Alternative Corrective MBR Procedures

Hi All.

The tale of MBR disruptive malware is already been heavily discussed and many security apps have rushed in to shore up protection against the possibility of these MBR breakers in XP, NT Systems.

But i want to touch on any alternative methods to undoing an MBR attack after it's already been distorted.

Can anyone offer an ideal recovery method should say a KillDisk or any other MBR scrambler has run it's code effectively rendering your system unbootable.

I was thinking along the lines of turning to simple utilities maybe like MBRWhiskey, Beeblebrox or the like where a user has SAVED the partition table and/or MBR to a file on a floppy which could be used to start up the PC so affected and just overwrite/replace the malware code with either the Saved PartitionTable file or whole MBR itself.

Couldn't even a backup program that restores the MBR to default setting reset the MBR enough that a user could then at least boot up again from such an attack?

This is out of my line of expertise completely and why i pose this question now for a workable alternate solutions.

In my opinion, and i could be wrong, a virus can so disrupt the code of an executable file that "cleaning" is useless, could the same happen with tampering of the MBR/Partition Table? leaving as an only alternative a complete restore via a back up image?

Since the MBR Code contains only a few lines it doesn't seem that big a task to re-write former values back again but realize it would have to be done from a ladder so to speak such as floppy or CD Utility Disk i assume. Can XP Install in Repair mode fixmbr/fixboot also discharge the bad code for good again?

Thanks

 

Microsoft's disk drivers have a rare bug that only appears when you try to access certain kinds of corrupted partitions/partitions tables. This bug causes a BSOD when you use any software which relies on those drivers to access fixed storage, including the XP install disk and any disk-imaging app that uses BartPE/WinPE/VistaPE as the recovery environment.

 

Yes but a person who is in urgent need to fix the MBR,has no need for your explanation,though it maybe correct.
What do you mean by '' certain kinds '',could it be virus of some kind or tampering with it yourself (bootloader stuff) ?

 

Let's eliminate for the time being bootloaders and i'm focused more on MBR viruses/trojans specifically such as the type Peter2150 tested on FD-ISR i believe this last summer. Now if i understand it right his predicament was made more complicated due to his RAID setup, or maybe i'm wrong in that assumption. He will surely read this and can offer more in the way of details of how he handled it, which i believe deleted the infected partition entirely and restored with ShadowProtect w/ all pertinent MBR/Partition Table code preserved included.

I want to review if exists an alternative method for dealing with such a severe attack on the MBR for topic's sake from at least a single drive overview/setup perspective only.

It was of my belief that the KillDisk trojan (here we go again LoL) rendered his disk or rather partition table so disrupted that the only choice was to completely dismiss it by deletion with DiskPart? i think? My mind is not so clear on the exacts, since this is been awhile back, but i'm curious if third party programs on CD disks or Floppy for those who still use them, would be able to counter such a disruption/corruption by virus/trojan that a user might could just enter his O/S alternatively and simply restore back those files provided of course they were saved to begin with using apps like Beeblebrox maybe, MBRWhiskey to name two (modified to save important MBR/Partition Sectors and even Heads wherever that comes into play.

We go about depending on apps that been improved to better prevent these type problems but the curiosity and question is can they still be successfully dealt with by other means i just mentioned AFTER already affected without resorting to a restore image and/or deleting MBR/PT to affect the removals of such a boot virus.

Thanks

 

I know where you going with this in answer to your first post. Yes a recovery solution can be available. Modifying the MBR is possible from within Windows. I have done it this way. MBR recovery doesn't have to be run from another storage source so the MBR can be easier to fix. These Rootkits have there main code living in the MBR even if they didn't, if you restore the MBR you take out the Rootkit.

I haven't been reading the threads on MBR rootkits and i know you asked for a cure which i'll address also. I am aware of certain rootkits like MebRoot and what immediately springs to mind thinking about protecting the MBR and eliminate 'anything' including rootkits writing to the MBR is using the 'Boot Block Protection' BIOS option which most motherboards have. Nothing can write to the BIOS if this is enabled. If you have it enabled you can't install Windows as this needs to install a MBR and XP does warn you if you do, which is good if you forget to turn it off when you decide to reinstall. You could get a similar error or warning restoring an image but haven't tested this. If you got into the habit of turning this BIOS option on after installing Windows but this would prevent certain recovery software working that updated the MBR from time to time like Eaz-Fix.

 

hmm not sure but erm my paragon linux based recovery cd has an update mbr option?

also if its a trojan that has modified the mbr soon you will be able to use the drweb live cd based on linux to cure the mbr. its in beta atm.

 

I not sure where you going with this..The bug is very rare. This same bug would still manifest itself if partition software accessed it. What's that got to do with writing a standard MBR back? How can you boot into Windows if the partition table is corrupted so bad? You can write to the MBR from within Windows. You don't need to use it from a recovery disk unless certain software prevented you from writing there and then you could do it from Dos or Windows Recovery Cd.

 

Thanks lodore for the notice on the upcoming DrWeb Live CD, but markymoo hit on a real concern here, and thats the partition table corruption ordeal, and i know there are third-party apps suited to save an NT Based O/S PT, it's just a matter of getting all these ducks sorted and in a roll and especially some proof they will make for an always reliable suitable recovery of an affected PT.

 

Ask to Peter and Osaban. Some type of corruptions render the system unbootable and when you try to access it with MS-based tools (even the XP install CD), you get a BSOD. Nate of StorageCraft discovered that it's a Microsoft bug in the disk driver.

 

EASTER, are you looking for a tool like hdhacker here:
http://dimio.altervista.org/eng/

 

Boot loaders aside, let's say you running XP. A generic XP MBR boot record restored back would kill the Rootkit and boot you back into XP fine.

The MBR is 512 bytes. MBR software backups and restores those 512 bytes. The last 64 bytes of those 512 bytes contain the details of the primary partition table.

Now if you backed up the MBR(those 512 bytes) which would include the partition data and saved it on your drive for later recovery from such a MBR rootkit attack. You could restore it back and you back in Windows successfully rootkit free

Now what if you did the same backup of the MBR as above and then at some stage modify your partition size to smaller or bigger or create extra partitions and then sometime after that you got a MBR rootkit infection. You would restore back the saved MBR backup and reboot but now all your data is screwed, corrupted and the partition size(s) is wrong. The last saved MBR didn't have the updated new partitions or size . You must update the MBR after doing any partition changes.

Now if you just backed up the MBR the first 446 bytes of the 512 bytes this wouldn't include the partition table. The partition table is the last 64 bytes. You wouldnt destroy the partition table but you would destroy the rootkit .

So...if you backup the first 446 bytes and sometime later you resized or created new partitions and then sometime later you get infected with a MBR rootkit infection and you restored the same MBR backup you partition tables would still be valid and all your data would still be intact .

As an even extra safety i recommend not just backing up the MBR which is the first sector but also backing up the entire first 63 sectors. That way when you restore sectors 1 to 63 back you get rid of the actual rootkit code.

 

I believe the Ultimate Boot CD for Windows has a number of partition tools for saving and restoring the MBR.

 

If you have dual boot with a unix system, or a linux live CD, you can use dd to save the MBR.
See http://www.sysdesign.ca/guides/partitions.html for details (and warnings!).

 

Now Easter you say Boot loaders aside but a MBR rootkit is really a nasty boot loader and can occupy more than the first MBR 512 bytes storing the real rootkit code at the end of the disk. The other 63 sectors is all boot code useable space for the rootkit to use. In those first 446 bytes where the rootkit hangs out is a jump code to an address location in the other 63 sectors. Now the reason fixmbr from the XP recovery console works and kills it is it just restores back a standard XP MBR to the first 446 bytes and not over the other 63 sectors, and in doing so it overwrites the jump code to those other 63 sectors which would run the rootkit. It doesn't write over the actual rootkit, but overwriting the first sector it disables it. So a safe standard MBR has no code in those 512bytes to tell it to read past sector 0 , it jumps to the start of the partition at sector 63. The rootkit wouldn't mess with the partition tables as it would still want Windows to boot for it carry out it's nastiness.

 

I suggest a better recovery solution to using the XP recovery console fixmbr or other to manual way would be a 'automated' backup and recovery that would launch MBR software from CD or USB which backups the MBR and partition tables first time use and then in the future an automated restore of the MBR killing the rootkit and protecting the partition tables or a choice of restoring as well and another option for wiping the entire 63 sectors so the nasty rootkit is gone for good .

 

This one is perfect-Super F disk-will do all that plus a lot more very simply-freeware.

Use and restore from floppy or CD

Will also carry out disk surface tests.

get it here

.

 

Why dont you try it-small download etc.

Doubt if that array is that common.

It will also make toast

 

Thanks Hairy Coo. That looks like exactly the alternative that i'm trying to achieve in such a case. My worse fear of all is if some malicious drive disruptor code is devised to gibe a user that dreaded I/O Fault, i hate those and only been able to recover from only one of those deadly warnings because if nothing can even identify the disk at all, theres nothing there to work with. And i run into a few of those before and chalked it up as a bad drive but you and i know thats really not always the case.

A smart programmer can chart an exact course to produce that error when in reality the drive may be perfectly sound after all.

 

Easter,
Hope it works

 

I see create boot disks, i assume thats expected but i sure don't find anyplace at all in it to SAVE or RESTORE Partition Tables. Am i missing something? IT ALSO briefly throwed out a demo mention while installing. Got it from major Geeks, is this the same one?

REVIEWS!

 

Easter,

When you are at MajorGeeks-DONT get it from the authors site-use the first MG site-the download should be 2.5mb and be called SDisk ,as a zip file.

Had the same prob,at the main site,what you get is a trial version of Partition Manager only!

The current version of Super FDisk is 2-as far as I'm aware its fully functional but havent had a need to use it for restore.

 

Looks like the author raided all the mirrors with the demo version now, but thats ok, theres still others, in fact markymoo has some pretty impressive app references that save and restore PT Table etc. i need only to run a Wilder's search for sure to find them.