Posted 04 September 2010 - 05:47 AM
I need to install this way because I can't seem to wipe a rootkit off the internal drive.
Edited by Drovers Dog, 04 September 2010 - 06:08 AM.
Posted 04 September 2010 - 09:48 PM
DroversDog, what kind of detail would be helpful? Should we move to another forum to discuss rootkit?
I have Process Explorer and Process Monitor, and used them to find the possible module involved.
MBR Rootkit, A New Breed of Malware
Posted by Kimmo @ 11:08 GMT
News broke out earlier this year of a new breed of rootkit using techniques never before seen in modern malware. The most notable of them is the fact that the rootkit replaces the infected system's Master Boot Record (MBR).
The MBR is the first physical sector of the hard drive and contains the first code loaded and executed from the drive during the boot process.
In the competition between rootkits and rootkit detectors, the first to execute has the upper hand. And you can't execute earlier than from the MBR. Of course, MBR viruses used to be very common in the DOS days, 15 years ago or so. But this is 2008.
This new Windows MBR rootkit launches itself very early during the Windows startup process without requiring any registry or file modifications. In fact, it is quite surprising that it's possible to write to the MBR from within Windows to begin with.
The MBR rootkit — known as "Mebroot" — is very advanced and probably the stealthiest malware we have seen so far. It keeps the amount of system modifications to a minimum and is very challenging to detect from within the infected system.
Below are some details about the MBR rootkit's stealth features:
The ntoskrnl.exe module hook that executes the kernel-mode downloader payload is set to the nt!Phase1Initialization function which resides in the INIT section. This means that after the system has initialized the section is wiped out from memory and no sign of the hook is any longer present.
The rootkit stores data that's required to survive reboots in physical sectors instead of files. This means that the data, including the real payload, is not visible or in any way accessible to normal applications. Therefore the rootkit does not have to hook the normal set of interfaces to keep them hidden.
The MBR is the rootkit's launch point. Therefore it doesn't need to make any registry changes or to modify any existing startup executables in order to launch itself. This means that the only hooks it needs to make are used to hide and protect the modified MBR. Essentially this means that the rootkit hooks only two DWORDs from the disk.sys driver object which is shown in the picture below.
Edited by Drovers Dog, 04 September 2010 - 10:03 PM.
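The quoted post makes two points a practitioner can act on: the MBR is the first 512-byte sector (bootstrap code, a four-entry partition table and the 0x55 0xAA signature), and the rootkit hooks disk.sys so that reading that sector from inside the infected system returns a clean-looking copy. The check that follows from this is to read sector 0 from the running OS and again from the same disk booted from clean media, then compare the two. The code below is an added example (not from the thread, from Bleeping Computer, or from F-Secure's post): it parses the MBR layout and reports where the two copies differ. All names are my own, and the sample sectors are constructed, not real disk images.

```python
"""Added example: parse a 512-byte Master Boot Record and compare the bootstrap
code seen from the running OS with a copy read from clean boot media.
Illustrative code, not from the forum thread or from F-Secure; the sample
sectors below are constructed, not real disk images."""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445: bootstrap code run by the BIOS
PARTITION_TABLE_OFF = 446       # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFF = 510             # bytes 0x55 0xAA, read little-endian as 0xAA55
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sectors


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def validate_mbr(sector: bytes) -> None:
    """Reject anything that is not a 512-byte sector ending in the boot signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    (sig,) = struct.unpack_from("<H", sector, SIGNATURE_OFF)
    if sig != 0xAA55:
        raise ValueError(f"bad boot signature 0x{sig:04X}")


def parse_partition_table(sector: bytes) -> list[Partition]:
    """Decode the non-empty entries of the four-slot partition table."""
    validate_mbr(sector)
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_SIZE
        status, _chs_s, type_id, _chs_e, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, off)
        if type_id == 0:        # empty slot
            continue
        parts.append(Partition(status == 0x80, type_id, lba_start, sectors))
    return parts


def compare_mbrs(online: bytes, offline: bytes) -> dict:
    """Compare sector 0 as read from inside the OS with the same sector read
    offline. An identical partition table but different bootstrap code is the
    pattern the post describes: only the loader code was replaced."""
    validate_mbr(online)
    validate_mbr(offline)
    diffs = [i for i in range(BOOT_CODE_SIZE) if online[i] != offline[i]]
    return {
        "boot_code_differs": bool(diffs),
        "first_diff_offset": diffs[0] if diffs else None,
        "differing_bytes": len(diffs),
        "partition_table_differs":
            online[PARTITION_TABLE_OFF:SIGNATURE_OFF] != offline[PARTITION_TABLE_OFF:SIGNATURE_OFF],
        "online_sha256": hashlib.sha256(online).hexdigest(),
        "offline_sha256": hashlib.sha256(offline).hexdigest(),
    }


def build_mbr(boot_code: bytes, partitions: list[tuple]) -> bytes:
    """Assemble a test sector from bootstrap bytes and up to four
    (bootable, type_id, lba_start, sectors) tuples. Used only to construct
    sample input here; a real check reads sector 0 from the device."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\x00" * 3,
                    type_id, b"\x00" * 3, lba_start, sectors)
        for bootable, type_id, lba_start, sectors in partitions)
    table = table.ljust(4 * PARTITION_ENTRY_SIZE, b"\x00")
    return code + table + b"\x55\xAA"


# Constructed samples. CLEAN_BOOT_CODE opens with a typical real-mode prologue
# (xor ax,ax / mov ss,ax / mov sp,0x7C00) padded with NOPs; it is not a real loader.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 24
PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 1024000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
# Same partition table, but the first instruction replaced by a short jump.
TAMPERED_MBR = build_mbr(b"\xEB\x3E" + CLEAN_BOOT_CODE[2:], PARTITIONS)

if __name__ == "__main__":
    # In the scenario the post describes, the in-OS read is the one being lied to.
    for p in parse_partition_table(TAMPERED_MBR):
        print(p)
    print(compare_mbrs(online=CLEAN_MBR, offline=TAMPERED_MBR))
```

On Windows the in-OS copy comes from opening `\\.\PhysicalDrive0` as an administrator and reading the first 512 bytes; the offline copy is the same sector read after booting the machine from clean media. As the post says, the rootkit's disk.sys hooks are there precisely to hide the modified MBR from in-OS reads, so a single read from the running system proving the sector "clean" proves nothing; only a mismatch against the offline copy (or a match against a known-good loader) settles it.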