MBR Rootkit Anatomy

Thread starter: LabZero
An MBR rootkit has these features:


• Obtains control in bootup before the OS is loaded

• No files: the code is hidden in some areas of the disk and cannot be deleted like a normal file

• Requires no registry changes or other alterations to auto-start: it becomes part of the boot process

• It can hide by controlling only a few disk blocks


The MBR rootkit consists of 6 elements:


1. Installer

2. MBR Loader

3. Kernel patcher

4. Kernel driver loader

5. Sectors hider/protector

6. Kernel driver


1. Installer


The installer writes the malicious kernel driver to the last sectors of the disk, and then changes sectors


2. MBR Loader


The loader is put in sector 0 (the MBR) after the original MBR has been copied to another disk sector


3. Kernel patcher


At this point the MBR rootkit creates a function to control the sectors loaded by NTLDR. Kernel areas are thus modified.


At this point the rootkit carries out its original function and then loads the rootkit driver.


4. Kernel Driver Loader


The rootkit reads from disk the data about the rootkit driver to install. Once the driver is loaded into memory, the loader calls the driver's entry point.


5. Sectors hider/protector


A rootkit would not be a rootkit if it lacked the ability to hide from anti-virus. To do this it puts some diversionary tactics into practice:

• When some program (probably an anti-virus) tries to read the MBR modified by the rootkit, the function returns the original MBR stored previously in another area

• Modifies the write function to prevent the MBR from being deleted or overwritten


6. Kernel driver


Finally the rootkit driver is active and takes care of managing networking operations and protecting the hidden areas.


I conclude by saying that hiding a rootkit in the MBR gives it one very powerful tool that is difficult to detect.
 
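The hiding trick in point 5 (a read of sector 0 is answered with the saved original MBR) means a check run from inside the infected system sees a clean MBR, so a defender compares an image taken offline, e.g. after booting from trusted media. The Python below is an added illustration and not part of LabZero's post: it parses sector 0 (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), flags boot code whose SHA-256 differs from a known-good baseline, looks for other sectors that carry the same partition table plus the 0x55AA signature (a relocated original MBR, as in point 2), and lists non-zero sectors beyond the end of the last partition (where point 1 says the driver is written). The disk image, the baseline hash and every sector's content are constructed demo data, not bytes from any real infection.

```python
import hashlib
import struct

SECTOR = 512
MBR_SIG = b"\x55\xAA"
BOOT_CODE_LEN = 446      # boot code occupies bytes 0..445 of sector 0
PART_TABLE_OFF = 446     # four 16-byte partition entries follow at 446..509


def parse_partition_entry(raw):
    """Decode one 16-byte MBR partition entry; CHS fields are kept as raw bytes."""
    status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack("<B3sB3sII", raw)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "num_sectors": num_sectors}


def parse_mbr(sector):
    """Validate the boot signature and return the boot-code hash and in-use partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != MBR_SIG:
        raise ValueError("missing 0x55AA boot signature")
    entries = [parse_partition_entry(sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)])
               for i in range(4)]
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": [e for e in entries if e["num_sectors"] > 0]}


def find_mbr_copies(image):
    """LBAs (other than 0) that end in 0x55AA and carry sector 0's partition table: a relocated MBR.
    Comparing the partition table avoids false hits on volume boot records, which also end in 0x55AA."""
    table0 = image[PART_TABLE_OFF:510]
    hits = []
    for lba in range(1, len(image) // SECTOR):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if s[510:512] == MBR_SIG and s[PART_TABLE_OFF:510] == table0:
            hits.append(lba)
    return hits


def find_data_past_last_partition(image, mbr):
    """LBAs beyond the end of the last partition that hold any non-zero byte."""
    end = max((p["lba_start"] + p["num_sectors"] for p in mbr["partitions"]), default=1)
    total = len(image) // SECTOR
    return [lba for lba in range(end, total) if any(image[lba * SECTOR:(lba + 1) * SECTOR])]


def audit_image(image, known_good_boot_code_sha256):
    """Run all three checks against a raw disk image (bytes) and a trusted boot-code hash."""
    mbr = parse_mbr(image[:SECTOR])
    return {"boot_code_matches_baseline": mbr["boot_code_sha256"] == known_good_boot_code_sha256,
            "partitions": mbr["partitions"],
            "relocated_mbr_copies": find_mbr_copies(image),
            "unallocated_sectors_with_data": find_data_past_last_partition(image, mbr)}


def build_demo_image(total_sectors=64):
    """Constructed 32 KiB demo image: sector 0 has replaced boot code, the original MBR sits at
    LBA 62 and a non-zero blob sits at LBA 60, both past the single partition's end (LBA 42)."""
    image = bytearray(total_sectors * SECTOR)
    # One bootable NTFS-type (0x07) partition: LBA 2, 40 sectors; CHS fields left zero.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2, 40)
    clean = bytearray(SECTOR)
    clean[:BOOT_CODE_LEN] = b"\x90" * BOOT_CODE_LEN          # placeholder for known-good boot code
    clean[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    clean[510:512] = MBR_SIG
    baseline = hashlib.sha256(bytes(clean[:BOOT_CODE_LEN])).hexdigest()
    tampered = bytearray(clean)
    tampered[:BOOT_CODE_LEN] = b"\xCC" * BOOT_CODE_LEN        # placeholder for replaced boot code
    image[0:SECTOR] = tampered
    image[62 * SECTOR:63 * SECTOR] = clean                    # relocated original MBR
    image[60 * SECTOR:61 * SECTOR] = b"\xAA" * SECTOR         # non-zero data in unallocated space
    return bytes(image), baseline


if __name__ == "__main__":
    img, base = build_demo_image()
    for key, value in audit_image(img, base).items():
        print(f"{key}: {value}")
```

On a real disk the baseline hash comes from a known-good MBR captured before deployment, and the image is read with the suspect OS not running; a read taken through the infected system's own disk stack is exactly what point 5 says the rootkit intercepts.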
Yeah, tell me about it. I feel like a poor man begging for help all over the internet and people look at me like I have leprosy or some kind of disease. I'm about ready to throw it all in the trash and go Linux or Chromebook, sick of this stuff... especially after getting exactly just what you said on my thousand dollar Samsung all-in-one PC. Also for one to think, I was running Comodo in proactive mode, Sandboxie, WinPatrol, Avast in hardened mode with virtualization tech, and numerous other third party tools. Just out of nowhere, defenseless and helpless now, after the rootkit dug itself in on my MBR and on the 3rd reinstall of Windows itself I find its drivers back on immediately with no internet connection. ---- FYI I did start a thread in the forum. Also did command prompts and other techniques to check and verify the MBR was OK with no result.

Just out of curiosity - did you look back at your Comodo logs to see when and where the rootkit was installed? That's if it even shows up in the logs.
 
No. This rootkit is so advanced I am critical in thinking it would even show this in some kind of anomaly. It's so advanced I am uncovering that when I run the fix MBR command and do a complete reinstall of Windows, after I delete any old partition data tables other than the one I'm loading on, it is still surviving, possibly by leaving a hook on some data in case it's overwritten. Not 100% sure if that's the case but circumstantial evidence is pointing me in that direction. One of the biggest things I notice is the infected drivers it still has on the system right after a clean install with no internet connection.

Interesting with all that security stuff you had watching the gates... By any chance do you know how you got that rootkit?
 
This advanced rootkit, it seems very odd that TwinHeadedEagle was unable to find it, after all he is a malware expert and helps people who have nasty rootkits. Em, very strange, how do you know it's a rootkit, if you have 'no' proof?