mbr rootkits survive reinstallation?

Doesn't reinstalling usually write a new MBR to disk?

from http://blog.trendmicro.com/2010-in-review-10-most-remarkable-malware-in-2010/

Does "could" mean "only under certain conditions"? For example if you only repair the OS or install to the same partition (and move the old one to Windows.old).
What about deleting the (first) system partition and recreate that in the installer?

 

Nasty stuff, I would think wiping the disk would kill it. I use BC Total Wipe Out.

 

Re-installing or Re-formatting doesnt write a new MBR.
With Re-partitioning or Zero-Fill, you can erase the current MBR.

 

Is there a technical reason for that? Couldn't the OS installer automatically run fixmbr* for you to rule out this possible risk once and for all?

*assuming this is safe to do and does clean the MBR of any infection

Personally I always wipe the first few hundred MBytes to be on the safe side but that means separating OS and data into two partitions on one disk is no real option as that way the complete partition layout is lost.

 

What if it were capable of changing the native max size of the drive and load drivers from beyond the native max size?
Most wiping programs do not reset the native max size when wiping, except for one!

 

Which one?

 

Some other software that will wipe a hard drive (write zeros to all hard drive sectors):

1. The hard drive manufacturer's bootable diagnostics disk (freeware).

2. Terabyte's CopyWipe (freeware).

3. Partition Wizard bootable CD (freeware).

 

Whatever may be lurking there can't get executed, something needs to tell the rootkit where to look for the hidden code. That something is the MBR you just overwrote... HDD firmware rootkit/backdoor would be an option but that's really difficult to pull off if possible at all. But if we go there, why stop at MBR/HDD rootkits? You could infect the BIOS, the graphic card firmware or put a backdoor on the motherboard or even into the CPU itself. The big problem about that is: what's feasible for an automated attack by a 3rd party? Highly hardware dependent rootkits aren't, infecting the MBR is pretty reliable.

I'm pretty sure there's more than one way to reset the drive. hdparm can do it and it's open source. You could write your own implementation of it, there's nothing rocket science about it.

 

Attacker's loop:

1. Gain access
2. Do work
3. Go to 1

There is a lot of effort involved in #1. What is a hole today could get patched tomorrow, so doing work (#2) is just as important as providing a path to return (#3). Your #3 has to be rock solid so that your victims actions can't affect the #3.

Altering the native max size may be a way to leave a part of your code behind and survive all wiping methods save one, so then the question: Is the loader limited to being just on the native max sectors of the drive? No.

Besides the sectors of the native max size we have:

HDD Firmware (what is the market share of each firmware type, how often is the firmware upgraded?)
The BIOS (What is the market share..)
The Graphic Card Firmware (What is the market share..)
The CPU (What is the market share..)

Also, if the attacker can modify the system:
System RAM (semi-persistent)
Graphics RAM (semi persistent)
Network Card Firmware (What is the market share..)
ACPI NAND (What is the market share..)
USB Bus cache NAND (What is the market share..)
Router (What is the market share..)

AFAIK, these 10 are the only persistence locations not affected by wiping the HDD. How difficult would it be, once infected, for a malware to gather the details from these 10 locations?

With enough time and effort (Gongfu) attacker or attackers could develop a database of persistence locations for their infected group outside of the HDD. Once you develop just 1 area off of the HDD sectors your chance of being discovered and removed drops dramatically.

The Secure Erase Function, accessed by hdparm or HDDErase.exe, is the only wiping program that will reset Native Max Size when wiping.
You can also reset Native Max Size with SeaTools, I think it can also wipe the first and last 100MBs.

 

[FONT=&quot]Check HERE[/FONT].

1) To Detect/Remove this rootkit, please use latest version of mbr.exe tool or GMER.

2) To Remove MBR from infected machine, you can simply use "Recovery Console" command:fixmbr

 

Great pick, I also use it. Jetico BCWipe Total WipeOut does the most complete job, as it also wipes the Host Protected Area (HPA) and DCO hidden sectors, which most other similar tools simply ignore.

 

Searching_ _ _
We know about this stuff for a long time, yet it remains sci-fi for the most part. There simply are no reports on these sort of attacks being in the wild. Why?
Because it's really hard to do and any failure results in an unbootable system, a sure way to drop out of that loop.

 

The ability to detect it's presence is limited by such a low level position.
According to Jamie Butler, a hardware based rootkit that loads early would be difficult to detect by software. Analyzing the memory dumps are the only means of discovery, if memory dump is taken using software while rootkit is active there is no guarantee for discovering it. Hardware acquisition of memory is the only solution.
Any one can run GMER, but what is the number of users out of a thousand that could analyze a memory dump and acquire one via hardware?
How many computers out of a thousand are checked for malware by analyzing memory dumps via hardware acquisition?
I'm going to guess those numbers are extremely low.
Getting a Firewire Memory Dump

Router attacks are in the wild, there are at least 4 botnet malwares, 2 of which are PoC, 1 of the PoC can attack the WAN side on some routers.

Attacking the router doesn't affect the bootability of the system.
Pincczaco built a BIOS rootkit and a Network Card Rootkit, he did state the Network Card Rootkit is easier to reproduce than the BIOS version.
One is all that is required to make discovery and removal near impossible for the every day person.

OT @ katio

Are you going to check out "Kingpin" when it's released in February?

 

Attacks against routers might have a certain similarity (reinstalling the OS on your computer doesn't get rid of an intrusion in the router) but they actually are a completely different beast. Most routers run Linux and any hack is no different from an ordinary software based exploitation. Usually it's not even a rootkit but just some DNS server modification, a forwarded port or remote admin access backdoor which you can fix over webui or ssh.
Reflashing the firmware is successfully in every case, unless we are talking about hardware rootkits on the router itself...

Kingpin? Sorry, I had no idea there's something coming out in February. Should I know about it?

 

I only listed the router for completeness of persistence locations outside of the HDD. Unfortunately I diverged a little.

Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground by Kevin Poulsen

 

Yes sir, that's why I purchased it.

 

BCWipe

 

To expand on this, does that mean that if one was re-installing Windows and deleted all the partitions during the Windows setup (then added new ones) that the MBR threat would be removed? Would removal of a partition or creation of a partition overwrite the MBR or simply write to it?

 

The MBR code section is in the first 446 bytes of sector 0, the next 64 bytes belongs to partition table, removal or creation of a partition changes the partition table, the program used to do that *may* overwrite the MBR code(e.g. when they see the MBR code section is empty, implying that the disk hasn't been partitioned before), but that's not always the case.