Sophos


MBR rootkit - the story so far

During this week there was quite a lot of talk about an MBR rootkit Trojan spotted in the wild at the end of December 2007. The Trojan uses techniques similar to those of old boot sector viruses to infect the system and remain active in memory. This method allows the Trojan, detected by Sophos as Troj/Mbroot-A, to stay hidden from standard security tools such as anti-malware software, as long as its code is started before the security software.

In addition to that, the rootkit hooks the disk.sys IRP_MJ_READ and IRP_MJ_WRITE routines to hide the malicious sectors of the drive when they are read from user mode. That way the rootkit stays hidden, and detection requires either special anti-rootkit detection tools or booting from a clean bootable disk, as in the good old days of DOS.

So how does the rootkit get installed in the first place? Troj/Mbroot-A is loaded by a few malicious web pages hosting several older browser exploits. The exploits download and launch the Trojan dropper, which writes its loader to the MBR and to sectors 60 and 61 of the hard drive. The original MBR is saved to sector 62; it is still used during the boot process and for hiding the infected MBR.

Boot sector infection
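As an added illustration (not Sophos's code or a Sophos tool), here is a heuristic offline check in Python over a raw disk image: because the rootkit hides its sectors from user-mode reads on a running system, the image is assumed to have been taken after booting from clean media. It compares sector 0 with sector 62, where the post says the original MBR is parked; the sample images, and the assumption that the infected MBR keeps the original partition table, are constructed for the example.

```python
import struct

SECTOR = 512                       # sector size assumed for the image
BOOT_SIG = b"\x55\xAA"
SAVED_MBR_SECTOR = 62              # where the post says the original MBR is stored

def read_sector(image: bytes, n: int) -> bytes:
    return image[n * SECTOR:(n + 1) * SECTOR]

def looks_like_mbr(sector: bytes) -> bool:
    """Heuristic: boot signature present and at least one plausible partition entry."""
    if len(sector) != SECTOR or sector[510:] != BOOT_SIG:
        return False
    for i in range(4):
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        if entry[0] not in (0x00, 0x80):          # boot-indicator byte must be 0x00 or 0x80
            return False
        ptype, lba_start = entry[4], struct.unpack_from("<I", entry, 8)[0]
        if ptype and lba_start:
            return True
    return False

def check_image(image: bytes) -> dict:
    """Compare the live MBR (sector 0) with the sector said to hold the parked original."""
    mbr, saved = read_sector(image, 0), read_sector(image, SAVED_MBR_SECTOR)
    return {
        "mbr_valid": looks_like_mbr(mbr),
        "saved_is_mbr": looks_like_mbr(saved),
        "code_differs": mbr[:446] != saved[:446],
        "same_partition_table": mbr[446:] == saved[446:],
        # an MBR-shaped copy at sector 62 whose code differs from the live MBR merits analysis
        "suspicious": looks_like_mbr(saved) and mbr[:446] != saved[:446],
    }

# --- constructed sample images (placeholder bytes, not real malware code) ----------
def make_mbr(code: bytes) -> bytes:
    part = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 4096)
    return code.ljust(446, b"\x00") + part + b"\x00" * 48 + BOOT_SIG

ORIGINAL_MBR = make_mbr(b"ORIGINAL-BOOT-CODE")
CLEAN_IMAGE = ORIGINAL_MBR + b"\x00" * (SECTOR * 63)          # 64-sector image, sector 62 empty
infected = bytearray(CLEAN_IMAGE)
infected[0:SECTOR] = make_mbr(b"REPLACED-LOADER-STUB")       # live MBR code replaced, table kept
for n in (60, 61):                                            # loader sectors named in the post
    infected[n * SECTOR:(n + 1) * SECTOR] = b"\xAA" * SECTOR
infected[62 * SECTOR:63 * SECTOR] = ORIGINAL_MBR              # original MBR parked at sector 62
INFECTED_IMAGE = bytes(infected)

if __name__ == "__main__":
    print(check_image(CLEAN_IMAGE), check_image(INFECTED_IMAGE), sep="\n")
```

A legitimate backup copy of the MBR elsewhere on the disk would also trip the heuristic, so a hit is a prompt for manual inspection of the sectors, not a verdict.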

Once the system is infected, the Trojan waits between 30 and 45 minutes before initiating a system shutdown. This ensures that the Trojan becomes hidden on the system. Once hidden, the rootkit starts communicating with a number of web pages using HTTP POST requests. At the moment it is not clear what the purpose of these requests is. The generated network traffic could be used by Network Intrusion Detection Systems such as Snort to detect a potential infection of a system on the network (a number of random-looking .COM domains are used to POST to the /service/ URI).

The number of computers infected by Troj/Mbroot-A is as yet unknown, but SANS reports that it may well be several thousand. Luckily, none of them would have Sophos Anti-Virus installed: Sophos already detected the rootkit proactively as Mal/Sinowa-A at the time it appeared. In addition to that, the rootkit will not be able to infect systems with an up-to-date level of security patches, or correctly administered systems that do not allow standard users to run with local administrative privileges.

Unfortunately, there are still plenty of unpatched, mostly pirated Windows copies that could become infected with this Trojan. The extent of its success could make MBR infection popular with virus-writing groups once again, after many years, as it provides a good way of hiding malicious software. On the other hand, the method of loading is highly platform dependent, which also means unreliable, as the Windows loader and kernel may change significantly from version to version and even from service pack to service pack.

One thing is certain: after the Troj/Mbroot-A attack, anti-malware companies, including Sophos, will have to seriously think about including detection of active MBR rootkits in their products.


