New MBR killer on the loose

Discussion in 'malware problems & news' started by CloneRanger, May 3, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    And it's potentially very nasty

    Mebratix.B aka Ghost Shadow

    Quote by EP_X0FF of RkUnhooker etc fame

    http://www.kernelmode.info/forum/viewtopic.php?f=16&t=151

    http://www.symantec.com/connect/pt-br/blogs/trojanmebratixb-ghost-mbr
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    If anyone knows how to get it, pls PM me.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @aigle

    See your PM ;)
     
  4. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hi Agile/Clone Ranger,

    Can you PM me too? Required to test it.
     
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    I hope you're testing it on an isolated PC not a VM ;)
     
  6. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Does MBRGuard block this? can somebody test?
     
  7. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Why not in a VM? Will it infect my original MBR? I don't think so... If it is like that then I will test it in an isolated environment...
     
  8. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Try reading the 4th line of the first post... Now maybe it's talking about the VPC MBR, but personally I don't trust malware in a VPC/sandbox. Always on an isolated PC that's fully recoverable.
     
  9. ivankov

    ivankov Registered Member

    Joined:
    May 1, 2010
    Posts:
    4
  10. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  11. ToasterS

    ToasterS Registered Member

    Joined:
    Mar 20, 2010
    Posts:
    1
    Aloha,

    I have analyzed Mebratix.B: http://web17.webbpro.de/index.php?page=analysis-of-mebratix:

    Code:
    Sector 0: Malicious MBR, relocates itself to 0000h:0600h
    Sector 1: Will be loaded by mbr to 0000h:7C00h and relocates to fixed address 9700h:0000h
              Installs int 13h hook, reads 59 sectors from sector 2 and decrypts first 3 of them
              Loads original mbr from encrypted sector 2 to 7C00h and executes it
              Patches NT Loader code integrity verification and hooks ntldr to jump to sector 3
    Sector 2: Original master boot record (encrypted)
    Sector 3: Protected mode bootkit code, called by ntldr hook
              Restores interrupt 13h vector
              further code (not analysed yet)
    Sector 4: further code (not analysed yet)
    Sector 5+: PE image, kernel driver, 16544 bytes (~ 16 KB)
    
    Reversed code can be found here. Only Windows XP is affected btw, because it only contains the signatures for Windows XP startup files.
     
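    An added defender-side triage script (written here, not part of ToasterS's analysis or any project) that checks a raw disk image for the layout described above: it compares the MBR boot code against a known-good copy and lists the normally blank sectors between the MBR and the first partition, where this bootkit parks its loader, the copied original MBR and a raw PE driver. The sample image and the "known good" MBR are constructed placeholders, not bytes from the real sample.

```python
import struct

SECTOR = 512

def parse_mbr(mbr):
    """Return (signature_ok, [start LBA of each used partition entry])."""
    sig_ok = mbr[510:512] == b"\x55\xaa"
    starts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        lba = struct.unpack("<I", entry[8:12])[0]
        if entry[4] != 0 and lba != 0:   # partition type byte set, non-zero start
            starts.append(lba)
    return sig_ok, starts

def bootstrap_changed(mbr, known_good):
    """Compare only the 440 bytes of boot code; the partition table may legitimately differ."""
    return mbr[:440] != known_good[:440]

def scan_gap_sectors(image, first_lba):
    """List non-zero sectors between the MBR and the first partition. A clean
    install leaves this gap blank; Mebratix parks its loader, the stashed MBR and a raw PE there."""
    findings = []
    for lba in range(1, first_lba):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if not any(sec):
            continue
        if sec[:2] == b"MZ":
            findings.append((lba, "PE image (MZ header) stored raw in gap"))
        elif sec[510:512] == b"\x55\xaa":
            findings.append((lba, "boot signature present (stashed MBR?)"))
        else:
            findings.append((lba, "non-zero gap sector"))
    return findings

def build_sample_image():
    """Constructed image mirroring the post's layout; bytes are placeholders, not malware."""
    clean = bytearray(SECTOR)
    clean[0:3] = b"\xfa\x33\xc0"                    # placeholder boot code
    clean[450] = 0x07                                # partition 1 type: NTFS
    clean[454:458] = struct.pack("<I", 63)           # partition 1 starts at LBA 63
    clean[510:512] = b"\x55\xaa"
    img = bytearray(SECTOR * 8)
    img[0:SECTOR] = clean
    img[0:3] = b"\xe9\x00\x01"                       # bootstrap code replaced (sector 0)
    img[SECTOR:SECTOR + 4] = b"\xb8\x00\x97\x8e"     # stand-in loader bytes (sector 1)
    img[2 * SECTOR:3 * SECTOR] = clean               # copied MBR; the real sample keeps it encrypted
    img[5 * SECTOR:5 * SECTOR + 2] = b"MZ"           # raw PE driver image (sector 5+)
    return bytes(img), bytes(clean)
```

    Against a real disk, read the first few hundred sectors with a raw device read from a clean boot medium and supply an MBR copy saved before infection; an encrypted stashed MBR will show up only as a "non-zero gap sector", which is still worth a look.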
  12. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Can someone please test this against shadow defender?
     
  13. icr

    icr Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    1,588
    Location:
    Mumbai
    Thanks for the source code, it helps me in studying it :D I am learning assembly language programming ;)
     
  14. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi aigle,

    join KM and you will see the files. Usually all the malware talked about on KM will have some analysis with the sample attached to the post.
     
  15. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    It destroys the VM MBR, the Host system is unaffected.
    As was explained in the referenced thread the Host can only be infected by malware that's specifically coded to exploit a vulnerability in the particular VM software it's run on, or by accessing a shared folder.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    OK, thanks. Got a sample, will see if it's the correct sample or not.
     
  17. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    I'd like a piece of that as well. Please PM it to me.

    Thanks.
     
  18. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    Please PM it to me as well.

    I want to add it to a personal collection of malware that I'm building to test AVs and firewalls.
     
  19. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
    Please read the Terms Of Service for using these forums.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Pls don't ask for samples in public.
     
  21. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    938
    Same request for Wondershare Time Freeze, since it has MBR protection...
     
  22. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    It's probably a coincidence, but after searching & downloading (but not executing) samples of this malware (for testing), I lost one of my partitions (it was missing after I restarted the computer...). The files I downloaded were ro.exe and mebratix.zip. I also clicked on several links for "infected" sites (to obtain the malware) before acquiring those files, but got blocked by my security apps, or the site was down, or something - at least it looked like the access failed.

    Anyway, I booted to BartPE which I have available from my boot menu, ran Acronis Disk Director to recover the missing partition and I also put ro.exe inside a rar archive just in case. No (related) problems after that; no data loss or corruption as far as I can tell. As I said, probably coincidence, but it made me wonder...
     
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Toaster

    Hi thanks for posting :thumb:


    @CogitoTesting, pajenn, et al

    Just to let you know, and anyone else, I fully expected to retrieve the file from one of the malware www's I had knowledge of at the time. When I got round to visiting them the file had gone, or the www didn't work anymore. It would have been nice to see some testing with it, but stuff happens, sometimes you win sometimes you don't :p Maybe next time ;)

    Looks like aigle has it, so PM him ;)

    @pajenn

    I had ro.exe the other day https://www.wilderssecurity.com/showthread.php?t=274488 but after uploading it to VT got rid of it :D

    Sorry to hear about you losing a partition, makes me wonder too, could be a coincidence but ? Anyway the good thing is you were able to get it back in one piece, with no "apparent" side effects :thumb:
     
  24. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    I'm sorry about being a persistent pain in the neck, but I would highly appreciate it if someone would just PLEASE run it against Shadow Defender and report back. I've started another thread in the virtualization subforum w/o any replies. :blink:
    Thanks guys


    Oh, one more thing I'm curious about: how does MBRGuard fare?
     
  25. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    I appreciate that malware samples can be used for research and educational purposes, however, I'm afraid we can not have public links to malware hosting sites here. It's not just our rule but the rule imposed on us by our hosting company. Live malware samples just can't be shared from here.

    Linking to samples shouldn't be necessary anyway, since anyone with the skill to analyze and test malware should also be able to find samples on their own. If they don't know how to find malware files then it is highly unlikely they can do any kind of serious analysis of it. So, let's let them find the files on their own and call that the bar of entry they have to get over to move on to testing and analysis.
     