Are MBR Infections Back in Fashion? (Infographic)

A Master Boot Record (MBR) is an area of the hard disk (usually the first sector) used by a computer to perform start up operations. It is one of the first things to be read and executed by the computer hardware when a computer is powered on, even before the operating system itself. As far as trying to get access to the hardware first, you can’t really beat the MBR for that, with the exception of hardware ROM (BIOS) itself.

MBR infections offer great scope for deep infection and control of computers, which makes the idea attractive to malware creators. Contemporary MBR infection methods are a fairly complex affair and are not an undertaking that can be performed by many malware creators except for more highly skilled individuals. This is probably one reason why after the creators of Trojan.Mebroot rediscovered the lost art of MBR infection, back in 2007 (based on work done by Soeder and Permeh of eEye Digital Security in 2005 on BootRoot), not too many other malware creators have followed in their wake. Mebroot was a significant piece of malware. It not only infected the MBR of the computer but also implemented direct disk access to write its own code into unused sectors of the hard disk and therefore place itself into an area that the host operating system isn’t even aware of. This type of low-level infection, coupled with a sophisticated rookit, makes it difficult to detect and get rid of Mebroot from an infected computer. The way to defeat it is to try and get access to the hardware by avoiding the malware hooks or before the malicious MBR gets to execute.

While MBR infection has been a mainstay of Mebroot since the start, another gang who were responsible for the highly sophisticated threat Backdoor.Tidserv (originally infected system driver files) decided that they too will have a piece of the MBR action. They jumped on board the MBR bandwagon back in the summer of 2010 with Backdoor.Tidserv.L and subsequent versions have been using this method since. Aside from Mebroot and Tidserv, there has been few other threats between 2008 to 2010 using the MBR infection technique, Trojan.Mebratix and Trojan.Bootlock being the only examples. It looked like MBR infections were going nowhere fast.

Fast forward to now, the picture for MBR malware has changed considerably. So far in 2011, we have seen as Backdoor.Tidserv.M, Trojan.Smitnyl, Trojan.Fispboot, Trojan.Alworo, and Trojan.Cidox. This represents as many new MBR or boot time malware threats as there had been in all the previous three years. This statistic points to a possible trend towards increasing use of boot time infection (particularly the use of the MBR) as a way to infect computers. We should also note that much of the hard graft to build this type of malware has already been done by researchers and early adopters. When researchers released details for BootRoot and VBootkit, malware authors literally took the research and proof of concept code and simply adapted them for their own needs. From our observations, we can tell that a number of MBR infecting malware families currently in circulation borrowed heavily from the BootRoot PoC. The arrival of short lived ransomware type threats lend weight to the idea, because this type of malware can be considered as throw away code. Ransomware is made for a single purpose and are not expected to provide a long length of service so the people who make them don’t want to spend too much time and effort in creating and hiding them on the computer. This is in sharp contrast to the more advanced examples of back door Trojans for whom the creators are trying to build a lasting and useful network of computers for profit. These are signs that the barrier to entry for this type of malware has been lowered. At this time, all the recent boot time malwares target the MBR with the exception of Trojan.Cidox which takes a slightly different approach. Instead of targeting the MBR, it infects the Initial Program Loader to achieve a similar overall effect, this is an innovation on the current MBR infection techniques.

As with any malware infections, the key is to not get infected in the first place. Symantec has been quick to add detection for such malware whenever they are discovered (so keep your detections up-to-date) and we also offer various tools that can help to remove them. For MBR infecting threats, a simple way to disable the malware is to boot up with a bootable CD and then run “fixmbr” which will restore the MBR to a default setting. This will stop the MBR based malware from executing. For other more tricky threats you can try tools such as the Norton Boot Recovery Tool.

From a historical point of view, infecting the MBR is not a new technique per se, many of the old boot sector viruses from over a decade ago did something similar. The difference is, modern MBR malware do so much more than just infecting the MBR.

They say that fashion comes in cycles, is MBR malware making a comeback in 2011? It certainly looks that way. The following infographic summarizes these threats and what they do. (A big thanks to Stephen Doherty and Piotr Krysiuk for their input.)

Download PDF

Rampant Ransomware

Contemporary viruses are written to make money. They achieve this through extortion, information theft, and fraud. Threats that use extortion can be some of the most aggressive and, in some cases, offensive viruses encountered. These viruses are generally referred to as ransomware. This blog discusses some of the nastiest variants that have been encountered so far.

In your face!
Whilst by its nature ransomware is not subtle, certain variants are very obvious in their approach. They use a combination of shock and embarrassment in order to extort money from people. The most recent example of this is Trojan.Ransomlock.F. The Trojan.Ransomlock family is a particular type of ransomware, which locks a user’s desktop. Once the desktop has been locked, it is then no longer possible to use the computer as normal. To restore access to the desktop, one typically has to send a text message to a premium rate number. A message containing the unlock code is then – hopefully – sent back to the user. (Trusting someone who has just compromised your computer and is holding you to ransom is generally not very reliable.)

