Master Boot Record Rootkit
Original issue date: January 14, 2008
It has been observed that a rootkit named MBR Rootkit is spreading in the wild. The rootkit hides itself inside the master boot record (MBR) of the system. It exploits several vulnerabilities to get onto unpatched Windows systems. The vulnerabilities exploited are described in Microsoft XML Core Services XMLHTTP ActiveX Control Code Execution Vulnerability (CIVN-2006-112), Microsoft JVM ByteVerify (MS03-011), Microsoft Data Access Components Code Execution Vulnerability (CIVN-2006-31) and Microsoft Internet Explorer Vector Markup Language Code Execution Vulnerability (CIVN-2006-92).
Certain compromised websites are reported to host the exploits for the above vulnerabilities and to propagate the rootkit via malicious iframes. Some of the malicious domains through which the malware is being propagated are:
BFF1TWE.COM, IMM2TWE.COM, FTT3TWE.COM, GUUATWE.COM, GFEPTWE.COM, ANOPLEV.COM, GFDTWE.COM
Aliases: Troj/Mbroot-A [Sophos], StealthMBR [McAfee], TROJ_SINOWAL.AD [Trend]
Once the dropper (rootkit installer) executes on the system, it writes a malicious kernel driver to the last sectors of the hard disk and modifies sectors 0 (MBR), 60, 61 and 62. It overwrites sector 0 (MBR) with its own code and stores a copy of the original MBR at sector 62. It also prepends code at sectors 60 and 61.
After this initial infection, the malware reboots the system. On start-up, the code in the MBR hooks INT 0x13 to control the content of the sectors loaded by NTLDR, giving it full control over what the OS loads. It patches the kernel so that the OS loads the malicious rootkit driver. The rootkit driver then tries to make outbound connections to remote hosts.
To hide the real content of the MBR and the other modified sectors from anti-virus scanners, the rootkit hooks IRP_MJ_READ of "\Driver\Disk". When an API call reads sector 0 (MBR), the rootkit intercepts the disk IRP_MJ_READ request and returns the copy of the original MBR stored in sector 62. A second hook, on IRP_MJ_WRITE, protects the infected sectors from being deleted or overwritten.
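The sector layout described above (modified boot code in sector 0, the original MBR saved in sector 62, extra code in sectors 60 and 61) can be checked offline. The following is an added example written for this advisory, not CERT-In's or any vendor's tool. It parses raw 512-byte sectors from a disk image and reports the indicators the advisory names; the sample image is constructed inline, and the rootkit boot-code bytes in it are placeholders. Because the rootkit hooks IRP_MJ_READ on a live system, the image should be acquired after booting from clean media; on a live infected host, the same check would instead see sector 0 and sector 62 byte-identical, which the script also reports.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"
BOOT_CODE_LEN = 446            # bytes of boot code before the 64-byte partition table

# Sector numbers taken from the advisory (assumption: standard 512-byte sectors).
SECTOR_MBR = 0
SECTORS_PATCHED = (60, 61)     # advisory: code prepended at sectors 60 and 61
SECTOR_BACKUP = 62             # advisory: copy of the original MBR stored here


def read_sector(image: bytes, n: int) -> bytes:
    return image[n * SECTOR:(n + 1) * SECTOR]


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, used partition entries and the 0x55AA signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[BOOT_CODE_LEN + 16 * i: BOOT_CODE_LEN + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": sector[510:512] == MBR_SIGNATURE}


def looks_like_mbr(sector: bytes) -> bool:
    """Valid signature plus at least one plausible (inactive or active) partition entry."""
    mbr = parse_mbr(sector)
    return mbr["signature_ok"] and any(
        p["status"] in (0x00, 0x80) and p["lba_start"] > 0 for p in mbr["partitions"])


def scan_image(image: bytes) -> list:
    """Return human-readable findings for the indicators named in the advisory."""
    findings = []
    mbr = read_sector(image, SECTOR_MBR)
    backup = read_sector(image, SECTOR_BACKUP)

    if not parse_mbr(mbr)["signature_ok"]:
        findings.append("sector 0 lacks the 0x55AA boot signature")

    if looks_like_mbr(backup):
        if backup == mbr:
            # What a hooked IRP_MJ_READ would show: reads of sector 0 answered from sector 62.
            findings.append("sector 62 is byte-identical to sector 0 (consistent with a hooked read)")
        elif (backup[:BOOT_CODE_LEN] != mbr[:BOOT_CODE_LEN]
              and parse_mbr(backup)["partitions"] == parse_mbr(mbr)["partitions"]):
            # Same partition table, different boot code: sector 62 holds the saved original MBR.
            findings.append("sector 62 holds an MBR with sector 0's partition table but different boot code")

    # The track gap between the MBR and the first partition is normally all zeros.
    for n in SECTORS_PATCHED:
        if any(read_sector(image, n)):
            findings.append(f"sector {n} is non-zero in the normally empty track gap")
    return findings


def build_sample_image(infected: bool) -> bytes:
    """Constructed 63-sector image: clean, or rewritten the way the advisory describes."""
    clean_boot = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 7)
    # One active NTFS (type 0x07) partition starting at LBA 63.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2_000_000)
    table = entry + b"\x00" * 48
    clean_mbr = clean_boot + table + MBR_SIGNATURE
    sectors = [clean_mbr] + [b"\x00" * SECTOR] * 62
    if infected:
        fake_loader = b"\xEB\x3C\x90" + b"\xCC" * (BOOT_CODE_LEN - 3)   # placeholder bytes, not real malware
        sectors[SECTOR_MBR] = fake_loader + table + MBR_SIGNATURE      # boot code replaced, table kept
        sectors[SECTOR_BACKUP] = clean_mbr                             # original MBR parked in sector 62
        for n in SECTORS_PATCHED:
            sectors[n] = b"\xCC" * SECTOR                              # extra code in the track gap
    return b"".join(sectors)


if __name__ == "__main__":
    for label, img in (("clean", build_sample_image(False)), ("infected", build_sample_image(True))):
        print(label, scan_image(img) or ["no indicators"])
```

To use it on a real acquisition, read the first 64 KiB of the image (for example `open(path, "rb").read(63 * 512)`) and pass it to `scan_image`. A clean disk with the first partition at LBA 63 produces no findings; a disk prepared as the advisory describes reports the sector-62 copy and the two non-zero gap sectors.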
It has been reported that the rootkit is packaged with Torpig Banking Trojan.
It may be noted that this rootkit can only write to the MBR successfully when the logged-in user has administrative privileges.
In view of rapid propagation and high damage potential of the malware, users are advised to implement the following countermeasures:
- Block the malicious domains mentioned above for both outbound and inbound HTTP requests.
- Install and run anti-rootkit detection tools (for example GMER, http://www.gmer.net/index.php) to clean the infected system.
- To help prevent similar attacks in the future, enable the Master Boot Record write-protection feature in the BIOS.
- Fix the MBR by running the "fixmbr" command provided by Microsoft from within the Windows Recovery Console to remove the malicious MBR entry.
- Patch the vulnerabilities described above that are being exploited by the rootkit.
- Restrict administrative rights to designated Network/System Administrators only. Use the Administrator account only when explicitly required.
- Keep up-to-date on patches and fixes on the operating system and application software.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Install and maintain updated anti-spyware software at desktop level.
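The first countermeasure, blocking the listed domains, is easiest to apply and verify with a small script. The following is an added example, not part of the advisory: it turns the advisory's domain list into a case-insensitive block list that also covers subdomains, emits hosts-file sinkhole entries (the 0.0.0.0 sinkhole form is an assumption, not something the advisory specifies), and scans DNS query log lines for lookups of those domains. The log format and the log lines are constructed for the example.

```python
import re

# Domains named in the advisory. The advisory lists them in upper case; DNS names are case-insensitive.
ADVISORY_DOMAINS = [
    "BFF1TWE.COM", "IMM2TWE.COM", "FTT3TWE.COM", "GUUATWE.COM",
    "GFEPTWE.COM", "ANOPLEV.COM", "GFDTWE.COM",
]


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Foo.COM.' and 'foo.com' compare equal."""
    return name.strip().rstrip(".").lower()


BLOCKLIST = frozenset(normalize(d) for d in ADVISORY_DOMAINS)


def is_blocked(hostname: str) -> bool:
    """True for a listed domain or any subdomain of it; 'notbff1twe.com' does not match."""
    labels = normalize(hostname).split(".")
    # Check every suffix of at least two labels: a.b.example.com -> b.example.com -> example.com
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels) - 1))


def hosts_file_entries() -> list:
    """Sinkhole lines for a hosts file (assumption: 0.0.0.0 is used as the sinkhole address)."""
    return [f"0.0.0.0 {d}" for d in sorted(BLOCKLIST)]


# Constructed sample log: "<timestamp> <client-ip> query <qname>" per line.
SAMPLE_DNS_LOG = """\
2008-01-14T10:00:01Z 10.0.0.5 query www.example.com
2008-01-14T10:00:02Z 10.0.0.7 query update.bff1twe.com.
2008-01-14T10:00:03Z 10.0.0.9 query ANOPLEV.COM
2008-01-14T10:00:04Z 10.0.0.5 query notbff1twe.com
2008-01-14T10:00:05Z 10.0.0.7 query gfdtwe.com.example.org
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def find_hits(log_text: str) -> list:
    """Return (client, queried-name) pairs for every lookup of a blocked domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_blocked(m["qname"]):
            hits.append((m["client"], normalize(m["qname"])))
    return hits


if __name__ == "__main__":
    print("\n".join(hosts_file_entries()))
    for client, qname in find_hits(SAMPLE_DNS_LOG):
        print(f"{client} looked up {qname}")
```

The last sample line shows why suffix matching has to be anchored at label boundaries: `gfdtwe.com.example.org` merely contains a listed name and is not reported, while `update.bff1twe.com` is.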
References
http://www.symantec.com/enterprise/security_response/weblog/2008/01/from_bootroot_to_trojanmebroot.html
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-010718-3448-99
http://www.isc.sans.org/diary.html?storyid=3820
http://www2.gmer.net/mbr/
http://blog.trendmicro.com/mbr-rootkit-a-web-threat/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SINOWAL.AD
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003