New "Mebroot" MBR-Modifying Rootkit Analyzed

I Don't Believe in Imaginary Property writes "F-Secure has a writeup on a highly obfuscated, advanced new rootkit they recently discovered which uses a number of old techniques like MBR modification in new ways. It modifies the MBR, starts up its downloader with an ntoskrnl.exe hook set to nt!Phase1Initialization (which conveniently removes it from memory afterwards), and hooks IRP_MJ_READ and IRP_MJ_WRITE in disk.sys to hide itself in empty sectors. It also bypasses software firewalls by calling the NDIS API directly, using a 'code pullout' technique to load just the parts of ndis.sys that it needs. F-Secure believes it was written by professionals who are after financial information."

Would these issues affect EFI to the same degree?

[The Ancients]

After seeing rootkits spring from many sources (yes - including Sony) would the introduction of EFI bring greater barriers to this sort of exploit, or would it just be a matter of time before the crackers have their hooks into this to the same extent as well?

Re:

[ILuvRamen]

the originators should have no reason to sell this technology. The more crackers that use it for their purposes, the more likely antivirus companies are going to take notice and take more immediate, drastic steps to stop it. If it's just one group using one new rootkit that's different than a bunch of people using it for all different stuff. Btw that sounded so racist lol. CRACKER!

Re:

[Anonymous Coward]

Btw that sounded so racist lol. CRACKER!

We prefer the term "honky".

Re:Would these issues affect EFI to the same degre

[VitaminB52]

the originators should have no reason to sell this technology. The more crackers that use it for their purposes, the more likely antivirus companies are going to take notice and take more immediate, drastic steps to stop it.

That sounds a little naive. It's wrong for several reasons:

• Not all computer users use (up-to-date) anti-virus software
• Even fewer computer users use (up-to-date) anti-malware software
• And, even if computer users use both up-to-date anti-virus and anti-malware software, they will be vulnerable in the time frame between the release of the rootkit and the release of the anti-rootkit software upgrade that fights it - in this time frame the rootkit writers will 'make' more money than most Slashdot users during their whole life

Re:

[stonecypher]

Naivity belongs to you, not grandparent.

Not all computer users use (up-to-date) anti-virus software

No, but about 85% of computer users do, and financial information is a question of hitting as many people as possible.

Even fewer computer users use (up-to-date) anti-malware software

This isn't worth saying seperately, and this is an AV issue.

And, even if computer users use both up-to-date anti-virus and anti-malware software, they will be vulnerable in the time frame between the release of the rootkit and the

Re:

[BobPaul]

No, but about 85% of computer users do, and financial information is a question of hitting as many people as possible.

Bullshit. AV penetration might be that high, but what's the percentage when expired 90-day "came with my computer" trials are excluded? I work at a University, and if college students are any indicator of what they're parents are doing, even with our best efforts to educate them and provide campus purchased AV for use on personal computers, a large number either have nothing or don't realize

Re:

[stonecypher]

Bullshit.

You're guessing. Acting like you know someone else is wrong, when you don't, makes you look like an asshole.

I work at a University

As a janitor, maybe. People don't get university jobs of quality when they can't sort out the difference between "they're", "there" and "their".

and if college students are any indicator of what they're parents are doing

They aren't.

even with our best efforts to educate them

Given your surreal quality of language and your seeming unawareness that you're supposed to bring

Re:

[BobPaul]

Give me back my jacket, you fat lard! I said you could borrow it, not keep it!

Re:

[stonecypher]

That's one of the dumbest things I've ever seen anyone say on slashdot, including trolls, and I've been here for more than a decade.

Congratulations: you're the first slashdotter to genuinely disappoint me in more than a year.

Re:

[BobPaul]

Ha! I knew you were at least as much of a pedant as I am. "Don't bother replying because I won't read it" my ass. You even replied!

Re:

[VitaminB52]

Naivity belongs to you, not grandparent.

Not all computer users use (up-to-date) anti-virus software

No, but about 85% of computer users do, and financial information is a question of hitting as many people as possible.

According a recent survey only about 50% of computer users do use AV software, the % of up-to-date AV software is even lower.

