Mebroot: a pain for automation
I’ve spent most of the day trying to understand Mebroot a little better.
This MBR rootkit is a sophisticated piece of malware that combines an old infection vector (the master boot record) with modern coding techniques.
Anyway, for us researchers, Mebroot breaks our testing environment on a regular basis and finds ways to be one of the biggest nuisances you could think of.
Several months ago we wrote a set of scripts in Linux to restore a clean MBR after each pass of an infected image. It worked well, but not well enough. Some of our honeypots need to prevent a Mebroot infection right there and then, and cannot wait for a reboot to restore a clean MBR.
So today I have been deep in batch scripting… I adopted a somewhat “shove down your throat” approach to neutralize Mebroot as it is trying its infection routine.
Can a simple batch script prevent a Mebroot infection? (I use a script and a few other files together.)
Well, I asked myself that very same question. I took my little script, downloaded 10 copies of Mebroot from Offensive Computing and put the script to the test.
First, I ran all the Mebroot samples, rebooted with a Live CD and uploaded my MBR to VirusTotal.
The result was clear: the uploaded MBR came back flagged, so my PC was infected.
Then, I did the same test (on a clean image of course), ran my script first, and then launched all the Mebroot files.
Rebooted, uploaded the MBR and, to my astonishment, it came back clean.
I should also mention that this new MBR has the same MD5 as my original 'clean' MBR. To be sure, I repeated both steps twice (with and without the batch script).
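The two checks the post relies on (the Linux restore scripts mentioned earlier, and the MD5 comparison of the MBR against a clean baseline) as an added example. This is not the author's batch script, which the post does not disclose; it is a POSIX shell routine that hashes the first sector of a disk, compares it to a baseline taken while the disk was known clean, and writes the saved sector back if it has changed. The disk image, the "clean" boot code and the `tamper_mbr` stand-in for an infection are all constructed here so the script runs offline; on real hardware the device would be something like `/dev/sda`, read from a Live CD as the post does.

```shell
#!/bin/sh
# Added example, not the author's script: baseline, verify and restore an MBR.
# Everything below works on a constructed 1 MiB image instead of a real disk.

mbr_md5() {
    # MD5 of the first sector (512 bytes) of a disk device or image file.
    dd if="$1" bs=512 count=1 2>/dev/null | md5sum | cut -d' ' -f1
}

mbr_has_signature() {
    # A valid MBR ends with the boot signature 0x55 0xAA at offsets 510-511.
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

mbr_is_clean() {
    # True (exit 0) when the current MBR hash of $1 equals the baseline hash $2.
    [ "$(mbr_md5 "$1")" = "$2" ]
}

restore_mbr() {
    # Write the saved 512-byte sector file $2 back over the first sector of $1.
    # conv=notrunc keeps the rest of the target intact (matters for image files).
    dd if="$2" of="$1" bs=512 count=1 conv=notrunc 2>/dev/null
}

tamper_mbr() {
    # Constructed stand-in for an MBR infection: overwrite the start of the boot
    # code only, leaving the partition table and the 0x55AA signature untouched.
    # A hash over the full sector still catches this.
    printf 'HOOKED BOOT CODE' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
}

# --- Constructed test disk (assumption: no real device is touched) ----------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
IMG="$WORK/disk.img"
CLEAN_MBR="$WORK/mbr.clean"

dd if=/dev/zero of="$IMG" bs=1024 count=1024 2>/dev/null                  # 1 MiB of zeros
printf 'CLEAN BOOT CODE' | dd of="$IMG" bs=1 conv=notrunc 2>/dev/null     # fake boot code
printf '\125\252' | dd of="$IMG" bs=1 seek=510 conv=notrunc 2>/dev/null  # 0x55 0xAA signature

# Take the baseline while the image is known clean: save the sector and its hash.
dd if="$IMG" of="$CLEAN_MBR" bs=512 count=1 2>/dev/null
BASELINE=$(mbr_md5 "$IMG")

# Demo run: "infect", detect the change, restore, and re-check.
tamper_mbr "$IMG"
if mbr_is_clean "$IMG" "$BASELINE"; then
    echo "no change detected (unexpected)"
else
    echo "MBR changed: $(mbr_md5 "$IMG") != baseline $BASELINE"
    restore_mbr "$IMG" "$CLEAN_MBR"
    mbr_is_clean "$IMG" "$BASELINE" && echo "MBR restored, hash matches baseline again"
fi
```

Two caveats for real use. The hash covers the whole sector, so a legitimate partition-table change (a new partition, a different active flag) is flagged as well as a boot-code change, which is fine for a fixed test image but not for a general-purpose monitor. And the sector should be read offline, from a Live CD as in the post, since a rootkit active in the running system can filter what reads of the first sector return.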
While I can’t disclose the script I am using (the bad guys read security blogs too), I can say that I use publicly available tools and simple Windows Batch scripting.
This solution may not be viable in the real world, but for our testing purposes, it works great.
Jerome Segura