« October 2010 Windows Update Release | Main | November 2010 Security Update Release Targets Fake Security Programs »

Alureon Bootkit Trojan - Crossing the 64 bit Barrier

There is a very prevalent rootkit (hidden malicious program) that has been infecting Windows computers for quite some time now. The general name the Microsoft Malware Protection Center has assigned to this for-profit motivated threat family is Alureon.

 The primary symptom of infection is browser redirects - this means that your search results will take You to sites other than the ones they should normally resolve to. Security companies and researchers have a variety of names for this malicious program - while Microsoft refers to it as Alureon,  some call it TDSS, some call it TDL#x where x represents the # of the variant that's detected.  The most advanced and most insidious variant of this infection is called TDL4.  However, many if not most malware researchers have resisted calling it TDL4, and still consider it to TDL3, because it's infection cycle has too much in common with its TDL3 predecessor to be labeled as a completely new variant. 

Over time, this rookit has progressively gotten more and more crafty and it is now more difficult to detect and remove than it was previously because it began to infect the Master Boot Record (MBR) on an infected computer, making it technically a Bootkit.  The MBR code is what enables your computer to boot up when your start it, and if it is corrupted your computer may not boot at all.  Because it is so vital to the functioning of a Windows-based computer, Microsoft has provided Windows users with recovery commands that run from the Windows Recovery Environment, to replace the MBR with default Windows code appropriate to the Windows operating system that's installed.

More recently, in early August 2010, a new Alureon TDL variant that displayed the ability to infect Vista and Windows 7 64 bit based computers emerged.

This was a very unsettling but significant development, because very strict security measures that were integrated into  64 bit versions of  Vista and Windows 7 (Patchguard and very stringent driver signing requirements) had to be bypassed to allow this to happen!

However, it's important to note, the infection can only compromise a 64 bit Windows 7 or Vista system,  if  User Account Control (UAC) is turned OFF or if the user casually approves the malicious action.  Since UAC is ON by default, a user would either have to intentionally disable it, or approve a questionable action initiated by malware (if it was ON), thereby leaving themselves vulnerable to this type of exploit.  When a user's behavior helps usher in a threat in this manner, the infection is said to rely upon "social engineering" techniques to compromise a system! Though this rootkit also infects 32 bit operating systems, it does so without initiating the automatic reboot that's required for it to circumvent the 64 bit operating system kernel safeguards.  On 64 bit systems, this random reboot may serve as a small clue that something is amiss.

You can determine if your infected by opening Disk Management feature of the Microsoft Computer Management Console.  This can be done very quickly and directly by doing the following::

Click on the Start button -> Choose the Run option and type diskmgmt.msc, and click OK.

If your 64 bit Windows 7 or Vista system is infected by the Alureon Bootkit (rootkit trojan),  your system drive (normally C:) will NOT be visible:

  1. Under the Disk Management functions of the Computer Management Console.

  2. When Diskpart is run with the "list disk" directive to obtain a summary about each fixed disk in the computer.

On a clean system the primary drive is listed as so:

DISKPART> list disk


  Disk ###  Status      Size     Free     Dyn  Gpt

  --------  ----------  -------  -------  ---  ---

  Disk 0    Online       112 GB      0 B

  Disk 1    Online       233 GB      0 B

________________________

On TDL3 X64 Alureon Bootkit infected system Diskpart will return the following, as it does not see the primary drive:

DISKPART>list disk

There are no fixed disks to show.

These are unintentional side effects of this critter that can be used to check whether your system is infected!!

 Though it sounds pretty ominous, the Alureon MBR rootkit trojan can be fixed quite easily by running the fixmbr command at the Command Prompt by either booting to the Recovery Console in Windows XP  , or the Windows Recovery Environment (Windows RE) in Windows Vista or Windows 7 through bootrec (Boot Recovery):

In Windows XP - the command to issue is:

fixmbr

In Windows 7 and Vista - the command to issue is:

 bootrec.exe /fixmbr


This Windows 7 Themes tutorial explains exactly how to access and use the Windows 7 recovery options to repair the MBR via the Command Prompt:
http://windows7themes.net/how-to-fix-mbr-in-windows-7.html

This Bleeping Computer tutorial explains how to access  the Command Prompt from the Windows Vista Recovery Environment,after which fixmbr must be run:
http://www.bleepingcomputer.com/tutorials/tutorial147.html

 I recommend backing up your MBR, in the interest of being "safe rather than sorry" - so you can restore an original copy of that essential code, in the event your computer's MBR should become corrupted.

You may rightly ask, "Why is it necessary to back-up my computer's MBR, if it's so easy to repair it, by simply running the Fixmbr command?"  That's a very good question, I would reply and now I'll elaborate on my response.

The reason it is better to repair a corrupted MBR by restoring it with a backup of the original is because your MBR may contain customized code that your Computer Manufacturer placed there to enable you to access your computer's recovery and restore options. 

