Undetectable mebroot/torpic


  • This topic is locked
8 replies to this topic

#1 JoshuaJ

  • Members
  • 5 posts

Posted 15 July 2011 - 09:55 AM

On Wednesday our mailserver got blacklisted at cbl.abuseat.org. Luckily I learned of this quickly and from this learned that one of the computers on the network was infected with torpig. According to the site this is a fairly certain diagnosis as the computer in question attempted to contact a sinkhole C&C and used torpig specific networking protocols for communication. After some sleuthing I have correctly identified the computer. Our firewall has caught it in the act of attempting to contact the sinkhole a few more times, but since there is now a firewall rule in place it is unable to.

I've read dozens of copies of removal instructions for this combination of malware, and I've yet to find anything that works for me. I don't know if this is a brand new variant, or something else masquerading as torpig but I can't seem to pin it down. Even worse - it seems to be in the user's roaming profile since as soon as she logged in to a different computer we detected another connection attempt to C&C.

I've downloaded, updated, and run Malwarebytes, and we run Eset NOD32 on the whole network. Updated scans with both show the computer is clean. I've also tried Windows Defender and GMER also to no avail.

I'm planning to nuke the machine and reinstall after a fixmbr, but I'd really like to be able to detect this malware especially with the possibility looming that other machines are infected. Is there other software I should try? Something I'm missing?

Edited by JoshuaJ, 15 July 2011 - 09:58 AM.



#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,065 posts
  • Location:Romania

Posted 15 July 2011 - 12:05 PM

Hi JoshuaJ,

There are a few ways to detect this infection. The best way is getting an offline MBR dump. This is fairly simple, and afterwards you can upload the created dump to sites like http://www.virustotal.com, which will make clear if the MBR was infected or not (typical detection will be Mebroot/Sinowal).

One way to do this is below.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

Edited by elise025, 15 July 2011 - 12:12 PM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
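As an added example (not part of the thread and not a tool Elise posted), the script below shows what is actually inside the 512-byte mbr.bin that the dd command above writes: it checks the 0x55AA boot signature, decodes the partition table, and computes the SHA-256 you would look up on VirusTotal. It also compares the boot-code area (bytes 0 to 439) of a dump against a reference dump, which is useful because an MBR bootkit overwrites the boot code while leaving the partition table and disk signature intact. The sample MBR it builds is constructed for the demonstration; `load_and_report` is the entry point you would call on a real dump.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440           # bytes 0..439: boot code (the area a bootkit replaces)
DISK_SIG_OFFSET = 440         # 4-byte Windows disk signature
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def build_sample_mbr():
    """Construct a synthetic 512-byte MBR for demonstration only (not a real dump).

    The boot-code area is filled with NOPs, one NTFS partition entry is set,
    and the 0x55AA boot signature is placed at offset 510.
    """
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:BOOT_CODE_END] = b"\x90" * BOOT_CODE_END                    # constructed boot code
    mbr[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4] = b"\x12\x34\x56\x78"     # constructed disk signature
    # Entry 0: bootable (0x80), CHS fields, type 0x07 (NTFS), LBA start 2048, 1,000,000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(data):
    """Parse a raw 512-byte MBR dump (the mbr.bin produced by dd) into a dict.

    Raises ValueError if the dump is not exactly one sector long, which is the
    first thing to check when a dd run was interrupted or the USB stick was
    pulled before the write was flushed.
    """
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", data[off:off + 16])
        if ptype == 0:  # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    disk_sig = struct.unpack("<I", data[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0]
    return {
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
        "disk_signature": "%08x" % disk_sig,
        "partitions": partitions,
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_END]).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),  # hash to look up on VirusTotal
    }


def boot_code_changed(dump, reference):
    """True if the boot-code area differs between two dumps (today's dump versus
    one taken when the machine was known clean). The partition table and disk
    signature are ignored because a bootkit normally leaves them untouched."""
    return dump[:BOOT_CODE_END] != reference[:BOOT_CODE_END]


def load_and_report(path):
    """Read an mbr.bin from disk and print a short summary; returns the parsed dict."""
    with open(path, "rb") as fh:
        info = parse_mbr(fh.read())
    print(f"SHA-256 (look up / submit on VirusTotal): {info['sha256']}")
    print(f"boot signature present: {info['signature_ok']}")
    for p in info["partitions"]:
        print(f"  partition {p['index']}: type 0x{p['type']:02x} start {p['lba_start']} "
              f"sectors {p['sectors']} bootable={p['bootable']}")
    return info


if __name__ == "__main__":
    clean = build_sample_mbr()
    tampered = bytearray(clean)
    tampered[0x10:0x14] = b"\xe8\x00\x00\x00"  # constructed: patch 4 bytes of boot code
    print(parse_mbr(clean)["partitions"])
    print("boot code changed:", boot_code_changed(bytes(tampered), clean))
    # On a real dump: load_and_report("mbr.bin")
```

Run `load_and_report("mbr.bin")` on the file copied off the USB stick; the file hash it prints is what VirusTotal keys its reports on, so you can check for an existing verdict before uploading anything. Keeping one dump per machine from a known-clean state lets `boot_code_changed` flag a modified MBR even when scanners do not yet detect the variant.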


#3 JoshuaJ

  • Topic Starter

Posted 15 July 2011 - 01:10 PM

Here it is. BTW it's necessary to either cleanly unmount the usb drive or shutdown the computer before removing it or the changes aren't actually written to disk.

Also - I had to rename this as .zip, but it's actually .rar. I'm not sure what the reasoning behind allowing one and not the other is, but c'est la vie.

Thanks for your help on this!

Attached Files

  • mbr.zip (552 bytes)


#4 JoshuaJ

  • Topic Starter

Posted 15 July 2011 - 01:39 PM

Ah-hah. Now I think I might be on to something. MBAM detected some files that appeared to be unrelated, but a couple of the engines in virustotal think it's sinowal.

http://www.virustotal.com/file-scan/report.html?id=b50f957d92709cdf3933ae292e488774aa9aa95e9933aeffbb1af368693801d7-1310751927

I still think this could be a new variant due to the high incidence of false negatives (62.8%)

Now I just need to figure out if mebroot is still there.

#5 JoshuaJ

  • Topic Starter

Posted 15 July 2011 - 01:41 PM

Wow. So, the two infected files that I found are still present after cleaning with MBAM. Right-click delete sends them to the recycle bin and less than a second later they're back. There's 10 copies of each in the bin at present. Crazy stuff.

#6 Elise


Posted 15 July 2011 - 02:15 PM

Could you please post me the MBAM log?

regards, Elise



#7 JoshuaJ

  • Topic Starter

Posted 15 July 2011 - 03:18 PM

Unfortunately I haven't got it and I'm about to leave work for a week long vacation. I've sent copies of the infected files to Eset so hopefully we'll see some updated definitions soon.

#8 Elise


Posted 15 July 2011 - 04:02 PM

If they are MBR rootkit related, I doubt it, I have sent ESET quite some MBR samples, but still haven't noticed a change in detection.

I hope you enjoy your vacation! :)

regards, Elise



#9 Elise


Posted 24 July 2011 - 04:58 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise
