Bootkit


13 replies to this topic

#1 jinaragunlark


Posted 16 September 2014 - 07:05 PM

Hello,

So I've been having issues with a hacker giving me the Mebromi trojan. It comes in the form of a Windows update that forces my computer to install it. This is probably the 6th time it's happened and I've finally figured out what's going on.

The only solution is for me to DBAN my system, which takes about 18 hours.

Here are my questions:

1) Does anyone know of a shorter DBAN process? I don't care about the files, just the MBR being clean.

2) How do I hide my system so that his server or whatever cannot keep sending it to my computer? This has happened over 4 different networks, so he's somehow tracking me and then forcefully infecting my system.

3) How can I activate Malwarebytes once his software has disabled it? When his program turns it off, that's how I can tell I'm infected.


Edited by hamluis, 16 September 2014 - 07:10 PM.
Moved from Win 7 to Gen Security - Hamluis.




#2 Crazy Cat


Posted 16 September 2014 - 10:48 PM

So I've been having issues with a hacker giving me the Mebromi trojan. It comes in the form of a Windows update that forces my computer to install it. This is probably the 6th time it's happened and I've finally figured out what's going on.

Trojan.Mebromi.B Reference: http://www.symantec.com/security_response/writeup.jsp?docid=2012-061210-3452-99&tabid=2

When the Trojan is executed, it may copy itself to the following location: %SystemDrive%\RECYCLER\[RANDOM NUMBER].tmp
Next, the Trojan deletes the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win
The Trojan then accesses the BIOS information of the compromised computer. If the BIOS is an Award BIOS and the BIOS is not already infected, the Trojan attempts to infect the BIOS by creating the following file: C:\bios.bin
Next, the Trojan connects to the following remote location:
hxxp://222.169.224.229/zjb/HHN0912/01/svchs

Trojan.Mebromi Reference: http://www.symantec.com/security_response/writeup.jsp?docid=2011-090609-4557-99&tabid=2
When the Trojan is executed, it drops the following file: %Temp%\cbrom
The above file is a tool that is used by the Trojan to check the status of the BIOS. If it is an Award BIOS and it has not been infected, the Trojan creates and executes the following file, which infects the BIOS: C:\bios.bin
Next, the Trojan infects the Master Boot Record (MBR).
Note: If the tool determines that the computer is not running an Award BIOS, it does not infect the BIOS and only infects the MBR.
The Trojan then infects the following files, depending on the operating system: %System%\winlogon.exe (if the operating system is Windows XP or 2003) %System%\winnt.exe (if the operating system is Win2000)
The Trojan then drops and executes the following file: C:\my.sys
Next, it downloads a file from the following location:
hxxp://dh.3515.info:806/test/91/calc
The file is saved to the following location and executed: C:\calc.exe
 

The only solution is for me to DBAN my system, which takes about 18 hours. 1) Does anyone know of a shorter DBAN process? I don't care about the files, just the MBR being clean.

DBAN Free does not find and wipe 'Remapped sectors and hidden areas' so the trojan can hide there.

DiskPart. http://ss64.com/nt/diskpart.html

CLEAN [ALL] (remove all partition and volume info from the hard drive)

The diskpart commands may be placed in a text file (one command per line) and used as an input file to diskpart.exe: DiskPart.exe < myscript.txt

Example of myscript.txt
REM Wipes every sector of disk 0, destroying all data on it; check the disk number first with LIST DISK
SELECT DISK=0
CLEAN ALL
EXIT
Alternatively, KillDisk Windows Suite v.9 with single pass.

http://www.killdisk.com/downloadfree.htm
http://www.killdisk.com/screen.htm#win

5.3.2 DOS Command Line Mode. http://www.killdisk.com/commandline.htm

2) How do I hide my system so that his server or whatever cannot keep sending it to my computer? This has happened over 4 different networks, so he's somehow tracking me and then forcefully infecting my system.

Because your BIOS and MBR are infected.

Edited by Crazy Cat, 16 September 2014 - 10:54 PM.

 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#3 jinaragunlark


Posted 17 September 2014 - 12:29 AM

Good god, I love you. It took me a few months to figure out it was the Mebromi trojan, in which I called up iBuyPower to see if they can give me the latest BIOS to flash it (it would be nice to update it, anyways). They couldn't help at first, but I'm glad that I was right in assuming it was the Mebromi.

 

DBAN seemed to work decently enough once I was taught what it was. Today might have been a false alarm, but I managed to use a system restore to rewind the terrible updates. Now, whether or not everything is at risk.... we shall see. I expect it is. If that is so, I'll use one of those two that you suggested.

 

Would flashing the BIOS solve that if it is indeed infected?

 

Also: thank you soooo much for your quick, comprehensive reply.


Edited by jinaragunlark, 17 September 2014 - 12:29 AM.


#4 1PW


Posted 17 September 2014 - 09:00 AM

Hello jinaragunlark:
 
Only referencing your Malwarebytes Anti-Malware (MBAM):
 
1. In the past, have you checked/ticked the "Enable self-protection module" feature? This may help prevent malware from stopping MBAM's protections.
 
Reference: Malwarebytes Anti-Malware Users Guide - Advanced Settings

2. I have requested immediate blocks for the IP address and URL referenced above (post #2) in hpHosts and hence MBAM's Malicious Website Protection module.

HTH :)


Edited by 1PW, 17 September 2014 - 09:02 AM.

All viruses are malware but not all malware are viruses and if the malware doesn't self replicate it just isn't a virus.


#5 jinaragunlark


Posted 17 September 2014 - 12:54 PM

1. In the past, have you checked/ticked the "Enable self-protection module" feature? This may help prevent malware from stopping MBAM's protections.
 

That's a negative. I never knew this feature existed! I've turned it on for this PC and I'll definitely do that for when I reinstall the next time.

 

 

2. I have requested immediate blocks for the IP address and URL referenced above (post #2) in hpHosts and hence MBAM's Malicious Website Protection module.
 

How do I go about doing that?



#6 1PW


Posted 17 September 2014 - 01:53 PM

Hello jinaragunlark:

 

As long as you do not deliberately disable MBAM's Malicious Website Protection module (default is enabled), you are now protected from those addresses.

 

The IP address (generously supplied by your new best friend Crazy Cat) and the URL (which resolves to 81.17.22.23) are now blocked by MBAM's Malicious Website Protection module through database updates about five hours ago.

 

Verification may safely be made by simply trying to ping either on a system with an updated Malwarebytes Anti-Malware Professional, Premium or Trial versions.

 

For those folks not using the paid version of MBAM, their recent update of hpHosts very likely has those entries now.

 

Out of curiosity, please very briefly document the exact application, and its error output, that enabled you to identify your malware as specifically the Trojan.Mebromi - Thank you.

 

HTH :)


Edited by 1PW, 17 September 2014 - 02:41 PM.



#7 jinaragunlark


Posted 17 September 2014 - 02:51 PM

Thanks!

 

It was actually just my sleuth skills that allowed me to identify it. I've been fighting the same issue since June and have reformatted about 20 times and DBAN'd about 5. I just kept paying attention and figuring things out with a little bit of research.



#8 1PW


Posted 17 September 2014 - 04:13 PM

Hello jinaragunlark:

 

I also read your other BC post back in August: http://www.bleepingcomputer.com/forums/t/544165/trojanmebromi/#entry3446156

 

Has any specific anti-virus, anti-malware, anti-rootkit application identified your symptoms as Trojan.Mebromi since the above?

 

Have you found any traces of the residual tell-tale files or Windows registry changes mentioned in other Internet sources? Has your computer's Award BIOS been verifiably altered?

 

The reason I'm asking is if all mainline, legitimate, Malware Removal vendors are to treat Trojan.Mebromi (or a variant) as if it's back in the wild, we will need to document this with verifiable evidence.

 

Thank you. :)




#9 jinaragunlark


Posted 17 September 2014 - 04:30 PM

Unfortunately, I didn't do anything. I thought I was one of the only few who ever knew about it, haha.

 

So to answer the questions, no. The only way I knew is through repeated symptoms and logic, and some help from you guys.

 

What's frustrating is how well it hides from every single detector I've used. It's a very clever and very nasty piece of work.

 

I'll be sure to keep this thread in mind and if it happens again, I'll document all the above things.



#10 Crazy Cat


Posted 17 September 2014 - 08:27 PM

Good god, I love you. It took me a few months to figure out it was the Mebromi trojan, in which I called up iBuyPower to see if they can give me the latest BIOS to flash it (it would be nice to update it, anyways). They couldn't help at first, but I'm glad that I was right in assuming it was the Mebromi.
 
DBAN seemed to work decently enough once I was taught what it was. Today might have been a false alarm, but I managed to use a system restore to rewind the terrible updates. Now, whether or not everything is at risk.... we shall see. I expect it is. If that is so, I'll use one of those two that you suggested.
 
Would flashing the BIOS solve that if it is indeed infected?
 

As 1PW has already pointed out, you should confirm that the 'Mebromi trojan' is the culprit, before you flash the bios.

Open a command prompt window, and run this command.
systeminfo
It will show your current BIOS, or use the hardware apps here http://www.bleepingcomputer.com/download/windows/hardware-reporters/

Flashing the BIOS incorrectly will render your PC useless, so unless you're absolutely 100% sure it's the 'Mebromi trojan', or you just want to update your current BIOS, make sure THAT you have the correct manufacturer BIOS for your PC. I can't stress this enough!

Also download these ISO and burn to CD/DVD.

http://partedmagic.com/ | http://partedmagic.com/screenshots/

http://www.ultimatebootcd.com/ Scroll down webpage to see: tools currently included with the Ultimate Boot CD.

Also: thank you soooo much for your quick, comprehensive reply.

You're welcome.
 



#11 jinaragunlark


Posted 17 September 2014 - 10:07 PM


 

 

Flashing the BIOS incorrectly will render your PC useless, so unless you're absolutely 100% sure it's the 'Mebromi trojan', or you just want to update your current BIOS, make sure THAT you have the correct manufacturer BIOS for your PC. I can't stress this enough!

Yeah, I'm being cautious with that. I was talking to iBuyPower today and they're going to reset the CMOS and flash/update the BIOS for me so that, one, it's done correctly, and two, I don't void my warranty.
 



#12 jinaragunlark


Posted 25 September 2014 - 09:44 PM

 

Good god, I love you. It took me a few months to figure out it was the Mebromi trojan, in which I called up iBuyPower to see if they can give me the latest BIOS to flash it (it would be nice to update it, anyways). They couldn't help at first, but I'm glad that I was right in assuming it was the Mebromi.
 
DBAN seemed to work decently enough once I was taught what it was. Today might have been a false alarm, but I managed to use a system restore to rewind the terrible updates. Now, whether or not everything is at risk.... we shall see. I expect it is. If that is so, I'll use one of those two that you suggested.
 
Would flashing the BIOS solve that if it is indeed infected?
 

As 1PW has already pointed out, you should confirm that the 'Mebromi trojan' is the culprit, before you flash the bios.

Open a command prompt window, and run this command.
systeminfo
It will show your current BIOS, or use the hardware apps here http://www.bleepingcomputer.com/download/windows/hardware-reporters/

Flashing the BIOS incorrectly will render your PC useless, so unless you're absolutely 100% sure it's the 'Mebromi trojan', or you just want to update your current BIOS, make sure THAT you have the correct manufacturer BIOS for your PC. I can't stress this enough!

Also download these ISO and burn to CD/DVD.

http://partedmagic.com/ | http://partedmagic.com/screenshots/

http://www.ultimatebootcd.com/ Scroll down webpage to see: tools currently included with the Ultimate Boot CD.

 

 

Good news (except for me :c) everyone! My primary PC has become infected once more. Before I send it off to the manufacturer for various repairs, what would you all like me to do to confirm the presence of Mebromi, or the variation thereof?



#13 1PW


Posted 25 September 2014 - 10:46 PM

Hello jinaragunlark:

In going back through all of this, IMHO your best advice was given in http://www.bleepingcomputer.com/forums/t/544165/trojanmebromi/#entry3446803.

HTH :)


Edited by 1PW, 25 September 2014 - 10:46 PM.



#14 Crazy Cat


Posted 26 September 2014 - 04:42 AM

Good news (except for me :c) everyone! My primary PC has become infected once more. Before I send it off to the manufacturer for various repairs, what would you all like me to do to confirm the presence of Mebromi, or the variation thereof?

(1) Download and save, HDHacker.exe from https://www.raymond.cc/blog/5-free-tools-to-backup-and-restore-master-boot-record-mbr/

Save 'Boot Sector' & 'MBR' to your hard drive, or USB.

Read sector from Disk > Save sector to File.

 
(2) Download and save, CMOSsave/CMOSrest 4.6 Build 9325. http://www.softpedia.com/get/System/System-Miscellaneous/CMOS-save-CMOSrest.shtml files...

cmoschk.com
CMOSSAVE.COM
CMOSREST.COM

Save your CMOS to hard drive.
CMOSSAVE.COM cmosback.sav
See if OK, i.e. unchanged since the last CMOSSave.
CMOSCHK.COM cmosback.sav
Once you have the 'CMOS' + 'Boot Sector' + 'MBR' saved to your hard drive (or USB) you can analyse for changes.

Now, if you keep getting reinfected, it may be a .doc, .pdf, whatever, that is infected?

Edited by Crazy Cat, 26 September 2014 - 04:43 AM.

 

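As an added example (not from the thread and not part of any of the tools linked above), the "analyse for changes" step from post #14 for the saved MBR: a small Python script that compares a known-good 512-byte MBR dump with a freshly read one and reports whether the boot-code region or the partition table differs. It assumes both inputs are raw 512-byte sector files; the sample images are constructed inline, and the baseline should be taken right after a clean install, since a legitimate reinstall also rewrites the boot code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_END = 446    # bytes 0..445: boot code, the part a bootkit rewrites
PART_TABLE_OFF = 446   # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510    # the sector ends in 0x55 0xAA


def load_sector(path: str) -> bytes:
    """Read a raw 512-byte dump such as one saved by an MBR backup tool (raw format assumed)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, four partition entries and a signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_END]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xaa",
    }


def diff_mbr(baseline: bytes, current: bytes) -> dict:
    """Compare a known-good saved MBR with a freshly read one and report what changed."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    return {
        "bootstrap_changed": old["bootstrap_sha256"] != new["bootstrap_sha256"],
        "bootstrap_changed_offsets": [i for i in range(BOOTSTRAP_END) if baseline[i] != current[i]],
        "partitions_changed": [i for i in range(4) if old["partitions"][i] != new["partitions"][i]],
        "signature_ok": new["signature_ok"],
    }


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed test image: given boot code, one active type-0x07 partition, valid signature."""
    code = bootstrap.ljust(BOOTSTRAP_END, b"\x00")
    part0 = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return code + part0 + bytes(48) + b"\x55\xaa"


# Constructed samples: the "current" image has altered boot code but an untouched partition
# table, the pattern to expect from boot-code tampering rather than from repartitioning.
SAVED_MBR = build_sample_mbr(b"\xeb\x63\x90" + bytes(10))
CURRENT_MBR = build_sample_mbr(b"\xeb\x63\x90" + b"\x41" * 10)

if __name__ == "__main__":
    # Real use: diff_mbr(load_sector("mbr_after_clean_install.bin"), load_sector("mbr_now.bin"))
    print(diff_mbr(SAVED_MBR, CURRENT_MBR))
```

A changed boot-code region with an unchanged partition table is the result worth following up; changed partition entries alone usually mean a repartition or reinstall happened in between.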




