From BootRoot to Trojan.Mebroot: A Rootkit in Your MBR!
There have been recent reports of an MBR (Master Boot Record) rootkit in the wild and, of course, we have been following up these reports and doing our own analysis. An MBR is the first sector of a storage device such as a hard disk, and is generally used for bootstrapping the operating system after the computer's BIOS has done its startup checks. Basically, if you can control the MBR, you can control the operating system and therefore the computer it resides on.
MBR-based attacks have been around since the MS-DOS era. Viruses such as Stoned, Michelangelo, Junkie and Tequila used this technique to infect systems, and it is quite incredible to see that almost ten years later, we are again facing attacks on the MBR. As we have seen, malicious code that modifies a system's MBR is not a new idea – notable research in the area of MBR-based rootkits was undertaken by Derek Soeder of eEye Digital Security in 2005. Soeder created “BootRoot”, a PoC (Proof-of-Concept) rootkit that targets the MBR.
In 2007, Nitin and Vipin Kumar of NVLabs published a second PoC MBR rootkit called “Vbootkit”, which was able to exploit the latest version of Microsoft Vista. So, where do we stand right now? The bad news is that this time the MBR rootkit is not in the form of a PoC demonstration, but is an active threat found in the wild and infecting computers through drive-by exploits via Web sites. Symantec detects this threat as Trojan.Mebroot.
Trojan.Mebroot takes control of the system by overwriting the MBR with its own code. Analysis of Trojan.Mebroot shows that its current code is at least partially copied from the original eEye BootRoot code. The kernel loader section, however, has been modified to load a custom-designed stealth back door Trojan, 467 KB in size, stored in the last sectors of the disk.
The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector 0 as a standard user is a relatively easy task. This issue has been known for quite some time, and still affects the 2K/XP families, while Vista was partially secured in 2006 (after Release Candidate 2) after a successful attack demonstration made by Joanna Rutkowska. The attack is called the “Pagefile Attack”.
Rootkits themselves are hardly a new threat, but the inclusion of the MBR as part of the infection is not considered common. They were previously demonstrated as possible, but were not identified in the wild. Now that this has changed, we expect to see more variants targeting the MBR appear in the future.
For now, Trojan.Mebroot seems to run successfully only on Windows XP (all Service Packs) due to some hard-coded values inside the attack code. For a complete analysis of the threat, please refer to our writeup for Trojan.Mebroot.
There appears to be a link between Trojan.Mebroot and Trojan.Anserin. Similarities such as the main distribution Web site and the polymorphic packer used in both threats suggest that they may be closely related.
Note: The rootkit cannot be removed while the OS is running, as it must be removed while the rootkit code itself is not running. During our tests, running the "fixmbr" command from within the Windows Recovery Console successfully removed the malicious MBR entry. To help prevent similar attacks in the future, and if your system BIOS includes the Master Boot Record write-protection feature, now is a good time to enable it!
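Because the rootkit lives in a fixed, well-documented 512-byte structure, a defender can detect an overwritten MBR before trying to clean it: record a hash of the boot-code region while the disk is known good, then compare sector 0 against that baseline later. The following is an added example written for this post, not Symantec's tooling or any code from the threat analysis. It builds two constructed sample MBRs (a clean one and one whose boot code has been replaced), parses the partition table and boot signature, and reports deviations from the recorded baseline. The raw-device paths in `read_sector0` are assumptions for illustration; reading them requires administrator privileges and a read-only open.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of every valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
DISK_SIGNATURE_OFFSET = 440           # Windows may legitimately rewrite bytes 440..445


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, four partition entries and the signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"MBR must be exactly {SECTOR_SIZE} bytes, got {len(sector)}")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:PARTITION_TABLE_OFFSET],
        "partitions": entries,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def boot_code_hash(sector: bytes) -> str:
    """Hash only bytes 0..439: the boot loader code itself. The disk signature
    and the partition table are excluded because the OS edits them legitimately;
    an MBR rootkit must change the code region to gain control at boot."""
    return hashlib.sha256(sector[:DISK_SIGNATURE_OFFSET]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means sector 0 matches the baseline."""
    findings = []
    parsed = parse_mbr(sector)
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from recorded baseline")
    if sum(p["bootable"] for p in parsed["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def read_sector0(device_path: str) -> bytes:
    """Read the first sector of a raw device, read-only. Paths are assumptions:
    r'\\\\.\\PhysicalDrive0' on Windows, '/dev/sda' on Linux; both need admin rights."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test MBR: given boot code, one bootable type-0x07 partition, valid signature."""
    code = boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 63, 1_000_000)
    table = entry + b"\x00" * 48            # three empty entries
    return code + table + BOOT_SIGNATURE


# Constructed samples: a "known good" MBR and one whose boot code was replaced.
CLEAN_MBR = make_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")   # stand-in for a stock loader
BASELINE = boot_code_hash(CLEAN_MBR)                           # recorded while the disk is clean
TAMPERED_MBR = make_sample_mbr(b"\xeb\xfe")                    # different code, same partition table

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, BASELINE) or "OK")
```

The baseline must be captured and stored off the machine while it is known clean, and the comparison is only meaningful when the sector is read from a trusted environment (for example, booted from recovery media), since a running rootkit that hooks disk reads can return the original sector to callers. The check flags an altered boot-code region while tolerating the disk-signature and partition-table edits that Windows performs itself.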
I would also like to thank Silas Barnes for his contribution to this analysis.