New MBR rootkit goes undetected

Discussion in 'other anti-virus software' started by MAOS, Apr 13, 2009.

Thread Status:
Not open for further replies.
  1. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
  2. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Of course I know your company isn't out to con anybody.:thumb:

    With regards to the free MBR rootkit cleaner, that's a very fair deal.
     
  3. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
  4. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
  5. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    PrevxHelp, the only thing I'm curious about is, if I'm unlicensed, and Prevx detects something - will it put the system on hold and let you buy a license to never be infected at all? That would be one really neat way to get customers IMO. ;) :p
     
  6. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    If not then it's an excellent idea.
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It doesn't, but that is indeed a good idea :) I'll see how feasible it is (the issue is that it could lock up the system if we try and hold up a program loading for that long).
     
  8. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Yeah, I thought about some of those things, so what about a built-in tool for purchasing a license so that only the malware is stopped for the moment?
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Definitely possible, I'll forward the request on :)
     
  10. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    That would be a nice feature for the free version. :thumb:
     
  11. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    This is a good thing IMO, and kudos to the Prevx guys for the improvement on their products (actually I'm not a user at all). However, at their homepage they sell their products as:
    ..where the most known AV programs are listed there along with their 'non detected threats'. This could lead some new users to think that Prevx detects that number of malware over and above those nasties already detected by the AVs. How would the results be the other way around? ;)
    And at a US$30 per year subscription versus the price of any AV...
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The main concern with this approach would be that it would make us look rogue, as if we were blackmailing the user to buy NOW or else we will unleash the infection on them. It's a risky line to try and cross - right now we're very "black and white", where we will not block anything in real time, which prevents any confusion.

    We are considering alternate approaches, however, and are always open to input on the topic :)
     
  13. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    This also has another problem: that graphic doesn't indicate the number of users that use each AV.

    That should make the comparison fairer.
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It's hard to say really, but the fact still remains that no AV out there protects against 100% of threats (not us either, and we openly admit that :))

    If any other AV company has this data against us, we would be more than happy to see it to improve our products but I believe ours is the first realtime assessment of the antivirus industry from real world data seen by real users on a day-to-day basis.

    Regarding the size of the userbases - that is a factor in interpreting the statistics but rather than obfuscating the data by showing the % of the userbase infected, we provide the raw statistics. We aren't looking to compare each vendor to each other vendor, rather, comparing every vendor to the infections themselves.
     
  15. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    My motherboard is also an MSI with the AMI BIOS. When I first built this rig I also received an alert when first installing the OS, which is weird considering the feature is for BIOS protection. I have no idea if it would protect against this rootkit. I guess an optional way to test it is installing a safe program that modifies the MBR.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I had an old Asus mobo in the past, with AMI BIOS, and it protected against Kill MBR (one of the better moments in life: I downloaded it first with DefenseWall, and on the other image with GesWall, totally forgetting I had to mark it untrusted first, since it was not downloaded when GW was active).
     
  17. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Thanks for the input Kees1958. I may have to look into this a bit further. Also, glad to hear it saved your machine :).
     
  18. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    I don't really know how Prevx rates software for how bad it is or whatever, but if Prevx blocked, say, 10 serious threats and then the trial ran out, that sounds pretty good. Serious meaning like trojan/rootkit/virus or something that's pretty bad. After the 10 serious blocks, maybe just notify the user when something bad infects and prompt them to buy. Damn, I should run this show :D
    Never used Prevx or trialed it, but it seems pretty effective; I may look into it.
     
  19. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    In hopes of steering this thread back to its intended topic....New MBR rootkit goes undetected....and lessening the one-vendor discussion, I have moved numerous posts to a thread of their own for further discussion.

    New thread---> I applaud Prevx’s openness to sharing information

    Bubba
     
  20. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    This thread has already been hijacked into an off-topic discussion..
    Which is the threat exactly? The new MBR variant or PrevX?
    I suggest to Einsturzende (Neubauten?), innerspace and co to follow my future antimarketing post in the AM area.
    Of course there is no need for PrevX or any other AV/HIPS to counter this rootkit and other kernel-level ones.
    OS hardening as suggested by Lucy, or a whitelist approach via SRP or HIPS as suggested by "the teacher near the blue valley", are possible prevention solutions.
    There is also a forensic way to protect the PC in real time with zero software and default configuration: a way to use an instant backup solution stored in a restricted and secure zone of the disk (HPA), which can be helpful to restore the computer to a clean state (MBR included).
    From Melissa to Conficker/the new MBR RKT, AVs have been losing the malware game for years, and any good HIPS like DW, PrevX, SnS, OA and co is better than any pure AV-scanner-based protection.
    I have not taken a look at this last variant.
    DKOH and IRP hooking are not new, but this new variant seems more vicious in playing the man-in-the-middle game.
    Each time the detector checks and knocks (is there something wrong?), the man/rootkit intercepts the request and returns fake or invalid parameters (no no tovaritch, everything is ok!)...
    Regarding detection, I have not seen a kernel rootkit that resists a live or post-mortem physical memory analysis.
    But detection is not victory in security, especially with this variant, which targets financial logins.
    Once detected, it might already be too late.
    And sorry to repeat one of my favourite intrusion mantras:
    "That which can not be detected should be prevented; that which can't be prevented should be detected."

    The comment on the PrevX blog is true: there is more to be afraid of from Ring0 rkts than from conceptual ones like SMM or VM rkts (I have some forensic analyst contacts in Russia, Germany... and none has reported this in real incidents).
    There is always a big difference between what is possible in a laboratory and its in-the-wild industrialization...
    Well... a lot of blah blah on my part without help for the end users...
    So I suggest a few easy-to-use tools that could help to back up and restore the MBR in case of infection or corruption:
    MBR Wizard http://www.mbrwizard.com/
    MBRFix http://www.sysint.no/nedlasting/mbrfix.htm
    HDHacker, for those who want a GUI tool http://dimio.altervista.org/eng/
    MBRTool http://www.diydatarecovery.nl/mbrtool.htm
    With its various features like the ability to create a boot CD, this is the best suited for inexperienced users.

    rgds
     
  21. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    o_O Were you meaning me? If so, I'm not sure I follow you. Are you going to be starting a new thread or are you lumping me in with way off-topic posts?
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    kareldjag

    Easter here.

    As always your exceptional in-depth analysis and recommendations border on some mass publication to your credit, but your website has served that purpose satisfactorily IMHO. I must admit that I also miss, like many others, the very concise and strict testing during your many efforts to pit various vendors' security apps through painstaking (for them) scrutiny, and the results have always been worth professional review from them and the customers/users alike. For that we are grateful indeed. In my estimation those competitions of sorts not so much compared A is better than B but exposed both weaknesses & strengths that demanded immediate attention should the respective programs survive as a worthy endeavor, or else sadly be left as a gamble which is a remedy in the end for either disaster or time-consuming efforts on the user's/customer's end to pick up after the limitations pointed out in those reviews.

    Now to topic: I endeavor to safeguard against MBR disruption in any form, be it O/S malfunction or malware tampering, by turning to a simple floppy on which I SAVE both the MBR & PARTITION TABLE of each hard drive that is occupied by a Windows system, chiefly XP Pro. DVD/CD can serve the same purpose of course.

    Are you aware of the now older methods of saving and repair such as MBR whiskey, MBRwiz, and MBR.exe, which I have used to save these critical codes to a dat file on a floppy, and what's your opinion of them, if any?

    EASTER
     
  23. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    With a GNU/Linux live CD you can use dd. I saved a note on it; I hope it's correct. At least the MBR part is; I used it quite recently to restore the MBR after the usual XP fix/reinstall..

    Backup MBR (if hda is the primary):
    dd if=/dev/hda of=mbr.img bs=512 count=1   # whole sector: boot code + partition table + 0x55AA signature

    Imagine an hda3 partition; back up its boot sector with:
    dd if=/dev/hda3 of=hda3.img bs=512 count=1

    Only the boot program:
    dd if=/dev/hda of=mbr.img bs=446 count=1   # the boot code is 446 bytes; the partition table starts at byte 446

    To restore the MBR:
    dd if=mbr.img of=/dev/hda bs=512 count=1   # also overwrites the partition table with the saved one

    To restore just the boot program:
    dd if=mbr.img of=/dev/hda bs=446 count=1   # leaves the partition table currently on disk untouched

    'if' means input file, 'of' output file, I think.
     
    Last edited: Apr 19, 2009
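An added example, not from the thread: once you have a saved MBR image like the one the dd commands above produce, the useful follow-up is to compare it against a fresh copy of sector 0 and see which region changed (the 446-byte boot code, the 64-byte partition table, or the 2-byte signature), since a bootkit rewrites the boot code while a partition tool changes only the table. The functions work on any 512-byte file, so the block builds a constructed sample image instead of reading a real disk; the names and the tamper helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example: classify differences between a saved MBR image and a current
# one by region. POSIX sh only (dd, od, cksum, printf).

# Return 0 if the 512-byte image $1 ends with the 0x55 0xAA boot signature.
mbr_has_signature() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Print a checksum of the byte range [$2, $2+$3) of file $1.
region_hash() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | cksum | cut -d' ' -f1
}

# Compare saved image $1 with current image $2. Prints "unchanged" or the
# space-separated names of regions that differ: bootcode (bytes 0-445),
# ptable (446-509), signature (510-511).
mbr_diff_regions() {
    saved=$1; cur=$2; changed=""
    for spec in "bootcode:0:446" "ptable:446:64" "signature:510:2"; do
        name=${spec%%:*}; rest=${spec#*:}; off=${rest%%:*}; len=${rest#*:}
        if [ "$(region_hash "$saved" "$off" "$len")" != "$(region_hash "$cur" "$off" "$len")" ]; then
            changed="$changed $name"
        fi
    done
    if [ -z "$changed" ]; then echo unchanged; else echo "${changed# }"; fi
}

# Build a constructed 512-byte MBR image at $1: zeroed boot code and partition
# table plus the 0x55AA signature (sample data, not read from a disk).
make_sample_mbr() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Test fixture: overwrite the first two bytes of the boot code in image $1 so
# the comparison has something to report (constructed change, not malware).
patch_bootcode() {
    printf 'XX' | dd of="$1" bs=1 seek=0 conv=notrunc 2>/dev/null
}

# Usage on a real system: save sector 0 once (dd if=/dev/hda of=mbr.img
# bs=512 count=1), later dump it again to current.img and run
#   mbr_diff_regions mbr.img current.img
```

A result of "bootcode" with an unchanged partition table is the pattern worth investigating; "ptable" alone is what you would expect after repartitioning.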
  24. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    One post removed. Let's keep the commentary grounded in reality.

    Blue
     
  25. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Just a small correction. On the hda3 example, I made an error and put hda5 in the command. Sorry about that..
     