January 13, 2008
meboot
This trojan horse (or virus) hides like a rootkit, using some of the old techniques MBR viruses used 10-20 years ago.
Its main purpose is to steal login information for 900 different financial institutions. All unpatched versions of the NT family are vulnerable, including XP Service Pack 2 and Vista.
Once it installs from a web site it downloads keyloggers and other malware. Those files can be detected and cleaned by your AV, but the MEBOOT infection will simply reinstall them. So you have to snuff out the main part of the infection, which can't be seen or tampered with from inside the OS.
To see the infection you need an anti-rootkit program that compares what Windows claims is on the hard disk with what is actually on the hard disk. To fix the problem you need to run from the recovery console (see references below).
vulnerableOS
any NT-family OS (including Windows XP SP2 and Vista)
vector
web page
requirements
- downloaded from a web site
- the user has administrative rights
- writes directly to the hard disk (not through Windows routines)
- writes to the MBR

- password-protect your BIOS (not available on all motherboards)
- use a patched OS
- anti-rootkit program using the cross-diff method
  gMer has one tuned specifically for this infection; also bootscan from vil.nai.com

- 'FIXMBR' at the recovery console
- 'FDISK /MBR' at the recovery console
- reflash your BIOS (can result in a computer that no longer runs)
- remove the BIOS (CMOS) battery
- rescue disks previously made
  using one from another computer may remove your partitioning and destroy all your data.
- Matthew Richards, director of VeriSign Inc.'s iDefense Labs
- ISC (Internet Storm Center) analysts, "Gmer", and Derek Soeder and Ryan Permeh at eEye (POC presentation at BlackHat USA 2005)
- Nitin Kumar and Vipin Kumar (authors of Vbootkit)

references
- overviews
  - http://news.bbc.co.uk/1/hi/technology/7183008.stm
  - http://www.pcworld.idg.com.au/index.php/id;375493008
- technical analysis
  - http://www2.gmer.net/mbr/
  - POC (BootRoot), eEye http://research.eeye.com/html/tools/RT20060801-7.html
  - "Understanding Virus Behavior under Windows NT", Symantec http://www.symantec.com/avcenter/reference/virus.behavior.under.win.nt.pdf
  - "Pagefile attack", Joanna Rutkowska http://theinvisiblethings.blogspot.com/2006_10_01_archive.html
  - BlackHat 2007 presentation by Nitin Kumar and Vipin Kumar http://www.blackhat.com/presentations/bh-europe-07/Kumar/Presentation/bh-eu-07-kumar-apr19.pdf
  - using the recovery console http://support.microsoft.com/?kbid=314058
  - using "FDISK /MBR" http://support.microsoft.com/kb/166454
  - information about MBRs http://thestarman.pcministry.com/asm/mbr/index.html
- alter the MBR
  - write the content of the malicious kernel driver (244 736 bytes) to the last sectors of the disk
  - copy the original MBR to sector 62
  - modify sector 0 with the new MBR
  - modify sector 60
  - modify sector 61 with the kernel part of the loader
- patch the kernel
  - changes the kernel to call nt!IoInitSystem
- boot the system
  - read the altered kernel code from sector 61
  - hook INT 13h
  - cloak: the disk driver's read path (IRP_MJ_READ) is modified so that a read of sector 0 returns sector 62 (the saved original MBR) instead
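The cloaking step above is exactly what the cross-diff method mentioned earlier catches: on an infected machine the OS reports the saved original MBR for sector 0, while a read made outside the OS (a rescue disk, or an anti-rootkit driver's own low-level read) sees the modified sector. The following is an added example, not code from the original post or from gMer or any vendor tool. It parses a 512-byte MBR, compares an "OS view" of sector 0 against a "raw view", and searches a small constructed disk image for the sector holding a copy of what the OS reports. All sector contents, partition entries and the 64-sector image are constructed sample data; no real boot code is involved, and the sector numbers (0 and 62) are the ones stated on this page.

```python
"""Added example: MBR parsing and a cross-diff check of the kind an
anti-rootkit tool performs. All data below is constructed, not captured."""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
BOOT_SIGNATURE = 0xAA55      # stored little-endian as 55 AA at offset 510
BACKUP_SECTOR = 62           # sector this page says the original MBR is copied to


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot code, four partition entries and a signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status byte, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "boot_code": sector[:PART_TABLE_OFFSET],
        "partitions": partitions,
        "signature_ok": struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE,
    }


def build_sample_mbr(marker: bytes) -> bytes:
    """Constructed MBR: placeholder boot code carrying `marker`, one NTFS-type entry, valid signature."""
    boot_code = (b"CONSTRUCTED-" + marker).ljust(PART_TABLE_OFFSET, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2000000)
    table = entry + b"\x00" * 48                       # three unused entries
    return boot_code + table + struct.pack("<H", BOOT_SIGNATURE)


ORIGINAL_MBR = build_sample_mbr(b"ORIGINAL-BOOT-CODE")


def build_sample_disk(infected: bool) -> bytes:
    """Constructed 64-sector image modelled on the layout described above (no malware code)."""
    sectors = [b"\x00" * SECTOR_SIZE] * 64
    if infected:
        sectors[0] = build_sample_mbr(b"MODIFIED-BOOT-CODE")  # new boot code, same partition table
        sectors[BACKUP_SECTOR] = ORIGINAL_MBR                  # original stashed in sector 62
    else:
        sectors[0] = ORIGINAL_MBR
    return b"".join(sectors)


def read_sector(image: bytes, n: int) -> bytes:
    return image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]


def cross_diff(os_view: bytes, raw_view: bytes) -> dict:
    """Compare what the OS reports for sector 0 with what was read outside the OS."""
    os_mbr, raw_mbr = parse_mbr(os_view), parse_mbr(raw_view)
    return {
        "identical": os_view == raw_view,
        "boot_code_differs": os_mbr["boot_code"] != raw_mbr["boot_code"],
        "partition_table_differs": os_mbr["partitions"] != raw_mbr["partitions"],
        "raw_signature_ok": raw_mbr["signature_ok"],
        "os_sha256": hashlib.sha256(os_view).hexdigest(),
        "raw_sha256": hashlib.sha256(raw_view).hexdigest(),
    }


def locate_original_copy(image: bytes, os_view: bytes):
    """Return the first sector other than 0 whose raw contents equal the OS's view of sector 0."""
    for n in range(1, len(image) // SECTOR_SIZE):
        if read_sector(image, n) == os_view:
            return n
    return None


if __name__ == "__main__":
    # On the infected sample the hooked read path hands the OS the original MBR,
    # so the OS view is ORIGINAL_MBR while the raw sector 0 is the modified one.
    disk = build_sample_disk(infected=True)
    report = cross_diff(ORIGINAL_MBR, read_sector(disk, 0))
    print("cross-diff:", {k: v for k, v in report.items() if not k.endswith("sha256")})
    print("original MBR copy found in sector:", locate_original_copy(disk, ORIGINAL_MBR))
```

The telling pattern is boot code that differs while the partition table is unchanged and the signature is still valid: the disk still boots normally, which is why nothing looks wrong from inside Windows. Recording the SHA-256 of sector 0 while a machine is known clean gives a baseline to compare against on later rescue-disk reads, independent of whatever the running OS reports.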
Experience the computer club and all its SIG groups that meet at Chapman University, California on the 1st Sunday of every month.
SECSIG meets in the Science building, room 203, at 11:15 am.
By attending the SECSIG you can ask questions and open discussions about troubling situations you are dealing with now.
The RSS feed address is http://ocsecsig.blogspot.com/atom.xml
Dave Keays, SIG leader