MBR rootkit – the story so far

During this week, there was quite a lot of talk about an MBR rootkit Trojan spotted in the wild at the end of December 2007. The Trojan uses techniques similar to old boot sector viruses to infect the system and remain active in memory. This method allows the Trojan, detected by Sophos as Troj/Mbroot-A, to stay hidden from security tools such as anti-malware software as long as its code is started before the security software.

In addition to that, the rootkit hooks the IRP_MJ_READ and IRP_MJ_WRITE routines in the driver disk.sys to hide the malicious sectors of the drive when they are accessed by other programs. That way, the rootkit stays hidden, and detection requires either special anti-rootkit tools or booting from a clean bootable disk, as in the good old days of DOS.

So how does the rootkit get installed in the first place? Troj/Mbroot-A infections have been installed via several malicious web pages hosting older browser exploits. These exploits download and launch the Trojan dropper, which writes its loader to the MBR and sectors 60 and 61 of the hard drive. The original MBR is still used during the boot process, and is returned when the infected MBR is accessed in order to hide the infection. The original MBR is saved to sector 62.

Boot sector infection
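As an added example (not code from the original post), the following Python check inspects a raw disk image, taken after booting from a clean disk so the hooked disk.sys is not in the way, for the layout described above: a loader in sectors 60 and 61 and a saved copy of the original MBR in sector 62. It assumes a byte-for-byte image whose first partition starts at LBA 63, so sectors 1 to 62 are normally zero-filled; the sample image it builds is constructed, not a dump of a real infection.

```python
import struct

SECTOR = 512
LOADER_SECTORS = (60, 61)   # where the post says the loader is written
BACKUP_SECTOR = 62          # where the post says the original MBR is saved


def read_sector(image: bytes, lba: int) -> bytes:
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def looks_like_mbr(sector: bytes) -> bool:
    """True if the sector carries the 0x55AA boot signature and at least one
    partition entry with a sane boot flag and a non-zero type and size."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    for i in range(4):
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        boot_flag, ptype = entry[0], entry[4]
        size = struct.unpack_from("<I", entry, 12)[0]
        if boot_flag in (0x00, 0x80) and ptype and size:
            return True
    return False


def scan_image(image: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious.
    Assumption: sectors 1..62 are unused (first partition at LBA 63)."""
    findings = []
    mbr = read_sector(image, 0)
    backup = read_sector(image, BACKUP_SECTOR)
    for lba in LOADER_SECTORS:
        if any(read_sector(image, lba)):
            findings.append(f"sector {lba} is not zero-filled")
    if looks_like_mbr(backup) and backup != mbr:
        findings.append(f"sector {BACKUP_SECTOR} holds an MBR that differs from sector 0")
    return findings


def build_sample(infected: bool) -> bytes:
    """Constructed 63-sector image with one NTFS-typed partition at LBA 63."""
    entry = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 1_000_000)
    table = entry + b"\x00" * 48 + b"\x55\xaa"
    clean_mbr = b"\xfa\x33\xc0" + b"\x90" * 443 + table      # stand-in boot code
    sectors = [clean_mbr] + [b"\x00" * SECTOR] * 62
    if infected:
        sectors[0] = b"\xeb\x3c" + b"\xcc" * 444 + table     # stand-in loader, same table
        sectors[60] = sectors[61] = b"\xcc" * SECTOR         # stand-in loader body
        sectors[62] = clean_mbr                              # original MBR saved here
    return b"".join(sectors)
```

Running `scan_image` over a real image only makes sense from a clean boot, since the post explains that the hooked disk.sys returns the original MBR and hides the loader sectors on a live infected system.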

Once the system is infected, the Trojan waits between 30 and 45 minutes before initiating a system shutdown. This ensures that the Trojan becomes hidden on the system. Once hidden, the rootkit starts communicating with a number of web pages using HTTP POST requests. (At the moment, the purpose of these requests is not clear.)

The generated network traffic could be used by Network Intrusion Detection Systems such as Snort to detect potential infection of a system on the network (a number of random-looking .COM domains are used, with POST requests to a URL ending in /service/).

The number of computers infected by Troj/Mbroot-A is unknown, but SANS reports that it may well be several thousand, though none of them would have had Sophos Anti-Virus installed. Sophos already detected the rootkit proactively as Mal/Sinowa-A at the time it appeared. In addition to that, the rootkit will not be able to infect systems with up-to-date security patches or correctly administered systems that do not allow regular users to run with local administrator privileges.

Unfortunately, there are still plenty of unpatched Windows computers out there that could become infected with this Trojan. The extent of its success could make MBR infection popular with the virus-writing groups once again, after many years, as it provides a good way of hiding malicious software. On the other hand, this method of loading is highly platform dependent, and therefore unreliable, because the Windows loader and kernel may change significantly from version to version and even from service pack to service pack.