Old Hack, New Twist: When Rootkits Grab Hold of MBRs

ronjor · Feb 7, 2008

In order to turn bigger profits from their armies of compromised computers, hackers this year will use a new tactic in targeting master boot records with viruses that plant rootkits on computers' hard drives, experts warn. These infections activate during the boot sequence before the operating system starts
Click to expand...

Article

larryb52 · Feb 7, 2008

ronjor said:

Article
Click to expand...

good read, thanks Ron...

Stijnson · Feb 7, 2008

And a scary read at that...

Rmus · Feb 7, 2008

Very informative!

Some quotes:

"We started seeing this in the wild in mid-December attacking unpatched computers,"
Click to expand...

(my emphasis)

The temporary solution may only exist in users applying prudent principles of safe computing in depth, DeBolt suggested.
Click to expand...

(Why should this be just "temporary"?)

Prevention Beats Cure
One defense method that software security firms are studying is a combination of white list and black list to improve protection.It is easier to lock out untrusted programs from running on a computer than to detect and remove malware, said DeBolt.
Click to expand...

Firms are "studying" use of white list? Discussion and implementation of this has been in effect at least as far back as 2004:

www.infosec.co.uk/ExhibitorLibrary/123/An_Ounce_of_Prevention.pdf

What if we were to take a more proactive approach and determine which processes and software should be allowed to run instead? Such a whitelist approach exists today in the form of software solutions that enable enterprises to enforce a security policy for the use of approved application, denying all else by default.
Click to expand...

----
rich

Pedro · Feb 7, 2008

That on the prevention side. What about removal?

Versions of Microsoft (Nasdaq: MSFT) Latest News about Microsoft Windows such as XP have a built-in command that may neutralize these MBR infections, according to Masiello. Computer users can issue the FixMBR command in the Recovery Console to make the operating system write a new master boot record to the hard disk drive.

However, that and other methods do not always succeed, he said. For example, FixMBR will restore the master boot record to a previous state, but that state might also be infected. System Restore does not reset the pre-rootkit condition, either.

"The rootkit can survive a hard drive reformat and reinstallation of the Windows OS. The only good chance is to use a tool that wipes out sector zero," Masiello said. "Otherwise, users really can't do much about it."

Click to expand...

My bold.
So what are the best tools for this operation? After wiping, then what?

Meriadoc · Feb 7, 2008

'old hack new twist'.....yeah an old attack vector is back!

lodore · Feb 7, 2008

soon enough antivirus companies will provide removal of these threats.
as we know drweb already does.
im sure the rest will follow suit.
lodore

lucas1985 · Feb 7, 2008

Pedro said:

So what are the best tools for this operation? After wiping, then what?
Click to expand...

- Every tool that overwrites the MBR: DBAN, the zero tool from your HDD manufacturer, the built-in HDDerase command, a Linux tool CD, etc.
- After wiping, do a normal installation.

Pedro · Feb 7, 2008

Thank you Lucas.
That DBAn i knew, but it erases the whole HD. A bit extreme , although i see its usefulness. Is there a tool .. ah forget it, i'm going to search.

Mrkvonic · Feb 7, 2008

Pedro said:

That on the prevention side. What about removal?

My bold.
So what are the best tools for this operation? After wiping, then what?
Click to expand...

Hello,
Sounds terrifying, but all you need to do is simply put something into good ole MBR / Sector 0. Can be a different boot loader - BSD sounds a good choice. You can use any bootable CD to purge the sins. You can even restore the MBR by overwriting it with fixmbr from recovery console.
Mrk

controler · Feb 7, 2008

MBR viri go way back as we all know, the only new twist is ROOTKIT.

I always wondered when that would come. BIOS attacks go back as far as I know to the late 80's. Why not combine a MBR-BIOS-Rootkit?
We ourselves may be teaching these new thieves how to operate right here at Wilders.

con

BananaJones · Feb 8, 2008

I'm assuming that when the machine has a non-standard bootsector, e.g. when FDISR is installed or GRUB is present, such an MBR infection would be visible, because the non-standard MBR would have been gone... right...?

lucas1985 · Feb 10, 2008

Remember that it makes a copy of the original MBR to disguise itself and keep the PC working normally.
From the Symantec Research blog

What if I have Linux and Windows?
We decided to test this situation in the lab, using an internal hard disk with two partitions and LILO (or Grub) as boot loader. If your MBR is infected by Mebroot while in Windows (the threat will not run within Linux), the computer will still be able to boot up normally into both operating systems. While Linux is totally unaffected by this threat, and will work as normal, Windows XP will continue to run the rootkit when it finishes booting up. This was something expected, since the threat stores a backup copy of the old MBR to boot up correctly. However, this fact raises an interesting consideration: if the MBR is the weakest point in the chain, it could eventually be possible to create the first multi-platform malware targeting both the Windows and Linux kernels during the boot process.
Click to expand...

Pedro · Feb 11, 2008

All it has to do is create a folder/partition, hide it, and store our mbr, to call it and boot as usual (with the added code running). Then store executables for both OS's. Am i making correct conclusions?

lucas1985 · Feb 11, 2008

AFAIK, this MBR rootkit stores its code in the end of the disk, so the MBR hijack is only used as a loader. I think that using low-level routines one can place a relative large amount of code (for the Linux/BSD/Solaris/OS X/Windows variants) at the end of disk and lock it with the same low-level routines (marking the section as damaged for example)
Quite scary indeed and much more feasible than BIOS rootkits.

dr pan k · Feb 11, 2008

excellent rootkit detection with gmer. its free and simple..u can use it with all major AV programms. personaly i love it

http://www.gmer.net/index.php

Log in or Sign up

Old Hack, New Twist: When Rootkits Grab Hold of MBRs

ronjor Global Moderator

larryb52 Registered Member

Stijnson Registered Member

Rmus Exploit Analyst

Pedro Registered Member

Meriadoc Registered Member

lodore Registered Member

lucas1985 Retired Moderator

Pedro Registered Member

Mrkvonic Linux Systems Expert

controler Guest

BananaJones Registered Member

lucas1985 Retired Moderator

Pedro Registered Member

lucas1985 Retired Moderator

dr pan k Registered Member

Log in or Sign up

Old Hack, New Twist: When Rootkits Grab Hold of MBRs

ronjor Global Moderator

larryb52 Registered Member

Stijnson Registered Member

Rmus Exploit Analyst

Pedro Registered Member

Meriadoc Registered Member

lodore Registered Member

lucas1985 Retired Moderator

Pedro Registered Member

Mrkvonic Linux Systems Expert

controler Guest

BananaJones Registered Member

lucas1985 Retired Moderator

Pedro Registered Member

lucas1985 Retired Moderator

dr pan k Registered Member

Useful Searches