Even fewer computer users use (up-to-date) anti-malware software

This isn't worth saying seperately, and this is an AV issue.

According to afore mentioned survey, far less than 50% of computer users do use anti malware software.
Anti malware isn't a AV issue. Yes, sometimes anti malware comes bundled with an AV package, but it isn't the same as AV software.

And, even if

Re:

[stonecypher]

According a recent survey only about 50% of computer users do use AV software, the % of up-to-date AV software is even lower.

Please show me this survey that contradicts CERT by 35%.

According to afore mentioned survey, far less than 50% of computer users do use anti malware software.

Please show me this survey that contradicts CERT by 35%.

Anti malware isn't a AV issue.

That's funny, MBR viruses like this show up all over Norton's and Kaspersky's lists. Funny how the antivirus authors seem to disagree with you

Re:Would these issues affect EFI to the same degre

[jmorris42]

> ...would the introduction of EFI bring greater barriers to this sort of exploit...

EFI is more complex than the simple boot block / partition table that fits in a single disk sector. More complex means fewer people who will fully understand it, more bad implementations in firmware with potential security problems, etc.

Of course there are good reasons for it to replace the MBR/partion table, like running into a brick wall on the max drive size.

Re:Would these issues affect EFI to the same degre

[Hal_Porter]

Of course there are good reasons for it to replace the MBR/partion table, like running into a brick wall on the max drive size.

Actually you don't need to change the Bios to get that. Currently the Bios loads sector 0 into memory and jumps into it. There's no reason why sector 0 couldn't be a GPT MBR. Pre GPT people worked out ways to allow for 64 bit LBA addresses in the partition table

http://home.no.net/tkos/info/embr.html [no.net]

And the Bios has supported 64 bit LBA addresses in int 13 for ages, so there is no disk size problem for a very long time - probably many decades. Seriously, you don't need EFI to get 64 bit LBA support.

Re:Would these issues affect EFI to the same degre

[CastrTroy]

Couldn't you just have a USB stick with a physical switch to set it as readonly, and then set the computer to only boot off that device? Most (all?) new computers support booting off the USB device. Using this method of booting, along with having /usr and other places mounted as write only, you could probably stop most stuff from infecting the system. You might still have a problem with things infecting your home directory, but that can be more easily removed.

Re:

[speculatrix]

aren't some of these usb memory device's read-only switch just an indicator to the OS to not allow writing, so that it's possible for malware to override it?

Re:

[networkBoy]

If you're paranoid enough (or if like me your USB key is a cheapie that doesn't have a switch), load your image, make sure it works, crack open the key, then lift the WE# pins from the TSOP flash devices (specs on-line, just look up the respective chip).
That way my boot & nuke / clean-up key never gets accidentally formatted by someone.
-nB

Re:

[freedom_india]

including Sony

So, you recommend i incorporate myself as a corporate so that i may successfully produce rootkits without fear of conviction?

Lawyer for victim: "The accused here caused massive financial damages to my client by putting in a rootkit and stealing bank account information thus enabling 3rd parties who used the rootkit to steal money from my client's accounts."

Lawyer for accused: "Your honor, i present for your perusal, information from earlier such cases where the corporate was trying to protect intellectual

Re:

[Hal_Porter]

Except corporations can be sued for millions if they damage other people's computers. They are a much more inviting lawsuit target than some penniless hacker. Particularly class action lawsuits which allow people to sue them without being individually able to afford lawyers.

Re:

[freedom_india]

They are a much more inviting lawsuit target than some penniless hacker

Righhht ! And how many have paid millions out as a result of lawsuit judgements going out against them?
Name one case where a corporation was convicted of being a hacker and made to pay out millions.

Now go and count the cases where a poor individual hacker was convicted of hacking?

