MBR Rootkit, A New Breed of Malware

lotuseclat79 (Distinguished Member, 21,345 posts; Join Date: Sep 2003; Location: -71.45091, 42.27841)
03-Mar-2008, 10:08 AM #1
MBR Rootkit, A New Breed of Malware
F-Secure article here.

Gmer, Prevx and two Symantec article links at bottom of article.

This kind of malware is an outstanding example of why Windows users should acquire familiarity with using Linux Live CD's, reorder their BIOS to boot from CD before hard disk, and know how to issue dd commands to save off the original MBR for a Windows hard drive (and their Linux dual boot hard drive) after a clean installation before any connection to the Internet.

A Linux Live CD environment with at least 1GB of RAM can activate a safe environment without any hard drives mounted or accessed. From there as root:

# dd if=/dev/sda of=/mnt/linux/root/Mbrs/sdambr bs=512 count=1

The above dd command assumes that a Windows OS is installed on /dev/sda and a Linux hard drive is mounted at the mount point /mnt/linux of the Linux Live CD environment. The MBR of the Windows hard drive is saved on the Linux hard drive in the file /root/Mbrs/sdambr, and has a block size of 512 bytes for one count.

The restoration of the Windows MBR in a Live CD environment is:

# dd if=/mnt/linux/root/Mbrs/sdambr of=/dev/sda bs=512 count=1

The above example assumes that the Linux hard drive is first mounted into the Live CD environment by:

# mount -v -t ext3 /dev/sdb2 /mnt/linux

(or a similar partition name that holds the Linux distribution, identified with the command fdisk -l, which is issued from the root account).

Note: The Linux hard drive used in this example could be any hard-drive-like device such as a USB flash drive, external hard drive, DVD or CD.

-- Tom
__________________
The independence created by philosophical insight is - in my opinion - the mark of distinction
between a mere artisan or specialist and a real seeker after truth. - Einstein 1944
Imagination is more important than knowledge. - Einstein
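The backup, restore and mount steps in the post above, written out as an added shell example that is not part of the thread and not F-Secure's or Tech Support Guy's code. It saves the first sector with dd exactly as the post does, checks that the saved copy ends with the 55 AA boot signature, and later compares the live sector against the copy so that an unexpected change to the MBR is noticed and the saved copy can be written back. The helper names, the output path and the temporary file that stands in for /dev/sda during the offline run are assumptions made for this example; on a real system the device argument would be the Windows disk, e.g. /dev/sda as in the post.

```shell
#!/bin/sh
# Added example (not from the thread): save a disk's MBR with dd, check the
# saved copy, and later detect whether the live MBR still matches it.
# Assumptions (not in the original post): the helper names, and a temporary
# file standing in for /dev/sda so the demo runs without touching a real disk.
set -u

# Copy the first 512-byte sector (the MBR) of DEV into the file OUT.
mbr_backup() {
    dev=$1; out=$2
    mkdir -p "$(dirname "$out")"
    dd if="$dev" of="$out" bs=512 count=1 2>/dev/null
}

# Return 0 when the 512-byte image in FILE ends with the 55 AA boot signature.
mbr_has_signature() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -A n -t x1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Return 0 when DEV's current first sector is byte-identical to SAVED.
mbr_verify() {
    dev=$1; saved=$2
    dd if="$dev" bs=512 count=1 2>/dev/null | cmp -s - "$saved"
}

# Write SAVED back over DEV's first sector, as the post does with dd, but only
# after confirming the saved copy carries a boot signature, so a truncated or
# wrong file is never written over a good sector. conv=notrunc keeps a
# regular-file "disk" from being cut down to 512 bytes; it is harmless on a
# real block device.
mbr_restore() {
    saved=$1; dev=$2
    mbr_has_signature "$saved" || return 2
    dd if="$saved" of="$dev" bs=512 count=1 conv=notrunc 2>/dev/null
}

# Build a constructed 1 MiB "disk" image in FILE: zeros, a fake bootstrap
# marker at offset 0 and the 55 AA signature at bytes 510-511 (octal 125 252).
make_demo_disk() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf 'DEMO-BOOTCODE' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Walk through backup, verification, a simulated change and restore on the
# constructed image. Returns 0 only if every step behaves as expected.
demo() {
    disk=$(mktemp) && bak=$(mktemp) || return 1
    make_demo_disk "$disk"
    mbr_backup "$disk" "$bak"
    mbr_has_signature "$bak" || { echo "saved MBR lacks 55 AA signature"; return 1; }
    mbr_verify "$disk" "$bak" || { echo "fresh backup does not match"; return 1; }
    echo "MBR matches saved copy"
    # Simulate an unexpected change in the bootstrap area (constructed; temp file only).
    printf 'XXXX' | dd of="$disk" bs=1 seek=16 conv=notrunc 2>/dev/null
    if mbr_verify "$disk" "$bak"; then
        echo "change went unnoticed"; return 1
    fi
    echo "MBR differs from saved copy: restoring"
    mbr_restore "$bak" "$disk" || return 1
    mbr_verify "$disk" "$bak" || return 1
    rm -f "$disk" "$bak"
    echo "MBR restored and verified"
}

demo
```

The comparison is a detection check, not a cleaning tool: a mismatch after a legitimate bootloader change (reinstalling GRUB, for instance, as in the reinstall story later in this thread) is expected, so refresh the saved copy after such changes and keep it on media that the running Windows system cannot write to.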
lotuseclat79 (Distinguished Member, 21,345 posts; Join Date: Sep 2003; Location: -71.45091, 42.27841)
31-Mar-2008, 04:05 PM #2
Shedding (Black)Light on the Master Boot Record (MBR Rootkit)
Article here.

F-Secure's Blacklight now detects the MBR Rootkit infection and cleans it.

Download Blacklight here.

-- Tom
tomdkat (Distinguished Member, 7,127 posts; Join Date: May 2006; Location: S.F. Bay Area, CA; Experience: Intermediate)
31-Mar-2008, 05:25 PM #3
Thanks for the links. Since this rootkit lives in the MBR, I wonder if Linux would be as susceptible to this kind of infection. The MBR is filesystem "neutral", meaning there won't be any NTFS vs ext2/ext3 vs whatever issues to deal with, and if it can start when Windows starts I don't see why it wouldn't start when Linux started. Of course, I mean if the rootkit was targeting Linux as well.

I wonder what the feasibility of developing this kind of malware for Linux would be. There were several Windows exploits mentioned that allow infection on a Windows box. I wonder if a fully patched Windows system would be "immune", to any degree, to this rootkit.

Peace...
lotuseclat79 (Distinguished Member, 21,345 posts; Join Date: Sep 2003; Location: -71.45091, 42.27841)
31-Mar-2008, 07:20 PM #4
Hi tomdkat,

This kind of rootkit highlights yet another reason to keep backups of any MBRs on a system - I have two, one on my WinXP Pro SP2, and another on my HD-installed FC3. When I kicked out early from a parallel reinstall of my WinXP system, it trashed my MBR such that my Grub boot menu did not appear anymore. When I was able to reinstall my saved MBR with an Ubuntu Live CD using the dd command - it was worth it big time. Now I just run in a Live CD environment that I have adapted with iptables, no AV, no Spy Sweeper or other costs.

Since this rootkit only targets Windows systems, maybe Linux is in the clear until there are a lot smarter miscreants that have the talent to tackle Linux/Unix - not that there aren't rootkits out there like Suckit, etc. - that's why I also run chkrootkit and Rootkit Hunter.

-- Tom

P.S. A fully patched Windows system is still Swiss cheese!
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.