MBR

Discussion in 'other security issues & news' started by starflame, Jul 28, 2009.

Thread Status:
Not open for further replies.
  1. starflame

    starflame Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    20
    Am I right in saying that rootkits can hide from being seen in Windows?

    How do you check / protect your MBR?
     
  2. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    a HIPS software would probably be the best, or some sort of sandbox (policy restriction/virtualizer). I believe Prevx also protects the MBR, iirc.
     
  3. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    A full image would also contain the MBR.
     
  4. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    a full image with MBR didn't restore properly in my case. I just tested yesterday one of the most destructive malware, the one they called the KillDisk trojan.

    yaiks! yup, a boot virus(?) or rather an MBR (master boot record) trojan called KillDisk wiped out my entire hard disk drive! It is a hard disk nuker.
    I intentionally played around with this specimen, given to me at my request, in order to test my defences or security set-up. Upon testing, the Host Intrusion Prevention System (HIPS) detected this trojan trying to have low-level disk access and I denied it that privilege. Out of curiosity, I intentionally disabled all my security protections and tested this malware once again to see how the malware wipes out my entire hard disk drive, being confident that I could restore from my image backups later on. It even bypassed the ISR.
    Too late to find out that I hadn't downloaded some low-level formatting software to completely erase that malware in order to have a successful recovery. Tried deleting all partitions and a few rounds of doing the usual formatting (high-level formatting using Acronis Disk Director) and trying to restore from an image backup. Unfortunately, Acronis True Image couldn't recognize my hard disk drive for a full sector-by-sector restore even though it was newly formatted, and thus the hard disk drive was as good as gone or dead from a layman's standpoint. I also used the Linux-based GParted, but also to no avail. Since I didn't have low-level formatting software at hand like DBAN etc. and am extremely bad at Linux CLIs, I tried installing the user-friendly Ubuntu Linux over it. The installation of Ubuntu has an option for wiping the entire partitions as well as the boot sectors and replacing them and installing its own bootloader. By doing a Linux install, the bootable Acronis True Image could now recognize the newly resuscitated hard disk drive. Using the image backups, I restored the system with all the applications installed and tweaks in just a couple of minutes. So now the system is back to normal, back to where it all started, before the malware testing. Anyone adventurous enough to try this malware? he he
     
    Last edited: Jul 29, 2009
  5. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Q " Am I right in saying that rootkits can hide from being seen in Windows? "

    Absolutely !

    You need to check with ARKs = Antirootkits

    Here's just a few of the better ones.

    RKUnHooker, RootRepeal, Radix, NIAP XRay System, GMER, Icesword

    I know Avira has a feature which boots early to help detect MBR nasties, maybe other AVs do too.

    Here's some info which you might find interesting, and could be useful.


    Interesting new malware http://forum.sysinternals.com/forum_posts.asp?TID=15413&PN=4

    Stealth MBR rootkit http://www2.gmer.net/mbr/

    Free scanner/fix = mbr.exe

    -

    UnHackMe

    " The main difference between UnHackMe and other antirootkit software
    is the detection method.

    UnHackMe tries to detect the hidden rookits by watching the computer from early study of the boot process till the normal Windows mode.

    UnHackMe is a first bootwatch antirootkit.

    Most modern antirookit programs try to detect the rookits when the rookit is already active. They use the very complex methods for detecting hooked system functions. But the rookit authors creates the new tricks and this war will not have the end. "

    http://www.greatis.com/unhackme/detail.htm

    -

    I have used mbr.exe a number of times, but haven't tried the latest version of UnHackMe. But I have DL'd it to try.

    Edit, there's always this as well.

    fixmbr command of Microsoft Recovery Console

    Windows XP instructions http://support.microsoft.com/kb/314058

    Windows Vista instructions http://support.microsoft.com/kb/927392

    -

    trismegistos

    You might like to test again with mbr.exe & UnHackMe? It would be nice to see what they do, or don't.
     

    Last edited: Jul 29, 2009
  6. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Yes, I have scanned for any traces of MBR rootkits or trojans with that software, including mbr.exe, HDHacker and GMER etc., and it's totally clean. Plus the fact that what I did was a full restore from a previous, totally clean image backup of Windows XP FAT32. Prior to the sector-by-sector restore, I did rounds of formatting, and the complete Linux install had rewritten the entire boot sectors, MBR and partition tables, where a stealth rootkit could possibly hide. The latter could have solved the limitations of a high-level format, where partition tables and boot sectors are unharmed (thus the necessity of a low-level format).

    Anyways, this is from a KillDisk malware specimen I requested in order to test my security set-up and not from anything circulating in the wild, a zero-day KillDisk-like trojan or any drive-by download. This is not a stealth MBR rootkit (who knows?) and is detectable by any decent antivirus.

    StevieO, thanks for the advice and the genuine concern. More power to you, buddy.
     
    Last edited: Jul 29, 2009
  7. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    In addition to piles of security software to protect your MBR from your admin rights, there's another solution. If you're using a limited user account, malware can't mess with the MBR, and neither can you. :)
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    What KillDisk does is corrupt the partition table. The reason images can't be restored is that, at least in XP, there is a bug in the Microsoft routines that check the partition table. They are fine if the table isn't there or is okay. But if it is corrupt they crash, and thus the imaging program fails.

    The solution is to use some tool that allows you to delete the partition table. A Windows CD will work.

    Once you delete the partition table, the image can then be restored.

    Pete
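    An added example, not code from any poster in this thread: the two recurring questions above are "how do you check your MBR?" (StevieO's list of tools) and "what does a trashed partition table look like?" (Peter2150's explanation of KillDisk). The Python below reads a 512-byte sector, verifies the 0x55AA boot signature, sanity-checks the four partition entries (status bytes, empty extents, more than one active partition, overlapping extents), and fingerprints both the bootstrap code and the whole sector so a known-good baseline can be compared against later. The device paths in the comment are assumptions for a typical machine; the two sample sectors at the bottom are constructed for the demonstration, not captured from a real disk.

```python
# Added example (not from any poster in this thread): parse and sanity-check a
# 512-byte MBR sector, and fingerprint it for comparison against a known-good
# baseline. Sample sectors at the bottom are constructed, not real.
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # bootstrap code occupies bytes 0..445
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class PartitionEntry:
    index: int
    status: int
    type_id: int
    lba_start: int
    sectors: int

    @property
    def is_empty(self) -> bool:
        return self.type_id == 0 and self.sectors == 0


def read_mbr(device_path: str) -> bytes:
    # Reads the first sector of a raw disk; needs administrator/root rights.
    # Typical paths (assumption, adjust for your machine):
    #   r"\\.\PhysicalDrive0" on Windows, "/dev/sda" on Linux.
    with open(device_path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    entries = []
    for i in range(4):
        offset = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_start, type_id, _chs_end, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, offset)
        entries.append(PartitionEntry(i, status, type_id, lba_start, sectors))
    return entries


def check_mbr(sector: bytes) -> List[str]:
    """Return a list of problems found; an empty list means the sector looks sane."""
    if len(sector) != SECTOR_SIZE:
        return [f"expected {SECTOR_SIZE} bytes, got {len(sector)}"]
    problems = []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    used = [e for e in parse_partition_table(sector) if not e.is_empty]
    for e in used:
        if e.status not in (0x00, 0x80):
            problems.append(f"entry {e.index}: invalid status byte 0x{e.status:02x}")
        if e.lba_start == 0 or e.sectors == 0:
            problems.append(f"entry {e.index}: zero LBA start or zero length")
    if sum(1 for e in used if e.status == 0x80) > 1:
        problems.append("more than one active (bootable) partition")
    # Overlapping extents are a classic sign of a trashed partition table.
    for a in used:
        for b in used:
            if a.index < b.index and a.lba_start < b.lba_start + b.sectors \
                    and b.lba_start < a.lba_start + a.sectors:
                problems.append(f"entries {a.index} and {b.index} overlap")
    return problems


def mbr_fingerprint(sector: bytes) -> Tuple[str, str]:
    """SHA-256 of the bootstrap code alone and of the whole sector.
    Record both while the machine is known-good; a changed bootstrap hash
    with an unchanged partition table is the pattern an MBR rootkit leaves."""
    return (hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
            hashlib.sha256(sector).hexdigest())


# --- constructed sample sectors for demonstration -------------------------
def build_entry(status: int, type_id: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", type_id, b"\0\0\0", lba_start, sectors)


def build_mbr(entries: List[bytes], signature: bytes = BOOT_SIGNATURE) -> bytes:
    table = b"".join(entries) + bytes(PART_ENTRY_SIZE) * (4 - len(entries))
    return bytes(PART_TABLE_OFFSET) + table + signature


CLEAN_MBR = build_mbr([build_entry(0x80, 0x0C, 63, 204800)])
# Corrupted table: bogus status byte, overlapping extent, signature gone.
CORRUPT_MBR = build_mbr([build_entry(0x80, 0x0C, 63, 204800),
                         build_entry(0x37, 0x07, 1000, 5000)],
                        signature=b"\x00\x00")

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("corrupt", CORRUPT_MBR)):
        print(name, check_mbr(sector) or "OK", mbr_fingerprint(sector)[1][:16])
```

    Run it once on a freshly imaged machine and keep the two hashes somewhere off the disk; re-running after the fact shows whether only the bootstrap code changed (what a stealth MBR rootkit does) or the partition table itself is gone (what the KillDisk case above looked like). The check only reads sector 0, so it never touches the disk contents.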
     
  9. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Thanks for the clarification. Though a Windows CD will work, since this is MBR malware, I have already put my trust in low-level formatting software.

    From this exercise of testing these types of malware affecting the MBR, a light yet very strong HIPS is capable of intercepting malware trying to get low-level disk access even if it has driverless kernel-land access. But it would take a miracle for it to get into the system in real-world scenarios, as it must bypass a strongly configured firewall, a strongly configured sandboxed browser with web filtering of active content (incl. iframes) and the default-deny policy rendered by the HIPS in a shield of a virtualizer. This layered approach (overkill, yet incredibly light on my system's resources) surely spells the end for all malware.
     
    Last edited: Jul 31, 2009