SANS ISC: Master Boot Record rootkit

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Matt Richard from Verisign sent us some information regarding the Master Boot Record (MBR) rookit that's been found in the wild in the past weeks.

The first interesting part is the timeline:

• Aug 1, 2005 - eEye publishes PoC code
  http://research.eeye.com/html/tools/RT20060801-7.html
• Aug. 3, 2007 - Vbootkit presentation at Black Hat USA
  http://www.blackhat.com/presentations/bh-europe-07/Kumar/Presentation/bh-eu-07-kumar-apr19.pdf
• Oct. 30, 2007 - Original version of MBR rootkit written and tested by attackers
• Dec. 12, 2007 – First known attacks installing MBR code;
  about 1,800 users infected in four days.
• Dec. 19, 2007 - Second wave of attacks installing MBR code;
  about 3,000 users infected in four days
• Dec. 22, 2007 – Malware Research Form members discover rootkit in the wild
• Jan. 2, 2007 - GMER research and analysis of MBR Rootkit code
  http://www2.gmer.net/mbr/
• Jan. 7, 2007 – First anti-virus vendors detect MBR rootkit component

The next big thing is that those distributing this rootkit, also distribute the Torpig banking Trojan.

The rootkit is currently being installed through a set of relatively old, and easy to patch Microsoft vulnerabilities:

• Microsoft JVM ByteVerify (MS03-011)
• Microsoft MDAC (MS06-014) (two versions)
• Microsoft Internet Explorer Vector Markup Language (MS06-055)
• Microsoft XML CoreServices (MS06-071)

But that can change at any moment to something more recent.

The different files involved had rather spurious detection in the anti-virus world.

--
Swa Frantzen -- Gorilla Security