In the case of the Trojan.Ransomlock.F variant, not only does it lock the desktop, but it also changes the desktop background to an explicit pornographic image as in Figure 1 (censored!). This additional trick has been included by the authors of the threat in order to play on the user’s insecurities. Having a graphic pornographic image emblazoned across a monitor is guaranteed to give anyone a red face. They are less likely to seek technical help from another person to solve the problem in an effort to avoid embarrassment.

Figure 1 Censored Trojan.Ransomlock.F image (see translation of the message in Figure 2)

WARNING!

You surfed gay porn videos for three hours.
The free viewing time has expired.

To pay for the service, you need to make an online payment through the Beeline system to XXXXXXX for the amount of $400 USD.

Upon receipt of the payment you will be given an activation code.
Enter it in the box below and press Enter.

Figure 2 Translated Trojan.Ransomlock.F

A similar tactic is used by Infostealer.Kenzero. This threat masquerades as an adult game. When the Trojan is first executed, the user is asked to enter some personal information. It then monitors any pornographic Internet pages visited by the user and uploads the list of pages to a certain website. The user is then threatened with exposure of this list, in association with their personal information, if a sum of money is not paid. Again, the threat plays on a person’s embarrassment in order to extort money.

Backup
Another approach that ransomware threats typically employ is holding a user to ransom for files on their computer. This is a relatively common tactic, but has evolved over the years, utilizing encryption in smarter ways. The general approach is to search for files on the compromised computer. When user-specific files such as .doc, .xls, .jpg, etc. are found, they are then encrypted by the threat. The encryption renders the files inaccessible. Only by obtaining the correct key can the files be decrypted and accessed. Of course, to get the key, the owner of the compromised computer has to pay out.

A classic implementation of this can be seen in Trojan.GPCoder.E. This Trojan generates an encryption key specific to the compromised computer. It then checks to see if the system date is after July 10th, 2007. If so, a comprehensive list of files is searched for and encrypted using the generated key. Furthermore, a message (Figure 3) is left in each folder where a file has been encrypted.

Hello,    your   files   are   encrypted   with   RSA-4096   algorithm  (http://en.wikipedia.org/wiki/RSA).
  You  will  need  at least few years to decrypt these files without our software.  
  All  your  private  information  for  last  3  months  were collected and sent to us.
  To decrypt your files you need to buy our software. The price is $300.
  To  buy  our software please contact us at: [MAIL_ADDRESS] and provide us your  personal code [PERSONAL_CODE].
  After successful purchase we will send your  decrypting  tool, and your private information
  will be deleted from our system.
  If  you  will not contact us until 07/15/2007 your private information will be shared and you will lost all your data.
                Glamorous team

Figure 3 Ransom message

Luckily, this threat did not use RSA, as it claimed (or a grammar-checker for that matter), and stored the generated encryption key in the registry. Therefore, it was possible for the user to retrieve the key from the registry and the files could then be successfully decrypted.
Unfortunately, a more recent implementation has proven to be much smarter and uses a more advanced encryption technique. Trojan.GPCoder.G uses the public key algorithm, RSA. The local files are initially encrypted using a symmetric encryption algorithm with a random key. This random key is then in turn encrypted by the public key of an RSA key pair. Without the private key from this key pair, it is not possible to obtain the symmetric key in order to decrypt the files. The owner of the compromised computer must send the encrypted symmetric key, along with the ransom to the malware authors. They decrypt the symmetric key and return it. This process is illustrated in Figure 4. The user can then decrypt their files. There is no way to bypass this technique. Unfortunately, unless the ransom money is sent to the malware authors (which has no guarantee of success), the only way to retrieve the encrypted files is from backup. Always backup!

Figure 4 Trojan.GPCoder.G process

Boot blocking
The most basic computer resource that an attacker can attempt to obtain a ransom for is access to the operating system itself. No operating system means no antivirus and no assistance from the Internet. Trojan.Bootlock achieves this by overwriting the master boot record (MBR) with custom code. The MBR is responsible for starting a computer’s operating system. By overwriting it with custom code, the malware authors deny a user access to the operating system. Instead the user is greeted with the message in Figure 5.


 
Figure 5 Trojan.Bootlock

The web page that is referenced in the message demands payment of $100 to obtain the password. Contrary to what the attackers claim, however, the hard drive is not encrypted and can still be accessed offline. The MBR can be repaired and the threat removed using the Norton Bootable Recovery Tool.

As always, the best way to defend against such threats is up-to-date antivirus and a regular backup routine. Thanks to the various engineers whose analysis made up this article, including Paul Mangan, Yousef Hazimee, Karthik Selvaraj, Fergal Ladley, and Elia Florio.