Back to MBR infections with Mbroot

Date: March 04, 2008

Publication: Article

This article uses the recent emergence of the Trojan horse known as "Mbroot" to review the techniques it uses to infect a user's machine.

Some attack vectors were thought to have been abandoned, replaced by ones that exploit newer information technologies such as the web or, more generally, telecommunications; nobody expected the old recipes to emerge again. Forgotten for a decade, MBR infections have found a second wind by combining with newer concepts such as rootkits.

Why forgotten?

Because MBR infections are closely linked to boot viruses. For twenty years these had a preferred medium: floppy disks, which have now become a scarce commodity.
Most laptops and recent computers are no longer equipped with a floppy disk drive. It is therefore easy to see why infections through this medium, and MBR infections with them, died out along with the technology itself.

No hasty conclusions should be drawn, however: if this vector has been somewhat neglected, others have evolved with new media such as USB flash drives, removable disk drives, and so on. Few of them are able to infect the MBR, even though most of these media are known to be "bootable".

A bit of etymology!

Mbroot combines the acronym MBR (Master Boot Record) with "Root", which stands for "Rootkit". Called Mbroot by some, Mebroot or StealthMBR by others, these "new" malware programs are becoming more sophisticated. Their designers are redoubling their efforts and adapting to changing technology (web 2.0, virtualization, peer-to-peer, etc.). Yet the old tricks are still good to reuse.

What is the MBR?

Without going deep into the technical details of a computer's boot sequence, the MBR is the first boot sector of a hard disk. It contributes to operating system initialization at the point where the BIOS boot sequence ends and tries to hand over to the initialization sequence of the operating system. The code contained in the MBR then locates the boot routine that launches the operating system.

What is a "RootKit"?

Unlike MBR infections, rootkits illustrate recent attack techniques. Today it is difficult to give an exact definition of what "rootkits" really are, as they have evolved over time. They are not intended to replicate as viruses do, or to spread like worms. Coming from the Unix world, which made them famous, they have the image of toolboxes whose purpose is to provide an arsenal of camouflage techniques. Their main goal is to keep malware (backdoors, viruses, worms, keyloggers, etc.) hidden and undetectable by the protections of a compromised system.

Their installation modes can vary, but are often related to deception or negligence (spam, surfing malicious websites, use of infected self-bootable devices, exploiting vulnerabilities, etc.). To be stealthy and able to conduct attacks without the knowledge of the user, rootkits must act in the lower layers of the system, i.e. at the kernel level; they can even use special processor instruction sets (virtualization). To be installed, they often require administrative permissions, which can slow down their progress. Most of the time, they are installed as drivers or system components. Once installed, they are able to hide and to manipulate processes, system files or registry keys, which they exploit with total impunity.

Why a renewed interest in the MBR?

It is surprising that boot sector attacks are of particular interest to malware designers. Attackers quickly observed that "an operating system is more difficult to attack when it is running than when it is not". Since it is becoming increasingly difficult to defeat the security of such systems, the idea is to exploit them before they start.

An MBR infection has this advantage over other techniques: it gives the "rootkit" access to the system before it starts, and therefore the ability to manipulate its functioning and to exploit its weaknesses.

Is this a new trend?

Not really. New techniques have been emerging for a long time. Some as "Proof-of-Concept" (PoC) code, others as viruses or worms, all have contributed to this movement. Some pieces of code were reused, others "plagiarized", giving birth to a multitude of variants, and the techniques were refined over time. It must be noted that while systems have evolved and are protected, some ahead of the threat and others lagging behind it, the techniques used by attackers have also advanced.

Remember the "Bootroot" project from eEye, presented at BlackHat 2005. Its "Proof-of-Concept" code demonstrated that it was possible to run before the Windows kernel and to remain running once the operating system had started.

Other programs have emerged. Among the most famous, the "Blue Pill" prototype from Joanna Rutkowska exploits processor virtualization technologies such as "Pacifica" from AMD or "Intel VT" from Intel. In the form of a "PoC", this code can take full control of a vulnerable 64-bit operating system. "Microsoft Windows Vista x64" was thought to be safe from such an attack; that was a mistake. A patch had to be added in Release Candidate 2 of the system to fix the problem. Although this code was developed specifically against "Microsoft Vista x64", it cannot be ruled out that it is transferable to other vulnerable operating systems.
 
Virtualization, and its exploitation by malicious code, is a new security issue. Microsoft, for its part, is said to have demonstrated this by producing a stealthy rootkit named "SubVirt", which exploits virtualization technologies.

Mbroot Analysis!
 
Mbroot is a Trojan horse which illustrates the use of the technologies we just described. Exploiting the MBR enables it to control the system before the system can put its own protections in place. It first rewrites the MBR, replacing it with its own code so as to get ahead of the Microsoft system that is about to be launched. A copy of the original MBR is written to sector 62 of the attacked system's disk, and any access to sector 0 is redirected to that copy. This, of course, allows it to stay as stealthy as possible.
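The MBR layout and the sector 62 copy described above can be checked from the defender's side. The following is an added example, not code from the original article or from any vendor analysis: it parses sector 0 of a raw disk image and reports a boot sector stashed at sector 62. It assumes the image was acquired offline (from another boot medium), since on a running infected system reads of sector 0 are redirected; the function names and the sample images are constructed for illustration.

```python
import struct

SECTOR = 512
BACKUP_LBA = 62          # sector the article says receives the original MBR
SIGNATURE = b"\x55\xaa"  # boot signature in the last two bytes of an MBR

def parse_partitions(mbr):
    """Return the used entries of the four-slot partition table at offset 446."""
    used = []
    for slot in range(4):
        raw = mbr[446 + 16 * slot:462 + 16 * slot]
        status, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if ptype:
            used.append({"slot": slot, "active": status == 0x80,
                         "type": ptype, "start_lba": start, "sectors": count})
    return used

def check_image(image):
    """List findings for a raw disk image acquired offline (bytes)."""
    mbr = image[:SECTOR]
    stash = image[BACKUP_LBA * SECTOR:(BACKUP_LBA + 1) * SECTOR]
    if len(mbr) < SECTOR or mbr[510:] != SIGNATURE:
        return ["sector 0 has no valid boot signature"]
    findings = []
    for part in parse_partitions(mbr):
        if part["start_lba"] <= BACKUP_LBA:
            findings.append("slot %d starts at LBA %d: sector 62 is inside a "
                            "partition, heuristic unreliable"
                            % (part["slot"], part["start_lba"]))
    if len(stash) == SECTOR and stash[510:] == SIGNATURE:
        kind = "identical to" if stash == mbr else "different from"
        findings.append("sector 62 holds a boot sector %s sector 0" % kind)
    return findings

def make_mbr(fill):
    """Constructed sample sector: filler 'boot code', one partition at LBA 63."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 204800)
    return bytes([fill]) * 446 + entry + bytes(48) + SIGNATURE

# Constructed images (64 sectors each), not captured from a real infection.
CLEAN = make_mbr(0x90) + bytes(63 * SECTOR)
SUSPECT = make_mbr(0xCC) + bytes(61 * SECTOR) + make_mbr(0x90) + bytes(SECTOR)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, check_image(img) or "no findings")
```

A boot sector found at sector 62 is a heuristic indicator to investigate, not proof of infection; comparing the boot code in sector 0 against a known-good MBR for the installed system settles the question.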

The various analyses carried out by different anti-virus vendors show that Mbroot is mainly based on the "Bootroot" code mentioned above. Only the part of the code that implements the backdoor has changed. It attempts to download a 467 KB piece of malware from a malicious site and tries to hide it in the last sector of the disk. This malware tries to bypass the protections of the infected computer and installs the backdoor, which can be used to take full control of the system. Several variants of such backdoors have been identified (Sinowal, Torpig, etc.).

What is Mbroot's future?

At this time, Mbroot seems to affect only Windows XP systems. The several variants discovered suggest that it is still in a development and prototyping phase. New variants exploiting new weaknesses will appear.

How to protect against Mbroot?

There is no magic formula. MBR protection is offered by almost all recent BIOSes. Enabling this protection once a clean system has been installed can reduce the risk of the system being controlled by a rootkit such as Mbroot.

For more information:

Symantec description for MBroot

Symantec analyses Mbroot as an experiment for future attacks