
Trojan.Mebroot

Risk Level 1: Very Low

Discovered:
January 7, 2008
Updated:
August 8, 2012 10:54:16 AM
Also Known As:
Troj/Mbroot-A [Sophos], StealthMBR [McAfee], TROJ_SINOWAL.AD [Trend], StealthMBR!rootkit [McAfee]
Type:
Trojan
Infection Length:
Varies
Systems Affected:
Windows 2000, Windows 7, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Operating system and software patches
2. Infection method
2.1 Drive-by downloads
2.2 Fake codecs/plugins
2.3 File sharing networks
3. Functionality
3.1 Installation
3.2 MBR modification
3.3 Boot sequence
3.4 Rootkit functionality
3.5 Networking code hooks
3.6 Back door
4. Additional information




1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.


1.1 User behavior and precautions
The execution of files from file sharing networks can lead to infection and as such users should avoid downloading files from unknown or untrusted sources. This includes fake video websites that may serve the Trojan executable under guise of it being a codec that is required to watch a streaming video.


1.2 Operating system and software patches
Users are advised to ensure that their operating systems and any installed software are fully patched and that antivirus and firewall software is up to date and operational. Users are recommended to turn on automatic updates if available so that their computers can receive the latest patches and updates when they are distributed by software vendors.



2. INFECTION METHOD
This threat is known to infect computers through a number of methods. Each of these methods is examined in more detail below.


2.1 Drive-by downloads
Trojan.Mebroot is primarily spread by websites that exploit known vulnerabilities in Web browsers and their associated plugins. These exploits are often served by kits sold on the underground market, such as Neosploit and Fragus, so the vulnerabilities targeted change frequently and are chosen according to how easily they can be exploited. Users will generally not be aware that exploitation has taken place, which is crucial to the Trojan's stealthy operation.


2.2 Fake codecs/plugins
Websites that purport to host streaming videos may be used to distribute copies of Trojan.Mebroot. An executable that masquerades as a required codec or plugin is downloaded when a user attempts to watch the deliberately non-functional embedded "video".



Search engine poisoning may be used to increase the likelihood of users visiting the fraudulent sites.


2.3 File sharing networks
Trojan.Mebroot is known to have been distributed through file sharing networks. The Trojan may deliberately be shared by attackers seeking to increase the infection levels of the threat, and as such may be given an enticing name in order to tempt users into downloading the malicious executable. Typical enticing names include those of otherwise expensive commercial software packages, key generators, and "cracked" versions of high-end applications. Copies of the threat masquerading as adult pictures and video files are also common, especially those that include the names of celebrities intended to pique users’ interest.



3. FUNCTIONALITY
Trojan.Mebroot stealthily modifies the MBR and opens a back door that has been observed to be a channel through which banking-related information stealing malware may be installed by a remote attacker. Sophisticated rootkit functionality is used to hide the presence of the threat on the compromised computer. The following sections detail the functionality and features of Trojan.Mebroot.


3.1 Installation
As outlined above, the initial Trojan.Mebroot installer is distributed by way of drive-by downloads and various other methods. The installer is an executable that has been packed using a custom polymorphic packer that can be used to hide the functionality of .exe and .sys files.

The Trojan.Mebroot installer attempts to modify the MBR so that the rootkit and back door code can be executed whenever the compromised computer starts. Early versions of the Trojan took advantage of the fact that executables running with administrative privileges could write directly to the MBR, but Windows security updates later rendered this avenue of attack infeasible.

Later versions of the Trojan used a more advanced technique to modify the MBR: a driver component was introduced that allows the Trojan to perform raw operations on disk. This method of installation has the advantage of being able to bypass many intrusion prevention and active protection systems.

The installer performs the following sequence of actions:
  1. Drops %Temp%\1.tmp, which it then executes (this process waits for synchronization)
  2. Drops a DLL copy of itself as %Temp%\2.tmp
  3. Checks user32.dll on disk to ensure that SetWinEventHook() is not hooked
  4. Injects %Temp%\2.tmp into explorer.exe to mask alterations to the operating system
  5. Drops a wrapper driver, %Temp%\4.tmp, which is registered as a privileged kernel-mode service
  6. Synchronizes the wrapper driver with %Temp%\1.tmp
  7. Cleans up temporary files and services
The Trojan now has a means of bypassing Windows security features and performing raw disk reads and writes on the compromised computer.


3.2 MBR modification
In order to ensure its execution before Windows starts, the Trojan modifies the MBRs of the first 16 drives connected to the compromised computer. The Trojan performs the following sequence of actions on each drive:

  1. Checks that the drive is bootable and not already infected
  2. Reads the partition table and copies itself to the end of the physical disk (i.e. after the "end" of the logical disk)
  3. Overwrites three sectors before the first partition with its own data, typically:
    • 60 – Kernel patcher
    • 61 – Payload patcher
    • 62 – Pre-infection MBR
  4. Overwrites the existing MBR with its own code

Following these modifications the Trojan will execute whenever the compromised computer starts.


3.3 Boot sequence
The Trojan performs the following operations on boot so that it executes before Windows starts:
  1. Loads itself into memory
  2. Hooks the interrupt used for disk read and write
  3. Passes control to the old MBR
Windows now starts as though the Trojan were not present; the Trojan, however, is able to intercept all disk reads and writes. When Windows attempts to load the operating system kernel (ntoskrnl.exe) the Trojan uses its kernel patcher – usually loaded from sector 60 – to modify the file as it is loaded. The modified kernel then calls the Trojan's payload patcher – usually loaded from sector 61 – which loads and runs the main rootkit driver from the end of the disk. The Trojan is now present throughout the operating system and the computer has been completely compromised by Trojan.Mebroot.


3.4 Rootkit functionality
The rootkit component of Trojan.Mebroot is of crucial importance to the threat's aim of remaining on the compromised computer for as long as possible. Two versions of the rootkit functionality have been observed in different variants of the threat. The first version hooked the disk.sys driver to intercept reads and writes at the driver level. Later variants placed multiple hooks in multiple drivers and also added a watchdog thread. The watchdog monitors attempts by antivirus software or other removal tools to probe or remove the threat; if it determines that system modifications made by Trojan.Mebroot have been removed or repaired, it re-enables them to ensure that the threat remains on the computer.

In order to hide its presence the Trojan intercepts disk read and write requests. The Trojan returns fake data for read requests to the MBR and the sectors of the disk that contain the threat’s code (typically sectors 60, 61, 62, and the sectors after the end of the logical disk). In the case of reads from the MBR the Trojan returns the original preinfection data that it previously saved. In the case of reads from sectors where the Trojan’s code is present it simply returns dummy empty sectors.

The Trojan does not carry out write requests to the sectors of the disk where its code is stored, but falsely reports that each such write has completed successfully.

For disk read/write operations to all other areas of the disk the Trojan uses a "magic number" that indicates that the requests should be permitted to proceed, i.e. the operation completes as though the Trojan were not present. Thus Trojan.Mebroot is able to hide its presence on the compromised computer.
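The layout described in section 3.2 (code in the MBR, data in the otherwise unused sectors between the MBR and the first partition, a payload copied beyond the end of the last partition) and the read falsification described in section 3.4 suggest two checks a responder can run against a raw disk image taken by a trusted path (for example from a bootable rescue medium): look for non-zero content in sectors that no partition claims, and compare a "live" read of the disk against the offline read sector by sector. The following Python is an added example written for this page, not code from the Symantec writeup or from the Trojan; the 128-sector disk image, the partition geometry, the stand-in byte patterns and the function names are all constructed for illustration.

```python
"""Offline inspection of a raw MBR disk image for implant-style sector usage,
plus a cross-view comparison between a (possibly cloaked) live read path and an
offline read of the same disk.  All sample data below is constructed."""
import struct

SECTOR = 512


def parse_mbr(mbr: bytes):
    """Return (boot_code, partitions) for a classic 512-byte MBR.

    Layout: 446 bytes of boot code, four 16-byte partition entries, 0x55AA.
    Each entry: status, CHS start (3), type, CHS end (3), LBA start (u32),
    sector count (u32)."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (bad length or missing 0x55AA signature)")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count:
            parts.append({"type": ptype, "start": lba_start, "count": count})
    return mbr[:446], parts


def slack_regions(image: bytes, parts):
    """Sector ranges no partition claims: the gap after the MBR up to the first
    partition, and everything after the last partition to the end of the image."""
    total = len(image) // SECTOR
    first = min(p["start"] for p in parts)
    last_end = max(p["start"] + p["count"] for p in parts)
    return {"pre_partition": range(1, first), "post_partition": range(last_end, total)}


def nonzero_sectors(image: bytes, sectors) -> list:
    """Sectors in the range that are not all zero.  Unallocated space on a freshly
    partitioned disk is normally zero, so content here deserves a closer look."""
    return [n for n in sectors if any(image[n * SECTOR:(n + 1) * SECTOR])]


def inspect(image: bytes) -> dict:
    """Report non-zero sectors in each slack region of the image."""
    _, parts = parse_mbr(image[:SECTOR])
    return {name: nonzero_sectors(image, rng) for name, rng in slack_regions(image, parts).items()}


def cross_view_diff(live: bytes, offline: bytes) -> list:
    """Sector numbers where the live view and the offline view disagree.  A rootkit
    that answers MBR reads with a saved pre-infection copy and answers reads of its
    own sectors with empty sectors produces exactly this kind of discrepancy."""
    if len(live) != len(offline):
        raise ValueError("views must cover the same sector range")
    return [n for n in range(len(live) // SECTOR)
            if live[n * SECTOR:(n + 1) * SECTOR] != offline[n * SECTOR:(n + 1) * SECTOR]]


def build_sample_images():
    """Constructed 128-sector disk with one partition at LBA 63 spanning 60 sectors.
    Returns (clean, infected, live): the infected image mimics the 3.2 layout with
    stand-in bytes (loader in the MBR, data in sectors 60/61, saved original MBR in
    62, payload after the partition); 'live' is what a cloaked read path would show."""
    total = 128
    clean_mbr = bytearray(SECTOR)
    clean_mbr[:16] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 9  # stand-in boot code
    struct.pack_into("<B3sB3sII", clean_mbr, 446,
                     0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 60)
    clean_mbr[510:512] = b"\x55\xaa"
    clean = bytearray(total * SECTOR)
    clean[:SECTOR] = clean_mbr

    infected = bytearray(clean)
    infected[:446] = b"\xea" * 446                              # stand-in MBR loader code
    infected[60 * SECTOR:61 * SECTOR] = b"STANDIN-KERNEL-PATCHER".ljust(SECTOR, b"\x00")
    infected[61 * SECTOR:62 * SECTOR] = b"STANDIN-PAYLOAD-PATCHER".ljust(SECTOR, b"\x00")
    infected[62 * SECTOR:63 * SECTOR] = clean_mbr               # saved pre-infection MBR
    infected[124 * SECTOR:128 * SECTOR] = b"\xcc" * (4 * SECTOR)  # payload past the partition

    live = bytearray(infected)
    live[:SECTOR] = clean_mbr                                   # MBR read answered with the original
    for n in (60, 61, 62, 124, 125, 126, 127):
        live[n * SECTOR:(n + 1) * SECTOR] = bytes(SECTOR)       # implant sectors read as empty
    return bytes(clean), bytes(infected), bytes(live)


if __name__ == "__main__":
    clean, infected, live = build_sample_images()
    print("clean image slack content:   ", inspect(clean))
    print("infected image slack content:", inspect(infected))
    print("live vs offline differences: ", cross_view_diff(live, infected))
```

Run stand-alone, the script reports empty slack regions for the clean image, sectors 60 to 62 and 124 to 127 for the infected one, and a cross-view difference set that includes sector 0: the live path hands back the original MBR while the offline read shows the replaced boot code. On a real disk the offline view has to come from a path the rootkit cannot hook, which is why the comparison is only meaningful when the second read is taken from outside the running operating system.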


3.5 Networking code hooks
Trojan.Mebroot is able to bypass many host-based firewalls by hijacking low-level components of the Windows networking subsystem. The Trojan first searches for a suitable network interface that is configured to use either the PSched or TCP/IP protocol. It sends and receives data by hooking the following functions in the Network Driver Interface Specification (NDIS) layer:
  • SendPacketsHandler()
  • SendCompleteHandler()
  • ReceiveHandler()
  • ReceivePacketHandler()
The Trojan thus effectively establishes its own private networking stack that it uses to open a back door.


3.6 Back door
Trojan.Mebroot opens a back door that uses a custom encrypted protocol to communicate with a command and control (C&C) server. The back door allows malicious files to be downloaded and executed on the compromised computer.

First, the Trojan attempts to connect to one of several C&C servers whose host names are hard-coded in the Trojan executable. If none of these host names resolve to a valid IP address, the Trojan generates a pseudo-random host name using a number of hard-coded strings chosen based on the current date, to which it then attempts to connect using HTTP. Early Trojan.Mebroot variants used operating system APIs to retrieve the current date, while later variants send HTTP GET requests to a number of legitimate websites in order to retrieve the date from the HTTP header in the reply.

When able to connect to a C&C server, Trojan.Mebroot first sends an initial encrypted packet that contains the "magic" sign-on command "BIP", as well as some other strings that characterize the threat. These can be seen in the top right of the following example of a decrypted packet:




The decryption key, which is always the first dword of the packet, is also shown in the above image; the reply from the C&C server must start with this key or the packet will be discarded. Also present in the packet is the secondary key that will be used to provide an encrypted communications channel between the C&C server and the downloaded payload files.

The C&C server can install files on compromised computers by sending a packet that includes the "INST" (for "install") command. Two encrypted DLLs are initially sent by the C&C server along with meta-data that describes how they should be injected into certain carefully selected processes.

Analysis of the Trojan.Mebroot code shows that the back door allows a remote attacker to perform the following actions on the compromised computer:
  • Install user-mode DLLs or updates to the Trojan
  • Uninstall user-mode DLLs or updates to the Trojan
  • Cause a trusted process to launch a new process
  • Execute any driver in kernel mode

The back door component of Trojan.Mebroot is extremely powerful; code loaded on to compromised computers by the C&C server is never stored on disk, which means that only antivirus scanners that scan memory are able to detect the downloaded payloads by way of traditional signatures.

The downloaded payloads have been observed to be keyloggers and information-stealing Trojan horses that are able to execute at the highest level of privilege, steal sensitive and potentially damaging information, and relay this information back to an attacker by way of a backchannel that can bypass security software. For these reasons, and as a result of its advanced engineering, at the time of discovery and analysis Trojan.Mebroot was considered to be one of the stealthiest and most professionally produced Trojan horses thus far seen.



4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Henry Bell