Stealth MBR Rootkit

Discussion in 'other anti-malware software' started by jdjudy, Feb 11, 2008.

Thread Status:
Not open for further replies.
  1. jdjudy

    jdjudy Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    26
    Has anyone had any experiance with "Stealth MBR Rootkit". I ran a scan with GMER and it came up:

    \device\Harddisk0\DR0 ~ sector 00: MBR rootkit detected !!!
    \device\Harddisk0\DR0 ~ sector 22: rootkit-like behavior
    \device\Harddisk0\DR0 ~ sector 22: rootkit-like behavior

    Avira Premium, Windows Firewall, SAS Free & EAZ-FIX are used on this machine. Windows XP SP2, IE7 and alot of uTorrent.

    I have read that recovery console FIXMBR can correct this, though I concern that it may have something to do with EAZ-FIX. Any insight?
     
  2. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    While I have not used EAZ-FIX, based on the way it works, I'd say odds are good this is the cause of the alerts.

    Blue
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yup :)
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I run RAW stealth MBR sandboxed today and it choked, puked, and fell flat on it's face. I done the same with some pretty mean malware sandboxed and the result always returned the same, no posibility of escape and easily erased, i use ERASER to fully wipe %Sandbox% contents. No chance for $m to mysteriously ressurrect them after that.

    With SandboxIE, i am thoroughly impressed!
     
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    MBR Rootkit, A New Breed of Malware
    F-Secure article here.

    Gmer, Prevx and two Symantic article links at bottom of article.

    This kind of malware is an outstanding example of why Windows users should acquire familiarity with using Linux Live CD's, reorder their BIOS to boot from CD before hard disk, and know how to issue dd commands to save off the original MBR for a Windows hard drive (and their Linux dual boot hard drive) after a clean installation before any connection to the Internet.

    A Linux Live CD environment with at least a 1GB RAM can activate a safe environment (assuming the Internet connection to the computer is temporarily disconnected) without any hard drives mounted or accessed. From there as root:

    # dd if=/dev/sda of=/mnt/linux/root/Mbrs/sdambr bs=512 count=1

    The above dd command assumes that a Windows OS is installed on /dev/sda and a Linux hard drive is mounted at the mount point /mnt/linux of the Linux Live CD environment. The MBR of the Windows hard drive is saved on the Linux hard drive in the file /root/Mbrs/sdambr, and has a block size of 512 bytes for one count.

    The restoration of the Windows MBR in a Live CD envronment is:

    # dd if=/mnt/linux/root/Mbrs/sdambr of=/dev/sda bs=512 count=1

    The above example assumes that the Linux hard drive is first mounted into the Live CD environment by:

    # mount -v -t ext3 /dev/sdb2 /mnt/linux (or a similar partition name that holds the Linux distribution identified with the command: fdisk -l which is issued by root account).

    Note: The Linux hard drive used in this example could be any hard drive like device such as a USB flash drive, external hard drive, dvd or cd.

    -- Tom
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The article mentions that the attack vectors are drive-by sites with different exploit code embedded in the web page.

    Another article linked states,

    http://www.prevx.com/blog/75/Master-Boot-Record-Rootkit-is-here-and-ITW.html

    It's obvious that the rootkit has to download/execute in order to do its dirty work.

    Malware triggered by Remote Code Execution (Drive-by) can be easily prevented from executing by any number of White List solutions.

    One of the exploits mentioned is

    Microsoft Data Access Components (MDAC) Function vulnerability (MS06-014)

    An earlier use of this shows how the malicious executable can be blocked from downloading/executing -- here, using Anti-Executable:

    MDAC-htm.gif
    ______________________________________________

    MDAC-ae.gif
    ______________________________________________

    For other solutions, see the recent threads on LUA and SRP.

    Someone once wrote,

    "If it can't execute, it can't infect."


    ----
    rich
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Went to the same link hxxp://www.zj5173.com/qq.htm.

    Some chineese but nothing seems to happen.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    It's an old exploit from a year ago -- just used to demonstrate White List blocking with one of the exploits listed in the article.

    I just checked some of my other links from past exploits but none are active.

    Keep your eye open for "Mebroot" exploits -- some might show up soon.

    Check the main weblog page of f-secure which posted the above article:

    http://www.f-secure.com/weblog/

    Also:

    http://isc.sans.org/diary.html

    -- they often get notified quickly when exploits surface in the wild.


    ----
    rich
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Oh, i thought it,s some recent one. :p

    Thanks
     
  10. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    The problem is that 'regular Joes' (myself included I guess) will never be able to do this and comprehend it.
     
  11. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    don't worry thats the geeky approach of the solution.just pop in your windows cd,open recovery mode nad type FIXMBR in the console and your done..now if you got more than one operating system in your hard drive thats another deal,you'll have to reload the bootloader you used to have.
     
  12. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Of course you have to discover that you're infected first...;)
    A lot of people won't even know they're infected with this MBR rootkit. I think I wouldn't notice it either. Or are there any tell-tale signs?
     
  13. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    well if you have many OS or any sort of ISR software,like EAZ-FIX ,first defence-ISR,rollbackRX e.t.c their boot screen will disappear since the rootkit will have overwritten ur MBR.
     
  14. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    I don't have any of those. I just have to be even more careful on the net I guess. :)
     
Loading...
Thread Status:
Not open for further replies.