Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Bootkits, they are back at full speed...

Published: 2011-07-02
Last Updated: 2011-07-03 00:29:34 UTC
by Pedro Bueno (Version: 1)
5 comment(s)


First of all, don't get me wrong, this is not a media FUD to scary you because of the recent coverage on the MBR rootkits. :)

As many of our readers probably know, earlier this week there was a report from the AV vendor Kaspersky about approximately 4.5 million computers infected with the rootkit called TDL4 (aka TDSS/Alureon).

TDL4 is a rootkit that infects the computer 's MBR (Master Boot Record). The TDSS family is being around since about 2008. At the time, it was quite interesting because we didn't have many mbr virus since 10, 13 years ago, when back in the time, it was quite common. (Remember those virus creation kits? ) :)

The MBR contains the first code that will be loaded during the boot, so infecting the MBR by replacing it will give an enormous advantage for the virus, since it will be loaded before anything else, including the Anti-Virus.

The 4.5 millions infected computer should not be a surprise because rootkits usually breaks a detection cycle.

The usual cycle can be described as:

1- user sees suspicious activity on his computer, like a new running process for example.

2- user sends file to AV vendor

3- AV vendor creates detection

Now the problem is, how can the user send something to his AV vendor since he can't "see" anything?

Bootkits like this have been always a headache for AV vendors for this reason.

I am not alone on this. Also this week, Microsoft released a blog which describes another Bootkit, which it *detects* as Trojan:Win32/Popureb.E.  Note that I mention detects only, which does not include *Cleaning* .

Kaspersky free tool, called TDSSKiller (version ) is one of the few around that can effectively detects if a computer is infected with this rootkit, which it calls: Rootkit.Win32.BackBoot.gen.

The problem with this new bootkit is that it forges the cleaning part. For example, when the security product tries a Write method, the trojan will change to Read. This will make the security product believe that the cleaning was successful while it was not.

Please note that this deceptive technique is not new. One TDSS variant, that infects sys file will perform in similar way, when you try to get the infected sys file, it will intercept and give to you the clean one, then make you believe that all is ok, since you got a clean file back.

Regarding MS's Popureb, the current recommendation is to fix the MBR and rebuild the machine.

There are no clean indicators of the infection on the machine, since the file dropped by the bootkit, (currently) called hello_tt.sys will not be "accessible" .

On some of my tests, I found the GMER's MBR tool is not effective against it, but the new TDSSKiller was being successful on detection and cleaning.

The next chapters on this fight will be interesting...


Pedro Bueno (pbueno /%%/ isc. sans. org)


5 comment(s)
Diary Archives