May 29th

MBR Rootkit reloaded

Posted by: Marco Giuliani


Almost two months have passed since we isolated the new variant of the MBR rootkit. We already published a technical blog post about it and the new techniques used by this nasty rootkit, which I thought would be useful to anyone writing a detector for it.

Unfortunately, two months on, only a couple of security vendors and independent researchers have implemented a working detector for it. This is not good, especially since we are talking about the same threat that infected tens of thousands of PCs around the globe last year, stealing passwords, bank account credentials and personal information.

Actually, as I wrote in one of my previous posts, even the first version of the MBR rootkit could still have been used with great success by its creators. The main obstacle for the attacker is the dropper, because that is what antivirus products detect. Yet MBR rootkit droppers have managed to evade the signature and heuristic detections of most antivirus software; their creators know their dirty job quite well.

Then, once the dropper has infected the system, only a really small number of antirootkit tools are able to detect it.

Still, the rootkit writers decided to take a step ahead and released what can currently be called the worst rootkit in the wild. Almost every antirootkit has been bypassed.

Now, after two months, we have isolated yet another new variant of this MBR rootkit. Most likely its creators didn't like that a couple of vendors were already able to detect their creature, so they decided to wipe them off.

We checked how many antirootkits are able to detect the version of the MBR rootkit we isolated two months ago. The result is that only five applications fully detect that threat, Prevx 3.0 among them, which was the first.

Now, after this update, we are the only one still able to detect and successfully remove the infection.

The new MBR rootkit includes a much stronger filtering engine, which filters far more thoroughly every attempt by security software to read the Master Boot Record, so that a scanner reading through the hooked path never sees the infected sector.

The good news is that they have removed some of the routines used to hide the hook the rootkit sets for disk access filtering. I think this could be a temporary choice, though, because the DKOH technique applied previously makes the rootkit even harder to find.

The idea of hooking the lower driver to which \Device\Harddisk0\DR0 is attached is still a winning one, because it is quite difficult to bypass.

Even if you manage to unhook it, restoring the original function is still difficult, because you are not always dealing with the same hooked driver: it can differ from system to system. For example, sometimes the lower driver beneath disk.sys is ACPI.sys, sometimes vmscsi.sys, and sometimes it is directly atapi.sys. You have to trace down which driver has been hooked and then you have to know which original function was replaced. Annoying, indeed.
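To make that stack walk concrete, here is an added example of the check an antirootkit would perform: walk the device stack downward from \Device\Harddisk0\DR0 and flag every dispatch routine whose address lies outside its own driver's image. This is my own user-mode model written for this page, not code from Prevx, from the rootkit or from any scanner; the kernel structures (DEVICE_OBJECT, DRIVER_OBJECT with DriverStart, DriverSize and MajorFunction[]) are mirrored by simplified structs, the driver stack, module names and addresses are constructed values, and hooking IRP_MJ_INTERNAL_DEVICE_CONTROL on the lower driver is an assumption made for the demonstration.

```c
/* Added example (not Prevx's or the rootkit's code): user-mode model of
 * walking a disk device stack and flagging dispatch routines that point
 * outside their own driver's image. Real kernel objects (DEVICE_OBJECT,
 * DRIVER_OBJECT with DriverStart/DriverSize/MajorFunction[]) are mirrored
 * by the simplified structs below; all addresses are constructed values. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define IRP_MJ_READ                    0x03
#define IRP_MJ_WRITE                   0x04
#define IRP_MJ_DEVICE_CONTROL          0x0e
#define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f   /* same value as IRP_MJ_SCSI */
#define IRP_MJ_MAXIMUM_FUNCTION        0x1b

typedef struct {
    const char *name;                                /* module name */
    uintptr_t   image_start;                         /* DriverStart */
    uintptr_t   image_size;                          /* DriverSize  */
    uintptr_t   major[IRP_MJ_MAXIMUM_FUNCTION + 1];  /* MajorFunction[] */
} driver_object;

typedef struct device_object {
    const char           *name;
    driver_object        *driver;  /* DEVICE_OBJECT.DriverObject */
    struct device_object *lower;   /* what IoGetLowerDeviceObject would return */
} device_object;

typedef struct {
    const driver_object *driver;   /* driver whose table holds the hook */
    unsigned             irp_mj;   /* hooked MajorFunction index */
    uintptr_t            target;   /* where the hook points */
} hook_finding;

static int in_image(const driver_object *d, uintptr_t p)
{
    return p >= d->image_start && p - d->image_start < d->image_size;
}

/* Walk from the top device down to the lowest one. A dispatch pointer is
 * suspicious when it is neither inside its own driver image nor inside the
 * kernel (unused slots legitimately point at nt!IopInvalidDeviceRequest).
 * Returns the number of findings; at most max_out of them are stored. */
size_t scan_device_stack(const device_object *top, const driver_object *kernel,
                         hook_finding *out, size_t max_out)
{
    size_t n = 0;
    for (const device_object *dev = top; dev != NULL; dev = dev->lower) {
        const driver_object *d = dev->driver;
        for (unsigned mj = 0; mj <= IRP_MJ_MAXIMUM_FUNCTION; mj++) {
            uintptr_t p = d->major[mj];
            if (p == 0 || in_image(d, p) || in_image(kernel, p))
                continue;
            if (n < max_out) {
                out[n].driver = d;
                out[n].irp_mj = mj;
                out[n].target = p;
            }
            n++;
        }
    }
    return n;
}

/* Constructed sample: \Device\Harddisk0\DR0 (disk.sys) attached on top of an
 * IDE port device owned by atapi.sys, one of the lower drivers named in the
 * post. Image ranges are invented model values, not real load addresses. */
driver_object g_nt    = { "ntoskrnl.exe", 0x80400000u, 0x00200000u, {0} };
driver_object g_disk  = { "disk.sys",     0xf8a10000u, 0x00008000u, {0} };
driver_object g_atapi = { "atapi.sys",    0xf8800000u, 0x00010000u, {0} };
device_object g_ide   = { "\\Device\\Ide\\IdeDeviceP0T0L0-3", &g_atapi, NULL };
device_object g_dr0   = { "\\Device\\Harddisk0\\DR0",         &g_disk,  &g_ide };

/* Fill a dispatch table the way a clean driver's looks: implemented routines
 * inside the driver's own image, every other slot on IopInvalidDeviceRequest. */
static void init_clean(driver_object *d, uintptr_t iop_invalid_request)
{
    for (unsigned mj = 0; mj <= IRP_MJ_MAXIMUM_FUNCTION; mj++)
        d->major[mj] = iop_invalid_request;
    d->major[IRP_MJ_READ]                    = d->image_start + 0x0400;
    d->major[IRP_MJ_WRITE]                   = d->image_start + 0x0480;
    d->major[IRP_MJ_DEVICE_CONTROL]          = d->image_start + 0x0500;
    d->major[IRP_MJ_INTERNAL_DEVICE_CONTROL] = d->image_start + 0x0580;
}

/* Build the sample stack. With hooked != 0 the lower driver's
 * IRP_MJ_INTERNAL_DEVICE_CONTROL entry is redirected into memory that belongs
 * to no loaded module, which is where a filter sitting below DR0 would live. */
const device_object *build_sample_stack(int hooked)
{
    uintptr_t iop_invalid_request = g_nt.image_start + 0x1234; /* model address */
    init_clean(&g_disk, iop_invalid_request);
    init_clean(&g_atapi, iop_invalid_request);
    if (hooked)
        g_atapi.major[IRP_MJ_INTERNAL_DEVICE_CONTROL] = 0x81f0c000u; /* assumed */
    return &g_dr0;
}

int main(void)
{
    hook_finding f[8];
    size_t n = scan_device_stack(build_sample_stack(1), &g_nt, f, 8);
    for (size_t i = 0; i < n; i++)
        printf("hook: %s MajorFunction[0x%02x] -> 0x%lx (outside every known image)\n",
               f[i].driver->name, f[i].irp_mj, (unsigned long)f[i].target);
    return n ? 1 : 0;
}
```

In a real scanner this runs in kernel mode: the top device comes from IoGetDeviceObjectPointer on \Device\Harddisk0\DR0, the lower devices from IoGetLowerDeviceObject, and the image ranges from the loaded module list (ZwQuerySystemInformation with SystemModuleInformation). The bounds check only catches a replaced pointer; an inline patch inside the driver image, or the DKOH-style hiding mentioned above, passes it unnoticed, and even once the hook is found you still need the address of the original routine to restore it, which is exactly the per-system problem the post describes.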

I did not mention this in the first blog post about the new MBR rootkit, but it looks like this idea was picked up from another proof-of-concept bootkit, called Tophet.A and presented at the last XCon conference.

As written before, we started seeing this new MBR rootkit spreading quickly on the internet, dropped by compromised websites that host malicious iframes and obfuscated JavaScript.

Security vendors should take care of this threat now instead of waiting for the end of 2009 to claim that the MBR rootkit was the worst threat of the year, as happened last year.

Prevx 3.0 is able to fully detect and remove the infection for free.

7 comments so far

Subhro Bhandari on May 29 10:17, 2009

    Thanks for the effort. That's why I like Prevx.

Kazo on May 31 9:05, 2009

    A big thank you for your great product! I would like to ask, what percent of the currently existing rootkits can Prevx 3.0 detect? For example, can it detect Rustock.C?

Marco Giuliani on May 31 11:56, 2009

    Hello,

    actually Prevx 3.0 is able to detect and remove all known in-the-wild rootkits and well-known proofs of concept. More in detail, replying to your question, yes, Prevx is able to detect and remove all Rustock variants, including the infamous C variant discovered last year.

    Kind regards

curious on Jun 5 14:25, 2009

    Hi there,

    just curious: could you name the other rootkit scanners that are capable of detecting the new MBR rootkit?

    regards

Marco Giuliani on Jun 7 12:43, 2009

    Hello,

    at the moment the latest version of the MBR rootkit is detected only by Prevx, the RootRepeal antirootkit (the deepest hard disk scan level must be set, but we have seen this setting can sometimes cause a BSOD) and the latest update of Dr.Web. These are able to detect and clean the infection.

Jarno on Jul 18 12:52, 2009

    It's good that PrevX detects the MBR rootkit\Mebroot! But at work, I sadly cannot run PrevX because of company policy.

    So I have a question that may be stupid, but I hope not...

    I have read all that I can about this dangerous rootkit and it looks like it uses three different ways to infect you.

    1) 'raw access' with CreateFile

    2) disk.sys hook

    3) the \Device\Harddisk0\DR0 method you write about in this post.

    I know that 1) requires you to be administrator, but what about 2) and 3)? Can the MBR rootkit use 2 and 3 to infect you if you are not administrator? At work I don't have PrevX, but there I have a 'restricted user' account or 'limited user', I don't know which you should call it in English, but it is not administrator or 'power user'. My hope is that at work being a 'limited user' prevents the MBR rootkit from infecting the computer even when I do not have PrevX there.

    Thank you!

Arjan on Jul 28 18:20, 2009

    The newest mbr.exe from GMER should also find this. That only puts my total at four though; I'm not aware of any other programs capable of fixing it. Care to enlighten us as to the fifth? :)
