
We've all heard about the Mebroot rootkit and its ability to manipulate the Master Boot Record (MBR) in order to hide itself. The MBR plays a very important role in the start-up process of a computer: once the BIOS has finished, the MBR code is the first thing it loads and executes on the way to booting the operating system. Before the new variant of Mebroot was released, the rootkit hid itself by hooking functions in the disk.sys driver; now, according to research, it looks up whatever lower device \Device\Harddisk0\DR0 is attached to and hooks that driver instead.
To hide itself from detection, the rootkit hooks the dispatch routines of disk.sys, namely IRP_MJ_READ and IRP_MJ_WRITE. Once the rootkit has infected a machine it makes a copy of the original MBR and stores it elsewhere on the hard disk. When someone then tries to read the MBR, the read hook returns the stored clean copy instead of the infected sector, so the MBR appears untouched; the IRP_MJ_WRITE hook gives it the same control over anything written to that sector. Another strength of the rootkit is that it comes with no files, processes or registry keys, so there is little to hide in the first place.
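The read-hook trick is easier to reason about with a concrete model. The following is an added example written for this page, not code from the article or from the Mebroot authors: a user-mode C simulation in which an in-memory array of 512-byte sectors plays the disk, `raw_read_sector()` stands in for the unhooked disk.sys IRP_MJ_READ path, and `hooked_read_sector()` for the rootkit's replacement. The stash location (`STASH_LBA`), the fake boot code and the partition entry are all constructed for illustration. It also shows the cross-view check a practitioner wants: read sector 0 through two different paths and compare.

```c
/* Added example, not from the original article: a user-mode model of the
 * MBR read hook described above. The "disk" is an in-memory array of
 * 512-byte sectors, raw_read_sector() stands in for the unhooked disk.sys
 * IRP_MJ_READ path, and hooked_read_sector() for the rootkit's replacement.
 * The sector layout, the stash location and the fake boot code are all
 * constructed for illustration. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SECTOR_SIZE   512
#define NUM_SECTORS   64
#define MBR_LBA       0
#define STASH_LBA     62   /* assumed: where this model stashes the clean MBR copy */
#define BOOT_CODE_LEN 440  /* boot code precedes the disk signature and partition table */

static uint8_t disk[NUM_SECTORS][SECTOR_SIZE];
static uint8_t clean_mbr[SECTOR_SIZE];
static int hook_installed = 0;

/* Unhooked path: return the sector as it really is on disk. */
static void raw_read_sector(uint32_t lba, uint8_t *out)
{
    memcpy(out, disk[lba], SECTOR_SIZE);
}

/* Hooked IRP_MJ_READ: requests for sector 0 are silently redirected to the
 * stashed clean copy, so callers above the hook never see the infected MBR. */
static void hooked_read_sector(uint32_t lba, uint8_t *out)
{
    if (lba == MBR_LBA)
        lba = STASH_LBA;
    raw_read_sector(lba, out);
}

/* What a user-mode tool reading the physical drive effectively goes through. */
static void read_sector(uint32_t lba, uint8_t *out)
{
    if (hook_installed)
        hooked_read_sector(lba, out);
    else
        raw_read_sector(lba, out);
}

/* Build a clean disk with a minimal but well-formed MBR in sector 0. */
void setup_clean_disk(void)
{
    memset(disk, 0, sizeof disk);
    memset(clean_mbr, 0, SECTOR_SIZE);
    clean_mbr[0] = 0x33; clean_mbr[1] = 0xC0;     /* xor ax,ax: constructed boot code */
    clean_mbr[0x1BE] = 0x80;                       /* partition 1: bootable flag */
    clean_mbr[0x1BE + 4] = 0x07;                   /* partition 1: NTFS type byte */
    clean_mbr[510] = 0x55; clean_mbr[511] = 0xAA;  /* boot signature */
    memcpy(disk[MBR_LBA], clean_mbr, SECTOR_SIZE);
    hook_installed = 0;
}

/* Model of the infection: stash the original MBR, replace the boot code
 * while keeping the partition table and signature intact, install the hook. */
void infect(void)
{
    memcpy(disk[STASH_LBA], disk[MBR_LBA], SECTOR_SIZE);
    memset(disk[MBR_LBA], 0x90, BOOT_CODE_LEN);    /* placeholder for the rootkit loader */
    hook_installed = 1;
}

/* Does sector 0, read through the (possibly hooked) path, match the clean MBR? */
int hooked_view_looks_clean(void)
{
    uint8_t buf[SECTOR_SIZE];
    read_sector(MBR_LBA, buf);
    return memcmp(buf, clean_mbr, SECTOR_SIZE) == 0;
}

/* Cross-view check: the same sector read through two paths should agree.
 * Returns 1 if the views differ, i.e. something between the caller and the
 * disk is rewriting reads of the MBR. */
int mbr_views_differ(void)
{
    uint8_t via_hook[SECTOR_SIZE], via_raw[SECTOR_SIZE];
    read_sector(MBR_LBA, via_hook);
    raw_read_sector(MBR_LBA, via_raw);
    return memcmp(via_hook, via_raw, SECTOR_SIZE) != 0;
}

int main(void)
{
    setup_clean_disk();
    printf("clean disk: views differ = %d\n", mbr_views_differ());
    infect();
    printf("infected:   hooked view looks clean = %d, views differ = %d\n",
           hooked_view_looks_clean(), mbr_views_differ());
    return 0;
}
```

The point of `mbr_views_differ()` is that a hook can only lie to callers above it. A detector that reaches the disk through a path below the hooked driver, or that compares against a read taken after booting from clean media, sees the real sector 0. That is also why moving the hook from disk.sys down to whatever driver sits beneath \Device\Harddisk0\DR0 matters: it shrinks the set of paths a detector can use for the second view.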
Direct Kernel Object Manipulation (DKOM) is a technique attackers use less often because of its complexity, but it is very effective at hiding an infection. It involves modifying data structures directly in kernel memory. The Windows kernel keeps every running process on a doubly linked list (the EPROCESS ActiveProcessLinks list that process enumeration ultimately walks); with DKOM a rootkit unlinks its own process entries from that list, so a list walk never sees them even though the processes keep running and their threads keep being scheduled.
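What unlinking a process looks like, and how it is caught, is shown in the following added example. It is written for this page and is not code from the article or from any rootkit: a user-mode C model in which `struct eprocess` and `struct list_entry` mimic the shape of the Windows EPROCESS object and its ActiveProcessLinks field, and a plain array plays the kernel pool. The process names and PIDs are constructed, and nothing here touches a real kernel.

```c
/* Added example, not from the original article: a user-mode model of DKOM
 * process hiding. struct eprocess and struct list_entry mimic the shape of
 * the Windows EPROCESS object and its ActiveProcessLinks field; the process
 * names and PIDs are constructed, and there is no kernel involved. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
};

struct eprocess {
    unsigned pid;
    char image_name[16];
    struct list_entry active_process_links;
};

/* Same trick the kernel uses to get from a LIST_ENTRY back to its EPROCESS. */
#define CONTAINING_RECORD(ptr, type, field) \
    ((type *)((char *)(ptr) - offsetof(type, field)))

#define NPROCS 4
static struct eprocess procs[NPROCS];            /* stands in for the nonpaged pool */
static struct list_entry ps_active_process_head; /* stands in for PsActiveProcessHead */

static void list_init(struct list_entry *head)
{
    head->flink = head->blink = head;
}

static void list_insert_tail(struct list_entry *head, struct list_entry *e)
{
    e->flink = head;
    e->blink = head->blink;
    head->blink->flink = e;
    head->blink = e;
}

/* Populate the "pool" and link every process onto the active list. */
void build_process_list(void)
{
    static const char *names[NPROCS] = { "System", "smss.exe", "explorer.exe", "rootkit.exe" };
    list_init(&ps_active_process_head);
    for (int i = 0; i < NPROCS; i++) {
        procs[i].pid = 4 * (i + 1);               /* constructed PIDs: 4, 8, 12, 16 */
        strncpy(procs[i].image_name, names[i], sizeof procs[i].image_name - 1);
        procs[i].image_name[sizeof procs[i].image_name - 1] = '\0';
        list_insert_tail(&ps_active_process_head, &procs[i].active_process_links);
    }
}

/* The DKOM step: splice the entry out of the doubly linked list. The object
 * itself is untouched. Pointing the orphaned links at themselves keeps a
 * later unlink on process exit from writing through stale pointers.
 * Returns 1 if a process with that PID was found and hidden. */
int dkom_hide_pid(unsigned pid)
{
    for (struct list_entry *e = ps_active_process_head.flink;
         e != &ps_active_process_head; e = e->flink) {
        struct eprocess *p = CONTAINING_RECORD(e, struct eprocess, active_process_links);
        if (p->pid == pid) {
            e->blink->flink = e->flink;
            e->flink->blink = e->blink;
            e->flink = e->blink = e;
            return 1;
        }
    }
    return 0;
}

/* List walk: what process enumeration ultimately relies on. */
int count_listed_processes(void)
{
    int n = 0;
    for (struct list_entry *e = ps_active_process_head.flink;
         e != &ps_active_process_head; e = e->flink)
        n++;
    return n;
}

int pid_listed(unsigned pid)
{
    for (struct list_entry *e = ps_active_process_head.flink;
         e != &ps_active_process_head; e = e->flink)
        if (CONTAINING_RECORD(e, struct eprocess, active_process_links)->pid == pid)
            return 1;
    return 0;
}

/* Cross-view detection: scan the backing memory for process objects instead
 * of trusting the list, and report those the list walk misses. */
int count_hidden_processes(void)
{
    int hidden = 0;
    for (int i = 0; i < NPROCS; i++)
        if (!pid_listed(procs[i].pid))
            hidden++;
    return hidden;
}

int main(void)
{
    build_process_list();
    printf("before: listed=%d hidden=%d\n", count_listed_processes(), count_hidden_processes());
    dkom_hide_pid(16);
    printf("after:  listed=%d hidden=%d (pid 16 listed=%d)\n",
           count_listed_processes(), count_hidden_processes(), pid_listed(16));
    return 0;
}
```

`count_hidden_processes()` is the user-mode stand-in for what memory forensics tools do when they compare a list walk against a scan of physical memory for process objects: an object that exists in the pool but is absent from the list is exactly the signature of DKOM.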
According to preliminary test results published by Prevx last year, Windows Vista is not as vulnerable to the rootkit as Windows XP. With User Account Control (UAC) enabled, the rootkit is unable to overwrite the MBR. Prevx went on to say that even if the malicious code were written into the MBR, the rootkit would still not gain full control, because the Vista boot process differs from that of XP.
Whatever method the creator of Mebroot is using to hide the infection's existence, it is clearly working, and it is keeping security software vendors and end users on their toes.
Here is a list of Alias names for the Mebroot rootkit:
| Software Vendor | Alias |
|---|---|
| F-Secure | Backdoor.Win32.Sinowal.kv [AVP] |
| a-squared | Backdoor.Win32.Sinowal.ie |
| AntiVir | BOO/Sinowal.A |
| Arcavir | Trojan.Sinowal.Ku |
| AVAST! | Win32:MBRoot-G [Rtk] |
| AVG | Crypt.NM |
| BitDefender | Trojan.Mebroot.B |
| Fortinet | W32/Sinowa.A!tr |
| Kaspersky | Backdoor.Win32.Sinowal.kv |
| McAfee | Generic PWS.y |
| Microsoft | PWS:Win32/Sinowal.gen!L |
| Norman | SinowalMBR.A |
| Panda | Trj/Torpig.EZ |
| Sophos | Troj/Mbroot-A |
| Symantec | Trojan.Mebroot |
| Trend Micro | TROJ_MEBROOT.AE |
User Comments
thanks a lot