Old Hack, New Twist: When Rootkits Grab Hold of MBRs

Discussion in 'malware problems & news' started by ronjor, Feb 7, 2008.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,724
    Location:
    Texas
    Article
     
  2. larryb52

    larryb52 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    1,126

    good read, thanks Ron...
     
  3. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    And a scary read at that...:oops:
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Very informative!

    Some quotes:

    (my emphasis)

    (Why should this be just "temporary"?)

    Firms are "studying" use of white list? Discussion and implementation of this has been in effect at least as far back as 2004:

    www.infosec.co.uk/ExhibitorLibrary/123/An_Ounce_of_Prevention.pdf
    ----
    rich
     
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    That's on the prevention side. What about removal?
    My bold.
    So what are the best tools for this operation? After wiping, then what?
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    'old hack new twist'.....yeah an old attack vector is back!
     
  7. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Soon enough antivirus companies will provide removal of these threats.
    As we know, Dr.Web already does.
    I'm sure the rest will follow suit.
    lodore
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    - Every tool that overwrites the MBR: DBAN, the zero tool from your HDD manufacturer, the built-in HDDerase command, a Linux tool CD, etc.
    - After wiping, do a normal installation.
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Thank you Lucas.
    That DBAN I knew, but it erases the whole HD. A bit extreme :D , although I see its usefulness. Is there a tool .. ah forget it, I'm going to search.
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    Sounds terrifying, but all you need to do is simply put something into good ole MBR / Sector 0. Can be a different boot loader - BSD sounds a good choice. You can use any bootable CD to purge the sins. You can even restore the MBR by overwriting it with fixmbr from recovery console.
    Mrk
     
  11. controler

    controler Guest

    MBR viri go way back as we all know, the only new twist is ROOTKIT.

    I always wondered when that would come. BIOS attacks go back, as far as I know, to the late '80s. Why not combine an MBR-BIOS rootkit?
    We ourselves may be teaching these new thieves how to operate right here at Wilders.

    con
     
  12. BananaJones

    BananaJones Registered Member

    Joined:
    Feb 3, 2008
    Posts:
    7
    I'm assuming that when the machine has a non-standard bootsector, e.g. when FDISR is installed or GRUB is present, such an MBR infection would be visible, because the non-standard MBR would have been gone... right...?
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Remember that it makes a copy of the original MBR to disguise itself and keep the PC working normally.
    From the Symantec Research blog
     
    Last edited: Feb 10, 2008
  14. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    All it has to do is create a folder/partition, hide it, and store our MBR, to call it and boot as usual (with the added code running). Then store executables for both OSes. Am I making correct conclusions?
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    AFAIK, this MBR rootkit stores its code at the end of the disk, so the MBR hijack is only used as a loader. I think that using low-level routines one can place a relatively large amount of code (for the Linux/BSD/Solaris/OS X/Windows variants) at the end of the disk and lock it with the same low-level routines (marking the section as damaged, for example).
    Quite scary indeed and much more feasible than BIOS rootkits.
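The layout described in the two posts above (sector 0 replaced and used only as a loader, the rest of the code parked past the last partition, the original MBR kept to hand back to the running system) is something a defender can check for from a clean boot medium. The following is an added example and is not code from this thread, from GMER, DBAN or any other tool named in it; the disk size, the baseline hash and the three sample sectors are constructed here, and the `build_mbr` helper exists only to fabricate them. `read_mbr` is the only part that touches a real device.

```python
"""Parse a 512-byte MBR, fingerprint its bootstrap code and measure the space past the
last partition.  Added example; baseline hash and sample sectors are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: bootstrap code
DISK_SIG_OFFSET = 440        # 4-byte disk signature, then 2 reserved bytes
TABLE_OFFSET = 446           # four 16-byte partition entries
SIG_OFFSET = 510             # 0x55 0xAA boot signature (little-endian 0xAA55)
MBR_SIGNATURE = 0xAA55
TAIL_THRESHOLD = 2048        # flag more than 1 MiB of sectors outside any partition


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR sector into bootstrap hash, disk signature and partition entries."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, lba_count = struct.unpack_from(
            "<B3sB3sII", mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0:           # empty slot
            continue
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "lba_count": lba_count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0],
        "signature_ok": struct.unpack_from("<H", mbr, SIG_OFFSET)[0] == MBR_SIGNATURE,
        "partitions": partitions,
    }


def unallocated_tail(info: dict, disk_sectors: int) -> int:
    """Sectors between the end of the last partition and the end of the disk."""
    last_end = max((p["lba_start"] + p["lba_count"] for p in info["partitions"]), default=0)
    return max(disk_sectors - last_end, 0)


def check_mbr(mbr: bytes, baseline_sha256: str, disk_sectors: int) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from the recorded baseline")
    tail = unallocated_tail(info, disk_sectors)
    if tail > TAIL_THRESHOLD:
        findings.append(f"{tail} sectors after the last partition belong to no partition")
    return findings


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a block device or raw disk image (needs root on a live device)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_mbr(boot_code: bytes, disk_sig: int, partitions: list) -> bytes:
    """Assemble a test sector; partitions are (status, type, lba_start, lba_count) tuples."""
    table = b"".join(struct.pack("<B3sB3sII", s, b"\0" * 3, t, b"\0" * 3, start, count)
                     for s, t, start, count in partitions)
    sector = (boot_code.ljust(BOOT_CODE_LEN, b"\0") + struct.pack("<IH", disk_sig, 0)
              + table.ljust(64, b"\0") + struct.pack("<H", MBR_SIGNATURE))
    assert len(sector) == SECTOR_SIZE
    return sector


# Constructed samples: a disk of 2,000,000 sectors with one NTFS partition starting at
# LBA 2048.  The placeholder bytes stand in for real bootstrap code.
DISK_SECTORS = 2_000_000
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 32
FULL_TABLE = [(0x80, 0x07, 2048, DISK_SECTORS - 2048 - 1000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, 0x1A2B3C4D, FULL_TABLE)
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # recorded while the disk was known clean

# Same partition table, different bootstrap: how a replaced sector 0 looks to the check.
ALTERED_BOOT_MBR = build_mbr(b"\xeb\x3e" + b"\x00" * 40, 0x1A2B3C4D, FULL_TABLE)

# Original bootstrap, but 60,000 sectors at the end of the disk lie outside any partition.
SHORT_TABLE_MBR = build_mbr(CLEAN_BOOT_CODE, 0x1A2B3C4D,
                            [(0x80, 0x07, 2048, DISK_SECTORS - 2048 - 60_000)])

if __name__ == "__main__":
    for name, sector in [("clean", CLEAN_MBR), ("altered boot code", ALTERED_BOOT_MBR),
                         ("shortened table", SHORT_TABLE_MBR)]:
        print(name, "->", check_mbr(sector, BASELINE_SHA256, DISK_SECTORS) or "no findings")
```

Two points about using it. First, as lucas1985 notes above, the rootkit keeps a copy of the original MBR to present to the running system, so the sector has to be read after booting from trusted media (the bootable CD Mrkvonic mentions), not from inside the possibly infected Windows. Second, a run of free sectors past the last partition is normal on many disks, so the tail finding is a pointer to go and look at those sectors, not a verdict; the bootstrap hash against a baseline recorded on a clean install is the strong signal.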
     
  16. dr pan k

    dr pan k Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    204
    Excellent rootkit detection with GMER. It's free and simple. You can use it with all major AV programs. Personally I love it.

    http://www.gmer.net/index.php
     