New variants of the StealthMBR trojan, aka the Mebroot rootkit, have recently been spotted in the wild. These new variants differ significantly from earlier ones.
StealthMBR has arguably been dubbed the stealthiest rootkit seen to date, and the new variants use even deeper techniques to evade detection. Broadly speaking, they hijack a kernel object (the disk device object) to filter access to the master boot record, preventing both detection and repair. Earlier variants installed low-level hooks on the IRP table of \driver\disk; the new variants are able to hook the IRP table of an even lower driver. These hooks are also not present all the time: they are installed only on demand, and the hijacked disk device object is what makes this possible. Detection is not the only problem; the threat also poses cleaning challenges, because it installs watching mechanisms that re-infect the machine. The following image shows what an infected MBR looks like. Booting from an external medium and inspecting the MBR from there should reveal the infection.
The following image shows the hijacked kernel object for the disk device.
Once installed, this threat does not require any file or registry entry to sustain itself on the compromised machine. Installation does, however, require a dropper executable, which has also changed compared with older variants. Detection for the new droppers has been added as StealthMBR.a. The good news is that we already had proactive detection for some of the dropped files as PWS-JA.gen.a, which should help identify problems and prevent users from getting infected in the first place. We have also developed a solution for detecting and removing this threat once a machine is compromised. It is currently under QA and will be delivered through regular DAT updates very shortly.
While we are on this subject, we also wanted to plug an upcoming webcast. We will be discussing the workings of the StealthMBR rootkit and how we deliver solutions for complex threats like these through regular DAT updates, without the need for special stand-alone tools. The webcast will also cover current rootkit trends and techniques. Come and learn how to prevent rootkit incidents in your environment and how to tackle such incidents if they do occur. See you there!