Author Topic: MBR Trojan


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40605
  • Dragons by Sasha
    • Malware fixes
MBR Trojan
« on: January 09, 2008, 10:32:43 PM »
Just so everyone is aware of a new nasty making the rounds
Quote
Trojan.Mebroot takes control of the system by overwriting the MBR with its own code. Analysis of Trojan.Mebroot shows that its current code is at least partially copied from the original eEye BootRoot code. The kernel loader section, however, has been modified to load a custom designed stealth back door Trojan 467 KB in size, stored in the last sectors of the disk.

The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector 0 as a standard user is a relatively easy task. This issue has been known for quite some time, and still affects the 2K/XP families, while Vista was partially secured in 2006 (after Release Candidate 2) after a successful attack demonstration made by Joanna Rutkowska. The attack is called the “Pagefile Attack”.

Rootkits themselves are hardly a new threat, but the inclusion of the MBR as part of the infection is not considered common. They were previously demonstrated as possible, but were not identified in the wild. Now that this has changed, we expect to see more variants targeting the MBR to appear in the future.

For now, Trojan.Mebroot seems to run successfully only on Windows XP (all Service Packs) due to some hard-coded values inside the attack code. For a complete analysis of the threat, please refer to our writeup for Trojan.Mebroot.

There appears to be a link between Trojan.Mebroot and Trojan.Anserin. Similarities such as the main distribution Web site and the polymorphic packer used in both threats suggest that they may be closely related.

Note: The rootkit cannot be removed while the OS is running, as it must be removed while the rootkit code itself is not running. During our tests, running the "fixmbr" command from within the Windows Recovery Console successfully removed the malicious MBR entry. To help prevent similar attacks in the future, and if your system BIOS includes the Master Boot Record write-protection feature, now is a good time to enable it!
More data http://www2.gmer.net/mbr/

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67241
Re: MBR Trojan
« Reply #1 on: January 09, 2008, 10:59:00 PM »
MBR... Oh my God! I'll back up mine with Acronis Disk Director... At least I seem to be safe on Vista. GMER and avast, when will they marry?
The best things in life are free.

Offline essexboy
Re: MBR Trojan
« Reply #2 on: January 09, 2008, 11:24:45 PM »
As long as you have the Recovery Console on XP you should be OK.  Need to check Vista though

EDIT : Found it
Quote
/FixMbr
The /FixMbr option writes a Windows Vista-compatible MBR to the system partition. This option does not overwrite the existing partition table. Use this option when you must resolve MBR corruption issues, or when you have to remove non-standard code from the MBR.
http://support.microsoft.com/kb/927392
« Last Edit: January 09, 2008, 11:28:44 PM by essexboy »

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6957
Re: MBR Trojan
« Reply #3 on: January 10, 2008, 12:52:03 AM »
This is becoming uncontrollable! It looks like pretty soon Windows machines will be totally doomed  ;D
MB: GIGABYTE GA-Z77X-UD3H Intel 7 Series  - LGA1155, CPU: Intel Core i5-3570K - Quad Core, 3.40GHz (3.80GHz Max Turbo), CPU COOLER: Cooler Master Hyper 212 EVO Direct Heat Pipe R2, RAM: 16 GB Kingston HyperX Blu DDR3, VIDEO CARD: Galaxy GeForce GTX 560 Ti - 1GB, GDDR5, POWER SUPPLY: Corsair Enthusiast Series TX750 V2 - 750 Watts, HD: Seagate Barracuda - 2TB, 7200RPM, 64MB, SATA 6Gb/s

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: MBR Trojan
« Reply #4 on: January 10, 2008, 01:27:33 AM »
This is becoming uncontrollable! It looks like pretty soon Windows machines will be totally doomed  ;D

Maybe, but then we'd have to deal with McTrojans.  ;)

Offline szc
Re: MBR Trojan
« Reply #5 on: January 10, 2008, 04:22:00 AM »
Not a single one here... comparing to my Windows machine, working on and using my Mac is real pleasure.

Offline essexboy
Re: MBR Trojan
« Reply #6 on: January 10, 2008, 01:02:30 PM »
If you surf safely then the great majority of these infections will not affect you - but if you like crakz and p**n sites and use p2p without scanning, then I will await your visit.

But a lot of this is, in a way, paranoia. I mean, I just have an AV and the Windows firewall and have yet to be unintentionally infected, and the times I tried to get myself infected I found it hard.    Be safe

Offline Lisandro
Re: MBR Trojan
« Reply #7 on: January 10, 2008, 01:36:38 PM »
As long as you have the Recovery Console on XP you should be OK.
Will the fixmbr restore the information of all the partitions on my disk? Even Linux ones?

Offline essexboy
Re: MBR Trojan
« Reply #8 on: January 10, 2008, 01:39:52 PM »
It will replace the old MBR with a clean version from the Recovery Console, but I am not sure how that would affect Linux.  But doesn't Linux have its own version of the MBR, or am I thinking of the bootstrap  ???

Offline Lisandro
Re: MBR Trojan
« Reply #9 on: January 10, 2008, 02:38:29 PM »
But doesn't Linux have its own version of the MBR, or am I thinking of the bootstrap  ???
Yes, Linux has. But when you have a dual-boot system, one of them has to control the MBR. Windows has its own boot loader, and Linux has LILO or GRUB. My system uses the Windows loader in the boot sector of the first partition, and it is redirected to Linux in another partition.
Maybe I'm mixing up the MBR and the boot sector ???
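The question running through the last few replies (does a fixmbr-style repair touch the partition table, including Linux ones, and what does the MBR actually hold) comes down to the layout of sector 0. The following is an added example, not code from this thread, from Symantec, or from Microsoft: it parses a 512-byte MBR into bootstrap code, partition table and boot signature, compares the bootstrap against a saved clean copy (the kind of overwrite the first post describes, and the kind of backup Lisandro mentions), and models the repair by replacing only the 446-byte code area. The MBR images, partition layout and boot-code bytes are constructed stand-ins, and the device paths in `read_mbr` are assumptions for a real run.

```python
"""Added example: inspect a 512-byte MBR, detect a replaced bootstrap, and
model a FixMbr-style repair that leaves the partition table alone."""
import hashlib
import struct
from typing import List, NamedTuple, Sequence, Tuple

MBR_SIZE = 512
CODE_LEN = 446           # bootstrap code lives in bytes 0..445
PT_OFFSET = 446          # four 16-byte partition entries in bytes 446..509
ENTRY_LEN = 16
SIG_OFFSET = 510         # 0x55 0xAA boot signature in bytes 510..511
BOOT_SIG = b"\x55\xaa"

# Type IDs that matter for the dual-boot question; anything else is shown as hex.
PART_TYPES = {0x07: "NTFS", 0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux"}


class Partition(NamedTuple):
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def type_name(self) -> str:
        return PART_TYPES.get(self.type_id, "0x%02x" % self.type_id)


def read_mbr(device: str) -> bytes:
    """Read sector 0 of a raw device.  Assumed paths: r"\\.\PhysicalDrive0"
    on Windows (needs admin) or "/dev/sda" on Linux.  A running kernel
    rootkit can filter this read, which is why the thread fixes the MBR
    from the Recovery Console rather than from inside the infected OS."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


def parse_partition_table(mbr: bytes) -> List[Partition]:
    """Return the non-empty entries of the MBR partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if mbr[SIG_OFFSET:] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PT_OFFSET + i * ENTRY_LEN
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, type_id, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if type_id != 0:
            parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


def code_hash(mbr: bytes) -> str:
    """Hash only the bootstrap code; the partition table is excluded so a
    legitimate repartition does not look like an infection."""
    return hashlib.sha256(mbr[:CODE_LEN]).hexdigest()


def bootstrap_modified(mbr: bytes, baseline: bytes) -> bool:
    """True if the bootstrap differs from a saved clean MBR (a Mebroot-style overwrite)."""
    return code_hash(mbr) != code_hash(baseline)


def fix_mbr(mbr: bytes, clean_mbr: bytes) -> bytes:
    """Model of what fixmbr / bootrec /FixMbr does: write clean bootstrap code
    (here taken from a backed-up clean MBR) into bytes 0..445 and keep the
    existing partition table and signature, so Linux entries survive but any
    GRUB/LILO stage that lived in the MBR code area is replaced too."""
    return clean_mbr[:CODE_LEN] + mbr[PT_OFFSET:SIG_OFFSET] + BOOT_SIG


def build_mbr(code: bytes, entries: Sequence[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a test MBR from bootstrap bytes and (status, type, lba, sectors) tuples."""
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", type_id, b"\xfe\xff\xff", lba, count)
        for status, type_id, lba, count in entries
    )
    return code.ljust(CODE_LEN, b"\x00") + table.ljust(4 * ENTRY_LEN, b"\x00") + BOOT_SIG


# Constructed data: a stand-in for clean bootstrap code (modelled on the opening
# instructions of a typical Windows MBR, zero-padded), a stand-in foreign
# bootstrap that is NOT real Mebroot code, and a Windows + Linux layout.
CLEAN_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfb")
INFECTED_CODE = b"\xeb\x3e" + b"MBR-OVERWRITE-STANDIN"
DUAL_BOOT = [
    (0x80, 0x07, 63, 40_000_000),           # bootable NTFS (Windows)
    (0x00, 0x83, 40_000_063, 20_000_000),   # Linux root
    (0x00, 0x82, 60_000_063, 2_000_000),    # Linux swap
]
CLEAN_MBR = build_mbr(CLEAN_CODE, DUAL_BOOT)
INFECTED_MBR = build_mbr(INFECTED_CODE, DUAL_BOOT)  # same table, bootstrap replaced


def report(mbr: bytes, baseline: bytes) -> None:
    print("bootstrap modified:", bootstrap_modified(mbr, baseline))
    for p in parse_partition_table(mbr):
        flag = "*" if p.bootable else " "
        print(" %s #%d %-14s start=%d sectors=%d" % (flag, p.index, p.type_name, p.lba_start, p.sectors))


if __name__ == "__main__":
    report(INFECTED_MBR, CLEAN_MBR)
    report(fix_mbr(INFECTED_MBR, CLEAN_MBR), CLEAN_MBR)
```

The split at byte 446 is the whole answer to the Linux question: the partition entries (NTFS, Linux, swap) sit in bytes 446..509 and come through the repair unchanged, while the bootstrap in bytes 0..445 is overwritten wholesale, so a Linux loader installed into the MBR itself would need reinstalling afterwards, whereas one living in a partition's own boot sector, as Lisandro describes, is untouched. The baseline comparison is only trustworthy when the sector is read from outside the infected OS, which matches the first post's note that the rootkit has to be removed while its code is not running.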

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: MBR Trojan
« Reply #10 on: January 10, 2008, 07:24:13 PM »
Good news, there is detection; it would be bad if not, lol
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline essexboy
Re: MBR Trojan
« Reply #11 on: January 10, 2008, 11:31:14 PM »
Good news, there is detection; it would be bad if not, lol
Plus it is easy peasy to remove

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33632
  • malware fighter
Re: MBR Trojan
« Reply #12 on: January 10, 2008, 11:31:37 PM »
Hi folks,

Avast can handle this now, but of course a cure for this is the fixmbr command, a Recovery Console command that is available in the Microsoft operating systems below.

Windows 2000
Windows XP

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

sanctuary24

  • Guest
Re: MBR Trojan
« Reply #13 on: January 12, 2008, 04:57:09 PM »
So Avast can detect this new Mebroot rootkit trojan?

Offline Lisandro
Re: MBR Trojan
« Reply #14 on: January 12, 2008, 07:18:54 PM »
So Avast can detect this new Mebroot rootkit trojan?
As far I can understand, yes.