Wednesday, October 26, 2011

MBR Rootkit Detection

Additional Background on the MBR:
http://en.wikipedia.org/wiki/Master_boot_record

Detecting Master Boot Record (MBR) rootkits can be difficult.  Often an infection will intercept calls to read the MBR and return a copy of the pre-infection MBR rather than the one actually on disk.

There are many tools which can be run within Windows that claim to detect MBR rootkits, but I have seen false negatives more than once in practice, and like to do the following:

Boot into an Ubuntu Live CD or Parted Magic (really anything with a half-decent terminal should work).

Open the Terminal:

sudo dd if=/dev/sda of=mbr.bin bs=512 count=1   # read the first 512-byte sector (the MBR) from the first disk
file mbr.bin >>mbr.txt                           # append file(1)'s decoding of the sector to mbr.txt

Now mbr.bin holds the raw 512 bytes of your MBR and mbr.txt holds file's decoding of it, and because both were read from outside the infected operating system you don't need to worry that the infection gave you a fake MBR. (If the system disk is not /dev/sda, adjust the device name accordingly.)

Example of infected MBR:

x86 boot sector; partition 1: ID=0x7, active, starthead 32, startsector 2048, 204800 sectors; partition 2: ID=0x7, starthead 223, startsector 206848, 312371200 sectors, code offset 0xc0, OEM-ID "      м", Bytes/sector 190, sectors/cluster 124, reserved sectors 191, FATs 6, root entries 185, sectors 64514 (volumes <=32 MB) , Media descriptor 0xf3, sectors/FAT 20644, heads 6, hidden sectors 1203331323, sectors 103464193 (volumes > 32 MB) , physical drive 0xd2, reserved 0x4e, dos < 4.0 BootSector (0x0)

This particular computer was infected with the TDL4 rootkit.
The way that this MBR differs from a clean one can be seen in this part of the output:
physical drive 0xd2, reserved 0x4e

Usually in this area the MBR would have:
 physical drive 0x7e

For this example the clean MBR looked like this:

 x86 boot sector; partition 1: ID=0x7, active, starthead 32, startsector 2048, 204800 sectors; partition 2: ID=0x7, starthead 223, startsector 206848, 312373248 sectors, code offset 0xc0, OEM-ID "      м", Bytes/sector 190, sectors/cluster 124, reserved sectors 191, FATs 6, root entries 185, sectors 64514 (volumes <=32 MB) , Media descriptor 0xf3, sectors/FAT 20644, heads 6, hidden sectors 309755, sectors 2147991229 (volumes > 32 MB) , physical drive 0x7e, dos < 4.0 BootSector (0x0)


Please note that the above example may not be representative of the MBR on any given machine, clean or infected.  If you are unsure whether an MBR is infected then my suggestion would be to save the mbr.bin as a backup, run fixmbr from the Windows Recovery Console, and then read the MBR again and see if there are any differences (if you have multiple operating systems installed, fixmbr may result in you only being able to boot Windows until you restore the MBR to its previous state).
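Comparing the two file outputs above by eye works, but the same check can be done directly on the raw sectors. The following is an added example, not code from the post: it parses two 512-byte MBR images (the kind dd writes to mbr.bin, or a backup and a post-fixmbr read) and reports differences in the boot code and the partition table. The sample images are constructed here, with the partition geometry copied from the post's clean and infected outputs and placeholder boot code in place of any real bootkit code.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446        # bytes 0..445 hold the boot code
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR

def parse_partitions(mbr):
    """Return the four partition entries as dicts (status, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def diff_mbr(clean, suspect):
    """Compare two raw 512-byte MBR images and return a list of differences."""
    findings = []
    for name, img in (("clean", clean), ("suspect", suspect)):
        if len(img) != MBR_SIZE:
            raise ValueError(f"{name} image is {len(img)} bytes, expected {MBR_SIZE}")
        if img[510:512] != BOOT_SIGNATURE:
            findings.append(f"{name}: 0x55AA boot signature missing")
    # Bootkits patch the boot code region, so report where the first byte changed.
    if clean[:PART_TABLE_OFFSET] != suspect[:PART_TABLE_OFFSET]:
        first = next(i for i in range(PART_TABLE_OFFSET) if clean[i] != suspect[i])
        findings.append(f"boot code differs starting at offset 0x{first:03x}")
    # A changed partition table (in the post: a smaller partition 2) is the other symptom.
    for n, (a, b) in enumerate(zip(parse_partitions(clean), parse_partitions(suspect)), 1):
        for field in a:
            if a[field] != b[field]:
                findings.append(f"partition {n} {field}: {a[field]} -> {b[field]}")
    return findings

def build_mbr(boot_code, partitions):
    """Constructed image: boot code padded to 446 bytes, up to 4 entries, signature."""
    table = b"".join(struct.pack("<B3sB3sII", st, b"\0\0\0", ty, b"\0\0\0", lba, n)
                     for st, ty, lba, n in partitions)
    table = table.ljust(4 * PART_ENTRY_SIZE, b"\0")   # unused entries stay zero
    return boot_code.ljust(PART_TABLE_OFFSET, b"\0") + table + BOOT_SIGNATURE

# Constructed samples: geometry from the post's file(1) outputs; placeholder boot code.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0",
                      [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 312373248)])
SUSPECT_MBR = build_mbr(b"\xfa\x33\xc0\xe9\x00",
                        [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 312371200)])
```

To use it on real captures, read mbr.bin and the second image with open(path, "rb").read() and pass them to diff_mbr.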
