New MBR rootkit goes undetected

Discussion in 'other anti-virus software' started by MAOS, Apr 13, 2009.

Thread Status:
Not open for further replies.
  1. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    Thanks much Rich. I have archived many of your posts from this forum and they always make for a great educational read when PC threat prevention matters arise. Keep it rolling; your contribution is a big and essential asset for this community, imho.
     
  2. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Hi

    I've been reading about the malware here
    http://www.trustdefender.com/blog/2...ally-undetected-and-more-dangerous-than-ever/

    It seems that it did not create an executable ( *.exe file )?

    In the latest version ( according to the link ) it seems to have created a process directly ?

    Can anyone comment if this would be picked up by anti-virus software ?

    Also the installation method of the first "beta" version was AFAIK via the creation of a *.tmp file in the Windows temp folder.

    Could/would an anti-executable type set-up have blocked these?
     
  3. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Sorry for disturbing you with my noob question, but will this BIOS option protect us against this MBR rootkit or not?
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    No, we have always blocked the installation of it - we just wouldn't have detected it if you installed us AFTER you got infected. We don't have the more granular information in Edge and because of the very low volume of requests for it, we currently are not integrating it.

    As for your second observation: so you do not get a prompt on every update o_O

    If you aren't getting re-prompted for each update of every piece of software you have on your system, then you are extremely vulnerable as it is trusting everything by filename, rather than looking at unique hashes. An infection could just copy over an existing file using a script or something which isn't intercepted and then it would have free rein over your system. (Correct me if I'm wrong, of course :))

    Our whitelisting is based on unique file hashes which is really the only safe way to do it - on every update, files need to be re-whitelisted as they have changed and need to be checked again to see if they are indeed still secure :)
     
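    The filename-versus-hash allowlisting point made in the post above, as an added Python example that is not code from the thread or from Prevx. It builds a trivial allowlist of each kind, trusts a file, then overwrites that file in place (the "copy over an existing file" case) and shows which list still accepts it. The file name, the directory and the file contents are constructed for the demonstration.

```python
"""Allowlisting by filename versus by content hash (added example)."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class NameAllowlist:
    """Trusts a program by its file name only: whatever sits under that name runs."""

    def __init__(self):
        self.names = set()

    def trust(self, path):
        self.names.add(os.path.basename(path))

    def allowed(self, path):
        return os.path.basename(path) in self.names


class HashAllowlist:
    """Trusts a program by SHA-256: any change to the file needs re-approval."""

    def __init__(self):
        self.hashes = set()

    def trust(self, path):
        self.hashes.add(sha256_of(path))

    def allowed(self, path):
        return sha256_of(path) in self.hashes


def scenario():
    """Constructed scenario: a trusted file is overwritten in place, keeping its path.

    Returns {"before": (name_ok, hash_ok), "after": (name_ok, hash_ok)}.
    """
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "updater.exe")  # hypothetical trusted program
        with open(exe, "wb") as f:
            f.write(b"MZ original program body")   # constructed contents
        by_name, by_hash = NameAllowlist(), HashAllowlist()
        by_name.trust(exe)
        by_hash.trust(exe)
        before = (by_name.allowed(exe), by_hash.allowed(exe))

        # The attack from the post: replace the file's bytes without renaming it.
        with open(exe, "wb") as f:
            f.write(b"MZ something else entirely")  # constructed contents
        after = (by_name.allowed(exe), by_hash.allowed(exe))
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(scenario())
```

    The name-based list reports the overwritten file as still allowed; the hash-based list does not, which is exactly why every update has to be re-approved under a hash scheme.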
  5. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    :D I'll do what I can. Nice to be held in such regard. There are a couple of dinosaurs still here. :D

    I don't want this to become another 'PrevX thread', so I'll make this my last post as such:
    ;) depends.
    I still regard that as "control" and as stated, do not regard it as a burden.
    Don't have that much software that wants to update itself that often. ( lol exception: MS)
    Don't get me wrong: I am full of admiration for what PrevX has done recently.
    MG's blog about this MEB and variants was terrific and your response has been terrific. Lots of "admiration" around the web for the coders of the MEB. :cool:
    Hhmm??

    Taking the 'burden' out of endusers experience. No issue there. But what about zeroday ?? What prompts does PrevX3 give for unknowns ?? Wont the user still install ??
    However; as one of the expert members said to me about PX3: "stop your complaining:get over it: take it as is or get off the pot. "

    Couple of interesting threads re MEB, easy reading for technodopes like c'est moi:
    http://forum.sysinternals.com/forum_posts.asp?TID=18626
    http://forum.sysinternals.com/forum_posts.asp?TID=18486
     
    Last edited: Apr 15, 2009
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It depends on your definition of zero-day. If you use the maximum settings in Edge, you can block any program seen by less than x% of the Prevx population, effectively blocking any threat that would come through but this does generate extra prompting.

    The levels below that all block other zero-day malware, but the definition of zero-day malware is very clouded now. In the past a "zero-day" threat was a wide spreading infection hitting a large number of users at the same time. Now it is just detecting the threat as soon as it comes out...

    We add detection for literally thousands of brand new pieces of malware every day - all on the "zero-day".

    If you're looking for zero-day protection as being 100% protection, we could never offer that, nor any other company besides your electricity company that can cut off your power :)
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmm.. so far detection on VT is by :

    DrWeb( Trojan.Packed.2447), McAfee+Artemis( Generic!Artemis), F-Secure( Trojan:W32/Mebroot.gen!A), Prevx1 v2 (High Risk Worm), VirusBuster (Trojan.DR.Sinowal.Gen.11) and CAT-QuickHeal( Suspicious- DNAScan).

    It is for the dropper but I did not try to execute it yet.

    Can someone tell me how I can detect and possibly clean it after it is allowed to execute and infect a test system?

    Thanks
     
    Last edited: Apr 15, 2009
  8. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Well this is a pretty good description of how this MBR is different from the norm ( quality wise ).

    http://www.f-secure.com/weblog/archives/vb2008_kasslin_florio.pdf

    I think the one in the wild now will be a little different.

    I'd be very interested to see if a LUA will prevent it, or maybe TF?

    It does create an exe and dll so I think they should be able to be picked up ?

    ( see also my earlier post with Q's on this ).
     
  9. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    The most reliable method to detect the presence of this would be to run a rootkit scanner such as rootkitty from a live CD and compare it with a scan from within Windows to find any discrepancies. Removal is simply a case of overwriting the MBR. UBCD4Win contains everything you need for the job.;)
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That actually wouldn't be reliable as the rootkit doesn't hide any files, it just lives within the MBR - you would need to save the MBR from a boot CD and then boot into Windows and save the MBR and compare them.
     
  11. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Fair enough, it'd be even easier in that case.:thumb:

    you can download Mbrfix from here:
    http://www.sysint.no/Download/tabid/162/language/en-US/Default.aspx

    Then run the plugin on PE and compare.

    Does CSI detect this btw?
     
    Last edited: Apr 15, 2009
  12. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,097
    The antirootkit for download from cmcinfosec posted by Meriadoc is detected as a rootkit by several AVs at VirusTotal, including Avira and avast!. False positive? Also, to andyman35: what program do you use to compare the two MBR binary files?
     
    Last edited: Apr 15, 2009
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
  14. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I just read it does,good news.:thumb:
     
  15. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    When will the free tool that some guys are speaking of be available - that's, the removal tool for this malware specifically?
     
  16. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I use a hex editor XVI32
     
    Last edited: Apr 15, 2009
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We aren't making a standalone tool because that could lead users into a false sense of security so we've built it into the default scan of Prevx 3.0 which you can download from http://www.prevx.com/freescan.asp
     
  18. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Ah, now I remember that you said that - that that scan would remove the infection for free. Thx for the info.! :)
     
  19. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,097
    Thanks andyman. I did some searching and came across a freeware program that can compare 2 binary files side by side and shows the differences in color. But, it does not do any hex editing.

    http://www.aptedit.com/aptdiff.htm
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    You can also take the easy route and use the "fc" program which comes with Windows :)

    fc /b c:\file1.bin c:\file2.bin

    will produce a listing of each byte which is different on any OS by default :)
     
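    The offline-versus-online MBR comparison PrevxHelp describes (save the sector from a boot CD, save it again from inside Windows, compare the two) and the `fc /b` tip above, as an added Python example that is not code from the thread, from Prevx or from GMER. Beyond a byte-for-byte diff it names the MBR region each differing byte falls in (boot code, disk signature, partition table, boot signature) and decodes the partition table, so you can see at a glance whether only the boot stub changed while the partitions were left intact. The file names, the sample sectors and the "infected" boot stub are constructed for illustration; the sample stub merely mimics a patched entry and is not the real rootkit's code.

```python
"""Parse and compare two raw 512-byte MBR dumps (added example).

Usage: python mbr_diff.py offline.bin online.bin
Each file holds the first sector of the disk. With no arguments the two
constructed sample sectors below are compared instead.
"""
import struct
import sys

SECTOR = 512
BOOT_CODE_END = 440      # 0x000-0x1B7: boot code
DISK_SIG_END = 446       # 0x1B8-0x1BB disk signature, 0x1BC-0x1BD reserved
PART_TABLE_END = 510     # 0x1BE-0x1FD: four 16-byte partition entries
MBR_MAGIC = b"\x55\xaa"  # 0x1FE-0x1FF: boot signature


def region_of(offset):
    """Name the MBR region a byte offset falls in."""
    if offset < BOOT_CODE_END:
        return "boot code"
    if offset < DISK_SIG_END:
        return "disk signature"
    if offset < PART_TABLE_END:
        return "partition table"
    return "boot signature"


def has_boot_signature(mbr):
    return len(mbr) == SECTOR and mbr[PART_TABLE_END:] == MBR_MAGIC


def parse_partitions(mbr):
    """Decode the non-empty primary partition entries (CHS fields ignored)."""
    entries = []
    for i in range(4):
        off = DISK_SIG_END + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if ptype:
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def diff_mbr(a, b):
    """Return (offset, byte_a, byte_b, region) for every byte that differs."""
    if len(a) != SECTOR or len(b) != SECTOR:
        raise ValueError("each dump must be exactly one 512-byte sector")
    return [(i, a[i], b[i], region_of(i)) for i in range(SECTOR) if a[i] != b[i]]


def summarize(diffs):
    """Count differing bytes per region, e.g. {'boot code': 10}."""
    counts = {}
    for _, _, _, region in diffs:
        counts[region] = counts.get(region, 0) + 1
    return counts


def read_sector(path):
    # On Windows the live sector can be read from \\.\PhysicalDrive0 (admin rights needed).
    with open(path, "rb") as f:
        return f.read(SECTOR)


def build_mbr(boot_code, partitions, disk_sig=b"\x12\x34\x56\x78"):
    """Assemble a sector from its parts; used here only to construct samples."""
    boot = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    table = b"".join(struct.pack("<B3sB3sII", st, b"\0\0\0", pt, b"\0\0\0", lba, n)
                     for st, pt, lba, n in partitions).ljust(64, b"\x00")
    return boot + disk_sig + b"\x00\x00" + table + MBR_MAGIC


# Constructed samples. The clean stub starts with the usual Windows MBR prologue;
# the "infected" stub is a hypothetical patched entry, not the real rootkit's code.
# Both carry the same partition table, so a table-only check would miss the change.
PARTS = [(0x80, 0x07, 63, 20971520), (0x00, 0x0F, 20971583, 2097152)]
CLEAN_MBR = build_mbr(bytes.fromhex("33c08ed0bc007c8ec08ed8"), PARTS)
INFECTED_MBR = build_mbr(bytes.fromhex("ea2c7c0000"), PARTS)


def main(argv):
    if len(argv) == 3:
        a, b = read_sector(argv[1]), read_sector(argv[2])
    else:
        a, b = CLEAN_MBR, INFECTED_MBR
    for mbr, label in ((a, "first"), (b, "second")):
        if not has_boot_signature(mbr):
            print(f"warning: {label} dump lacks the 0x55AA boot signature")
    diffs = diff_mbr(a, b)
    print(f"{len(diffs)} differing byte(s): {summarize(diffs)}")
    for off, x, y, region in diffs[:16]:
        print(f"  0x{off:03x}: {x:02x} -> {y:02x}  ({region})")
    print("partition table identical:", parse_partitions(a) == parse_partitions(b))
    return 1 if diffs else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Differences confined to the boot code with an unchanged partition table are the pattern to look for here: the machine still boots normally, which is what makes an MBR-resident rootkit easy to miss with file-level scanning.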
  21. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,097
    Thanks for the tip Prevx. I will do that instead.
     
  22. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Today, April 15th, 2009: GMER Update: to detect and remove latest variant of rootkit please use mbr.exe v0.3.1: http://www2.gmer.net/mbr/ - link at the bottom of the page.

    Thanks, PROROOTECT:thumb:
     
  23. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Looks interesting i'll have a play with that.:thumb:
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We've tested it and GMER does indeed detect/clean this variant of the rootkit :) It is a bit specific to this variant, but it works well :thumb:
     
  25. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    I greatly appreciate your generosity of spirit, which is not partisan, but professional.

    Congrats, PrevxHelp!:thumb:


    Respectfully, PROROOTECT
     