Re:

[Hal_Porter]

Name one case where a corporation was convicted of being a hacker and made to pay out millions

Large companies with deep pockets are hit with lawsuits all the time. This one seems frivolous to me, someone sued Apple because the battery in the iPhone was non replaceable. But that's something he should have checked before he bought it. I don't like my iPod touch, but there's no way I'd sue Apple for all the misfeatures.

http://www.techcrunch.com/2007/07/27/iphone-class-action-lawsuit/ [techcrunch.com]

This one seems more sympathetic - a judge ordered a bunch of spam companies to pay $1bn, presumably bankrupting them. As

Re:Would these issues affect EFI to the same degre

[sigxcpu]

there are proof of concept EFI rootkits out there
http://it.slashdot.org/article.pl?sid=06/01/27/1327228 [slashdot.org]

Nice Job

[QuantumG]

Of course, back in the day we called it "stealth" and a "root kit" was what you used to "get root" on a unix box.. but hey, language changes. How about adding some infection routines to that puppy and letting it live?

Not that I'd ever encourage such behavior.

Re:

[Gideon Fubar]

you know, that's one piece of language drift i don't mind.. the windows rootkit is a totally different beast to an elevation exploit..

you're totally right tho. Back in the day, this would have just been called a boot infector with some interesting stealth. I gotta say, i'm really surprised that stuff like this still works..

Re:

[ledow]

Back in my day, Windows was a WIMP GUI. Now they call it an operating system.

But yes, the old-style viruses tend to have lost out the past few years. I can remember quaking in fear when I read about a virus that was polymorphic, stealth, boot-sector infecting, "hold your partition table to ransom", able to transfer to floppies, hard disks and even CD's (WOW!), plus across IPX networks, randomising data destruction etc.

Now THAT was a virus to be scared of.

Re:

[Corporate Troll]

I can remember quaking in fear when I read about a virus that was polymorphic, stealth, boot-sector infecting, "hold your partition table to ransom", able to transfer to floppies, hard disks and even CD's (WOW!), plus across IPX networks, randomising data destruction etc.

And all that in less than 512 *bytes* code...

Re:

[QuantumG]

http://www.wiw.org/~meta/vlad.php?read=ARTICLE.5_6&issue=5&desc=Fame [wiw.org]

For example.

Re:

[smallfries]

How far back are you talking? I'd always heard the phrase rootkit as the code you downloaded after an exploit to hide your tracks and make sure that you keep root. Of course on windows getting root in the firtst place isn't such a big deal so some language drift is understandable...

Re:

[WaXHeLL]

A "root kit" has never been what you used to get root on a box.

Originally a root kit was a set of tools to hide your tracks, like replaced versions of 'ls', 'ps', etc so that it became that much harder to detect you.

AVG, Clam

[BrookHarty]

Googled, but guess its too new, does AVG and Clam scan for mebroot yet?

The fix is free:

[Futurepower(R)]

At the bottom of the linked article [f-secure.com], there is another link: Gmer -- MBR [gmer.net]. At the end of that long technical article it says: "Rootkit removal: To remove rootkit from infected machine you can simply use "Recovery Console" command: fixmbr."

To use it, you first go into the Windows XP Recovery Console [microsoft.com]. Then run FixMBR /? for parameters. Save the MBR (Master Boot Record) first.

Here is a discussion [microsoft.com] on the Microsoft web site about tools for fixing the MBR without the Recovery Console. I've never tried them; I've always used the FixMBR utility that comes with the Recovery Console.

FIXMBR -- trust chain

[sconeu]

Yeah, but you've got to boot off of CD to use it, otherwise you're suspect, since you've booted off the bogus MBR to get to the recovery console.

Ultimate Boot CD for Windows

[Futurepower(R)]

Yes, you're right. Boot CD: Ultimate Boot CD for Windows [ubcd4win.com]

From the article

[Corporate Troll]

From the article:

In fact, it is quite surprising that it's possible to write to the MBR from within Windows to begin with.

I'm pretty sure you can only do that when you're Admin.... Use "Limited User" for crying out loud!

Re:

[hcmtnbiker]

Or if you use vista:

Mebroot boot loader modifying rootkit is attempting to modify the MBR.
[Cancel] [Allow]

Re:

[Corporate Troll]

Yeah, but the novice user will click "Allow" to get back to work.... Doesn't help. Limited User on XP simply doesn't allow you to do anything that's dangerous. No dialog boxes, no passwords: simply "Access denied" which is how it should be. You want to install something of change configuration login as Admin or use RunAs.

