threats get past AVs all the time and once they're in, they can generally be removed relatively easily. This one cannot, however.
     
Thread Status:
Not open for further replies.