0ld 5ch00l MBR Malware

Discussion in 'malware problems & news' started by Minimalist, Sep 7, 2016.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    https://labsblog.f-secure.com/2016/09/07/0ld-5ch00l-mbr-malware/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Just about all HIPS protect the MBR, via the monitoring of "low level disk access" and/or "modification of boot data".
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    I've used Malware Defender, but when installing software I've disabled it - or put it in Install mode.
    It's harder to defend against malware that is delivered through otherwise safe installers. Telling people "Install software from trusted sources only" doesn't help here.
    Personally I now prefer to use a detect-and-restore security combination.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    I personally almost never use "Install Mode" when it comes to HIPS, because it defeats the whole purpose. This is a perfect example why it makes sense to even monitor trusted installers/apps. Most HIPS would have easily stopped this attack.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    Yes, but would it if the attack were more subtle and didn't target the MBR? What if the malware just ran (using the same executable name as the program you're trying to install) and didn't do anything "suspicious"?
     
  6. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,157
    Location:
    in a remote land :)
    Using a HIPS is all about understanding the parent-child process relationship; a decent HIPS should warn you if the child process (in this case the payload) is doing something abnormal even if the parent (the installer) is legit.
     
  7. hjlbx

    hjlbx Guest

    At some point a HIPS can fail - especially on 64 bit systems. That is why it is important to use virtualization or snapshot software when running unknown/untrusted files.

    If the file turns out to be malware, then you can revert the system to a clean state.

    Shadow Defender or Rollback RX fits the bill here; malware, and "poof" -- the system is back to its pre-infection state.

    Besides, both Shadow Defender and RX products prevent MBR modification. In my testing against MBR modifying ransomware both kept a clean system.

    The only caveat is firmware. Virtualization and snapshot can be bypassed at some level upon installation of malicious firmware.

    I like the "poof" factor. @umbrapolaris taught me that one. It works.
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    Yes, of course. The problem is that during installation there can be a lot of executables run and a lot of parent-child notifications. Since I don't know the installation procedure of all the software I use by heart, and don't know if a specific exe or msi should be run during installation or not, I would have to pause each execution attempt, find the file on disk, upload it to VirusTotal or similar, and then continue with execution if the file seems OK. There is no guarantee that pausing execution during the install wouldn't break the whole installation process. I wouldn't try to install something like Office that way. It would be just too much trouble.
     
  9. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
    Probably SS could be an answer for your needs - each alert during installation gives us the possibility to check the file on a multiscanner... earlier it was VT, now it's Virus Jotti. But it can take a lot of time and becomes a bit boring or disappointing.
    Because we don't know about all the files/processes launched during installation, we just have to rely on our experience and trust/distrust when we want to have a new app in the system... when we know the app/developer we will just trust them; when we don't trust them we should perhaps "spy" on each action of the new app in the hope of stopping dangerous/suspicious actions.
    I think there is no other way - even if we test a new app in an isolated/virtualised environment we don't know about... we can't predict... all the possible issues and consequences of the work of new apps that could happen in the future on the real system.
     
  10. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,157
    Location:
    in a remote land :)
    Or just check the hash of the installer before executing it.

    Yep, "poof" always wins ^^
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    Yes, checking the hash of the installer against a hash from some other source (if it is posted) is probably the best way to avoid such problems. In case of intrusion, a restore is IMO also the best course of action.
     
  12. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,157
    Location:
    in a remote land :)
    Indeed, before, cleaning an infected computer was easy: just some files and reg keys to delete; now malware has become so complex and possesses such heavy obfuscation methods that you have to be very experienced and spend hours using sophisticated tools to be sure the system is really clean.

    Hours vs minutes, a backup always wins (even a clean install is faster).
    I personally use Rollback RX; it took seconds to discard changes to my system.
     
  13. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    I use an "old school" counter measure. I wrote a script that compares the "current/mounted system's" MBR to a saved copy, which is known to be solid and clean. The script quickly runs a sha256 against the two MBR files (current and proven) and reflects whether or not the checksums match. Even one byte changing would cause a mismatch and set off a flag. Simple and old school. It takes like a second or two to sha256 two 512 byte files! Every other sector on my drive is encrypted, so this is the danger area and a vulnerable location for attack. This counter measure, while simple, is strong on security.
     
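The two checks discussed above, hashing an installer before running it and comparing the current MBR against a saved known-good copy, worked through as an added example. This is not the poster's script and not code from the F-Secure article; it assumes the MBR is the raw first 512 bytes read from a block device or a disk image (`/dev/sda` on Linux, `\\.\PhysicalDrive0` on Windows, both needing root/admin), and the sample MBRs and partition entries it checks are constructed in code, not taken from a real disk. It goes one step beyond a single sha256 of the whole sector: the boot code (bytes 0..439), the disk signature, the partition table and the 0x55AA signature are hashed separately, so a bootkit overwriting the bootstrap code is distinguishable from a legitimate partition-table edit that would otherwise also trip a whole-sector hash.

```python
"""MBR integrity check (added example, not the forum poster's own script).

Regions are hashed separately so that a changed boot sector can be told apart
from a changed partition table. Sample MBRs below are constructed, not real.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 440       # bytes 0..439: bootstrap code (what a bootkit overwrites)
DISK_SIG_END = 446        # bytes 440..445: 4-byte NT disk signature + 2 reserved bytes
PART_TABLE_END = 510      # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def read_mbr(path):
    """Read the first sector of a block device or image (root/admin needed for a device)."""
    with open(path, "rb") as f:
        data = f.read(MBR_SIZE)
    if len(data) != MBR_SIZE:
        raise ValueError(f"{path}: expected {MBR_SIZE} bytes, got {len(data)}")
    return data


def split_mbr(mbr):
    """Slice an MBR into its four regions so each can be hashed on its own."""
    return {
        "boot_code": mbr[:BOOT_CODE_END],
        "disk_signature": mbr[BOOT_CODE_END:DISK_SIG_END],
        "partition_table": mbr[DISK_SIG_END:PART_TABLE_END],
        "boot_signature": mbr[PART_TABLE_END:MBR_SIZE],
    }


def region_hashes(mbr):
    """Hex SHA-256 per region; store this as the 'proven clean' reference."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in split_mbr(mbr).items()}


def compare_mbr(current, known_good):
    """True per region when its hash matches, plus the offset of every changed byte."""
    cur, ref = region_hashes(current), region_hashes(known_good)
    report = {name: cur[name] == ref[name] for name in cur}
    report["valid_boot_signature"] = current[PART_TABLE_END:] == BOOT_SIGNATURE
    report["changed_offsets"] = [i for i in range(MBR_SIZE) if current[i] != known_good[i]]
    return report


def parse_partitions(mbr):
    """Decode the non-empty partition entries (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, DISK_SIG_END + 16 * i)
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def hash_chunks(chunks):
    """SHA-256 over an iterable of byte chunks (installers are too big to slurp)."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def file_sha256(path):
    """Hash a downloaded installer for comparison with the vendor's published hash."""
    with open(path, "rb") as f:
        return hash_chunks(iter(lambda: f.read(1 << 20), b""))


# --- constructed sample data (assumption: not a real disk) -----------------------

def partition_entry(bootable, ptype, lba_start, sectors):
    """Build one 16-byte partition entry; the CHS fields are dummy values."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\x01\x01\x00",
                       ptype, b"\xfe\xff\xff", lba_start, sectors)


def build_sample_mbr(entries, boot_code=None):
    """Assemble a synthetic MBR: boot code + disk signature + table + 0x55AA."""
    if boot_code is None:
        boot_code = bytes((i * 7) & 0xFF for i in range(BOOT_CODE_END))
    table = b"".join(entries) + b"\x00" * (16 * (4 - len(entries)))
    mbr = boot_code + b"\x12\x34\x56\x78\x00\x00" + table + BOOT_SIGNATURE
    assert len(mbr) == MBR_SIZE
    return mbr


if __name__ == "__main__":
    known = build_sample_mbr([partition_entry(True, 0x83, 2048, 204800)])
    # Bootkit-style tamper: first 16 bytes of boot code replaced, table untouched.
    tampered = build_sample_mbr([partition_entry(True, 0x83, 2048, 204800)],
                                boot_code=b"\x90" * 16 + known[16:BOOT_CODE_END])
    print(compare_mbr(tampered, known))
    # Legitimate change: a partition added; boot code still matches.
    repart = build_sample_mbr([partition_entry(True, 0x83, 2048, 204800),
                               partition_entry(False, 0x82, 206848, 4096)])
    print(compare_mbr(repart, known), parse_partitions(repart))
```

In use, `region_hashes(read_mbr("/dev/sda"))` is what you save once from a trusted state, and `compare_mbr(read_mbr("/dev/sda"), saved_copy)` is the check to run at boot or on a schedule; `file_sha256("installer.exe")` is compared by eye or by string equality against the hash the vendor publishes. The per-region split matters for the caveat a whole-sector hash hides: a partition created by the OS changes bytes 446..509 but never bytes 0..439, while the MBR malware this thread is about does the opposite.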
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    I'm not following you; malware will always try to achieve some goal and a HIPS will alert about all possible suspicious behavior. But it depends on the user's knowledge in order to decide if it's normal behavior or not. Let's say they replaced Classic Shell with a "Trojanized" version that didn't target the MBR, but wants to log keystrokes, accept incoming connections and install a service or driver. All of those actions would be suspicious for a tool like Classic Shell, so you would already know that there is something wrong. That's why I have always been a fan of HIPS, it's the last line of defense.
     