MBR Rootkit
Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: MBR Rootkit

  1. #1
    Senior Member phernandez's Avatar
    Join Date
    Aug 2003
    Location
    NYC
    Posts
    246

    MBR Rootkit

    MBR Rootkit, A New Breed of Malware - F-Secure Blog

    Yup, Master Boot Record rootkits. Run screaming for the hills...

    This new Windows MBR rootkit launches itself very early during the Windows startup process without requiring any registry or file modifications. In fact, it is quite surprising that it's possible to write to the MBR from within Windows to begin with.

    The MBR rootkit — known as "Mebroot" — is very advanced and probably the stealthiest malware we have seen so far. It keeps the amount of system modifications to a minimum and is very challenging to detect from within the infected system.
    Hit the above link to read up on its "stealth features"...

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    Wow I was reading that stuff for a bit and its intense... Only if I was smart enough to right something like that..

  3. #3
    Senior Member
    Join Date
    Oct 2007
    Location
    do a whois search on my ip...
    Posts
    268
    Wow is right... it's very ingenious. Good read, thanks phernandez

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    So, besides TPM, how can one be sure their systems are not infected by this?
    PXE boot environment to scan the MBR of the HD and partitions and then when it's found clean, then boot to the HD?
    Last edited by phishphreek; March 6th, 2008 at 02:56 AM.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    Yeah, very interesting article. I've been searching around for about an hour now and found no simple solutions. The seemingly easiest solution was the BIOS write protect option for the MBR. Obviously not all BIOS's have this feature including my own system.

    How hard would it be for companies to put out an updated BIOS with this option?
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  6. #6
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Very good.

    I will check if Panda knows anything about this.

    Thanks for the heads up.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hmmmm,

    I have not tried this yet but it might help:

    http://www.gmer.net/files.php

    Protecting the MBR in BIOS sounds pretty cool, except from the last time I looked at that (back in the days of 486 chipsets ) IT DIDN'T ACTUALLY PROTECT.

    What would happen is the next time you booted you would get a message along the lines of: "MBR has been changed, possible virus, boot? [Y]/[N]"

    Obviously, the majority of users will click [Y], given the result of taking the alternative option

    When everything "seems" to work OK, they will just forget about it, and carry on as normal.

    I am not running Vista at the moment, but I wonder if this is something that UAC would block. IIRC IE runs in protected mode and you need admin to modify the MBR?

  8. #8
    Senior Member phernandez's Avatar
    Join Date
    Aug 2003
    Location
    NYC
    Posts
    246
    Quote Originally Posted by ShagDevil
    How hard would it be for companies to put out an updated BIOS with this option?
    I wouldn't go holding my breath...

  9. #9
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    Did some more searching and no direct solutions have appeared. I'll try and keep an eye for anything I find and post it here.

    I wouldn't go holding my breath...
    Yeah, I kind of thought it might be a pipe dream. I guess at this point, one can only hope that the code can be caught prior to any MBR alterations.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  10. #10
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Yow, that's not pretty. Rewriting the MBR won't do much good
    with a corrupted kernel. Couldn't the module hook in the kernel
    be detected somehow?
    “Everybody is ignorant, only on different subjects.” — Will Rogers

Similar Threads

  1. Lavasoft Releases Sony Rootkit Fix
    By hesperus in forum Spyware / Adware
    Replies: 6
    Last Post: December 20th, 2005, 01:34 AM
  2. Inline hook code randomization - Bypassing rootkit detectors.
    By warl0ck7 in forum Microsoft Security Discussions
    Replies: 0
    Last Post: September 17th, 2005, 08:15 AM
  3. Hacked Red Hat 7.3
    By t3gilligan in forum *nix Security Discussions
    Replies: 18
    Last Post: February 28th, 2004, 02:31 AM
  4. Rootkit Scanner
    By Agent_Steal in forum *nix Security Discussions
    Replies: 9
    Last Post: December 13th, 2003, 07:34 PM
  5. LKM Rootkits
    By GrApHiCTrOn in forum *nix Security Discussions
    Replies: 1
    Last Post: June 12th, 2003, 12:40 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •