Mebroot Proves Tough to Crack - the rootkit infects the master boot record (MBR)
Yahoo News ^ | Tue Mar 4, 12:10 PM ET | Jeremy Kirk, IDG News Service

Posted on 03/05/2008 1:26:03 PM PST by Ernest_at_the_Beach

HANOVER (03/04/2008) - A rootkit uncovered in the wild in December is proving to be a real headache to detect, according to Finnish security company F-Secure. Dubbed "Mebroot," the rootkit infects the master boot record (MBR), the first sector of a PC's hard drive that the computer reads before loading the operating system.

Since it loads before anything else, Mebroot is nearly invisible to security software. "You can't execute any earlier than that," said Mikko Hypponen, F-Secure's chief research officer.

A rootkit is a malicious program that hides deep in a computer's operating system and can be difficult to remove. Since December, Hypponen said they've seen alpha and beta versions of the Mebroot rootkit but believe it has now been RTMed, the term usually used for a legitimate piece of software that's entered production after testing. Once a machine is infected, the hacker controlling the rootkit has complete control over the victim's machine, opening up the potential for a variety of other attacks. For example, the hacker could try to download other malicious software to the machine to log a person's keystrokes and collect financial or personal data. F-Secure, which specializes in finding rootkits, says its technology is only able to "suspect" that Mebroot is on a PC. Hypponen said he couldn't reveal the techniques the company is using to make even that fuzzy guess.

The problem is that Mebroot isn't just a single file -- it injects itself into other processes running on a machine, masking its nefarious actions, Hypponen said. Mebroot, however, can be uncovered if F-Secure's security software CD is used to boot up the PC, Hypponen said. "The one who executes first has the upper hand," he said.

Mebroot is the manifestation of what researchers thought was just theoretically possible, although the MBR on older, MS-DOS systems had been infected with rootkits.

But in 2005, researchers Derek Soeder and Ryan Permeh showed the idea was possible by producing proof-of-concept code, called "BootRoot." But Hypponen said it was thought the highly technical engineering needed for a successful attack was beyond the reach of today's malware writers. They were wrong.

Hackers are now creating Web pages that, if visited with certain browsers with security vulnerabilities, will automatically infect a PC with Mebroot-- a technique known as a drive-by download.

Hypponen said it's unknown how widespread Mebroot is. VeriSign's iDefense Intelligence Team has said 5,000 users were infected in separate attacks on Dec. 12 and Dec. 19.


TOPICS: Technical
KEYWORDS: malware

1 posted on 03/05/2008 1:26:04 PM PST by Ernest_at_the_Beach

To: ShadowAce

Drive by Download.....ping!


2 posted on 03/05/2008 1:26:39 PM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: Ernest_at_the_Beach
From Symantec:

The rootkit cannot be removed while the OS is running, as it must be removed while the rootkit code itself is not running. During our tests, running the “fixmbr” command from within the Windows Recovery Console successfully removed the malicious MBR entry. To help prevent similar attacks in the future, and if your system BIOS includes the Master Boot Record write-protection feature, now is a good time to enable it!

3 posted on 03/05/2008 1:30:27 PM PST by taxcontrol

To: rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

4 posted on 03/05/2008 1:33:20 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: nnn0jeh

ping


5 posted on 03/05/2008 1:35:58 PM PST by kalee (The offenses we give, we write in the dust; Those we take, we write in marble. JHuett)

To: taxcontrol

OK,....now what do they say about detection?


6 posted on 03/05/2008 1:53:00 PM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: Ernest_at_the_Beach

May the bastards and their mothers that raised them rot in hell!


7 posted on 03/05/2008 1:59:29 PM PST by lewislynn (What does the global warming movement and the Fairtax movement have in common? Disinformation)

To: Ernest_at_the_Beach

Not to gloat, but I am so glad I have a Mac : )


8 posted on 03/05/2008 2:08:53 PM PST by LeGrande

To: Ernest_at_the_Beach

What is this Mebroot doing? Is it downloading other viruses, sending spam, keylogging or something else?


9 posted on 03/05/2008 2:22:44 PM PST by Defiant (Para votar Obama, se necessita una cabeza de nada...un cabeza de nada, para mi para ti, ay arriba..)

To: LeGrande

“Not to gloat, but I am so glad I have a Mac : )”

The only answer to problems like these is heterogeneity.

If 99.99% of the computers in a company are running Windows, then the odds of a virus propagating from one infected machine to another are almost a certainty.

But if there is an equal distribution of OSes, say 25% Windows, 25% Mac, 25% Linux, 25% OS/2, the odds of propagating to several machines are (1/4) ** N, which approaches zero.

The Microsoft Windows monopoly is a very, very bad thing.


10 posted on 03/05/2008 2:25:27 PM PST by eCSMaster

To: Defiant

First it gets control....not sure what happens after that,....it probably phones home to see what the master wants to be done....


11 posted on 03/05/2008 2:25:36 PM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: Defiant
certain browsers with security vulnerabilities

That ...to me .....means Internet Explorer...

12 posted on 03/05/2008 2:27:24 PM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: Ernest_at_the_Beach; ShadowAce
MBR attacks -- the oldest known form of "virus" -- were common as dirt in the days of MS-DOS before windows.

"Plus ca change, plus c'est la meme chose."
Back to basics... and the modern Windows-based "anti-virus" products can't touch it, because it's too old and simple for them.

I just have to laugh... but I can, because I'm posting from my MacBook... ;-)

13 posted on 03/05/2008 2:29:57 PM PST by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: All
From Symantec:

From BootRoot to Trojan.Mebroot: A Rootkit in Your MBR!

There have been recent reports of an MBR (Master Boot Record) rootkit in the wild and, of course, we have been following up these reports and doing our own analysis. An MBR is the first sector of a storage device such as a hard disk, and is generally used for bootstrapping the operating system after the computer's BIOS has done its startup checks. Basically, if you can control the MBR, you can control the operating system and therefore the computer it resides on.

MBR-based attacks have been around since the MS-DOS era. Viruses such as Stoned, Michelangelo, Junkie and Tequila used this technique to infect systems, and it is quite incredible to see that almost ten years later, we are again facing attacks on the MBR. As we have seen, malicious code that modifies a system's MBR is not a new idea – notable research in the area of MBR-based rootkits was undertaken by Derek Soeder of eEye Digital Security in 2005. Soeder created “BootRoot”, a PoC (Proof-of-Concept) rootkit that targets the MBR.

In 2007, Nitin and Vipin Kumar of NVLabs published a second PoC MBR rootkit called “Vbootkit”, which was able to exploit the latest version of Microsoft Vista. So, where do we stand right now? The bad news is that this time the MBR rootkit is not in the form of a PoC demonstration, but is an active threat found in the wild and infecting computers through drive-by exploits via Web sites. Symantec detects this threat as Trojan.Mebroot.

Trojan.Mebroot takes control of the system by overwriting the MBR with its own code. Analysis of Trojan.Mebroot shows that its current code is at least partially copied from the original eEye BootRoot code. The kernel loader section, however, has been modified to load a custom designed stealth back door Trojan 467 KB in size, stored in the last sectors of the disk.

The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector 0 as a standard user is a relatively easy task. This issue has been known for quite some time, and still affects the 2K/XP families, while Vista was partially secured in 2006 (after Release Candidate 2) after a successful attack demonstration made by Joanna Rutkowska. The attack is called the “Pagefile Attack”.

Rootkits themselves are hardly a new threat, but the inclusion of the MBR as part of the infection is not considered common. They were previously demonstrated as possible, but were not identified in the wild. Now that this has changed, we expect to see more variants targeting the MBR to appear in the future.

For now, Trojan.Mebroot seems to run successfully only on Windows XP (all Service Packs) due to some hard-coded values inside the attack code. For a complete analysis of the threat, please refer to our writeup for Trojan.Mebroot.

There appears to be a link between Trojan.Mebroot and Trojan.Anserin. Similarities such as the main distribution Web site and the polymorphic packer used in both threats suggest that they may be closely related.

Note: The rootkit cannot be removed while the OS is running, as it must be removed while the rootkit code itself is not running. During our tests, running the "fixmbr" command from within the Windows Recovery Console successfully removed the malicious MBR entry. To help prevent similar attacks in the future, and if your system BIOS includes the Master Boot Record write-protection feature, now is a good time to enable it!

I would also like to thank Silas Barnes for his contribution to this analysis.

Posted by Elia Florio on January 8, 2008 09:00 AM

14 posted on 03/05/2008 2:31:57 PM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)
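An offline MBR baseline check, added here as an example (not F-Secure's or Symantec's code): it parses sector 0, hashes only the 446-byte bootstrap area that an MBR rootkit replaces, compares that hash with the one recorded when the disk was imaged, and reports any sectors past the last partition, the area where the Symantec writeup says the Mebroot payload is stored. It assumes sector 0 was read after booting from trusted media, as the article notes, since a rootkit that is already running can hide its own sector; the two sample sectors are constructed.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: bootstrap code, the part an MBR rootkit replaces
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> list[Partition]:
    """Validate the sector and return its non-empty partition entries."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a 512-byte sector ending in the 0x55AA boot signature")
    parts = []
    for i in range(4):
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def boot_code_hash(sector: bytes) -> str:
    """Hash only the bootstrap code; the partition table can change legitimately."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def unallocated_tail(parts: list[Partition], disk_sectors: int) -> tuple[int, int]:
    """(first sector, count) of the space past the last partition, where a payload can hide."""
    end = max((p.lba_start + p.sector_count for p in parts), default=1)
    return end, disk_sectors - end


def check_mbr(sector: bytes, baseline_hash: str, disk_sectors: int) -> list[str]:
    """Return findings; an empty list means sector 0 matches the trusted baseline."""
    findings = []
    parts = parse_mbr(sector)
    if boot_code_hash(sector) != baseline_hash:
        findings.append("bootstrap code differs from baseline image")
    for p in parts:
        if p.lba_start + p.sector_count > disk_sectors:
            findings.append(f"partition type 0x{p.type_id:02x} extends past the end of the disk")
    start, free = unallocated_tail(parts, disk_sectors)
    if free > 0:
        findings.append(f"{free} sectors from LBA {start} lie outside any partition; image and inspect them")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given bootstrap code, one bootable NTFS partition at LBA 63, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


CLEAN_MBR = make_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")  # constructed "known good" sector 0
BASELINE = boot_code_hash(CLEAN_MBR)                           # recorded when the disk was imaged
TAMPERED_MBR = make_sample_mbr(b"\x90\x90\x90" + CLEAN_MBR[3:BOOT_CODE_LEN])  # same table, new code
if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE, 2_000_063))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE, 2_100_000))
```

Run on a real disk, the baseline hash must come from an image taken before any suspected infection, and the sector must be read through the rescue environment rather than the installed OS.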

To: Ernest_at_the_Beach
Since it loads before anything else, Mebroot is nearly invisible to security software. "You can't execute any earlier than that," said Mikko Hypponen, F-Secure's chief research officer.

See, this is unnecessarily sensational and hence likely to be taken out of context in later accounts of the root kit. As the article later says, you can easily execute earlier than that with the simple use of a bootable CD.

As for what the root kit is doing, I imagine that depends on what the hacker responsible for it set it to do, i.e., log keystrokes and email them to a remote server, hijack DNS entries, download additional software, etc. What I would like is a little more info on the mechanism by which the root kit is infecting the victim systems.

15 posted on 03/05/2008 2:32:05 PM PST by MichiganMan (Look, if you wanna find poorly endowed guys, don't spam me, go hang out in an SUV dealership.)

To: LeGrande

What’s a MAC?


16 posted on 03/05/2008 2:33:12 PM PST by Publius6961 (MSM: Israelis are killed by rockets; Lebanese are killed by Israelis.)

To: Ernest_at_the_Beach

I use Firefox. I ran Spybot for the first time in 7 months this weekend. It found absolutely nothing.


17 posted on 03/05/2008 2:37:14 PM PST by Poser (Willing to fight for oil)

To: Ernest_at_the_Beach

bookmark


18 posted on 03/05/2008 2:38:03 PM PST by UCANSEE2 (Just saying what 'they' won't.)

To: Poser
I use Firefox. I ran Spybot for the first time in 7 months this weekend. It found absolutely nothing.

Unless you ran it from a bootable CD, then it wouldn't be able to find anything even if you did have it, as the root kit disguises itself before Windows (which is running Spybot) even boots up. IOW, you still don't necessarily know that you don't have it.

19 posted on 03/05/2008 2:42:17 PM PST by MichiganMan (Look, if you wanna find poorly endowed guys, don't spam me, go hang out in an SUV dealership.)

To: All
"VeriSign's iDefense Intelligence Team has said 5,000 users were infected in separate attacks on Dec. 12 and Dec. 19."

Uh, first the article says it "is proving to be a real headache to detect" and then there's the claim of all these infections.

Summin' don't add up.

20 posted on 03/05/2008 2:45:19 PM PST by Proud_texan (Election 2008: What Clayton Williams said)

To: Ernest_at_the_Beach

I keep a minimum of software on my work machine and imaged the whole drive as soon as I had it set up like I like it. I now re-install the image every couple weeks as I sleep. Accordingly, I don’t worry about any of those nasties.


21 posted on 03/05/2008 2:46:44 PM PST by joebuck (Finitum non capax infinitum!)

To: joebuck

Do you rewrite the MBR?


22 posted on 03/05/2008 2:49:40 PM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: Ernest_at_the_Beach
"Do you rewrite the MBR?"

Well, the whole disk goes through a deep reformat before the image is reapplied, so yes, the MBR is restored to the condition it was at the time I originally imaged the disk.

23 posted on 03/05/2008 2:54:16 PM PST by joebuck (Finitum non capax infinitum!)

To: Ernest_at_the_Beach

bttt


24 posted on 03/05/2008 3:01:29 PM PST by dennisw (Never bet on a false prophet! <<<||>>> Never bet on Islam!)

To: Ernest_at_the_Beach
"Hiren's Boot CD" has tools that will find it. Highly recommended free download.
25 posted on 03/05/2008 3:06:42 PM PST by Bloody Sam Roberts (Great spirits will always encounter violent opposition from mediocre minds.)

To: Publius6961
What’s a MAC?

I don't know, a truck maybe? I have a Mac.

26 posted on 03/05/2008 4:57:04 PM PST by LeGrande

To: eCSMaster
But if there is an equal distribution of OSes, say 25% Windows, 25% Mac, 25% Linux, 25% OS/2, the odds of propagating to several machines are (1/4) ** N, which approaches zero.

Diversity certainly helps a lot, but there are lots of examples of viruses spreading on small populations of computers.

The Microsoft Windows monopoly is a very, very bad thing.

Yes they certainly do have a big bulls eye pasted on their OS don't they? We Mac users thank all of you Microsoft users for all the suffering you are going through on our behalf : )

27 posted on 03/05/2008 5:27:09 PM PST by LeGrande

To: Ernest_at_the_Beach

Thanks.


28 posted on 03/05/2008 5:31:55 PM PST by Defiant (Para votar Obama, se necessita una cabeza de nada...un cabeza de nada, para mi para ti, ay arriba..)

To: eCSMaster
But if there is an equal distribution of OSes, say 25% Windows, 25% Mac, 25% Linux, 25% OS/2, the odds of propagating to several machines are (1/4) ** N, which approaches zero.

I want to quibble with your math in that your statement assumes that each OS is equally susceptible to being infected and propagating malware. This is not necessarily true.

For example, most Linux distributions (my chosen OS) get nearly all of their third party software from software repositories administered by the distribution creator. You use a client to download applications that are pre-packaged for your distro. My package manager is showing 23,151 packages currently available to me for installation. I just browse for a program I want, click install, let it work, and it's there. While the possibility theoretically exists that a virus infected package could accidentally be placed in the repository, it hasn't happened to my knowledge, and such a situation is likely to be immediately resolved upon discovery.

Obviously there are going to be packages that a user desires that aren't in the repositories, the excellent game World of Padman for instance. While the user has to install it Windows style (download from the web, install) most Linux programs out there are "open source" which means that the source code is available for review, and alteration. So again, the odds are stacked against a malicious infection remaining undiscovered for long. Obviously the user is advised to exercise some judgment when doing things like this.

Thirdly, there is Linux's user privilege system, what Microsoft had in mind but hopelessly bungled with Vista's User Account Control. On Linux, downloaded executable files need to be affirmatively designated by the user as executable before the system will let them run. Programs that perform system wide changes, such as those that a virus or trojan would want to perform, need superuser, or root, privileges to run. This again requires the user to take affirmative steps to allow the program to run, which, of course, tends to significantly cut down on surreptitious malware installations.

Of course no system is perfect, and you can't absolutely stop a user from going to JoesViruses.com and using root to install NakedPics-NotAVirus-Honest.deb, but byte for byte, the very design of Linux leaves fewer vectors for malware to enter the system and propagate than currently exist for Windows.

Can't speak for Mac and OS2 as I'm not as familiar with them.

29 posted on 03/05/2008 6:44:55 PM PST by MichiganMan (Look, if you wanna find poorly endowed guys, don't spam me, go hang out in an SUV dealership.)

To: Bloody Sam Roberts

“Hiren’s Boot CD has tools that will find it. Highly recommended free download.”

I looked for this once before and just looked again.

Do you have a valid link to it?


30 posted on 03/05/2008 7:01:37 PM PST by chaosagent (Remember, no matter how you slice it, forbidden fruit still tastes the sweetest!)

To: chaosagent
Do you have a valid link to it?

Yeah...somewhere. Gimme some time. I found one after some real digging. I can replicate my search but I'm at work and I'm not sure what will...and won't be blocked.

But fear not....you're on my list. Even if I have to wait until I get home in another 2 hours.
Good things come to those who wait.

31 posted on 03/05/2008 7:09:35 PM PST by Bloody Sam Roberts (Great spirits will always encounter violent opposition from mediocre minds.)

*


32 posted on 03/05/2008 7:14:47 PM PST by MHGinTN (Believing they cannot be deceived, they cannot be convinced when they are deceived.)

To: Bloody Sam Roberts; chaosagent
Maybe this is it?

http://www.hiren.info/pages/bootcd

Now what do we do? ;-)

33 posted on 03/05/2008 7:21:51 PM PST by Troubling Times (If I used my usual it'd be a dead giveaway ;-)

To: Troubling Times
Maybe this is it?

Nope. that's not where I downloaded it. I did some looking and 80% of the possible sites are blocked for me here.
Sheesh...ya'd think I was trying to download porno or something.

I'll find it later on my home PC and post the link.

34 posted on 03/05/2008 7:33:15 PM PST by Bloody Sam Roberts (Great spirits will always encounter violent opposition from mediocre minds.)

To: Bloody Sam Roberts; chaosagent
Trying again ...

http://www.9down.com/Hiren-s-BootCD-v9-4-Incl-Keyboard-Patch-22256/

Page down about halfway searching for:
BT Download : Hiren's BootCD v9.4 incl Keyboard Patch
Download : Mirror

I went with the mirror link and Global Crossing at the bottom of the list - Very fast D/L. Now what? ;-

35 posted on 03/05/2008 7:47:30 PM PST by Troubling Times (If I used my usual it'd be a dead giveaway ;-)

To: Ernest_at_the_Beach
certain browsers with security vulnerabilities

That ...to me .....means Internet Explorer...

Indeed. I noticed the glaring absence of the word "Microsoft" from the entire article.

36 posted on 03/05/2008 8:47:59 PM PST by zeugma (FedGov has no intention of actually doing anything to secure this nation. It's all a power grab.)

To: Troubling Times
I found where I got it. The latest version 9.4. File is 91.1Mb.

http://www.sendspace.com/file/vnva76

Wait for the page to load, then scroll down to the pulsing red arrow for the link to the file. Not an extremely fast download.

Once you have it, unzip it, check the readme file(s). No keyboard patch is necessary for the US. Look for the ISO file then burn it to CD with Nero or some such. Then save the ISO file in a safe place after you've test booted the new disk.

If you've already downloaded it at the link you posted, just do the above...if it's a zip file.

If you want version 9.3 you can get it here:

http://www.sendspace.com/file/uyqjow

37 posted on 03/05/2008 9:46:00 PM PST by Bloody Sam Roberts (Great spirits will always encounter violent opposition from mediocre minds.)
