Help! Do I have a MBR Rootkit?

Discussion in 'Prevx Releases' started by ssmithct, Jul 31, 2009.

Thread Status:
Not open for further replies.
  1. ssmithct

    ssmithct Registered Member

    Joined:
    Jul 31, 2009
    Posts:
    6
    Prevx 3.0 has removed the same file 3 days in a row. I believe I got it from my buddy's copy of Adobe Illustrator CS3. I don't know where he got it...

    [28/7/2009 15:48] The file [\\.\PhysicalDrive0\MBR] has been removed and contained a threat of type [Possible MBR Rootkit] - Identity: 0000000000000000000000000000000000000000

    [29/7/2009 17:36] The file [\\.\PhysicalDrive0\MBR] has been removed and contained a threat of type [Possible MBR Rootkit] - Identity: 0000000000000000000000000000000000000000

    [31/7/2009 12:53] The file [\\.\PhysicalDrive0\MBR] has been removed and contained a threat of type [Possible MBR Rootkit] - Identity: 0000000000000000000000000000000000000000

    Interestingly, I did not use Adobe Illustrator on 7/30 and no threat was detected / removed that day.

    Anyone know what's going on here and what I can do to fix it? Will simply uninstalling the Illustrator software clear it up or is this thing now fully entrenched in my system?

    Thanks in advance for any input.
     
  2. wtsinnc

    wtsinnc Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    943
    Hello ssmithct;

    I don't believe a rootkit will be dependent on whether or not you run a particular application;
    either it's there or it's not.

    Have you submitted this information to Prevx ?

    In case you haven't done so yet, scan with another security application;
    MBAM and A-Squared (free versions of both will do nicely) and see if either or both detect the same suspect file.

    Submitting to VirusTotal would also be a good idea.
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    Since Prevx is reporting this problem, I have moved the thread to the Prevx support forum.
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    I'd suspect that your copy of Illustrator is infected with something that is infecting the MBR. If you'd like us to try and find the source of the infection, could you send us the executables which you received originally that installed Illustrator (to report@prevxresearch.com)? We will analyze them to see what is causing the infection to be dropped and report back. Also, if you could send a scan log to report@prevxresearch.com as well by clicking Tools > Save Scan Results, we will see if there are any obvious signs of infection.

    The MBR rootkit check is quite reliable so I do suspect something is modifying your MBR and the fact that it is coming from Illustrator increases my suspicion... unless Adobe has started integrating operating system loaders as part of their JPEG processing :D
     
  5. ssmithct

    ssmithct Registered Member

    Joined:
    Jul 31, 2009
    Posts:
    6
    Ok, I sent two .exe files my buddy said were "cracked" (one for photoshop and one for illustrator) as well as a scan log to report@prevxresearch.com. Prevx removed the same file again tonight...

    Will one of the free security apps find this infection if prevx has removed it? I believe that it is reinstalled every time I launch illustrator or photoshop using these "cracked" .exe files...

    Thanks so much for looking into this...
     
  6. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Hey buddy the first thing is that you should not be using CRACKED programs, that's why you keep getting infected! :mad:

    TH
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Indeed :doubt: However, we haven't received the samples, ssmithct - could you please try sending them with the restrictions in this post: https://www.wilderssecurity.com/showthread.php?t=245129 or by using a file sending service?

    But in general, it would definitely be advisable to stay away from cracked software, especially Adobe Illustrator which is a massively feature-full and complex program that has required many years and millions of dollars to develop. As many economists will tell you, there is no such thing as a free lunch and if you think you're getting software for free that other people have paid money for - you aren't.
     
  8. ssmithct

    ssmithct Registered Member

    Joined:
    Jul 31, 2009
    Posts:
    6
    You're right TH. I learned my lesson. I wasn't sure what he meant when he said "cracked" and to be honest, I didn't want to know. I was more concerned with using the software. I just assumed "cracked" was his way of saying that he did something so that I wouldn't need to register it using his license key. This is what I get. Let it be a lesson to everyone... it's not worth the hassle. I'll follow the instructions to send the exe's.
     
  9. ssmithct

    ssmithct Registered Member

    Joined:
    Jul 31, 2009
    Posts:
    6
    ok file went through. I had to change the .exe to ".xex" in the RAR archive so that gmail would let it go through.
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thanks - we've analyzed the file and you have managed to avoid the majority of the infection because you're using a 64bit operating system. It's hard to say what else has been added/changed in the program itself so we do recommend that you use something else (i.e. the free Paint.NET http://www.getpaint.net/download.html#download) and not run these programs anymore.

    However, it does not appear that the infection has spread elsewhere so your system should otherwise be fine.
     
  11. ssmithct

    ssmithct Registered Member

    Joined:
    Jul 31, 2009
    Posts:
    6
    So what exactly does this infection do? Can you tell what its endgame is? How were you able to determine that the 64 bit OS prevented further damage? Can you see evidence of it in the scan log? I'm just curious...

    Thanks so much. And yes, the software has been removed.

    ss
     
    Last edited: Aug 3, 2009
  12. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Good to hear :thumb::thumb::thumb::D:D:D

    TH
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The MBR rootkit installs itself below Windows in the area of your harddisk where the operating system loads from, and then jumps into the operating system to infect directly. While this is a very powerful technique for malware authors, it is also very system dependent and therefore it frequently won't work on different computers. Because of the low market share of 64bit operating systems, the malware authors aren't focusing much on them and definitely not focusing on them for the in-the-wild MBR rootkits.

    So, the 64bit OS didn't directly prevent it, per se, but the unpopularity of that architecture prevented that variant from operating properly.

    Please let me know if you need anything else! :)
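
Added example, not part of the original thread and not Prevx's own code: a minimal baseline check for the boot sector described in the post above, which hashes the bootstrap code area of a 512-byte MBR separately from the partition table so that a replaced loader shows up even when the partitions are unchanged. The function names and the sample sectors are constructed for illustration; `read_first_sector` assumes a disk image or a raw device opened with administrator rights.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440   # bytes 0-439 hold bootstrap code; 440-445 hold the disk signature
TABLE_OFF = 446       # four 16-byte partition entries, then the 0x55AA marker

def read_first_sector(path):
    """Read sector 0 from a disk image (or a raw device, given admin rights)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)

def parse_mbr(sector):
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype:
            parts.append((i, status == 0x80, ptype, lba, count))
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }

def diff_against_baseline(baseline, current):
    """Return a list of findings; empty means the sector matches the baseline."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not new["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("bootstrap code changed")
    if old["partitions"] != new["partitions"]:
        findings.append("partition table changed")
    return findings

def make_sample(boot_fill):
    """Constructed sector: filler boot code plus one active NTFS-type (0x07) partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return bytes([boot_fill]) * 446 + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    clean, altered = make_sample(0x11), make_sample(0x22)
    print(diff_against_baseline(clean, clean))
    print(diff_against_baseline(clean, altered))
```

The baseline has to be captured while the machine is known to be clean, ideally from boot media outside the installed operating system, since a rootkit of this kind can return the original sector to reads made from inside Windows.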
     
  14. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    PrevxHelp

    What's this, favouritism or what ?

    " Please let me know if you need anything else! "

    You never asked me that. A hundred $ would be nice lol.
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    :'( :doubt: :( :oops: You can let me know if you need anything else also of course :D
     
  16. ssmithct

    ssmithct Registered Member

    Joined:
    Jul 31, 2009
    Posts:
    6
    I'm just wondering what this infection does once it's on your system. Does it steal information and send it somewhere? Is there a way to figure that kind of thing out?

    Thanks again for all your help.
     
  17. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Use one Computer to work as a server. Connect another Computer to this "server" and infect it with the sample. Use Wireshark and several other tools to detect what is going on...

    Btw.: Very often the infected PC will be part of a "Bot-Net".
     