
StealthMBR gets a makeover

Sunday, April 19, 2009 at 6:22pm by Rachit Mathur

New variants of the StealthMBR trojan aka Mebroot rootkit have recently been spotted in-the-wild. These new variants are significantly different from earlier ones.

StealthMBR has arguably been dubbed the stealthiest rootkit ever seen. The new variants use even ‘deeper’ techniques to evade detection. Broadly speaking, they hijack kernel objects (the disk device object) to filter access to the master boot record and prevent detection and repair. Whereas earlier variants installed lower-level hooks on the IRP table of \driver\disk, these new variants are able to hook the IRP table of an even lower driver. These hooks are not present all the time either; they are installed only on demand, and the hijacked disk device object is used to facilitate this. Detection is not the only problem: this threat also poses cleaning challenges by installing watching mechanisms that re-infect the machine. The following image shows what an infected MBR looks like. Booting off an external medium and inspecting the disk should reveal the infected MBR.

Infected MBR

The following image shows hijacked kernel object for disk device.

Hijacked Object
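Because the rootkit filters MBR reads issued from inside the running system, the practical check is the one the post describes: read sector 0 from an offline boot and compare it with what the live OS reports. The following helper is an added example (not McAfee's tooling); the MBR layout constants are standard, and the two sample sectors are constructed inline.

```python
"""Offline MBR inspection helper (added example, not McAfee's tooling).
Parses a raw 512-byte MBR and compares the view taken from an offline boot
(e.g. a live CD) with the view reported from inside the running OS."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0-439: bootstrap code (440-445: disk signature)
PART_TABLE_OFF = 446         # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"      # bytes 510-511: boot sector signature


def parse_mbr(data: bytes) -> dict:
    """Split an MBR into boot-code hash and partition table; reject malformed sectors."""
    if len(data) != MBR_SIZE or data[510:] != SIGNATURE:
        raise ValueError("not a valid 512-byte MBR (bad size or signature)")
    parts = []
    for i in range(4):
        entry = data[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        boot_flag, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype:  # skip empty entries
            parts.append({"bootable": boot_flag == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def compare_views(offline: bytes, live: bytes) -> dict:
    """A boot-code mismatch between the trusted offline view and the live view
    is the signal that something is filtering MBR access on the running system."""
    a, b = parse_mbr(offline), parse_mbr(live)
    return {"boot_code_differs": a["boot_code_sha256"] != b["boot_code_sha256"],
            "partition_table_differs": a["partitions"] != b["partitions"]}


def _sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one bootable NTFS partition, valid signature."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x00" * 6 + entry + b"\x00" * 48
    return body + SIGNATURE


# Constructed test sectors: same partition table, different bootstrap code.
CLEAN_MBR = _sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")   # typical MBR prologue
TAMPERED_MBR = _sample_mbr(b"\xeb\x10\x90" + b"\x90" * 20)  # placeholder modified code

if __name__ == "__main__":
    # Offline read shows the tampered sector; the live OS is shown the clean one.
    print(compare_views(offline=TAMPERED_MBR, live=CLEAN_MBR))
```

On a real machine, `offline` would be the first 512 bytes of the physical disk read from rescue media and `live` the same sector read from within the suspect installation.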

Once installed, this threat does not require any file or registry entry to sustain itself on the compromised machine. For installation to occur, however, there is a dropper executable, which has also changed compared to older variants. Detection for the new droppers is added as StealthMBR.a. The good thing is that we already had proactive detection for some of the dropped files as PWS-JA.gen.a. This should help identify problems and prevent users from getting infected in the first place. We have also developed a solution for detecting and removing this threat once a machine is compromised. It is currently under QA and will be delivered through regular DAT updates very shortly.

While we are on this subject, we also wanted to plug an upcoming webcast. We will be discussing the workings of the StealthMBR rootkit and how we deliver solutions for complex threats like these through regular DAT updates, without the need for special stand-alone tools. The webcast will also cover current rootkit trends and techniques. Come and learn how to prevent rootkit incidents in your environment and how to tackle such incidents if, unfortunately, they do occur. See you there!


Comments (3)

  • zhai April 26, 2009 11:54PM

    Hi
    is it possible to download the webcast ?
    Thanks in advance
    zhai

  • vinod April 24, 2009 1:02AM

    Thanks,

    Rachit, your webcast was really nice and useful..... I am interested to attend more of these......

  • Frad Notel April 19, 2009 7:22PM

    Pretty nasty malware. McAfee seems to protect users from this variant already, but it is not new though and analysis repeats what is stated at hxxp://xxx.prevx.com/blog/120/MBR-rootkit-changes-itself-and-strikes-again.html