 Many original equipment manufacturers (OEMs) have adopted the practice of not including Windows installation media (DVDs )when you purchase a computer from them, because they install a recovery partition instead.  Booting to the recovery partition (rather than booting to the Windows DVD), is how you enter to the Windows Recovery Environment.  Dell and Hewlett Packard (HP) are two major computer manufacturers, among others, that install recovery/restore partitions rather than providing Windows installation disks.  

If you use the fixmbr command it overwrites the MBR with default Windows code.  If the MBR contained proprietary OEM MBR code that enabled your computer to access the recovery partition, then you will lose the ability to access your computer's recovery partition after using the fixmbr command.  That's why restoring your MBR from an original backup is preferable.

There are several programs that enable you to back up your MBR very easily and I will name a couple I've tested.  One of these programs, MBRCheck, can also detect whether your computer's MBR is infected, and if it is, it can restore it with default Windows MBR code.

It's important to backup your MBR not just to your computer's primary hard drive but to a alternate media, such as a  CDROM so it can be accessed even if your system becomes unbootable.

Preventative Protection:

Tools to Backup and Restore the MBR

1. MBRCheck by AD


MBRCheck is a tool created by AD aka Ad13, the author of RootRepeal an excellent AntiRootkit detector.

MBRCheck does the following when it is run (without command line switches)

  1. Checks the MBR for non-standard Code
  2. Creates a log
  3. Backs up (dumps) the MBR
  4. Gives you the option to restore the  MBR (with a default Windows MBR) if your computer's MBR is found to be "non-standard"

Help File listing of MBRCheck commands:

MBRCheckHelp.jpg

To check the MBR of your Primary Drive for MBR modification:

Type MBRCheck and hit Enter

This will invoke MBRCheck  to execute with this default command line:

-s 0 -d dump.dat

This causes the system drive MBR to be dumped to a file called dump.dat and it also produces a log

MBRCheckCMDWindow.jpg

The MBRCheck log is created in the folder where the MBRCheck executable resides (here the Desktop) 

 After the identifying header information the log lists:  loaded kernel drivers, running processes, and it tells You that it has dumped the MBR in a file called dump.dat:

 The following text is excerpted from a MBRCheck log (driver and process list has been truncated):

 MBRCheck, version 1.2.3(c) 2010, AD

Command-line:            -s 0 -d dump.dat
Windows Version:        Windows Vista Home Premium Edition
Windows Information:        Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer:    Dell Inc.
BIOS Manufacturer:        Dell Inc.
System Manufacturer:        Dell Inc.
System Product Name:        MXC062
Logical Drives Mask:        0x0000001c

Kernel Drivers (total 183):
  0x8204A000 \SystemRoot\system32\ntkrnlpa.exe
  0x82017000 \SystemRoot\system32\hal.dll
 
Processes (total 61):
       0 System Idle Process
       4 System
     684 C:\Windows\System32\smss.exe
     800 csrss.exe
 
Dumping \\.\PhysicalDrive0 to dump.dat...
Dumped successfully!

Just as the MBRCheck says - the MBR has been "dumped" to a file called dump.dat on the Desktop

Backing up the MBRCheck is that EASY!!

Restoring the MBR with MBRCheck

 If MBRCheck returns the following notification:

 Found non-standard or infected MBR

You'll be prompted to hit Y (yes) to be presented with these "Additional Options"

[1] Dump the MBR of a physical disk to file
[2] Restore the MBR of a physical disk with a standard boot code
[3] Exit   
Choosing option [2] presents the following list of operating systems:

[ 0] Default (Windows Vista)

[ 1] Windows XP

[ 2] Windows Server 2003

[ 3] Windows Vista

[ 4] Windows 2008

[ 5] Windows 7

[-1] Cancel

Choosing "0" instructs  MBRCheck to overwrite your MBR with a default Windows MBR for your installed operating system  (here Vista) upon reboot.

Do you want to fix the MBR code?  Type 'YES' and hit ENTER to continue: yes

Successfully wrote new MBR code!

Please reboot your computer to complete the fix

2. HDHacker by Dimio

To Backup the MBR:

Select the settings pictured in the image below:

Under the "Read Commands" section:

Click the "Read Sector from Disk" button, and the sector image for MBR HardDisk0 will be displayed in the window.

Under the "Write Commands" section:

Select the "Save sector to file" button and by default, your MBR will be saved to the following file within the HDHacker folder:

MBR_HardDisk0.dat

To Restore the MBR (from MBR_HardDisk0.dat):

Select the settings pictured in the image below:

Under the "Read Commands" section:

Click the "Load Sector from File" button, and the sector image for MBR HardDisk0.dat will be displayed in the window.

Under the "Write Commands" section:

Select the "Write Sector on Disk" button and by default,  the backed up MBR,

MBR HardDisk0.dat, will overwrite the MBR on the Logical DriveC:

HDHackerGUI.JPG

3. Mbr.exe by Gmer

Gmer's mbr.exe is a versatile and effective command line tool that can detect and repair a TDL infected MBR on all Windows platforms including the 64 bit versions of Windows.  Mbr.exe can also back-up the MBR, so it is one of the most comprehensive and valuable programs to have when dealing with the MBR Bootkit.

Download mbr.exe to your desktop.

