Bootkits, they are back at full speed...

Published: 2011-07-02. Last Updated: 2011-07-03 00:29:34 UTC
by Pedro Bueno (Version: 1)
5 comment(s)

 

First of all, don't get me wrong, this is not a media FUD to scary you because of the recent coverage on the MBR rootkits. :)

As many of our readers probably know, earlier this week there was a report from the AV vendor Kaspersky about approximately 4.5 million computers infected with the rootkit called TDL4 (aka TDSS/Alureon).

TDL4 is a rootkit that infects the computer 's MBR (Master Boot Record). The TDSS family is being around since about 2008. At the time, it was quite interesting because we didn't have many mbr virus since 10, 13 years ago, when back in the time, it was quite common. (Remember those virus creation kits? ) :)

The MBR contains the first code that will be loaded during the boot, so infecting the MBR by replacing it will give an enormous advantage for the virus, since it will be loaded before anything else, including the Anti-Virus.

The 4.5 millions infected computer should not be a surprise because rootkits usually breaks a detection cycle.

The usual cycle can be described as:

1- user sees suspicious activity on his computer, like a new running process for example.

2- user sends file to AV vendor

3- AV vendor creates detection

Now the problem is, how can the user send something to his AV vendor since he can't "see" anything?

Bootkits like this have been always a headache for AV vendors for this reason.

I am not alone on this. Also this week, Microsoft released a blog which describes another Bootkit, which it *detects* as Trojan:Win32/Popureb.E.  Note that I mention detects only, which does not include *Cleaning* .

Kaspersky free tool, called TDSSKiller (version 2.5.8.0 ) is one of the few around that can effectively detects if a computer is infected with this rootkit, which it calls: Rootkit.Win32.BackBoot.gen.

The problem with this new bootkit is that it forges the cleaning part. For example, when the security product tries a Write method, the trojan will change to Read. This will make the security product believe that the cleaning was successful while it was not.

Please note that this deceptive technique is not new. One TDSS variant, that infects sys file will perform in similar way, when you try to get the infected sys file, it will intercept and give to you the clean one, then make you believe that all is ok, since you got a clean file back.

Regarding MS's Popureb, the current recommendation is to fix the MBR and rebuild the machine.

There are no clean indicators of the infection on the machine, since the file dropped by the bootkit, (currently) called hello_tt.sys will not be "accessible" .

On some of my tests, I found the GMER's MBR tool is not effective against it, but the new TDSSKiller was being successful on detection and cleaning.

The next chapters on this fight will be interesting...

___________________________________

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure

5 comment(s)

Comments

TDSS already used to hide it's tracks by overwriting the atapi.sys driver file. Trying to open the file would return a clean file, even though the file on the disk was rooted. All they did is move some stuff to the MBR.
It would seem to me that the way to both detect and clean-up such a mess would be to do all the processing offline. Burn a CD with a bootable image that could go out and detect the presence of the bootkit without having to execute it first. Likewise, cleanup should be easier if the normal boot drive is simply a data disk during the detect/cleanup operation.
Of course, this would not work if the malware was able to infiltrate the BIOS, as it would get its claws into things before you could even boot the CD.
Makes one wonder why not more places use 'boot-from-network-only' for desktops. Either pull the entire OS in over the network, or a shim that runs a checksum on critical OS and virus scanner files, then hands over to normal disk boot.
Our guys at SophosLabs just published a technical paper detailing the workings of Popureb. Fortunately, reinstalling is not necessary.

http://nakedsecurity.sophos.com/2011/07/06/popureb-a-small-rootkit-with-a-big-reputation/

Chester

Diary Archives