MBR Infector Detector
Now and again, I get those analysis gigs where someone suspects that a system may have been infected with some sort of malware, but they aren't sure, and don't really have anything specific (Event Log entry, AV alert, etc.) to point to. I know that others get these sorts of gigs as well, and like them, I have a process that I go through when examining images of these systems. This usually starts with checking for installed AV products (MRT, etc.) to review their logs, as well as checking for AV having been run before the system was taken offline...if logs are available, they can tell you a lot, particularly the product and version run. From there, I also mount the image and scan it with other AV tools.
One of the steps on my list is to also look for MBR infectors. What's an "MBR infector", you ask? Read on...
F-Secure "Hippie" Description (1996)
SecurityVibes - Mebroot (2008)
F-Secure - Mebroot (3 Mar 2008)
Symantec - Mebroot (30 July 2010)
Sunbelt - TDSS/TDL4 (15 Nov 2010)
F-Secure, 17 Feb 2011
MMPC - Sinowal, aka Mbroot, Mebroot (8 Feb 2011)
MMPC - Win32/Fibebol.A (7 Mar 2011)
If you read through the above links, particularly those that are AV vendor descriptions of MBR infectors, you'll notice some commonalities...in particular, when the MBR is infected, other sectors prior to the first partition (usually, sector 63) contain something...a copy of the MBR, code to be injected into the system, something. Now, this doesn't mean that this is the case for ALL MBR infectors, just those that have been mentioned publicly.
Usually, what I would do is load the image into FTK Imager, and scan through the sectors manually...but why to do that, when you make the computer do it? That's right...I wrote a (wait for it!) Perl script (mbr.pl) to do this for me!
So, what the script does is scan through a range of sectors from an image file; by default, it will scan through sectors 0 through 63 inclusive, but the analyst can set different sectors to be scanned. When a sector that does NOT contain all zeros is found, the script will flag it. By "flag it", in summary mode, the script will just list the sector number. In a more detailed mode (which is the default), the script will print out the contents of the sector to STDOUT, in a hex viewer-like format. This way, it's real easy for the analyst to see, "hey, this sector just contains some strings associated with Dell installs", or "Hey, this sector is the start of a PE file!" Because the output goes to STDOUT, you can pipe it through "more" or redirect the output to a file.
Also, using another switch, the analyst can dump the raw sectors to disk. This allows you to generate MD5 or ssdeep hashes, run ssdeep hash comparisons, submit the raw dump to VirusTotal, etc.
Overall, it's pretty cool. I usually run mmls against the image anyway, and many times I'll see that the first partition starts at sector 63. Other times, I've found the starting sector for the first partition by searching the image via FTK Imager for "NTFS". Regardless, with the output of mmls, I can then run mbr.pl as part of my malware detection process, and just like other parts of the process, if nothing unusual is found, that's okay. If something is found, it's usually correlated against the output of other steps in the process. The overall goal is to as thorough a job as possible.
One of the steps on my list is to also look for MBR infectors. What's an "MBR infector", you ask? Read on...
F-Secure "Hippie" Description (1996)
SecurityVibes - Mebroot (2008)
F-Secure - Mebroot (3 Mar 2008)
Symantec - Mebroot (30 July 2010)
Sunbelt - TDSS/TDL4 (15 Nov 2010)
F-Secure, 17 Feb 2011
MMPC - Sinowal, aka Mbroot, Mebroot (8 Feb 2011)
MMPC - Win32/Fibebol.A (7 Mar 2011)
If you read through the above links, particularly those that are AV vendor descriptions of MBR infectors, you'll notice some commonalities...in particular, when the MBR is infected, other sectors prior to the first partition (usually, sector 63) contain something...a copy of the MBR, code to be injected into the system, something. Now, this doesn't mean that this is the case for ALL MBR infectors, just those that have been mentioned publicly.
Usually, what I would do is load the image into FTK Imager, and scan through the sectors manually...but why to do that, when you make the computer do it? That's right...I wrote a (wait for it!) Perl script (mbr.pl) to do this for me!
So, what the script does is scan through a range of sectors from an image file; by default, it will scan through sectors 0 through 63 inclusive, but the analyst can set different sectors to be scanned. When a sector that does NOT contain all zeros is found, the script will flag it. By "flag it", in summary mode, the script will just list the sector number. In a more detailed mode (which is the default), the script will print out the contents of the sector to STDOUT, in a hex viewer-like format. This way, it's real easy for the analyst to see, "hey, this sector just contains some strings associated with Dell installs", or "Hey, this sector is the start of a PE file!" Because the output goes to STDOUT, you can pipe it through "more" or redirect the output to a file.
Also, using another switch, the analyst can dump the raw sectors to disk. This allows you to generate MD5 or ssdeep hashes, run ssdeep hash comparisons, submit the raw dump to VirusTotal, etc.
Overall, it's pretty cool. I usually run mmls against the image anyway, and many times I'll see that the first partition starts at sector 63. Other times, I've found the starting sector for the first partition by searching the image via FTK Imager for "NTFS". Regardless, with the output of mmls, I can then run mbr.pl as part of my malware detection process, and just like other parts of the process, if nothing unusual is found, that's okay. If something is found, it's usually correlated against the output of other steps in the process. The overall goal is to as thorough a job as possible.