New "Mebroot" MBR-Modifying Rootkit Analyzed
I Don't Believe in Imaginary Property writes "F-Secure has a writeup on a highly obfuscated, advanced new rootkit they recently discovered which uses a number of old techniques like MBR modification in new ways. It modifies the MBR, starts up its downloader with an ntoskrnl.exe hook set to nt!Phase1Initialization (which conveniently removes it from memory afterwards), and hooks IRP_MJ_READ and IRP_MJ_WRITE in disk.sys to hide itself in empty sectors. It also bypasses software firewalls by calling the NDIS API directly, using a 'code pullout' technique to load just the parts of ndis.sys that it needs. F-Secure believes it was written by professionals who are after financial information."
Didn't Sony learn their lesson last time?
After seeing rootkits spring from many sources (yes - including Sony) would the introduction of EFI bring greater barriers to this sort of exploit, or would it just be a matter of time before the crackers have their hooks into this to the same extent as well?
The Mothership
Of course, back in the day we called it "stealth" and a "root kit" was what you used to "get root" on a unix box... but hey, language changes. How about adding some infection routines to that puppy and letting it live?
Not that I'd ever encourage such behavior.
How we know is more important than what we know.
The originators should have no reason to sell this technology. The more crackers that use it for their purposes, the more likely antivirus companies are going to take notice and take more immediate, drastic steps to stop it. If it's just one group using one new rootkit that's different than a bunch of people using it for all different stuff. Btw that sounded so racist lol. CRACKER!
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
> ...would the introduction of EFI bring greater barriers to this sort of exploit...
EFI is more complex than the simple boot block / partition table that fits in a single disk sector. More complex means fewer people who will fully understand it, more bad implementations in firmware with potential security problems, etc.
Of course there are good reasons for it to replace the MBR/partition table, like running into a brick wall on the max drive size.
Democrat delenda est
Lawyer for victim: "The accused here caused massive financial damages to my client by putting in a rootkit and stealing bank account information thus enabling 3rd parties who used the rootkit to steal money from my client's accounts."
Lawyer for accused: "Your honor, I present for your perusal, information from earlier such cases where the corporate was trying to protect intellectual property and was as much a victim. Request dismissal of case."
Judge: "This accused being a corporation, I cannot sentence it to jail or sentence it to hang. I hereby ORDER the corporation to pay the victim an amount of $300/- towards computer repair and to tender an apology in writing to court."
"Doing what i can, with what i have." ~ Burt Gummer
There are proof of concept EFI rootkits out there:
http://it.slashdot.org/article.pl?sid=06/01/27/1327228
As of Postgres v6.2, time travel is no longer supported.
Googled, but guess it's too new. Does AVG and Clam scan for Mebroot yet?
From the article:
I'm pretty sure you can only do that when you're Admin.... Use "Limited User" for crying out loud!
Why include this swipe at amateur software development?
Nearly all of the "professionally produced" code that I've read is horrendous and looks like it's been coded by rabid gibbons on LSD, while the best code I've read has been written by people for whom it's a labor of love. Yes, there is also plenty of ugly open-source code, but the fact that it's well written just means that the programmer cared about it.
<sigh>
Was I the only one a little unnerved by that bad boy's description? Attacking the MBR *and* hiding in free disk space?
Evidently, the key to understanding recursion is to begin by understanding recursion. The rest is easy.
Maybe it's just me remembering the good old days of DOS viruses but none of this actually seems "new", except for "calling the NDIS API directly, using a 'code pullout' technique to load just the parts of ndis.sys that it needs", which is just a shortcut to direct hardware access... it's basically loading another copy of a library to use it separately from the OS (and therefore, presumably, OS security) to access the network card. It's a nice way to access a network card from "below" the OS in a hardware-independent way (i.e. let's pinch the Windows driver rather than try to work out what card we are using and create 1000 drivers for each different brand of card.). But on the whole, this is hardly "new" or "shocking".
:-)
Having said that, it's nice to see something where people have actually invested time and skill into creating a program that bypasses the OS in such a way, rather than just another re-written script with a couple of variables changed.
Lines like:
"This malware is very professionally written and produced. Which of course means it's not written for fun."
might annoy some, though. The old DOS viruses NEVER really achieved anything useful (even with blackmail attempts while holding your boot sector to ransom) etc. and were written "just because" by teenagers. That didn't stop them from appearing professionally written and breaking genuinely new ground for the time. Just because people are now using such malware for financial gain, doesn't mean that it's ALWAYS the case. And Linux zealots are sure to jump on the above quote with all their hearts.
And then you have the obvious - why is the OS allowing you to modify the MBR without appropriate rights and/or why are users running as users with the rights necessary to do this? This is STILL a problem harking back to the DOS days - everyone as administrator. With a new twist - the average user hasn't needed to BE administrator for quite a long time now.
...but does it boot Linux?
That sounds a little naive. It's wrong for several reasons:
http://home.no.net/tkos/info/embr.html
And the BIOS has supported 64 bit LBA addresses in int 13h for ages, so there is no disk size problem for a very long time - probably many decades. Seriously, you don't need EFI to get 64 bit LBA support.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Except corporations can be sued for millions if they damage other people's computers. They are a much more inviting lawsuit target than some penniless hacker. Particularly class action lawsuits which allow people to sue them without being individually able to afford lawyers.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
The Drain virus taught a lot of noobs that disk drives are not washer/dryers. The cascade virus brought new meaning to the saying that what lights up must come down. Early viruses were very educational.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Wow! I did not know you could have such low-level access with Visual Basic. These kids nowadays...
-dZ.
Carol vs. Ghost
Name one case where a corporation was convicted of being a hacker and made to pay out millions.
Now go and count the cases where a poor individual hacker was convicted of hacking?
"Doing what i can, with what i have." ~ Burt Gummer
What about its effects on the well-being of us, the humans?
(Provided energy use is bad for the planet, the increase of that might be important, if it's large.)
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
At the bottom of the linked article, there is another link: Gmer -- MBR. At the end of that long technical article it says: "Rootkit removal: To remove rootkit from infected machine you can simply use "Recovery Console" command: fixmbr."
/? for parameters. Save the MBR (Master Boot Record) first.
To use it, you first go into the Windows XP Recovery Console. Then run FixMBR
Here is a discussion on the Microsoft web site about tools for fixing the MBR without the Recovery Console. I've never tried them; I've always used the FixMBR utility that comes with the Recovery Console.
That, or "Just plain American because that's where I was fucking born" American.
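The thread's summary describes a rootkit that patches the MBR and hides its stages in "empty" sectors, and the comment above recommends saving the MBR before running fixmbr. As an added example (not code from the thread, from F-Secure's writeup, or from any tool mentioned here), the Python script below parses a raw MBR, compares its boot code against a known-clean SHA-256 baseline, and flags non-zero sectors in the gap between the MBR and the first partition, where no filesystem owns the space. The disk image, the partition layout, the planted payload and the baseline hash are all constructed inside the script; to apply it to a real disk you would read the first few MiB of the physical device from a trusted boot medium, since a read hook in the disk driver of the running system would hand you clean-looking sectors.

```python
"""Inspect a raw disk image for MBR tampering and data hidden in the
unallocated sectors between the MBR and the first partition.

Added example, not part of the Slashdot thread or F-Secure's analysis.
Everything below (image size, partition layout, payload, baseline hash)
is constructed here; on a real machine you would read the start of the
physical disk from a trusted boot medium and keep the baseline hash
from a known-clean install."""

import hashlib
import struct

SECTOR = 512
MBR_BOOTCODE_LEN = 446          # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446            # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"     # bytes 510..511
PART_ENTRY = "<B3xB3xII"        # status, (CHS), type, (CHS), LBA start, sector count


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot code, used partition entries and signature."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"status": status, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"bootcode": mbr[:MBR_BOOTCODE_LEN],
            "partitions": parts,
            "signature_ok": mbr[510:512] == MBR_SIGNATURE}


def bootcode_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code only; the partition table may change legitimately."""
    return hashlib.sha256(parse_mbr(mbr)["bootcode"]).hexdigest()


def nonzero_gap_sectors(disk: bytes) -> list:
    """LBAs between the MBR and the first partition that are not all zero.
    A filesystem-level scan never looks here, because no filesystem owns
    these sectors, which is what makes them attractive as a hiding place."""
    info = parse_mbr(disk[:SECTOR])
    if not info["partitions"]:
        return []
    first = min(p["lba_start"] for p in info["partitions"])
    return [lba for lba in range(1, first)
            if any(disk[lba * SECTOR:(lba + 1) * SECTOR])]


def check_disk(disk: bytes, baseline_bootcode_sha256: str) -> dict:
    """Combine the three checks into one finding record."""
    info = parse_mbr(disk[:SECTOR])
    return {
        "signature_ok": info["signature_ok"],
        "bootcode_modified": bootcode_hash(disk[:SECTOR]) != baseline_bootcode_sha256,
        "hidden_sectors": nonzero_gap_sectors(disk),
    }


def build_sample_disk(num_sectors=64, part_start=32,
                      bootcode=b"\xfa\x33\xc0", hidden=None) -> bytes:
    """Constructed disk image: one active partition at `part_start`, and an
    optional (lba, payload) tuple planted in the gap. Not a real MBR."""
    mbr = bytearray(SECTOR)
    mbr[:len(bootcode)] = bootcode
    struct.pack_into(PART_ENTRY, mbr, PART_TABLE_OFF,
                     0x80, 0x07, part_start, num_sectors - part_start)
    mbr[510:512] = MBR_SIGNATURE
    disk = bytearray(num_sectors * SECTOR)
    disk[:SECTOR] = mbr
    if hidden is not None:
        lba, payload = hidden
        disk[lba * SECTOR:lba * SECTOR + len(payload)] = payload
    return bytes(disk)


if __name__ == "__main__":
    clean = build_sample_disk()
    baseline = bootcode_hash(clean[:SECTOR])          # record this while clean
    tampered = build_sample_disk(bootcode=b"\xeb\x10\x90",   # constructed patched jump
                                 hidden=(10, b"STAGE (constructed)"))
    print("clean:   ", check_disk(clean, baseline))
    print("tampered:", check_disk(tampered, baseline))
```

The boot code is hashed separately from the partition table so that a legitimate repartition does not trip the check, while a patched jump in the first 446 bytes does. The gap scan only covers the sectors before the first partition; a full check would also look at the tail of the disk past the last partition, which is the same idea applied to the other unowned region.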
Couldn't you just have a USB stick with a physical switch to set it as readonly, and then set the computer to only boot off that device? Most (all?) new computers support booting off the USB device. Using this method of booting, along with having /usr and other places mounted as write only, you could probably stop most stuff from infecting the system. You might still have a problem with things infecting your home directory, but that can be more easily removed.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
The unethical in IT, so frustrating and destructive, amongst the most hated in the world.
It wouldn't surprise me to find legislation in many countries, unopposed by the citizenry (even the U.S.), for capital punishment or at least cutting off their hands.
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
Yeah, but you've got to boot off of CD to use it, otherwise you're suspect, since you've booted off the bogus MBR to get to the recovery console.
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
Honestly. Whoever modded that insightful wasn't thinking at all.
StoneCypher is Full of BS
http://www.techcrunch.com/2007/07/27/iphone-class-action-lawsuit/
This one seems more sympathetic - a judge ordered a bunch of spam companies to pay $1bn, presumably bankrupting them. As far as I can tell the guy they spammed had given them the opportunity to stop earlier.
http://www.computerweekly.com/Articles/2004/12/22/207606/judge-awards-isp-1bn-in-spam-damages.htm
My guess is it would be hard to find a big company that actually let it go this far though, and that the spammers had a bunch of disposable companies they could afford to ditch because their business model only worked if they could ignore lawsuits like this.
If you are a big company it's cheaper to pay off anyone who complains early than to risk being obliterated if they actually win the lawsuit. Of course, it's cheaper still to not be evil. And it's interesting that the few evil companies I've personally dealt with tend to collapse suddenly due to a dispute with some third party, whereas the more pragmatic ones tend to survive.
Deep pockets is a recognized legal term by the way, meant to describe the sort of companies that are plagued by class action lawsuits. My point is that once you get big your lawyers will hopefully advise you not to piss off people who might sue you, and you'd be well advised to take that advice.
And individual hackers get away with a lot more than you'd think from reading slashdot. I've dealt with big pragmatic companies who've been advised not to sue 'hobby' hackers, even though their hacks leak to other commercial entities and end up costing the big company a fortune. Actually my point is that the real world works very differently than slashdot would have you believe.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Bullshit. AV penetration might be that high, but what's the percentage when expired 90-day "came with my computer" trials are excluded? I work at a University, and if college students are any indicator of what their parents are doing, even with our best efforts to educate them and provide campus purchased AV for use on personal computers, a large number either have nothing or don't realize AV can expire. I don't have statistics, but it's something I see daily. I can only imagine their parents are at least as clueless as they are.
Regardless of that, even with your stats, that leaves 15% of internet users, or some 150 million, completely unprotected. That's a lot of credit cards, especially when you can steal the same person's identity over and over until they finally clean the virus off their computer.
Huh? You're reading about this on Slashdot. The AV companies are going to take notice and do something about this. That will happen to the same degree regardless of how many customers the virus authors take.
Don't forget--botnet owners often sell out usage of their networks to many customers, and they're working entirely within the percentage of unprotected internet users. (As defined by no AV or out of date AV).
Aren't some of these USB memory devices' read-only switches just an indicator to the OS to not allow writing, so that it's possible for malware to override it?
If you're paranoid enough (or if like me your USB key is a cheapie that doesn't have a switch), load your image, make sure it works, crack open the key, then lift the WE# pins from the TSOP flash devices (specs on-line, just look up the respective chip).
That way my boot & nuke / clean-up key never gets accidentally formatted by someone.
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Yes, you're right. Boot CD: Ultimate Boot CD for Windows
According to a recent survey only about 50% of computer users do use AV software; the % of up-to-date AV software is even lower.
According to the aforementioned survey, far less than 50% of computer users do use anti malware software.
Anti malware isn't an AV issue. Yes, sometimes anti malware comes bundled with an AV package, but it isn't the same as AV software.
Most rootkits spread in a random way, and sooner or later they infect a honeypot run by an AV / anti malware vendor. That's when the AV / anti malware vendor starts analysing the rootkit. If a rootkit writer can't prevent the rootkit from infecting a honeypot, then there is a real chance one of the first infected machines is a honeypot.
Another way AV / anti malware vendors get informed about new rootkits is the new-malware-reporting functionality built into most packages. If the rootkit spreads to a machine protected with such an AV / anti malware package, then the AV / anti malware vendor gets a report about the rootkit. And this could be one of the first machines the rootkit spreads to.
So the rootkit writer wants to spread fast and wide before the AV / anti malware vendors have a fix for the rootkit.
My Symantec AV updates itself once every day - as do most other AV packages. And the time between discovering a rootkit and writing a cure against it can take weeks - so the timeframe is larger than you think.
Don't bother replying. It won't get read.
StoneCypher is Full of BS
Jesus, I get sick of people who do their argument based on assumptions and guesswork. Slashdot would be so much nicer a place if people like you had the good sense to be ashamed when caught this way.
StoneCypher is Full of BS
Give me back my jacket, you fat lard! I said you could borrow it, not keep it!
That's one of the dumbest things I've ever seen anyone say on slashdot, including trolls, and I've been here for more than a decade.
Congratulations: you're the first slashdotter to genuinely disappoint me in more than a year.
StoneCypher is Full of BS
Ha! I knew you were at least as much of a pedant as I am. "Don't bother replying because I won't read it" my ass. You even replied!