LabZero
Thread author
An MBR rootkit has these features:
• Obtains control at boot-up, before the OS is loaded
• No files: the code is hidden in some areas of the disk and cannot be deleted like a normal file
• Requires no registry changes or other alterations to get auto-start: it becomes part of the boot process
• It can hide by controlling only a few disk blocks
The MBR rootkit consists of 6 elements:
1. Installer
2. MBR Loader
3. Kernel patcher
4. Kernel driver loader
5. Sectors hider/protector
6. Kernel driver
1. Installer
The installer writes the malware kernel driver to the last sectors of the disk, and then changes sectors.
2. MBR Loader
The loader is put in sector 0 (the MBR) after the original MBR has been copied to another disk sector.
3. Kernel patcher
At this point the MBR rootkit creates a function to control the sectors loaded by NTLDR; kernel areas are thus modified.
At this point the rootkit carries out its original function and then loads the rootkit driver.
4. Kernel Driver Loader
The rootkit reads from disk the data about the rootkit driver to install. Once the driver is loaded into memory, the loader calls the entry point of the driver itself.
5. Sectors hider/protector
The rootkit would not be a rootkit if it did not have the ability to hide from anti-virus. To do this it puts into practice some diversionary tactics:
When some program (probably an anti-virus) tries to read the MBR, the function modified by the rootkit returns the original MBR stored previously in another area.
It modifies the write function to prevent the MBR from being deleted or overwritten.
6. Kernel driver
Finally the rootkit driver is active and takes care of managing networking operations and protecting the areas to hide.
I conclude by saying that, in order to hide a rootkit, the MBR is indeed a very powerful tool that is difficult to detect.
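As an added, defender-side example (not part of LabZero's post): a small Python parser for the MBR layout the post describes. It reports the unallocated trailing sectors where an installer could park a driver, and searches a disk image for a relocated copy of the original MBR (same partition table as sector 0, different boot code). The 64-sector disk image is constructed inline; the boot-code strings and partition values are made up for the demonstration.

```python
import hashlib
import struct

SECTOR = 512
PT_OFFSET, SIG_OFFSET = 446, 510  # partition table and 0x55AA signature offsets

def parse_mbr(mbr: bytes) -> dict:
    """Parse a classic MBR: 446 bytes of boot code, 4 x 16-byte partition entries, 0x55AA."""
    if len(mbr) != SECTOR or mbr[SIG_OFFSET:] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        e = mbr[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        start, size = struct.unpack("<II", e[8:16])   # starting LBA, sector count
        if e[4] != 0:                                  # partition type 0 = empty slot
            parts.append({"active": e[0] == 0x80, "type": e[4], "start": start, "sectors": size})
    # hash of the boot code only, so a known-good baseline can detect a replaced loader
    return {"code_sha256": hashlib.sha256(mbr[:PT_OFFSET]).hexdigest(), "partitions": parts}

def trailing_unallocated(info: dict, disk_sectors: int) -> int:
    """Sectors after the last partition end: the 'last sectors of the disk' an installer writes to."""
    end = max((p["start"] + p["sectors"] for p in info["partitions"]), default=1)
    return disk_sectors - end

def find_relocated_mbr(image: bytes) -> list:
    """LBAs (other than 0) that carry a 0x55AA signature and the same partition table as
    sector 0 but different boot code: the shape of an original MBR parked elsewhere."""
    mbr, hits = image[:SECTOR], []
    for lba in range(1, len(image) // SECTOR):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if (s[SIG_OFFSET:] == b"\x55\xaa" and s[PT_OFFSET:SIG_OFFSET] == mbr[PT_OFFSET:SIG_OFFSET]
                and s[:PT_OFFSET] != mbr[:PT_OFFSET]):
            hits.append(lba)
    return hits

def build_sector(boot_code: bytes, entries: list) -> bytes:
    """Constructed helper: assemble an MBR from boot code and (active, type, start, size) tuples."""
    table = b"".join(struct.pack("<B3sB3sII", 0x80 if a else 0, b"\0" * 3, t, b"\0" * 3, st, sz)
                     for a, t, st, sz in entries).ljust(64, b"\0")
    return boot_code.ljust(PT_OFFSET, b"\0") + table + b"\x55\xaa"

def constructed_image() -> bytes:
    """A 64-sector image (constructed, not a real capture): sector 0 holds a replacement
    loader, one partition spans LBA 8..47, and the original MBR is copied to LBA 62."""
    entries = [(True, 0x07, 8, 40)]
    image = bytearray(64 * SECTOR)
    image[:SECTOR] = build_sector(b"REPLACED-LOADER", entries)
    image[62 * SECTOR:63 * SECTOR] = build_sector(b"ORIGINAL-BOOT-CODE", entries)
    return bytes(image)
```

Because a live rootkit hooks the read path to hand back the original MBR (element 5 above), run a check like this against the raw device from clean boot media, not from the possibly infected OS.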