
MBR rootkit Mebroot: A tough threat to security

Security firm Finjan has raised a warning on rootkit "Mebroot," which it believes has entered the Release to Manufacturing (RTM) phase.

Security firm Finjan has raised a warning on the rootkit "Mebroot," which it believes has entered the Release to Manufacturing (RTM) phase -- a term used for software that has entered production. The rootkit is extremely difficult for security software to detect because it overwrites the master boot record (MBR) of the hard disk.

An excerpt from InfoWorld:

Dubbed "Mebroot," the rootkit infects the master boot record (MBR), the first sector of a PC's hard drive that the computer looks to before loading the operating system. Since it loads before anything else, Mebroot is nearly invisible to security software.

"You can't execute any earlier than that," said Mikko Hypponen, F-Secure's chief research officer.

F-Secure goes on to mention that, from inside the running system, its security software can at best only guess whether a PC is infected by Mebroot. However, booting from F-Secure's software CD makes detection possible, because the PC then never boots from the infected MBR and the security software gets the upper hand.

What makes Mebroot a greater threat is that it injects itself into other system processes, and all it takes to infect a PC is a visit to a Web page with an unpatched Web browser. MBR-infecting rootkits of this type have been in the news for some time now, but the scale of infection is yet to be ascertained.
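As an added illustration (not code from the article, InfoWorld or F-Secure), here is the kind of offline check that the boot-from-clean-media detection above relies on: read the 512-byte MBR, hash its bootstrap code region against a baseline recorded while the system was known clean, and sanity-check the partition table. The sample sectors, the baseline hash and the device path are constructed assumptions for the demo.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446       # bootstrap code is bytes 0..445
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


@dataclass
class Partition:
    status: int    # 0x80 bootable, 0x00 inactive; anything else is malformed
    type_id: int   # e.g. 0x07 NTFS, 0x83 Linux
    lba_start: int
    sectors: int


def read_mbr(device_path: str) -> bytes:
    # Run this from clean, read-only boot media (as the article describes for
    # F-Secure's CD), not from the possibly infected OS; works on raw images too.
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_partition_table(mbr: bytes) -> list:
    # Four 16-byte entries: status, CHS start, type, CHS end, LBA start, size.
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, type_id, _, lba, size = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_SIZE])
        parts.append(Partition(status, type_id, lba, size))
    return parts


def bootstrap_hash(mbr: bytes) -> str:
    # Hash only the bootstrap code, the region an MBR rootkit overwrites; the
    # partition table is left out so legitimate repartitioning is not an alarm.
    return hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> dict:
    # Compare a sector against the hash recorded when the system was known clean.
    if len(mbr) != SECTOR_SIZE:
        return {"ok": False, "findings": ["sector is not 512 bytes"], "partitions": []}
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if bootstrap_hash(mbr) != baseline_hash:
        findings.append("bootstrap code differs from clean baseline")
    parts = parse_partition_table(mbr)
    for idx, p in enumerate(parts):
        if p.status not in (0x00, 0x80):
            findings.append(f"partition {idx}: invalid status byte 0x{p.status:02x}")
    if sum(1 for p in parts if p.status == 0x80) > 1:
        findings.append("more than one partition flagged bootable")
    return {"ok": not findings, "findings": findings, "partitions": parts}


def build_sample_mbr(bootstrap: bytes) -> bytes:
    # Constructed sector: given bootstrap bytes, one bootable NTFS partition at
    # LBA 63, three empty entries, then the boot signature.
    code = bootstrap.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 63, 20000000)
    return code + entry + b"\x00" * (PART_ENTRY_SIZE * 3) + BOOT_SIGNATURE


# Constructed baseline: a jump-to-self stub stands in for real loader code; in
# practice the hash is recorded from the actual disk while it is known clean.
CLEAN_MBR = build_sample_mbr(b"\xeb\xfe")
CLEAN_HASH = bootstrap_hash(CLEAN_MBR)
# Constructed tampered sector: same partition table, different bootstrap bytes.
TAMPERED_MBR = build_sample_mbr(b"\xcc" * 64)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(sector, CLEAN_HASH)
        print(name, "OK" if result["ok"] else result["findings"])
```

On a real system the baseline must come from the disk itself (for example `check_mbr(read_mbr("/dev/sda"), saved_hash)` from the rescue CD), since a baseline taken on an already infected machine only protects the infection.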

Crafting such targeted malware takes a high engineering effort and goes to show how lucrative the malware "business" is becoming. Malware represents a big threat to the shift of software services online.

Do you feel it's high time that an industry framework was formulated to make security integral to the design of the Internet?

44 comments
JackOfAllTech

I install XOSL (www.xosl.org) on all my PCs even if they only have one O/S. If anything takes over the MBR, the bootloader won't run and I'll know instantly. FDISK /MBR is your friend!

bigloooser

Perhaps better educated end users would make some difference. The main people that are going to get infected with this virus, because it requires an unpatched system, are the individuals that do not update their systems on the advice of some backyard tech who thinks he is a computer guru. The end user is not aware that the alleged genius in question has just put an illegal copy of Windows on their system. Needless to say, when they make it to me with this illegal system, they are educated and they pay for it. They understand: do it right the first time or don't do it at all.

Neon Samurai

.. so that takes care of my workstation. Now to figure out how to take care of the other systems in my care. Anyone know if protecting the BIOS and having it scream if the MBR is changed prevents the attack vector?

pr.arun

Do you feel it's high time that an industry framework was formulated to make security integral to the design of the Internet?

pepoluan

Nice piece of open-source program. Too bad it's no longer being developed. I ran smack dab into 2 problems: 1. Since it uses a primary partition, I can't put 3 OSes that all demand a primary partition. 2. Somehow it conflicts with a computer of mine using the AMD690 chipset; the display is plain garbage and barely usable. *sigh* It seems I can't rely on XOSL's "inherent protection" on my AMD690-based systems...

Jacdeb6009

Here's a scenario. I run a laptop computer, no floppy available & cannot boot from USB, so what to do?? Can the concept of booting GRUB / LILO from a floppy or SDIO be extended to a CD-ROM? Yes, it would be read-only, so changing GRUB / LILO would mean a new disk, but would it work? I run XP and Linux (Ubuntu) in a multi-boot setup using GRUB. This is all installed on the hard drive. I am really new at the Linux game (about 1 week "new"); how would I transfer this setup so that GRUB boots from a CD-ROM (assuming that this is possible)? Any ideas??

pr.arun

That is an interesting take on the issue Neon Samurai. But would not that lock you down to a specific OS?

Stovies

This idea has, I am sure, crossed many minds of people sick to their back teeth with malware and criminals, but it is probably something that open source programmers could come up with. The idea is to have a computer-destroying bug retrace the steps back to the origin and destroy everything it enters. A bit drastic? Yes, but since I have had four computers suffer from irreparable damage following attacks I would like to know that the criminal is being targeted in a big way. People who get their computers taken over because of low security need a big lesson in the real costs of computing in this crime-infested environment. One wipeout and they will know it. Some may argue that this would not trace back to the perpetrators of the crime, but it would knock out their bot banks and give them some hassle. We tend to wait until it happens to us before we do anything, and even then some people do not want to do anything. "Evil men prosper because good men do not speak" someone has written. So all you heroes of mine out there, who do so much great work helping the computing community, do your stuff. If it needs funding, pass the word through websites like TechRepublic and I will contribute a whack of my pension to keep the systems open for industry and the younger generations.

Stovies

I ran a scan yesterday, as I do every day, and found the usual group of uninvited trespassers/burglars. AdRevolver, Blue Streak, Clickbank and so on. Why can't the webpage makers integrate a filter against these? I know some are necessary for access to sites, but they should all have to be accepted on entering a website for the first time. Also I have tried to find a list of these malware to find out what they actually do. As a marine engineer I was always telling customers how to better protect their machinery, even though some of the advice would inevitably cost me money for loss of work required because of neglected servicing by the customer. We need the same mentality in the web industry. If they do not stop this cancer there very soon will not be a web industry, because I for one would go back to the old form of communication, especially for dealing with confidential and financial transactions. I would like to see these companies and individuals named and shamed in daily bulletins.

mathew.gauvin

Who would we trust to accomplish this monumental task? Government?

JCitizen

For primary partitions on those file systems? (edited) As in Expert Partitioner (EP) included in YaST?

JackOfAllTech

I know there are other bootloaders out there, I just like the XOSL interface.

Neon Samurai

Others probably know better than this humble respondent, mind you. As I see it, you can direct LILO and GRUB to whatever bootable storage media you can mount. If you can't write directly to a CD then create an empty ISO and mount that directly. Set up your boot loader and direct it to the physical writer device or ISO. In the latter case, simply write the ISO to your disk and you're set. My BIOS won't take USB boot either.. booo. The only hitch I'd have to do some reading on is how to have the ISO appear as a device during initial setup, or confirm if LILO/GRUB will write to a mounted media location. I'd also consider using LILO in that case so that you know the whole boot loader is on the removable media; I learned that in this very same discussion (thanks again). Damn, I'm missing "joe lilo.conf && lilo" since this discussion started. Plan B: I have a work-issued notebook and cutting a partition for my preferred OS is not an option. When out of the office I use a liveCD to keep my mucking about and any network I may connect to (coffee shops, friends' homes) separate from the company's hard drive. At home, I run the notebook off the liveCD because of the partition thing and to use the notebook as a thin client for my workstation when I prefer to sit on the couch in front of the TV. With X, networks are transparent and any program I need uses the workstation hardware while simply displaying locally. Rdesktop gets me into my Win32 VM if needed but I've not touched VNC for my *nix installs for a very long time. I even had Firefox die when the notebook went to sleep; darned if it didn't ask to restore session when I opened it the next time directly on my workstation (it broke my little mind for a moment).

Jaqui

GRUB = GRand Unified Bootloader. It will load any OS you have on the hard drive, just like LILO [ LInux LOader ] and the chain bootloader used by WinXP. GRUB and LILO both can be accessed off a single floppy disk.

Neon Samurai

Very much the opposite; it seems to expand the potential OSes available and how many are installed alongside each other. Maintenance still has to be done through the particular OS you used to set up the boot loader, but that's my primary partition. From the Windows side, Norton or some other utilities offer boot loaders but I'm not sure if they can be installed to a floppy. The habit started back when I first began with dual-booting machines. I'd install LILO on the floppy drive to keep the MBR untouched. If I chewed my LILO config and couldn't select one of the multiple OSes installed, I'd pull the disk and let the MBR boot the original Windows partition. (Heck, if I pull the diskette and keep it with me then the primary OS on my machine becomes hidden. We all know the lack of value of obscurity though.) The same setup remains now except that my preferred distribution has taken to using GRUB instead of LILO. Having had a look over GRUB, I understand why. I've even managed to chew my GRUB config once but fixed it easily with the SuperGRUB boot disk. My next step will probably be using an older SD card once I have a BIOS that supports boot from USB. That way I can still have a physical read-only switch on the storage media. I have an old 512 meg flash drive I could use instead but it's currently my Damn Small Linux since it also has a physical read-only switch, making it handy for untrusted machines I may boot or run windowed emulation with. The liberating part is being able to have as many OSes as I have partitions for available easily through the boot loader menu. In some cases, I have several kernels available within the same OS partition. In this case, I figure the diskette is write-protected so it's not going to be affected by MBR viruses unless they manage to sneak in at some time when I'm making a change to the boot loader. The hard drive MBR is still exposed but it's left dormant unless I can't boot from the floppy; a potential exception may be if GRUB is simply using the MBR when I select the Windows partition. If the BIOS protection can block changes to the MBR then that should also be a way to harden the system against a breach.

Neon Samurai

It's true that most anything can be traced back to a source and nothing is truly anonymous on the internet. To really trace something back to its original source would require participation from every machine in the chain, assuming it retained its logs for a long enough period of time. Coordinating that participation would bureaucratically take too long. Software could not simply make a stop at each machine and harvest the logs it needed without an Internet-wide system in place, and that would be far too easy to abuse with ill intentions. The target computer could not be confirmed. Is it an innocent home user's computer that got zombied? Is it actually a computer some place in between? A traceroute can stop part way back to the machine you're trying to confirm a path to, but is that the last machine in the chain or is that just where the traceroute gets stopped? Maybe it was a machine in a coffee shop that someone used in passing that released the virus. It could have been a school computer or home computer if the home owner has really crappy friends. Maybe it was a terminal in a hospital that got broken into and has information on it that is not replaceable. There is frequently a question from someone wanting people to help them destroy someone else's machine. Not here; but around the forums in general. The result is the same though: vigilante responses can't be sure they are hitting the guilty party. The result is more damages rather than justice. There are too many ways for an innocent person's or company's machine to be used or spoofed as the source of the damages. Indiscriminate damages are what virus writers cause. If there was a way to find the individual responsible then fantastic. In the end, it really comes down to user education. Not being in the situation where one is easily hit by a virus in the first place rather than responding after the fact. Back up your files. Run current AV and firewall. Don't click on every popup and be aware of what websites you're going to. OSS developers are pretty inventive on average but all they can do is continue to use the development model to provide better software benefiting the end user. Other users have to freely choose to use a BSD or Linux based distribution or other POSIX-like operating system. If they stick to OS X, there are benefits but it's not bulletproof either. If they stick to Windows then they have to at least learn about AV/firewall/malware scanners and be aware of what they are doing. There's no license required to buy a computer though, so until it makes a higher priority on Microsoft's agenda, bugs will continue to be exploited. Viruses will continue to be viewed as a blemish on closed source vendors' reputations rather than a proof of concept for something that needs an update. Put simply; MS and other closed source companies have to work within limited budgets, limited developer staffing and whatever profits initial sales of their product earn. They stick to advertising and developing the new shiny product for retail. OSS is available and focuses more on the quality, security and function of the software but is limited to what is available as open source; they can't help it if non-OSS products are released to users with poor quality control, and have their hands tied for helping the situation. That is how it seems to be anyhow.

Neon Samurai

Lazy website developers and marketeers who leave cookies lying around or misuse the function suck rocks. In my database-to-website developing days, I never left a cookie open if the user logged out and always used a short time to live in case they didn't. The malware you speak of is a whole other story. The first time I saw such a thing, and long before the term "malware" existed, the first thought was: but that's a viral attack, why is a legitimate company using viruses? There is no legitimate excuse for having your software (their software) installed on my machine without my knowledge and express permission to do so. And now for something completely different (er.. off topic): I miss the days when one could email an administrator from their own account to explain the security hole left open, but the best modern analogy is considering a home owner. One comes home to find a note on their fridge saying: "Hi, noticed your security was set up pretty good but the back gate can be jumped and the back door was unlocked. Didn't eat anything in the fridge or use the bathroom. Just a friendly note." Of course, the intent is to help the analogous home owner but I know I'd be hoping they tried again when I was home with swords in hand. One gets the same sick feeling in the gut when you discover a server breach.

Daniel.Muzrall

The internet was "designed" to be an open network...at least after DARPA let it go into the "wild". Since it's such a ubiquitous, international beast, I don't think that you'd be able (or want, for that matter) to have any one government determining how to build security into the Internet. I think at this point the responsibility must fall to the W3C or some other web standards community. It would/will be a monumental undertaking, and will require support from EVERYONE to implement, since security is only as good as the weakest link.

robertjtownley

I looked at Gujin, but it does not specifically mention NTFS support. It indicates that it can find files in FAT32 and Ext3 among others, but does not mention NTFS. Anybody got this to work with an all-NTFS drive?

JCitizen

Thanks! and I'm sure pepoluan thanks you as well.

JCitizen

Although I got away with it for quite a few months. And my MCSE book said it wouldn't work! Of course Acronis should be way superior to the Windows partitioning system. Hopefully for open source anyway.

pepoluan

... and got Acronis OS Selector instead. Not free, but we got a good bargain. Esp. since AOSS installs in a Logical Drive instead of a primary partition, so I can get 3 (yeah, read 'em, THREE) different OSes in their own Primary Partitions.

Jacdeb6009

Thanks Neon! I shall have to do some more reading, learning and playing around... :) It's the usual thing.

Neon Samurai

That's why I love info security. It's the puzzle that never ends. 100 jigsaw pieces and you'll only ever be able to find 99 of the damn things. Get it all locked down and the next technology darkens your doorstep. Heck, even learning to fly a chopper eventually ends with: take off, move, hover, land. Best of all, it's the one tech focus that touches all other areas of specialty for us generalists at heart. (Now if only I could collect the certs that reflect my existing but undocumented experience.) Info Sec: the hobby and employment that keeps on giving.

JCitizen

When it comes to security; it's like my daddy Rosanna Anna Danna always say "There's aaaallwaaays somethin'!!" Ain't that the truth!?

Neon Samurai

If you build an install, you put Tripwire on it while the system is still clean. A diskette is no different; you want to create it on a clean system then write-protect it. Naturally, if you start with a dirty disk, you're protecting the dirt along with what you wanted on it. If you start with a dirty machine and install Tripwire, it's no better than practice for next time. I thought all 1.44 drives used a physical probe to check the write-protection position on the diskette but I can see there being an issue if you have a drive that uses a light to confirm or defaults to "unprotected" if it's not sure. (Blast, now I gotta pull the floppy drive and see what it's using. Oh well, an excuse to pull it apart again.) In that case, consider SDIO cards with the physical write protect included as part of the chip and processor in the little critters. Maybe someone knows more about SDIO media than I do and can confirm where the protection setting is affecting the storage media within the wafer of plastic.

JCitizen

floppy protect does in the example MeadowsPV related to, do they? Here's a quote from his link: "Some think that a floppy disk that is write-protected could not get infected, but unfortunately, the write protection mechanism of disk drives does not always work, and when it doesn't work, the drive will write whatever the user (or virus) requests to a write-protected floppy. Some think that using a write-protected floppy protects their machine, but only read-protection can do that. Write protection protects a floppy from further infection; it also protects the virus on it from any cleaning efforts a scanner might make. Because write protection is a state, rather than permanent condition, a virus can infect when the diskette is not protected. We have found many viruses on write-protected floppies. We even found one in a machine that had hardware to prevent modification of its boot area. The virus infected the drive before the hardware was installed." Scary, no?

JCitizen

That's great news! Best wishes and happiness forever more! Oh geese! I gave my last SDIO card to a buddy in Iraq; oh well! He'll put it to better use than I.

JCitizen

One of the big selling points back then was BIOS antivirus capability; that has dropped off the radar in recent years and I wonder how valid it is anymore with PXE. That is another hole in remote execution if it isn't disabled in the OS software. I've never caught up with new developments, hence my musings on it.

Dumphrey

That's exactly what I have been looking for, only I didn't realize it =) What I mean is I have been putting together a Smoothwall box for my housemate (who will be leaving in 6 months or so when I get married). A read-only USB disk to host Smoothwall is just dandy, as updates are uncommon... mostly everything lives in RAM. Not to mention a read-only rescue distro...

MeadowsPV

Here is a piece of a thread from [The Risks Digest].

Re: Failsafe mode for 3.5" Floppies
Andrew Klossner, Tue, 10 Sep 91 13:03:38 PDT

"If dust prohibits sensing the position, or the detector/light source fails, the drive will incorrectly assume that the disk should be writable."

The RISK of assuming a particular implementation. My Panasonic 3.5" floppy disk drive senses the tab position by attempting to insert a metal probe into the hole. A successful insertion means that the disk can be written. The likely failure modes would falsely indicate unsuccessful insertion, i.e., write prohibited.
-=- Andrew Klossner (andrew@frip.wv.tek.com) (uunet!tektronix!frip.WV.TEK!andrew)

Since most no longer have 5.25" floppies, I assume you are speaking of a 3.5" floppy. From ancient history in computing, there were TSR (Terminate and Stay Resident) viruses that would infect a protected boot floppy - if the machine did not reboot from a dead cold power start. I am having difficulty finding the exact name of the virus. One example of a virus that wrote to flash BIOS [ NAVRAM ] was [ Win95.CIH - http://www.strategos.com.au/virus/cihfix.htm ]. A good article that shows the infection possibilities is here [ http://vx.netlux.org/lib/static/vdat/virpolic.htm#Badidea8 ]. Hope this is of use. Regards.. pvm

Jaqui

Flexibility vs clean config. I still use LILO. I don't see a need to change to GRUB when I don't have problem(s) with booting. If I add a new distro to otherwise unallocated space, then I just redo LILO with a new boot option added to support it.

Neon Samurai

I have my old floppy I move up into each new workstation I build. It looks a little funny, being white (ok, darkening beige from the years) against the black chassis it's currently in. Darn thing just won't seem to die but I'm ok with that. A floppy drive shouldn't be noticeable against the cost of the rest of your parts if you're putting a new box together. You could also look into one of the floppy-plus-everything-else readers. I've seen a few with the floppy slot alongside the various sizes for SD and other media. I think the last one I saw was in the $20 range. In that case, you may be running your floppy through the USB bus so be sure your BIOS supports boot from USB. When the floppy finally goes and I can't replace it, my current plan B is moving to an SD card as a boot partition. I still get the physical write-protect switch that way at least. I'm also likely to be using SD with a little portable USB 20-in-1 reader for occasions when I need a write-protected disk since USB flash drives seem to have dropped the design feature. Hope it helps unless I'm just repeating previous posts.

JCitizen

Slap my chops anyway! This is just one more reason I need to include a floppy drive with my new desktop [if that ever happens]. To me it is just easier than USB. Unless I'm on the road. Maybe after an F-Secure rootkit scan, and a file look-over through the recovery console, hopefully the MBR will be clean before creating this! I'm just going to have to pony up the bucks for one of the file-secure USB drives.

JCitizen

I completely forgot. I can always blame my brain damage, but it's just a cop out! :8}

Neon Samurai

lilo.conf is so much more straightforward and clean. That's really what I miss about using it. On the other side, GRUB's config is not so clean and obvious but it does have more flexibility in terms of finding other bootable partitions or manually picking something outside the boot menu. SuperGRUB also won me over when I chewed my boot and had it fixed in under five minutes. In the past with LILO, it's been more of a puzzle to avoid reinstalling. I guess I could just as easily have corrected a LILO config after getting the system back up and running with the SuperGRUB liveCD though. Good to know it doesn't install itself into the diskette's boot record. I'd figured both it and LILO were doing the same thing in terms of that. I'll have to keep this in mind when configuring a system which needs that last level of hardening.

Neon Samurai

It's the same reason I'm liking SDIO cards over direct USB flash drives: physical read-only switch. In the case of the floppy, you write your GRUB or LILO to the floppy then flip the little square bit of plastic from read/write to write-protected; tadaa.. As far as I know, the floppy drives still use a physical mechanism to detect the write-protect hole being covered or open, so software is not going to be able to find a way around it. As always, it is first set up on your machine when it's known to be clean; if you're already infected, you have bigger concerns. If you're booting from a USB flash drive without a physical write-protect switch then there would be the risk of software modifying your boot.

Jaqui

The write-protect tab that stops a floppy from being written to when you want it to remain unchanged? Odd, I do. ;) A boot floppy doesn't need to be writable to boot. Edit to add: and, in this case, LILO is better than GRUB. LILO's executable lives in the MBR / on the boot floppy; GRUB is on the HD, with only a hook to the executable on the MBR / boot floppy.

JCitizen

before some malware reads it and puts an unwanted deposit on it?

Neon Samurai

Even if it's just to better understand how the pulses pop from one chip down the chain. When I get my Striker2 into a chassis, I'll have a whole lot more hardware and an up-to-date BIOS to explore rather than my humble ns7-s, which is not even new enough to support USB boot. Any hardware genius out there have a better idea about the NVRAM step between controller and BIOS?

JCitizen

the BIOS and the motherboard? I would think a program there could trigger some kind of MBR data and geometry check through the SATA/IDE controller. I'm musing this because I seem to remember Cisco NVRAM has a lot of memory capacity for such checks; but the architecture is somewhat different of course.
