Slashdot Mirror
New "Mebroot" MBR-Modifying Rootkit Analyzed
I Don't Believe in Imaginary Property writes "F-Secure has a writeup on a highly obfuscated, advanced new rootkit they recently discovered which uses a number of old techniques like MBR modification in new ways. It modifies the MBR, starts up its downloader with an ntoskrnl.exe hook set to nt!Phase1Initialization (which conveniently removes it from memory afterwards), and hooks IRP_MJ_READ and IRP_MJ_WRITE in disk.sys to hide itself in empty sectors. It also bypasses software firewalls by calling the NDIS API directly, using a 'code pullout' technique to load just the parts of ndis.sys that it needs. F-Secure believes it was written by professionals who are after financial information."
After seeing rootkits spring from many sources (yes - including Sony) would the introduction of EFI bring greater barriers to this sort of exploit, or would it just be a matter of time before the crackers have their hooks into this to the same extent as well?
The Mothership
Of course, back in the day we called it "stealth" and a "root kit" was what you used to "get root" on a unix box.. but hey, language changes. How about adding some infection routines to that puppy and letting it live?
Not that I'd ever encourage such behavior.
How we know is more important than what we know.
Maybe it's just me remembering the good old days of DOS viruses but none of this actually seems "new", except for "calling the NDIS API directly, using a 'code pullout' technique to load just the parts of ndis.sys that it needs", which is just a shortcut to direct hardware access... it's basically loading another copy of a library to use it seperately from the OS (and therefore, presumably, OS security) to access the network card. It's a nice way to access a network card from "below" the OS in a hardware-independent way (i.e. let's pinch the Windows driver rather than try to work out what card we are using and create 1000 drivers for each different brand of card.). But on the whole, this is hardly "new" or "shocking".
:-)
Having said that, it's nice to see something where people have actually invested time and skill into creating a program that bypasses the OS in such a way, rather than just another re-written script with a couple of variables changed.
Lines like:
"This malware is very professionally written and produced. Which of course means it's not written for fun."
might annoy some, though. The old DOS viruses NEVER really acheieved anything useful (even with blackmail attempts while holding your boot sector to ransom) etc. and were written "just because" by teenagers. That didn't stop them from appearing professionally written and breaking genuinely new ground for the time. Just because people are now using such malware for financial gain, doesn't mean that it's ALWAYS the case. And Linux zealots are sure to jump on the above quote with all their hearts.
And then you have the obvious - why is the OS allowing you to modify the MBR without appropriate rights and/or why are users running as users with the rights necessary to do this? This is STILL a problem harking back to the DOS days - everyone as administrator. With a new twist - the average user hasn't needed to BE administrator for quite a long time now.
Couldn't you just have a USB stick with a physical switch to set it as readonly, and then set the computer to only boot off that device? Most (all?) new computers support booting off the USB device. Using this method of booting, along with having /usr and other places mounted as write only, you could probably stop most stuff from infecting the system. You might still have a problem with things infecting your home directory, but that can be more easily removed.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Honestly. Whoever modded that insightful wasn't thinking at all.
StoneCypher is Full of BS