MBR infecting rootkits: All the old things are new again.

Mar 04, 2008

It seems as if malware evolves just as fast as biological diseases these days. Earlier this year, it was made public that batches of flu vaccine were probably ineffective against this year's upper respiratory plague that I've complained about more than enough lately (my apologies to house Laurelinde, though - Lyssa and I will bring over something tasty soon for you). Around the same time, a new strain of rootkit called Mebroot hit the Net that infects the Master Boot Record of the boxen it's installed on. It compromises the machine below the level of the operating system, because the executable code referenced by the MBR runs before the OS has a chance to spin up. The interesting thing about this new rootkit is that it uses a very old technique: it replaces the Master Boot Record of the system drive. MBR-infecting viruses have been around for better than fifteen years. It doesn't even have to edit the registry, any systemware, or the boot.ini file, so software that checks the integrity of the file system will in all probability miss these alterations. The ntoskrnl.exe hook that loads the kernel-mode portion of the rootkit exists for only a short period of time and is wiped out once the Windows kernel finishes loading itself into memory, so you can't look for changes to the nt!Phase1Initialization call. It doesn't store any files in the filesystem, either; instead it references absolute sectors of the disk to store the other parts of itself, completely bypassing the NTFS drivers and consequently avoiding detection by scanning the system drives. In fact, it touches so little of kernel memory space that it's damnably difficult to suss out. The only thing Mebroot has to hide is the altered Master Boot Record, and it does so by overriding only two routines of the Windows disk.sys driver.
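Since the rootkit leaves nothing in the filesystem, an integrity check has to read the raw first sector and the sectors no partition owns, and compare them with a baseline recorded on a known-clean machine. The Python below is an added example, not code from the original post: it parses a 512-byte MBR, compares the boot code hash with a baseline, and flags non-zero data in unallocated sectors; the 64-sector disk image it builds and the "EVIL" marker are constructed sample data.

```python
import hashlib
import struct
SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"

def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code, partition entries and signature."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry: status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA, size
        status, ptype, lba, size = struct.unpack("<B3xB3xII", mbr[446 + 16 * i:462 + 16 * i])
        parts.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "size": size})
    return {"boot_code": mbr[:446], "partitions": parts,
            "signature_ok": mbr[510:512] == BOOT_SIGNATURE}

def boot_code_sha256(mbr: bytes) -> str:
    """Hash of the 446 bytes of boot code; record this on a known-clean system."""
    return hashlib.sha256(parse_mbr(mbr)["boot_code"]).hexdigest()

def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Findings for one MBR; an empty list means it matches the recorded baseline."""
    p, findings = parse_mbr(mbr), []
    if not p["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if boot_code_sha256(mbr) != baseline_sha256:
        findings.append("boot code differs from baseline")
    if sum(1 for e in p["partitions"] if e["bootable"]) != 1:
        findings.append("expected exactly one bootable partition")
    return findings

def nonzero_unallocated_sectors(disk: bytes) -> list:
    """LBAs no partition owns (MBR excluded) that hold non-zero data; a heuristic,
    since legitimate boot loaders also stash code in the gap after the MBR."""
    used = set()
    for e in parse_mbr(disk[:SECTOR])["partitions"]:
        used.update(range(e["lba"], e["lba"] + e["size"]))
    return [lba for lba in range(1, len(disk) // SECTOR)
            if lba not in used and any(disk[lba * SECTOR:(lba + 1) * SECTOR])]

def build_sample_disk(boot_code: bytes, payload_lba=None) -> bytes:
    """Constructed 64-sector image: one bootable partition at LBA 32-63, optional payload marker."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 32, 32) + b"\x00" * 48
    mbr = boot_code.ljust(446, b"\x00") + table + BOOT_SIGNATURE
    disk = bytearray(mbr + b"\x00" * SECTOR * 63)
    if payload_lba is not None:
        disk[payload_lba * SECTOR:payload_lba * SECTOR + 4] = b"EVIL"
    return bytes(disk)
```

Because the rootkit hooks disk.sys to hand back a clean-looking MBR, a read taken through the running OS cannot be trusted; run the check against an image taken from boot media or another host.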

As if that weren't enough, this little beastie goes well out of its way to avoid being noticed by host-based firewalls and IDSes - it implements its own network stack at layer 3 and above of the OSI model. By running an entirely separate network subsystem just below the level at which personal firewalling software hooks into the stack, it can sneak past packet monitoring and filtering software running on the host (but not elsewhere on the local network, I hasten to add).

I have to admit, I admire the design of this bad boy. Whoever designed it seems to know exactly what they're doing and has an unhealthy amount of knowledge about the architecture of Microsoft Windows.

Now, what does it mean to Joe and Jane User on the Net? The Mebroot rootkit isn't being used by professional crackers to compromise corporate hosts; it's being used by professional scammers with a dedicated web server loaded with remote exploits for various and sundry applications. Their MO seems to be: trick someone into visiting that server, pop them, install the rootkit, and then do whatever they want with those machines. Mebroot has its own networking functionality, so it can hypothetically go out and download whatever other nasties the designers feel like, such as botnet agents, spambots, or anything else. Current strains of Mebroot are detected by a number of AV packages, thankfully, so all hope isn't lost if you do get hit.

As always, be careful what links you click on from your e-mail, and run an up-to-date antivirus package all the time.