Monday, March 07, 2011

MBR Infector Detector

Now and again, I get those analysis gigs where someone suspects that a system may have been infected with some sort of malware, but they aren't sure, and don't really have anything specific (Event Log entry, AV alert, etc.) to point to.  I know that others get these sorts of gigs as well, and like them, I have a process that I go through when examining images of these systems.  This usually starts with checking for installed AV products (MRT, etc.) to review their logs, as well as checking for AV having been run before the system was taken offline...if logs are available, they can tell you a lot, particularly the product and version run.  From there, I also mount the image and scan it with other AV tools.

One of the steps on my list is to also look for MBR infectors.  What's an "MBR infector", you ask?  Read on...
F-Secure "Hippie" Description (1996)
SecurityVibes - Mebroot (2008)
F-Secure - Mebroot (3 Mar 2008)
Symantec - Mebroot (30 July 2010)
Sunbelt - TDSS/TDL4 (15 Nov 2010)
F-Secure, 17 Feb 2011
MMPC - Sinowal, aka Mbroot, Mebroot (8 Feb 2011)
MMPC - Win32/Fibebol.A (7 Mar 2011)

If you read through the above links, particularly those that are AV vendor descriptions of MBR infectors, you'll notice some commonalities...in particular, when the MBR is infected, other sectors prior to the first partition (usually, sector 63) contain something...a copy of the MBR, code to be injected into the system, something.  Now, this doesn't mean that this is the case for ALL MBR infectors, just those that have been mentioned publicly.

Usually, what I would do is load the image into FTK Imager, and scan through the sectors manually...but why to do that, when you make the computer do it?  That's right...I wrote a (wait for it!) Perl script (mbr.pl) to do this for me!

So, what the script does is scan through a range of sectors from an image file; by default, it will scan through sectors 0 through 63 inclusive, but the analyst can set different sectors to be scanned.  When a sector that does NOT contain all zeros is found, the script will flag it.  By "flag it", in summary mode, the script will just list the sector number.  In a more detailed mode (which is the default), the script will print out the contents of the sector to STDOUT, in a hex viewer-like format.  This way, it's real easy for the analyst to see, "hey, this sector just contains some strings associated with Dell installs", or "Hey, this sector is the start of a PE file!"  Because the output goes to STDOUT, you can pipe it through "more" or redirect the output to a file.

Also, using another switch, the analyst can dump the raw sectors to disk.  This allows you to generate MD5 or ssdeep hashes, run ssdeep hash comparisons, submit the raw dump to VirusTotal, etc.

Overall, it's pretty cool.  I usually run mmls against the image anyway, and many times I'll see that the first partition starts at sector 63.  Other times, I've found the starting sector for the first partition by searching the image via FTK Imager for "NTFS".  Regardless, with the output of mmls, I can then run mbr.pl as part of my malware detection process, and just like other parts of the process, if nothing unusual is found, that's okay.  If something is found, it's usually correlated against the output of other steps in the process.  The overall goal is to as thorough a job as possible.

12 comments:

-Sketchymoose said...

Can we get a copy of your perl script? Or is it close hold? Sounds interesting!

H. Carvey said...

I'm not entirely sure that I'm ready to release this one, in part due simply to the lack of anything, including feedback, from the community. I'd really like to see something back, rather than just the script being downloaded. The forensics doesn't get stronger because one or two people release tools publicly...it gets stronger because analysts use those tools, provide feedback and even just use case scenarios that clearly demonstrate the use of such things.

H. Carvey said...

However, the code will likely be released publicly along with my next book...

Lakshmi N said...

Harlan,

Thanks for posting a process to detect MBR malwares. I am going to try it. I have not come across one but should be a good practice to follow in all my examinations.

Thanks,

Lakshmi N

Anonymous said...

CarveDog,

Thanks for telling us you wrote a script you won't release and we can't use.

-Anonymous

H. Carvey said...

Point taken, Anonymous, but I didn't say that I wasn't going to release it...I said that I wasn't sure if I was ready to do so.

And I did mention that I'd like to see something back from the community rather than simply taking. As such, I offered up a means for solving a problem, and also mentioned that I'd created a solution...for myself, for the moment.

I'm not clear on what your issue is, to be honest. Others in the community do this all the time, so why approach me this way, rather than saying something along the lines of, "I currently have an issue with MBR infectors, could you help me?"

I wrote this script, and I find it useful (and pretty freakin' cool!!) but I have no idea if anyone else has a use for it, beyond downloading it and never using it.

H. Carvey said...

Interesting...not only has "Anonymous" not responded or commented in any way, but they also haven't acknowledged the new and updated RegRipper plugins that I've provided over the past two days...

Mitch Impey said...

Yeah, a strange way to show their appreciation - thanks Harlan for these new plugins! I have bought your latest book and am impatiently waiting for it to show up! :)

mjbright said...

Hi, searching for a MBR "dump"ing Perl script I came across your post. I know it's not the main purpose of you investigation but it would be appreciated if you could liberate (some or all of) your script.

... hoping I don't write it first ...

at the least your description will inspire me ...
Thanks.

H. Carvey said...

Mike,

Without an email address, I have no place to send the file.

mjbright said...

Thanks a lot, you can e-mail to me at brightjunk@gmail.com.

Cheers,
Mike.

dev said...

Harlen,

i am also interested in a mbr 'dumping' script i never actually found one that i liked and i have used many of your scripts from your books and your google projects page i tend to like them 'better' then commercially available ones. i was wondering if you could send me that script as well ??
desai401@yahoo.com