Prevx Blog
Since Brain there have been thousands of viruses that have used the same (and more advanced) techniques to stay stealthy in memory and avoid detection, tampering with basic functions and compromising the whole operating system.
It was the time of Brain, Stoned, Tequila and tons of other notorious names. These kinds of viruses disappeared, leaving the ground to other kinds of malware.
Today, the most complicated type of malicious software is, without a doubt, the rootkit. Technically speaking, the way they compromise the operating system at its lowest level is fascinating and dangerous at the same time.
We've seen a lot of different techniques used to compromise the system and to hide infection components inside the PC. But every time the war has been fought inside the operating system: a fight between antivirus researchers and malware writers over who starts before the other, so that he can own the machine. Only lately have we seen some proof-of-concept rootkits that can compromise the machine from outside Windows - see Microsoft's SubVirt project and Joanna Rutkowska's Blue Pill. Both really interesting but, luckily enough, still proofs of concept - which means that ITW (in-the-wild) malware should have the priority.
Now something is going to change. In 2005, researchers from eEye Digital Security published a new project, called BootRoot. It was essentially a new kind of rootkit that tried to subvert Windows from the outside, overwriting the Master Boot Record with its own code, which is able to modify the Windows driver ndis.sys from startup.
Some days ago GMER, author of one of the most famous free anti-rootkit tools, published a nice and fully detailed article on what looks like the new trend in infections: sadly, the proof of concept called BootRoot is now in the wild.
We can confirm this because we've had reports of an infection during the same period covered by GMER's paper, discovered by MR Team members Tammy and MJ.
The infection is spread through websites that host exploits targeting older and out-of-date software and operating systems. This infection vector has been seen often during 2006 and 2007 - Gromozon is only one example.
After the dropper gets executed, it overwrites the master boot record with its own code and stores a copy of the original master boot record at sector 62 of the hard disk, preceded by some of the code needed to get the infection working: code is written at sectors 60 and 61 too. The rootkit driver is then stored in free, unused space on the hard disk, usually in the last sectors. The code stored in the MBR is responsible for getting the driver loaded into the system.
At the next boot (the malware can schedule a reboot by itself) the new code stored inside the MBR hooks Int 13h, so that it gets full control over what is loaded by the operating system and can hook the Windows kernel on the fly.
The code patches the kernel so that the rootkit driver is loaded into the system. No registry key is needed, no file is present.
To hide itself from Windows, the rootkit hooks the IRP_MJ_READ and IRP_MJ_WRITE dispatch routines of disk.sys. When an attempt to read the master boot record is made, the rootkit instead returns the original MBR code stored at sector 62. So, on a running infected system, anything that reads sector 0 through the normal disk stack sees a clean MBR; the infected sector is only visible when the disk is read from clean boot media or through a path that bypasses the hooked driver. Moreover, the driver makes outbound connections to remote hosts. Most of the MBR code is unashamedly copied from the BootRoot project.
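The on-disk layout described above (original MBR saved at sector 62, loader code at sectors 60-61, driver body in unused space past the last partition) can be checked offline on a raw image of the disk taken from clean boot media, since on the infected machine the disk.sys hook hands back the saved copy whenever sector 0 is read. The following is an added example, not Prevx's or GMER's code: the MBR partition-table parsing is the standard format, the sector numbers are the ones from this post, and the toy disk image it analyses is constructed inline (the boot-code bytes in it are placeholders, not the rootkit's).

```python
import struct

SECTOR = 512
MBR_SIG = b"\x55\xaa"


def sector(img: bytes, n: int) -> bytes:
    return img[n * SECTOR:(n + 1) * SECTOR]


def is_mbr(sec: bytes) -> bool:
    """A sector is MBR-shaped if it carries the 0x55AA signature at offset 510."""
    return len(sec) == SECTOR and sec[510:512] == MBR_SIG


def parse_partitions(mbr: bytes):
    """Return (boot_flag, type, lba_start, lba_count) for each used entry.

    The four 16-byte entries start at offset 446: boot flag, CHS start (3),
    type, CHS end (3), then little-endian LBA start and sector count.
    """
    entries = []
    for i in range(4):
        e = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        boot, ptype = e[0], e[4]
        start, count = struct.unpack_from("<II", e, 8)
        if ptype != 0:
            entries.append((boot, ptype, start, count))
    return entries


def analyse(img: bytes) -> dict:
    """Heuristic checks for the layout this rootkit leaves behind."""
    s0, s62 = sector(img, 0), sector(img, 62)
    parts = parse_partitions(s0)
    total = len(img) // SECTOR
    first_start = min(p[2] for p in parts) if parts else 1
    last_end = max(p[2] + p[3] for p in parts) if parts else 1

    r = {"mbr_signature_ok": is_mbr(s0)}
    # Sector 62 holding a second full MBR whose partition table matches
    # sector 0 but whose boot code differs is the saved original.
    r["saved_mbr_at_62"] = (is_mbr(s62)
                            and parse_partitions(s62) == parse_partitions(s0)
                            and s62[:446] != s0[:446])
    # The gap between the MBR and the first partition (sectors 1..62 on an
    # XP-era disk whose first partition starts at LBA 63) is normally zero.
    r["nonzero_gap_sectors"] = [n for n in range(1, first_start) if any(sector(img, n))]
    # Data past the end of the last partition is where the driver body goes.
    # Caveat: leftovers from an older partition layout also land here, so
    # treat this as a lead to inspect, not proof of infection.
    r["nonzero_tail_sectors"] = [n for n in range(last_end, total) if any(sector(img, n))]
    r["suspicious"] = bool(r["saved_mbr_at_62"] or r["nonzero_gap_sectors"] or r["nonzero_tail_sectors"])
    return r


def build_image(infected: bool) -> bytes:
    """Constructed toy disk: 256 sectors, one NTFS partition at LBA 63, 128 long."""
    total = 256
    img = bytearray(total * SECTOR)
    orig = bytearray(SECTOR)
    orig[:446] = b"\x33\xc0\x8e\xd0" + b"\x90" * 442          # placeholder boot code
    struct.pack_into("<BBBBBBBBII", orig, 446, 0x80, 0, 0, 0, 0x07, 0, 0, 0, 63, 128)
    orig[510:512] = MBR_SIG
    if not infected:
        img[0:SECTOR] = orig
        return bytes(img)
    loader = bytearray(orig)                                    # same table, new boot code
    loader[:446] = b"\xfa\x33\xc0" + b"\xcc" * 443              # placeholder, not the real loader
    img[0:SECTOR] = loader
    img[60 * SECTOR:62 * SECTOR] = b"\xcc" * (2 * SECTOR)       # code at sectors 60 and 61
    img[62 * SECTOR:63 * SECTOR] = orig                         # original MBR saved at 62
    img[(total - 8) * SECTOR:total * SECTOR] = b"MZ" * (4 * SECTOR)  # driver body in the tail
    return bytes(img)


if __name__ == "__main__":
    for label, flag in (("clean", False), ("infected", True)):
        print(label, analyse(build_image(flag)))
```

Run it against a real image with `analyse(open("disk.img", "rb").read())`; on the infected toy image it reports the saved MBR at sector 62, non-zero sectors 60-62 and a non-zero tail, while the clean image trips none of the checks.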
In our preliminary tests, Windows Vista is only partially vulnerable: if UAC is disabled, the rootkit can overwrite the Master Boot Record code, but if UAC is enabled the write is blocked. Even when the code is successfully written into the MBR, the rootkit can't get control, because the boot process differs between Windows XP and Vista and the signature scan the rootkit uses to find the right code to patch is ineffective.
Is the old school coming back? Indeed, the attack technique is quite similar to Brain and other old viruses, and the rootkit concept itself is quite old.
Now that this kind of rootkit is in the wild we can expect a new wave of them, because a lot of known anti-rootkit solutions are falling behind in detecting this one.
Many anti-rootkit solutions still fail to detect rootkits that load from inside Windows, as there are dozens of tricks and subversion techniques that are difficult to detect. Now the battle is beginning to leave the operating system, and a whole new war is beginning.
We're going to update our anti-rootkit engine to detect and remove this kind of rootkit.
4 comments so far

- MarkRight on Oct 23 9:09, 2009

I believe I acquired one of these gems on January 29 this year. It uses the CMOS, my Plextor DVD drive, and the disk drive as the vehicle. I first noticed something loading prior to the Windows start up procedure, followed by: "Booting from CD" message. When I disconnected the DVD drive, the boot process crashed during the POST process with a checksum failure indication. Replacing the drive with a different one produced the same results. Reconnecting the original DVD drive allowed the boot process to continue, and Windows started normally.
I flashed the CMOS, put the new DVD drive in, then tried to start the computer again. No success. The BIOS did not "see" the hard drive. Rebooting produced the same checksum error as above.
I tried several virus checkers, as well as a rootkit revealer. None of the commercial products detected the problem. The revealer found two entries:
%systemroot%\system32\dumprep 0-u
%systemroot%\system32\dumprep 0-y
According to the author's blog, these are normal, but undocumented installations by Microsoft.
Tried a low-level format (0 fill) but the process crashed prior to termination. Interestingly, the HD size is now diminished by the exact size of the memory installed. I suspect this to be the hidden partition.
I have been battling this now since the end of January without a resolution. I hope others will have better luck.

- ClickaNerd - MBR - Virus - Bad Ass on Jan 19 4:22, 2009

I have not seen this sort of infection for 20 years. I came across a variant of this today. It's nice that sites like this keep us in check with the past. Your information was very useful. ClickaNerd.com spends its days fixing viruses and uses your information often. Thanks to the author.

Interesting blog you got here. I'd like to read a bit more about this matter.

- Laz on Feb 6 20:31, 2008

Nice writeup. Unfortunately, when it comes to rootkits, it certainly seems to be a war that the malware writers are currently winning.
Now that MBR-Kit has been unveiled, it becomes a question of how long this bot has been ITW and how long it's been subverting systems.
Next up, Rustock.C/D.
P.S. Your RK detection in CSI has been shaping up quite nicely. I believe it currently only misses Nulprot (asc3550.sys+asc3550p.sys), and TR.inject/AllinOne (VideoAti0.sys+VideoAti0.dll+VideoAti0.exe), in addition to the "legendary" Rustock.C/D... oh and MBR-Kit (which obviously you're working on).
Keep up the good work.