Ransomware lands on the MBR

Discussion in 'malware problems & news' started by Triple Helix, Dec 10, 2010.

Thread Status:
Not open for further replies.
  1. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada

    Full Story: http://www.prevx.com/blog/163/Ransomware-lands-on-the-MBR.html

    TH
     
    Last edited: Dec 10, 2010
  2. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    Ransomware can be subverted through proper Windows Securityware.
     
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    MBR Ransom (Seftad)

    As a test I installed MBRguard in a Win 7 VM then ran this variant with the VM rebooting straight back into desktop.

    Before installing MBRguard:

    [attached screenshot: Ransom.JPG]
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Triple Helix

    Thanks for the link etc :thumb: Turns out it's NOT encrypted at all :D Cheeky! Also clever that you can't use the usual "fixmbr" to restore the MBR :( Trying to fix this would be a nightmare for most people out there, and so I guess they would probably pay, which is of course the MO :mad: unless they got pro help.

    Indeed, if set up properly and the user isn't tricked into clicking etc.

    @ Franklin

    Good to see that MBRguard protected in the VM case :thumb: Do you know if it's VM aware, and if MBRguard would protect in normal mode?

    *

    [attached image: rbn.gif]

    FAQ's -http://safe-data.ru/faq_en.html
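    An added example, not from this thread or any of its posters: a small Python check that parses a 512-byte MBR image (as dumped from a disk or a VM), verifies the 0x55AA signature, sanity-checks the partition table and compares the bootstrap code against a known-good SHA-256 baseline, which is how a defender can confirm that only the boot code was overwritten (as with this non-encrypting sample) before deciding between fixmbr and rebuilding the partition table, the question raised again in posts 10 to 14 below. The sample MBRs, the bootstrap bytes and the "locked" string are constructed placeholders, not data from the real sample.

```python
import hashlib
import struct

SECTOR = 512  # classic MBR: 440 bytes boot code, 6 bytes disk id/pad, 64-byte table, 0x55AA

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, the four partition entries and the signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 462 + 16 * i]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little endian
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        parts.append({"status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:440], "partitions": parts, "signature": sector[510:512]}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_sha256:
        findings.append("boot code differs from baseline")
    for i, p in enumerate(mbr["partitions"]):
        if p["type"] == 0:          # empty slot, nothing to validate
            continue
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte {p['status']:#x}")
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {i}: zero start or length")
    return findings

def build_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one bootable NTFS partition, valid signature."""
    body = boot_code.ljust(440, b"\x00") + b"\x00" * 6
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return body + entry + b"\x00" * 48 + b"\x55\xaa"

# Constructed 'known good' bootstrap bytes and the baseline taken from them.
GOOD_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
GOOD_HASH = hashlib.sha256(GOOD_MBR[:440]).hexdigest()
# Hypothetical overwritten boot code: same partition table, different bootstrap.
TAMPERED_MBR = build_mbr(b"\xeb\xfeYOUR DISK IS LOCKED")

if __name__ == "__main__":
    print("good:", check_mbr(GOOD_MBR, GOOD_HASH))
    print("tampered:", check_mbr(TAMPERED_MBR, GOOD_HASH))
```

    On a real system the baseline hash comes from a clean image of the same machine (boot code differs between Windows versions), and an intact partition table alongside a changed boot code points at the boot code, not the partitions, as what needs restoring.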
     
  5. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    No, I don't think it's VM aware, as it does what it does as normal.

    This sample doesn't encrypt anything and one of the fellas over at KernelMode mentioned it could just be a test release before the real thing.
     
  6. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    If set up properly, the clicking by the user is rendered impotent.
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Franklin

    Okay, thanks :thumb:

    Not always, because if someone mistakenly allows something they believe to be OK but isn't, then even though they have good protection in place **** can and does happen !
     
  8. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    "allows something" What does that mean?

    "good protection" How do you define that?
     
  9. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    Would a low-level format using Darik's Boot and Nuke remove this ~ Snipped as per TOS ~ malware?
     
    Last edited by a moderator: Dec 12, 2010
  10. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    If you have the same one I tested you could try the unlock key or fixmbr command.

    Unblock key is aaaaaaciip.

    I noticed you posted in both the MBR and Screenlocker threads over at KM. Which one is it you're trying to get rid of?

    Some of the screenlockers are active in safe mode, so I would say you would have to use a recent live AV CD such as Dr Web or Avira, or, if you know what and where the main exe resides, a live CD that can mount the file system and delete it manually.
     
  11. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire

    It's the MBR version I am trying to get rid of. It is on a client's PC and the unblock key does not work.
    I have tried all bootrec.exe commands but it's still there; re-installation of Win 7 fails halfway through. Any ideas?
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Have you tried deleting/recreating the partition first then reinstalling?
     
  13. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    Yes, I recreated partitions using Partition Magic and then deleted the partitions from the Windows 7 setup menu. Still no joy.
     
  14. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Besides 0-ing the disk as a last resort, have you tried recreating a new partition table?
    Wilders' resident Mrkvonic has a concise explanation on his Dedoimedo website for GParted; check 'Task 4: Create Partition Table ' link.

    Mind you, 'seftad' is not something I'm familiar with, so it's just a suggestion.
     
  15. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Have read that Partition Magic shouldn't be used for a Vista/7 install.

    You could give Partition Wizard a run which seems pretty good or GParted.
     
  16. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    167
    Franklin, how does sandboxie stand up to this?
     
  17. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    I tried it from a live CD so it should not matter. I'll give your suggestion a go along with Baserk's suggestion.
     
  18. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Sandboxie, Geswall, Bufferzone, Returnil, Shadow Defender have no probs handling the sample I have.
     
  19. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Thanks Franklin for your test. How about DefenseWall against the sample?
     
  20. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Run as untrusted then no probs stopping it.
     
  21. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Any chance you could test Mamutu? Interesting to see whether a behaviour blocker can handle it.
     
  22. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Mamutu - sheesh, what a pain to set up with email address/passwords :ouch: but wins against this sample.

    [attached screenshot: Mamm.JPG]
     
  23. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Thanks Franklin!
     
  24. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Thanks Franklin for the test and the expected promising result.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I played with it for a while.

    GesWall - Passed
    Win 7 UAC - Passed
    CIS Defence Plus - Passed, both on default settings and paranoid maximal settings (though you get a prompt to sandbox it on default settings; you must choose sandbox then).
     


    Last edited: Dec 17, 2010