Of course, that would mean that the user knows what he's doing, and we're back to the weakest chain in the link... *sigh*

Re:

[LoadWB]

ISTR a number of motherboard BIOS which protect the boot block of a hard drive. Would this not then protect the MBR?

If so, I will refrain from asking, "then why don't people use it?" because I know why. And I know why I have not enabled this feature. Simply put, lack of motivation to do so. But since I'm not loading an OS onto my computer every day I use it, or my servers, I could level-up my responsibility stats by write-protecting the MBR. (Of course, any cracker worth his salt (HA!) would find a way

Re:

[Corporate Troll]

Hmmmm... With the multitude of different BIOSes out there, I doubt it is possible to have code that would work on every machines. From time to time one hears of BIOS viruses and the like, but I frankly think they're urban myths.

On the other hand, the MBR is on a fixed position on your harddisk and modern operating systems do not need the BIOS to write to it. It might thus be possible to write the MBR without he BIOS noticing.

Re:

[networkBoy]

"From time to time one hears of BIOS viruses and the like, but I frankly think they're urban myths."
Look up Blue Pill rootkit.
-nB

Re:

[Corporate Troll]

I know Blue Pill and Blue Pill isn't a BIOS virus. It doesn't infect the BIOS, it essentially installs a hypervisor under the operating system, which then runs the operating system itself in it. At no point this needs a BIOS modification. MBR is enough.

"not written for fun"

[ph0enix]

This malware is very professionally written and produced. Which of course means it's not written for fun.

Why include this swipe at amateur software development?

Nearly all of the "professionally produced" code that I've read is horrendous and looks like it's been coded by rabid gibbons on LSD, while the best code I've read has been written by people for whom it's a labor of love. Yes, there is also plenty of ugly open-source code, but the fact that it's well written just means that the programmer cared about it.

Re:

[dzfoo]

I agree: some of the most innovative viruses that were created back in the day, the ones experts collect and study for their brilliant and elegant design, were done basically for "fun", not profit.

This MBR infector could very well have been written by "professionals" with a specific agenda, but to reach that conclusion based solely on the apparent quality of the code is wrong.

          -dZ.

Re:

[stonecypher]

This malware is very professionally written and produced. Which of course means it's not written for fun.

Why include this swipe at amateur software development?

I didn't read it that way at all. The way I read that was "the person who wrote this did so to create a tool for a specific purpose; their goal was not mischief or proving their skill, as is so common in this arena, but rather to create an exploit to make themselves rich."

Intimidating

[Workaphobia]

Was I the only one a little unnerved by that bad boy's description? Attacking the MBR *and* hiding in free disk space?

Re:

[downix]

Reminds me of the one nasty little bug I ran across (DOS virus, mind you) which hid not on the HD, but in the SRAM buffer found on a particular brand of floppy drive (chinon or mitsumi I believe). Incredibly nasty in that nobody knew where it was coming from, or why a HD wipe didn't get rid of it.

DOS Viruses

[ledow]

Maybe it's just me remembering the good old days of DOS viruses but none of this actually seems "new", except for "calling the NDIS API directly, using a 'code pullout' technique to load just the parts of ndis.sys that it needs", which is just a shortcut to direct hardware access... it's basically loading another copy of a library to use it seperately from the OS (and therefore, presumably, OS security) to access the network card. It's a nice way to access a network card from "below" the OS in a hardware-independent way (i.e. let's pinch the Windows driver rather than try to work out what card we are using and create 1000 drivers for each different brand of card.). But on the whole, this is hardly "new" or "shocking".

Having said that, it's nice to see something where people have actually invested time and skill into creating a program that bypasses the OS in such a way, rather than just another re-written script with a couple of variables changed.

Lines like:

"This malware is very professionally written and produced. Which of course means it's not written for fun."

might annoy some, though. The old DOS viruses NEVER really acheieved anything useful (even with blackmail attempts while holding your boot sector to ransom) etc. and were written "just because" by teenagers. That didn't stop them from appearing professionally written and breaking genuinely new ground for the time. Just because people are now using such malware for financial gain, doesn't mean that it's ALWAYS the case. And Linux zealots are sure to jump on the above quote with all their hearts. :-)

And then you have the obvious - why is the OS allowing you to modify the MBR without appropriate rights and/or why are users running as users with the rights necessary to do this? This is STILL a problem harking back to the DOS days - everyone as administrator. With a new twist - the average user hasn't needed to BE administrator for quite a long time now.

