These days malware authors use cutting-edge, blended attack vectors to infect machines and spread while avoiding AV detection. Such threats are often difficult to detect and clean.
We saw MBR (Master Boot Record) viruses back in the DOS era, while rootkit use has been growing in recent years. In January 2008 McAfee came across a new threat that blends rootkit and MBR-infection functionality, named StealthMBR.
It is installed on a victim's machine through browser exploits when the user visits a malicious website. During infection it copies itself to the %temp% folder and starts as a service. The service overwrites the MBR with its own code and keeps a backup of the original MBR in sector 62. It also writes rootkit loader code to sectors 60 and 61 and stores the rootkit components in the last sectors of the active partition. It then restarts the system.

Picture showing infected MBR
Upon reboot, the infected MBR takes control of the system and hands control to the rootkit loader code. The loader code then patches the kernel to load and start the rootkit component.
The rootkit module hooks IRP_MJ_READ and IRP_MJ_WRITE in the IRP table of \\driver\Disk and protects itself from being modified. When the MBR is read, it returns the original MBR code from sector 62 instead of the infected sector 0. This technique prevents many security tools from detecting and cleaning the malware.

Picture showing a part of rootkit loader module in sector 61
Given the nature of this threat (rootkit plus MBR infection), it needs a complex cleaning routine that is difficult to achieve with regular AV techniques.
Until now the Windows Recovery Console was the recommended way to clean this threat. We at Avert Labs have developed a new cleaning method and incorporated it into DAT 5212 and above (VSE 8.5 and VSO with the rootkit scanning option enabled). The cleaning unhooks the IRP_MJ_READ and IRP_MJ_WRITE entries of the \\driver\Disk IRP table in memory and then restores the original MBR from sector 62 to sector 0.
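The on-disk layout described above (infected code in sector 0, loader stubs in sectors 60 and 61, the original MBR backed up in sector 62) can be checked and repaired offline, for instance on a disk image taken from boot media, where the in-memory IRP hooks are not active. The following Python script is an added example, not McAfee or Avert Labs code: it builds a constructed 64-sector image, simulates the infection layout the post describes, flags the tell-tale second MBR in sector 62, and copies it back over sector 0. The heuristic (a valid MBR in sector 62 sharing sector 0's partition table but with different boot code), the sector-60/61 check and the sample image are assumptions made for the example.

```python
"""Offline detection and repair of a StealthMBR-style disk layout.
Added example (not McAfee/Avert Labs code). Operates on a raw image as bytes;
on a live infected system the rootkit hides the real sector 0, so run this
against an image or from boot media."""
import struct

SECTOR = 512
BACKUP_SECTOR = 62        # where StealthMBR keeps the original MBR (per the post)
LOADER_SECTORS = (60, 61)  # where it writes its rootkit loader code (per the post)


def read_sector(image, n):
    return image[n * SECTOR:(n + 1) * SECTOR]


def is_valid_mbr(sector):
    """Plausibility check: 0x55AA signature, sane boot flags, and at least one
    partition entry with a non-zero type, LBA start and size."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    usable = False
    for i in range(4):
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        boot_flag, ptype = entry[0], entry[4]
        lba_start, lba_size = struct.unpack_from("<II", entry, 8)
        if boot_flag not in (0x00, 0x80):
            return False
        if ptype and lba_start and lba_size:
            usable = True
    return usable


def partition_table(sector):
    return sector[446:510]


def find_stealthmbr_backup(image):
    """Heuristic (assumption of this example): sector 62 normally lies in the
    unused gap before the first partition, so a valid MBR there whose partition
    table matches sector 0 but whose boot code differs indicates the backup
    copy the post describes."""
    s0, s62 = read_sector(image, 0), read_sector(image, BACKUP_SECTOR)
    return (is_valid_mbr(s0) and is_valid_mbr(s62)
            and partition_table(s0) == partition_table(s62)
            and s0[:446] != s62[:446])


def loader_sectors_present(image):
    """Report whether sectors 60/61 still hold data after cleaning (they are
    not restored by copying sector 62 back, so this flags leftover code)."""
    return any(read_sector(image, n).strip(b"\x00") for n in LOADER_SECTORS)


def restore_mbr(image):
    """Return a copy of the image with sector 62 written back over sector 0,
    the final step of the cleaning routine the post describes."""
    if not find_stealthmbr_backup(image):
        return image
    return read_sector(image, BACKUP_SECTOR) + image[SECTOR:]


def build_sample_image():
    """Constructed 64-sector test image: returns (clean, infected)."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + bytes(441)       # padded to 446 bytes
    # one active partition, type 0x07, starting at LBA 63 (constructed values)
    entry = bytes([0x80, 1, 1, 0, 0x07, 0xfe, 0xff, 0xff]) + struct.pack("<II", 63, 1_000_000)
    table = entry + bytes(48)
    mbr = boot_code + table + b"\x55\xaa"
    clean = mbr + bytes(63 * SECTOR)
    # infection layout: own code in sector 0 (table kept), loader in 60/61,
    # original MBR backed up to sector 62
    fake_code = b"\xeb\x1e" + b"\x90" * 444
    infected = (fake_code + table + b"\x55\xaa"
                + clean[SECTOR:60 * SECTOR]
                + b"LOADER".ljust(SECTOR, b"\x00") * 2
                + mbr
                + clean[63 * SECTOR:])
    return clean, infected


if __name__ == "__main__":
    clean, infected = build_sample_image()
    print("backup MBR found:", find_stealthmbr_backup(infected))
    repaired = restore_mbr(infected)
    print("sector 0 restored:", repaired[:SECTOR] == clean[:SECTOR])
    print("loader code left in 60/61:", loader_sectors_present(repaired))
```

Restoring sector 0 leaves the loader stubs in sectors 60 and 61 in place; they are dead once the MBR no longer jumps to them, which is why `loader_sectors_present` is reported separately rather than treated as an infection.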

Picture showing MBR restored from sector 62 after cleaning.
Kudos to Harinath Ramachetty and Rachit Mathur for providing a solution for this nasty threat!!!
Hi there, I was infected and fixed it with the mbrfix in the Console, BUT GMER still reports malicious code in sector 61. I know it is dead code, but is there a way to remove it too? Thanks in advance.
Would you guys expect to see more of these kinds of rootkits? It seems like everyone has been focusing on kernel mode rootkits and the splashy VM rootkits, but things like this look more practical and easier to implement.
Very nice blog & absolutely informative