MBR Rooted

Something we were tinkering with at another forum,this is one for the AV/FW specialist to figure a countermeasure.

Unless it stumbles,you wont see it at all,if you just so happen to have a packetsniffer running direct WAN to a router,you may see the traffic.

All in All,I think Gmer did a great job with this one and it will prove most useful to have the repair feature in new gmer,outside that,your gonna need a cd and fixmbr or format just wont do.


Gmers write up can be found here
http://www2.gmer.net/mbr/

Cheers folks,
MJ

 

Scarey stuff MJ but kudo's to you and Blender for the bust of the ITW dropper and GMER for the excellent writeup

 

In theory,sounds good to me,as long as MBR is re written by whatever means,it would have the disable effect on the infection but leave some droppings around to clean up,I did not have time to fully test against a format or image process,it was enough to gather up enough information to pass along to Gmer whom knows what all these means in the end.

To see if this evolves will be the interesting part.

 

Hello,
I wonder how this thing behaves if the MBR is taken up by another bootloader, like GRUB, LILO ...
Mrk

 

Would you like to find out,it is possible to find a loader again if you have the enviroment and time to investigate.

 

tmpms45.exe or ldo2?

 

tmpms45.exe in userprofile folder works.

 

nice

Thanks,

Chris

 

That,s really great!

 

Interesting, the plot thickens again as well as some in the interceptor's group.

Could it be this MBR disruptor thing is beginning to try to gain some steam?

 

Am I correct in assuming that Prevx CSI finds and tackles this particular nasty rootkit (according to the screenshot above it does, but I'd like to be certain)?
What version of Prevx CSI has this detection (the latest version I have been able to download is v1.2.101.109)?

 

This new version of Prevx CSI will be released *really* soon

 

Can you test Prevx 2.0 too or is the result same?

[OFFTOPIC]Why Prevx CSI and Prevx 2.0 price is same?[/OFFTOPIC]

 

You can use Gmer to make a false positive Stealth.MBR:

Go into System Pid 4 thread:
suspend gmer.sys => manual creation of false alarm.

(Offtopic: Hey NAS the thing you use as avatar I hit and burried sometimes ago in my dreams.)

 

How does one use GMER? I have downloaded gmer.zip from the site, but from there I don't really know what to do. I can scan but the info in the screen is not clear to me and I even think that the scan hangs at some point.
Am I missing something?

 

Hi EraserHW, at the moment Prevx CSI determines three OA files as 'threats'. These are clearly FP's since the three files (OADriver.sys, OAmon.sys, OAnet.sys) are legit drivers. Will this be fixed as well?

 

Thanks for the report. I should have fixed them. Anyway, if not, please send me CSI log.

Best regards,

Marco

 

would have been nice to see an answer to this question.


Mike

 

I'm running version 1.2.101.109 of CSI. Is it fixed in that version as well? The new version isn't available yet, right?

 

Gmer handles OA as threat too.

Beside this screen is from june 2007, I already had sector errors on my hd, maybe this had a relation to stealth.mbr, don´t know:
http://i27.tinypic.com/ckuoy.jpg

 

What exactly do these MBR Rootkits do (apart from infecting your MBR)?

 

Latest drop found in the wild,scan results.

~VT link removed. - Ron~

All this BS....we detect this in the wild can be fixed up in a matter of seconds by these clowns.

There is yet another I have to circulate,only 2 detect,the root itself looks modded allready and it did its job quite efficiently without any reboots.

Nothing left in pending,nothing in tmps and if i had not been searching for the service,Id not have known what was onboard.

Good luck out there folks..

EDIT:

~VT link removed per Policy. Ron~

Next guy in line after this,trashes most all AVs,so how would one defend against that....LUA?