MBR Rootkit versus HIPS/ Sandboxes

Discussion in 'other anti-malware software' started by aigle, Jan 10, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Isn't this that Ring 0 thing, which also modified the MBR. IF so Defense Wall and Sandboxie did fine. The other HIPS also did if you answered the questions right.

    Pete
     
  3. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    Hi Pete, have you tested the Sandboxie/Defense Wall with the cleanMBR?

    I am thinking if the Sandboxie virtualization will prevent the directly hardware port I/O.

    Thanks.
     
  4. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I can check it out with DW in case I had this sample.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ilya, I have PMed u the link for this rootkit.
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Lol, logical.
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    For the record, TF failed to detech this trojan thanks to no low-level disk access protection.

    Perhaps they'll finally add some rules for this, as well as some other long-since much-needed ones. :)
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039

    Sandboxie has protected against this yes. With the version of DF I tested I'd be surprised if it didn't also pass. I don't remember testing. May do some retesting to verify, but Sandboxie, has passed anything I've done with it.

    Pete
     
  9. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello aigle,

    I already sent a sample to Ilya a couple of days ago. His response was that the latest version of DefenseWall(v2.10) was able to contain and prevent it from doing any damage.


    Peace & Gratitude,

    CogitoErgoSum
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Just runed it though DefenseWall 2.10 under Virtual PC and VirtualBox- had no single issue with it. Unfortunately, I couldn't make it write to MBR, but anyway... Naturelly, this test is not really independent :), so, you may try it by yourself.
     
  11. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello aigle,

    With Vista 32, Shadow Defender in "Protected Mode" and Primary Response SafeConnect disabled, I personally tested and can confirm that DefenseWall v2.10 does in fact contain and prevent the mbr rootkit from doing any damage.


    Peace & Gratitude,

    CogitoErgoSum
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    This is interesting.

    After some further testing on my copy of the sample, I couldn't detect any write requests to the boot sector either.

    Does your copy drop a file to the temp folder and install it as a global hook, too, by any chance?
     
  13. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, but trying to erase its own file directly and with "delayed delete" it is the right behavioural sequence.
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Now I'm beginning to get the feeling that what we have on our hands here isn't the bootkit at all.
     
  15. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, I have the same feeling. OK, lets dig for the right one. Other hand, I just sent the sample to virustotal and Symantec said it is the right Mebroot trojan sample.
     
  16. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hey guys,you might have the right kiddie afterall but trust me this no biggie to do battle with for any software such as HIPS/sandboxing and VM ;)

    RE MBR infection.

    Once the first file is executed it drops a .tmp file in <userprofile temp> folder.
    It then registers a service to load this file at boot.

    http://img174.imageshack.us/img174/6369/autorunsiv0.jpg

    This .tmp file if uploaded to VT service will return a lot of hits as Sinowal C/Gen type.

    Here's the biggie where it falls over as an efficient RK(or malware) installer,inorder for the service(file)to run it needs a reboot:D

    FWIW on the next session on a properly configured SW firewall will capture svchost phoning to the mothership for more goodies.
    http://img338.imageshack.us/img338/333/keriozp5.jpg

    1x .DLL + .exe + .tmp will drop in <wind temp> both exe+dll= Sinowal flag@ VT.On my infections they have been titled "ldo2."

    The service entry then goes AWOL and MBR rootkit has landed:thumb:
    http://img207.imageshack.us/img207/6866/gmeryu4.jpg

    But seriously guys this thing is no biggie from a prevention point of view versus your chosen software afterall it has to perform so many tricks inorder to go live that it will trip over so many intercept points;)
     
  17. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Nice show ;-)
     
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Hot damn! Nice work fcukdat. :thumb: I restored a clean image before reboot, and failed to see anything after that. :(
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi fcukdat! Thanks for the nice work. So it doesn,t seem to be a clever rootkit.

    @ Solcroft, I wonder why TF is not catching it, so many malicious actions indeed. BTW what is the SHA1 hash for ur sample?

    Thanks
     
  20. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    Hi Pete, Thanks.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Anyone knows if it is possible to detect( and possible remove) this rootkit by a scanner ATM?

    Thanks
     
  22. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    GMER latest beta build detects MBR RK :D
    It also has a restore function which resets MBR thus killing the active RK :thumb:
     
    Last edited: Jan 11, 2008
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That,s great. So what about so many AV scanners with rootkit scanning capabilities?

    Symantec, KAV, Antivir, FSecure, etc

    Anyone tried with them?

    Thanks
     
  24. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello aigle,

    If I am not mistaken, Prevx CSI+ can detect and remove the MBR RK.


    Peace & Gratitude,

    CogitoErgoSum
     
  25. ProSecurity

    ProSecurity Registered Member

    Joined:
    Dec 13, 2007
    Posts:
    123
Loading...
Thread Status:
Not open for further replies.