MBR Rooted

Discussion in 'malware problems & news' started by Cretemonster, Jan 2, 2008.

Thread Status:
Not open for further replies.
  1. Cretemonster

    Cretemonster Registered Member

    Joined:
    Mar 31, 2005
    Posts:
    79
    Something we were tinkering with at another forum; this is one for the AV/FW specialists to figure out a countermeasure. :eek:

    Unless it stumbles, you won't see it at all. If you just so happen to have a packet sniffer running directly between the WAN and a router, you may see the traffic.

    All in all, I think Gmer did a great job with this one, and it will prove most useful to have the repair feature in the new gmer. Outside that, you're gonna need a CD and fixmbr; a format just won't do.


    Gmer's write-up can be found here:
    http://www2.gmer.net/mbr/

    Cheers folks,
    MJ :gack:
     
  2. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Scary stuff, MJ, but kudos to you and Blender for the bust of the ITW dropper, and to GMER for the excellent write-up. :thumb:
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    So presumably restoring an image that restores the MBR and track 0 would nail this thing. Correct?
     
  4. Cretemonster

    Cretemonster Registered Member

    Joined:
    Mar 31, 2005
    Posts:
    79
    In theory, sounds good to me. As long as the MBR is rewritten by whatever means, it would have the disabling effect on the infection but leave some droppings around to clean up. I did not have time to fully test against a format or image process; it was enough to gather up enough information to pass along to Gmer, who knows what all this means in the end.

    To see if this evolves will be the interesting part.
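Peter2150's question above (restoring the MBR and track 0 from a known-good image) points at a check a defender can script: hash the boot-code region of the MBR from a clean image and re-compare it later, since an infection of this kind replaces the boot code while leaving the partition table intact so the system still boots. The following is an added example, not code from the thread, GMER or Prevx; the two 512-byte sectors are constructed for the demonstration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440     # bytes 0..439 hold the boot code, which an MBR infection overwrites
PART_TABLE_OFF = 446    # four 16-byte partition entries follow
BOOT_SIG_OFF = 510      # a valid MBR ends with 0x55 0xAA

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into the pieces worth checking."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        e = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        lba_start, sectors = struct.unpack("<II", e[8:16])
        if e[4] != 0:  # partition type 0 means an unused slot
            parts.append({"bootable": e[0] == 0x80, "type": e[4],
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }

def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot code no longer matches the hash taken from a clean image."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: the given boot code, one NTFS-type partition, 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 2_000_000)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)

# Constructed inputs: a "clean" sector whose hash is the baseline, and a "tampered" one
# whose boot code was replaced while the partition table is intact (so it still boots).
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 5)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, parse_mbr(mbr)["signature_ok"], boot_code_changed(mbr, BASELINE))
```

On a real machine the sector comes from a raw read of the first 512 bytes of the physical disk (an administrator-only operation), ideally taken from outside the running OS, because a rootkit that hooks disk reads can hand back the clean sector to tools running on the infected system.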
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    I wonder how this thing behaves if the MBR is taken up by another bootloader, like GRUB, LILO ...
    Mrk
     
  6. Cretemonster

    Cretemonster Registered Member

    Joined:
    Mar 31, 2005
    Posts:
    79
    Would you like to find out? It is possible to find a loader again if you have the environment and time to investigate.
     
  7. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    tmpms45.exe or ldo2?
     
    Last edited: Jan 3, 2008
  8. Cretemonster

    Cretemonster Registered Member

    Joined:
    Mar 31, 2005
    Posts:
    79
    tmpms45.exe in the userprofile folder works. :p
     
  9. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    csi_mbr.jpg
     
    Last edited: Jan 25, 2008
  10. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That's really great! :thumb:
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Interesting, the plot thickens again as well as some in the interceptor's group.

    Could it be this MBR disruptor thing is beginning to try to gain some steam? :ouch:
     
  13. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Am I correct in assuming that Prevx CSI finds and tackles this particular nasty rootkit (according to the screenshot above it does, but I'd like to be certain)?
    What version of Prevx CSI has this detection (the latest version I have been able to download is v1.2.101.109)?
     
  14. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    This new version of Prevx CSI will be released *really* soon
     
  15. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    :thumb: :thumb: :thumb: :thumb: :thumb:
     
  16. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Can you test Prevx 2.0 too, or is the result the same?

    [OFFTOPIC]Why Prevx CSI and Prevx 2.0 price is same?[/OFFTOPIC]
     
  17. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    You can use Gmer to make a false positive Stealth.MBR:

    Go into System Pid 4 thread:
    suspend gmer.sys => manual creation of false alarm.

    (Offtopic: Hey NAS, the thing you use as an avatar I hit and buried some time ago in my dreams.)
     
  18. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    How does one use GMER? I have downloaded gmer.zip from the site, but from there I don't really know what to do. I can scan but the info in the screen is not clear to me and I even think that the scan hangs at some point.
    Am I missing something?
     
  19. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Hi EraserHW, at the moment Prevx CSI determines three OA files as 'threats'. These are clearly FPs since the three files (OADriver.sys, OAmon.sys, OAnet.sys) are legit drivers. Will this be fixed as well?
     
  20. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Thanks for the report. I should have fixed them. Anyway, if not, please send me the CSI log.

    Best regards,

    Marco
     
  21. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    Would have been nice to see an answer to this question.


    Mike
     
  22. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    I'm running version 1.2.101.109 of CSI. Is it fixed in that version as well? The new version isn't available yet, right?
     
  23. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Gmer handles OA as threat too.

    Besides, this screen is from June 2007. I already had sector errors on my HD; maybe this had a relation to Stealth.MBR, don't know:
    http://i27.tinypic.com/ckuoy.jpg
     
  24. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    What exactly do these MBR Rootkits do (apart from infecting your MBR)?
     
  25. Cretemonster

    Cretemonster Registered Member

    Joined:
    Mar 31, 2005
    Posts:
    79
    Latest drop found in the wild, scan results.

    ~VT link removed. - Ron~

    All this BS.... What we detect in the wild can be fixed up in a matter of seconds by these clowns.

    There is yet another I have to circulate; only 2 detect it. The root itself looks modded already, and it did its job quite efficiently without any reboots.

    Nothing left in pending, nothing in tmps, and if I had not been searching for the service, I'd not have known what was onboard.

    Good luck out there folks..:thumbd:

    EDIT:

    ~VT link removed per Policy. Ron~

    The next guy in line after this trashes most all AVs, so how would one defend against that.... LUA?
     
    Last edited by a moderator: Feb 4, 2008