Jan 5th

Master Boot Record Rootkit is here and ITW

Posted by: Marco Giuliani


We have to go a long way back in our memories, a step backward to remember Brain, the first documented IBM-PC virus. Brain was a boot sector virus that hid itself by hooking INT 13h, the BIOS interrupt used to get direct access to the disk. When someone tried to read the boot sector of an infected disk, Brain would instead show a copy of the original boot sector.

[Image: Brain Int 13h hook]

Since Brain there have been thousands of viruses that have used the same (and more advanced) technique to stay stealthy in memory and avoid detection, tampering with basic functions and compromising the whole operating system.

It was the time of Brain, Stoned, Tequila and tons of other notorious names. These kinds of viruses disappeared, leaving the ground to other kinds of malware.

Today, the most complicated type of malicious software is, without a doubt, the rootkit. Technically speaking, the way they compromise the operating system at the lowest level is quite fascinating and at the same time dangerous.

We've seen a lot of different techniques used to compromise the system and to hide infection components inside the PC. But every time the war has been fought inside the operating system, a fight between antivirus researchers and malware writers over who basically starts before the other so that he can own the machine. Only lately have we seen some proof-of-concept rootkits that can compromise the machine from outside Windows - see Microsoft's SubVirt project and Joanna Rutkowska's Blue Pill. Both are really interesting but, luckily enough, still proofs of concept - this means that ITW malware should have the priority.

Now something is going to change. In 2005, researchers from eEye Digital Security published a new project called BootRoot. That was essentially a new kind of rootkit that tried to subvert Windows from the outside, overwriting the Master Boot Record with its own, which is able to modify the Windows driver ndis.sys from startup.

Some days ago GMER, author of one of the most famous free anti-rootkit tools, published a nice and fully detailed article on what looks like the new trend of infections: sadly, the proof of concept called BootRoot is now in the wild.

We can confirm this because we've had reports of an infection during the same period shown in GMER's paper, discovered by MR Team members Tammy and MJ.

The infection is spread through some websites that host exploits targeting older and out-of-date software and operating systems. This infection vector has been seen often during 2006 and 2007 - Gromozon is only one example.

After the dropper gets executed, it overwrites the master boot record with its own code and stores a copy of the original master boot record at sector 62 of the hard disk, prepending some of the code needed to get the infection working. Code is added at sectors 60 and 61 too. The rootkit driver is then stored in free, unused space on the hard disk, usually in the last sectors. The code stored in the MBR is responsible for getting the driver loaded into the system.

At the next bootup (the malware can schedule a reboot by itself) the new code stored inside the MBR hooks Int 13h, so that it gets full control of what is loaded by the operating system and can hook the Windows kernel on the fly.

[Image: MBR rootkit code]

The code patches the kernel so that the rootkit driver is loaded on the system. No registry key is needed, no file is present.

To hide itself from Windows, the rootkit hooks disk.sys's dispatch routines for IRP_MJ_READ and IRP_MJ_WRITE. When an attempt is made to read the master boot record, the rootkit instead returns the original MBR code stored at sector 62. Moreover, the driver makes outbound connections to remote hosts. Most of the MBR code is unashamedly copied from the BootRoot project.
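The on-disk layout described above (original MBR stashed at sector 62, extra code at sectors 60 and 61, partition table left intact) is something a forensic check on a raw disk image can look for without going through the hooked disk.sys path. The following is an added example, not code from the original post or from Prevx: it scans the sectors before the first partition of a constructed 64-sector image and flags any gap sector that carries a boot signature and the same partition table as sector 0. It assumes a classic XP-era layout where sectors 1-62 are normally unused.

```python
import struct

SECTOR = 512
MBR_GAP_SECTORS = 63   # sectors 0..62 precede the first partition on a CHS-aligned XP disk (assumption)

def partition_table(sector: bytes) -> bytes:
    # The four 16-byte partition entries occupy offsets 446..509 of an MBR.
    return sector[446:510]

def has_boot_signature(sector: bytes) -> bool:
    return sector[510:512] == b"\x55\xaa"

def sector_is_blank(sector: bytes) -> bool:
    return not any(sector)

def scan_mbr_gap(image: bytes) -> dict:
    """Offline check of the area before the first partition.
    Reports (1) non-blank sectors in the gap and (2) any gap sector carrying a
    boot signature plus a partition table identical to sector 0's, i.e. a stashed
    copy of the original MBR like the one this rootkit keeps at sector 62."""
    mbr = image[0:SECTOR]
    findings = {"mbr_signature_ok": has_boot_signature(mbr),
                "nonblank_gap_sectors": [], "mbr_copies": []}
    for lba in range(1, MBR_GAP_SECTORS):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(s) < SECTOR or sector_is_blank(s):
            continue
        findings["nonblank_gap_sectors"].append(lba)
        if has_boot_signature(s) and partition_table(s) == partition_table(mbr):
            findings["mbr_copies"].append(lba)
    return findings

def build_sample_image(infected: bool) -> bytes:
    """Constructed 64-sector image: a clean MBR with one NTFS partition entry.
    For the described layout the original MBR is copied to sector 62, sectors
    60-61 hold filler standing in for loader code, and sector 0's bootstrap
    area is replaced while its partition table is kept."""
    boot_code = b"\xfa\x33\xc0" + bytes(443)           # constructed bootstrap stub
    entry = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x07, 0xfe, 0xff, 0xff, 63, 2097089)
    table = entry + bytes(48)                           # one active entry, three empty
    clean_mbr = boot_code + table + b"\x55\xaa"
    sectors = [clean_mbr] + [bytes(SECTOR)] * 63
    if infected:
        sectors[62] = clean_mbr                         # backup of the original MBR
        sectors[60] = b"\xeb\xfe" + bytes(510)          # constructed filler, not real code
        sectors[61] = b"\xeb\xfe" + bytes(510)
        sectors[0] = b"\xeb\xfe" + bytes(444) + table + b"\x55\xaa"
    return b"".join(sectors)
```

Run it against a raw image taken with the system offline; a live read on an infected box would go through the hooked driver and see the clean copy from sector 62, which is exactly the cross-view difference an anti-rootkit tool can exploit.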

In our preliminary tests, Windows Vista is only partially vulnerable: if UAC is disabled, the rootkit can overwrite the Master Boot Record code, but if UAC is enabled it is blocked. Even if the code is successfully written into the MBR, the rootkit can't gain control, because the boot loading process differs between Windows XP and Vista and the signature scan the rootkit uses to find the right code to patch is ineffective.

Is old school coming back? Indeed, the attack technique is quite similar to Brain and other old viruses, but then the rootkit concept itself is quite old.

Now that this kind of rootkit is in the wild we can expect a new wave of these rootkits, because a lot of known anti-rootkit solutions are falling behind in detecting this one.

Many anti-rootkit solutions still fail to detect rootkits that load from inside Windows, as there are dozens of tricks and subversion techniques that are difficult to detect. Now the battle is beginning to leave the operating system, and a whole new war is beginning.

We're going to update our anti-rootkit engine to detect and remove this kind of rootkit.

1 comment so far

Elite on 07/01/2008 15:06:05

Nice writeup. Unfortunately, when it comes to rootkits, it certainly seems to be a war that the malware writers are currently winning.

Now that MBR-Kit has been unveiled, it becomes a question of how long this bot has been ITW and how long it's been subverting systems.

Next up, Rustock.C/D.

P.S. Your RK detection in CSI has been shaping up quite nicely. I believe it currently only misses Nulprot (asc3550.sys+asc3550p.sys), and TR.inject/AllinOne (VideoAti0.sys+VideoAti0.dll+VideoAti0.exe), in addition to the "legendary" Rustock.C/D... oh and MBR-Kit (which obviously you're working on).

Keep up the good work.
