Slashdot Mirror


New "Mebroot" MBR-Modifying Rootkit Analyzed

I Don't Believe in Imaginary Property writes "F-Secure has a writeup on a highly obfuscated, advanced new rootkit they recently discovered which uses a number of old techniques like MBR modification in new ways. It modifies the MBR, starts up its downloader with an ntoskrnl.exe hook set to nt!Phase1Initialization (which conveniently removes it from memory afterwards), and hooks IRP_MJ_READ and IRP_MJ_WRITE in disk.sys to hide itself in empty sectors. It also bypasses software firewalls by calling the NDIS API directly, using a 'code pullout' technique to load just the parts of ndis.sys that it needs. F-Secure believes it was written by professionals who are after financial information."
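
An offline check for the two on-disk artefacts the summary describes (patched MBR boot code, and a payload parked in the unused sectors before the first partition), as an added example that is not part of the F-Secure writeup or of this thread. It assumes you have a raw disk image as bytes and a SHA-256 of the boot code saved from a known-clean copy of the MBR; the sample image, boot bytes and "payload" are constructed here.

```python
import hashlib
import struct

SECTOR = 512


def parse_mbr(sector):
    """Split one 512-byte MBR into boot code, in-use partition entries and the 0x55AA signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:446], "partitions": parts, "signature": sector[510:512]}


def check_image(image, baseline_boot_sha256):
    """Compare the image's boot code against the saved baseline and report any data in the
    'empty' sectors between the MBR and the first partition, where the rootkit hides its body."""
    mbr = parse_mbr(image[:SECTOR])
    first_lba = min(p["lba_start"] for p in mbr["partitions"]) if mbr["partitions"] else 1
    hidden = [lba for lba in range(1, first_lba)
              if any(image[lba * SECTOR:(lba + 1) * SECTOR])]
    return {"signature_ok": mbr["signature"] == b"\x55\xaa",
            "boot_code_modified": hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_boot_sha256,
            "hidden_sectors": hidden}


def build_image(infected):
    """Constructed 64-sector image: one partition at LBA 63 and 62 unused sectors before it.
    infected=True reproduces only the two on-disk symptoms: a patched first instruction in the
    boot code and a blob of bytes at LBA 60 (constructed sample data, not real rootkit code)."""
    boot = bytearray(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(446, b"\x90"))  # stand-in boot code
    if infected:
        boot[0:3] = b"\xe9\x00\x01"  # first bytes replaced by a jump elsewhere
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 1)  # bootable NTFS entry, LBA 63, 1 sector
    gap = bytearray(SECTOR * 62)
    if infected:
        gap[SECTOR * 59:SECTOR * 59 + 16] = b"constructed-payload"[:16]
    return bytes(boot) + entry + b"\x00" * 48 + b"\x55\xaa" + bytes(gap) + b"\x00" * SECTOR


# In practice the baseline hash comes from an MBR saved while the machine was known clean.
CLEAN_BOOT_SHA256 = hashlib.sha256(build_image(False)[:446]).hexdigest()
```

Run it against a real image only from a clean boot medium (a CD or write-protected USB stick), since a live system whose disk driver is hooked can hand back a sanitised MBR and zeroed gap sectors.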

17 of 65 comments

  1. Would these issues affect EFI to the same degree? by The Ancients · Score: 3, Interesting

    After seeing rootkits spring from many sources (yes - including Sony) would the introduction of EFI bring greater barriers to this sort of exploit, or would it just be a matter of time before the crackers have their hooks into this to the same extent as well?

  2. Nice Job by QuantumG · Score: 2, Interesting

    Of course, back in the day we called it "stealth" and a "root kit" was what you used to "get root" on a unix box.. but hey, language changes. How about adding some infection routines to that puppy and letting it live?

    Not that I'd ever encourage such behavior.

    --
    How we know is more important than what we know.
    1. Re:Nice Job by Gideon Fubar · Score: 2, Interesting

      you know, that's one piece of language drift I don't mind.. the Windows rootkit is a totally different beast to an elevation exploit..

      you're totally right tho. Back in the day, this would have just been called a boot infector with some interesting stealth. I gotta say, I'm really surprised that stuff like this still works..

      --
      http://www.xkcd.com/354/
  3. Re:Would these issues affect EFI to the same degre by jmorris42 · Score: 4, Informative

    > ...would the introduction of EFI bring greater barriers to this sort of exploit...

    EFI is more complex than the simple boot block / partition table that fits in a single disk sector. More complex means fewer people who will fully understand it, more bad implementations in firmware with potential security problems, etc.

    Of course there are good reasons for it to replace the MBR/partition table, like running into a brick wall on the max drive size.

    --
    Democrat delenda est
  4. Re:Would these issues affect EFI to the same degre by sigxcpu · Score: 2, Informative

    there are proof of concept EFI rootkits out there
    http://it.slashdot.org/article.pl?sid=06/01/27/1327228

    --
    As of Postgres v6.2, time travel is no longer supported.
  5. From the article by Corporate Troll · Score: 2, Informative

    From the article:

    > In fact, it is quite surprising that it's possible to write to the MBR from within Windows to begin with.

    I'm pretty sure you can only do that when you're Admin.... Use "Limited User" for crying out loud!

  6. "not written for fun" by ph0enix · Score: 4, Insightful

    > This malware is very professionally written and produced. Which of course means it's not written for fun.

    Why include this swipe at amateur software development?

    Nearly all of the "professionally produced" code that I've read is horrendous and looks like it's been coded by rabid gibbons on LSD, while the best code I've read has been written by people for whom it's a labor of love. Yes, there is also plenty of ugly open-source code, but the fact that it's well written just means that the programmer cared about it.

    --
    <sigh>
  7. DOS Viruses by ledow · Score: 5, Interesting

    Maybe it's just me remembering the good old days of DOS viruses but none of this actually seems "new", except for "calling the NDIS API directly, using a 'code pullout' technique to load just the parts of ndis.sys that it needs", which is just a shortcut to direct hardware access... it's basically loading another copy of a library to use it separately from the OS (and therefore, presumably, OS security) to access the network card. It's a nice way to access a network card from "below" the OS in a hardware-independent way (i.e. let's pinch the Windows driver rather than try to work out what card we are using and create 1000 drivers for each different brand of card). But on the whole, this is hardly "new" or "shocking".

    Having said that, it's nice to see something where people have actually invested time and skill into creating a program that bypasses the OS in such a way, rather than just another re-written script with a couple of variables changed.

    Lines like:

    "This malware is very professionally written and produced. Which of course means it's not written for fun."

    might annoy some, though. The old DOS viruses NEVER really achieved anything useful (even with blackmail attempts while holding your boot sector to ransom) etc. and were written "just because" by teenagers. That didn't stop them from appearing professionally written and breaking genuinely new ground for the time. Just because people are now using such malware for financial gain doesn't mean that it's ALWAYS the case. And Linux zealots are sure to jump on the above quote with all their hearts. :-)

    And then you have the obvious - why is the OS allowing you to modify the MBR without appropriate rights and/or why are users running as users with the rights necessary to do this? This is STILL a problem harking back to the DOS days - everyone as administrator. With a new twist - the average user hasn't needed to BE administrator for quite a long time now.

    1. Re:DOS Viruses by jfim · Score: 2, Informative

      > And then you have the obvious - why is the OS allowing you to modify the MBR without appropriate rights and/or why are users running as users with the rights necessary to do this? This is STILL a problem harking back to the DOS days - everyone as administrator. With a new twist - the average user hasn't needed to BE administrator for quite a long time now.

      Except in Vista, this isn't true. You need to either have elevated privileges (or have disabled UAC so that everything runs as administrator) to be able to write to the MBR, at least according to this website. Of course, UAC does not mitigate the issue if they attach to a publicly available installer (say kazaa-super-deluxe-installer.exe), since you'll need elevated privileges to run the installer and thus will click "Accept". However, since writing to the MBR is a highly unusual operation, they could bring another box that clearly marks the operation as unusual before allowing the write to the MBR.

      Also, since the article mentions that the rootkit does not modify the registry, it would appear that all that is required to remove it is to do a "fixmbr" from the installation CD to overwrite the MBR with a clean copy (which is corroborated by Symantec).

  8. Yes... by sonicattack · Score: 4, Funny

    ...but does it boot Linux?

  9. Re:Would these issues affect EFI to the same degre by VitaminB52 · Score: 3, Insightful

    > the originators should have no reason to sell this technology. The more crackers that use it for their purposes, the more likely antivirus companies are going to take notice and take more immediate, drastic steps to stop it.

    That sounds a little naive. It's wrong for several reasons:

    • Not all computer users use (up-to-date) anti-virus software
    • Even fewer computer users use (up-to-date) anti-malware software
    • And, even if computer users use both up-to-date anti-virus and anti-malware software, they will be vulnerable in the time frame between the release of the rootkit and the release of the anti-rootkit software upgrade that fights it - in this time frame the rootkit writers will 'make' more money than most Slashdot users during their whole life
  10. Re:Would these issues affect EFI to the same degre by Hal_Porter · Score: 5, Informative

    > Of course there are good reasons for it to replace the MBR/partition table, like running into a brick wall on the max drive size.

    Actually you don't need to change the Bios to get that. Currently the Bios loads sector 0 into memory and jumps into it. There's no reason why sector 0 couldn't be a GPT MBR. Pre GPT people worked out ways to allow for 64 bit LBA addresses in the partition table:

    http://home.no.net/tkos/info/embr.html

    And the Bios has supported 64 bit LBA addresses in int 13 for ages, so there is no disk size problem for a very long time - probably many decades. Seriously, you don't need EFI to get 64 bit LBA support.
    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  11. I disagree. by jd · Score: 2, Funny

    The Drain virus taught a lot of noobs that disk drives are not washer/dryers. The cascade virus brought new meaning to the saying that what lights up must come down. Early viruses were very educational.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  12. The fix is free: by Futurepower(R) · Score: 3, Informative

    At the bottom of the linked article, there is another link: Gmer -- MBR. At the end of that long technical article it says: "Rootkit removal: To remove rootkit from infected machine you can simply use "Recovery Console" command: fixmbr."

    To use it, you first go into the Windows XP Recovery Console. Then run FixMBR /? for parameters. Save the MBR (Master Boot Record) first.

    Here is a discussion on the Microsoft web site about tools for fixing the MBR without the Recovery Console. I've never tried them; I've always used the FixMBR utility that comes with the Recovery Console.

  13. Re:Would these issues affect EFI to the same degre by CastrTroy · Score: 3, Interesting

    Couldn't you just have a USB stick with a physical switch to set it as readonly, and then set the computer to only boot off that device? Most (all?) new computers support booting off the USB device. Using this method of booting, along with having /usr and other places mounted as write only, you could probably stop most stuff from infecting the system. You might still have a problem with things infecting your home directory, but that can be more easily removed.

    --
    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  14. FIXMBR -- trust chain by sconeu · Score: 2, Informative

    Yeah, but you've got to boot off of CD to use it, otherwise you're suspect, since you've booted off the bogus MBR to get to the recovery console.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  15. Re:Would these issues affect EFI to the same degre by stonecypher · Score: 2, Interesting

    Naivety belongs to you, not grandparent.

    > Not all computer users use (up-to-date) anti-virus software

    No, but about 85% of computer users do, and financial information is a question of hitting as many people as possible.

    > Even fewer computer users use (up-to-date) anti-malware software

    This isn't worth saying separately, and this is an AV issue.

    > And, even if computer users use both up-to-date anti-virus and anti-malware software, they will be vulnerable in the time frame between the release of the rootkit and the release of the anti-rootkit software upgrade that fights it

    And since time and the physical universe stop forever when a rootkit gets defeated, it doesn't matter that they'll lose enormous amounts of money afterwards by being shut out afterwards.

    > in this time frame the rootkit writers will 'make' more money than most Slashdot users during their whole life

    Since we're talking hours here, then if you really believe there's that rate of transfer (there isn't - the more you take per day, the higher the chance you get detected by other means) - then surely you can see why they'd want this door open for months instead of hours?

    Honestly. Whoever modded that insightful wasn't thinking at all.
    --
    StoneCypher is Full of BS