Re:

[jfim]

And then you have the obvious - why is the OS allowing you to modify the MBR without appropriate rights and/or why are users running as users with the rights necessary to do this? This is STILL a problem harking back to the DOS days - everyone as administrator. With a new twist - the average user hasn't needed to BE administrator for quite a long time now.

Except in Vista, this isn't true. You need to either have elevated privileges(or have disabled UAC so that everything runs as administrator) to be able

Re:

[ledow]

I don't have vast experience of Vista because I decided against deploying it on the last few networks I managed. However, it seems that it must still be incredibly easy to access the MBR even, as you point out, as a non-administrator user.

However I assume that "Boot sector protection" as available in most modern BIOS's should stop this stone dead (I know that I implement it but I doubt everyone does). It's like 1989 all over again...

Granted, the virus is easily cleaned, although it's potential effects may

Re:

[jfim]

I don't have vast experience of Vista because I decided against deploying it on the last few networks I managed. However, it seems that it must still be incredibly easy to access the MBR even, as you point out, as a non-administrator user.

Not really. UAC [wikipedia.org] is essentially like sudo, except that when you run in an administrator account, there is no password prompt, only a Allow/Cancel choice. From a non-administrator user, you have to enter the login and password of an administrator. Of course, if you disable

Re:

[InverseParadox]

UAC is essentially like sudo, except that when you run in an administrator account, there is no password prompt, only a Allow/Cancel choice.

This is only true if the built-in Administrator account has no password. If you enable the built-in Administrator account (which can apparently be done any of several ways, but the one I've always used is 'net user administrator /active:yes') and then give it a password, the UAC dialog will thereafter have a password prompt. This has always been the first thing I do on any Vista machine I've had to configure (which fortunately has not been many).

I also remove sudo from every *nix box I admin; 'su -c' does

Re:

[InverseParadox]

...unless, of course, that's just a mistaken observation on my part by virtue of never having bothered to run with a non-restricted account while Administrator had a password. (I somehow failed to think of this possibility before posting.)

Re:

[jfim]

This is only true if the built-in Administrator account has no password. If you enable the built-in Administrator account (which can apparently be done any of several ways, but the one I've always used is 'net user administrator /active:yes') and then give it a password, the UAC dialog will thereafter have a password prompt. This has always been the first thing I do on any Vista machine I've had to configure (which fortunately has not been many).

Interesting. I never enabled the Administrator account on my

I disagree.

[jd]

The Drain virus taught a lot of noobs that disk drives are not washer/dryers. The cascade virus brought new meaning to the saying that what lights up must come down. Early viruses were very educational.

Re:

[jgrahn]

Lines like: "This malware is very professionally written and produced. Which of course means it's not written for fun." might annoy some, though. [---] And Linux zealots are sure to jump on the above quote with all their hearts.

Not just Linux zealots. If you cannot write good code for fun, you cannot write it for money, either.

Yes...

[sonicattack]

...but does it boot Linux?

I'm impressed!

[dzfoo]

Wow! I did not know you could have such low-level access with Visual Basic. These kids nowadays...

        -dZ.

Do we only care about business?

[Bromskloss]

What about its effects on the well-being of us, the humans?

(Provided energy use is bad for the planet, the increase of that might be important, if it's large.)

Re:

[seramar]

you meant to post that over here I think http://slashdot.org/article.pl?sid=08/03/04/0241218 [slashdot.org]

Re:

[Bromskloss]

you meant to post that over here I think http://slashdot.org/article.pl?sid=08/03/04/0241218 [slashdot.org]

Oups, you are right. I'll creep back into my hole now.

Hackers,Phishers,Virii writers

[flyneye]

The unethical in IT,so frustrating and destructive,amongst the most hated in the world.
It wouldn't surprise me to find legislation in many countries,unopposed by the citizenry(even the U.S.) for capital punishment or at least cutting off their hands.