MBR Malware Back in Fashion

MBR Malware Back in Fashion RETURN OF THE BOOTUP MALWARE There has been as many new MBR threats found in the first seven months of 2011 as there were in all the previous three years. CIDOX* 2011 "Is an MBR malware JULY FISPBOOT ALWORO explosion imminent?" APRIL JUNE TIDSERV.M SMITNYL BOOTLOCK JANUARY FEBRUARY NOVEMBER STONED MEBROOT MEBATRIX TIDSERV.L BOOTKIT JANUARY MARCH AUGUST JULY 2008 2009 2010 * Cidox is not strictly an MBR threat but targets boot time components. THE GOAL OF MBR/BOOT TIME MALWARE get in quick ... 1. POST The goal of boot-time infection is to get the 5. START USER - 2. READ MBR malware PROCESSES loaded onto the 3. READ IP LOADER computer before the 4. LOAD OPERATING SYSTEM operating system does. Whatever gets loaded first ultimately calls the shots." PROTECTION RING SECURITY ARCHITECTURE 3 Ring 3: Applications (Lowest privileges) 2 Ring 2: Device Drivers Ring 1: Operating System Components Ring 0: Kernel (Highest privileges) Boot malware components typically operate at the ring 0 level with the highest privileges for access to computer resources. WHAT THEY DO MBR IP Loader Cidox Bootlock Payment Rootkit MBR Modifies the MBR and Download Files uses raw disk access Tidserv.M techniques to modify disk sectors Adverts Smitnyl IP Loader: Modifies the Initial Program Loader Alworo Tidserv.L Payment: Uses techniques to mislead or extort users Mebroot Fispboot into making a payment Mebatrix Adverts: Back door & Infostealing Displays advertisements Rootkit: Uses techniques to hide its presence Back door: Opens a back door allowing remote communications Download Files: Download files from a remote location Infostealing: Collects information and uploads it to a remote location A BRIEF HISTORY OF BOOT MALWARE Boot infection is not a new idea... 2000 Boot sector viruses such as Stoned.Michealangelo were all the rage 2005 eEye researchers present BootRoot project at BlackHat 2007 Researchers at NVLabs present “Many boot malware Vbootkit at BlackHat including Mebroot and Fispboot are based on BootRoot 2007/2008 Mebroot makes its debut 2009 code StonedBootkit appears, Vbootkit becomes open source 2010 Mebatrix, Tidserv.L, and Bootlock debut "What's in store 2011 Tidserv.M, Smitnyl, Fispboot, Alworo, and Cidox for the rest of 2011?" Sources: http://www.symantec.com/connect/blogs/mbr-rootkit-paper-vb2008 http://www.symantec.com/connect/blogs/bootroot-trojanmebroot-rootkit-your-mbr http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-soeder.pdf http://www.nvlabs.in/?q=node/16 Copyright © 2011 Symantec Corporation Symantec.