Open a Command Prompt (elevated in Vista and Windows 7) and issue the following command to view the mbr.exe help listing of available switches and their output:

%userprofile%\desktop\mbr.exe -h

Help Listing:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net

Usage: mbr.exe [options]

  -f                                          - fix mbr

  -c start_sector size_in_sectors filename    - copy selected sectors to file

  -t                                          - trace called modules

  -k                                          - list all disk devices

  -dPHYSICALDRIVE                             - set physical drive numer

  -l logfile                                  - specify log filename

  -s                                          - disassembly unknown hookers

  -u                                          - unload driver


samples of usage:


  mbr.exe -c 0 1 copy_of_sector_00

  mbr.exe -c 0x3fdc80 0x1ca copy_of_mbr_rk

  mbr.exe -d0 -t

To have mbr.exe check your MBR for bootkit Infection:

Open a Command Prompt (elevated in Vista and Windows 7) and issue the following command from your desktop:

"%userprofile%\desktop\mbr.exe" -t

A log is produced called mbr.log (in the same folder as mbr.exe)

If your MBR is clean the mbr.log will look like this:

C:\>%userprofile%\desktop\mbr.exe -t

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net

Windows 6.0.6002 Disk: TOSHIBA_MK1234GSX rev.AH001D -> \Device\Ide\IdeDeviceP0T0L0-0

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe hal.dll CLASSPNP.SYS disk.sys acpi.sys dxgkrnl.sys

igdkmd32.sys watchdog.sys win32k.sys win32k.sys

1 ntkrnlpa!IofCallDriver[0x82080962] -> \Device\Harddisk0\DR0[0x873ED640]

3 CLASSPNP[0x82FA68B3] -> ntkrnlpa!IofCallDriver[0x82080962] -> [0x845F0F08]

kernel: MBR read successfully

user & kernel MBR OK

If your MBR is infected with MBR Bootkit TDL3 variant of Alureon, one of the disk drive controllers will be hooked and show up as "UNKNOWN" in the called module listing.  In this instance, the hooked driver is needs to be identified by running a more in depth Anti-Rootkit Program (such as Gmer Anti-Rootkit, or Rootkit Unhooker with "Code Sections" or "Code Hooks" scanning enabled.

________________________________

TDL3 infection is detected by running mbr.exe with the -s switch (to disassemble code for unknown hookers):

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS726060M9AT00 rev.MH4OA6EA -> \Device\Ide\IdePort0

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86A9DEC5]<<  
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x86344872; SUB DWORD [EBP-0x4], 0x8634412e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x87785AB8]
3 CLASSPNP[0xF786EFD7] -> nt!IofCallDriver[0x804E37D5] -> [0x87506930]
[0x86974CA8] -> IRP_MJ_CREATE -> 0x86A9DEC5
kernel: MBR read successfully
_asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; }
detected hooks:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHTS726060M9AT00_________________________MH4OA6EA#5&17ce0675&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
\Driver\atapi DriverStartIo -> 0x86A9DAEA
user & kernel MBR OK
sectors 117210238 (+255): user != kernel
Warning: possible TDL3 rootkit infection !  <=====

Filesystem trace:
called modules: ntoskrnl.exe hal.dll fltmgr.sys Ntfs.sys
1 nt!IofCallDriver[0x804E37D5] -> [0x8772C250]
3 fltmgr[0xF77435C8] -> nt!IofCallDriver[0x804E37D5] -> [0x8778F020]
5 nt[0x80567F6C] -> nt!IofCallDriver[0x804E37D5] -> [0x8772C250]
7 fltmgr[0xF7736FB5] -> nt!IofCallDriver[0x804E37D5] -> [0x8778F020]

Registry trace:
called modules: ntoskrnl.exe hal.dll
______________________________

TDL4 infected MBR is exposed by running mbr.exe with the -s switch:

C:\>"%userprofile%\desktop\mbr.exe" -s

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST360015A rev.3.33 -> \Device\Ide\IdePort0

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83B49446]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x83b4f504]; MOV EAX, [0x83b4f580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x83B62AB8]

3 CLASSPNP[0xF756FFD7] -> nt!IofCallDriver[0x804E37D5] -> [0x83B3F300]

\Driver\atapi[0x83B7AD10] -> IRP_MJ_CREATE -> 0x83B49446

kernel: MBR read successfully

detected hooks:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST360015A_______________________________3.33____#4b333143394a4241202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

\Driver\atapi DriverStartIo -> 0x83B49292

user != kernel MBR !!!   <====

sectors 117231406 (+230): user != kernel

Warning: possible TDL4 rootkit infection !   <====

TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

 ============================================

To have mbr.exe fix a TDL4 infected MBR issue the following command:

 %userprofile%\desktop\mbr.exe -f

 To have mbr.exe backup your MBR,

Issue this command at the Comand Prompt:

%userprofile%\desktop\mbr.exe -c 0 1 mbr-backup.dat

And a copy of the MBR will be placed in the file: mbr-backup.dat on your Desktop.

 

 4. MBR Backup by Mischel Internet Security

To Back up the MBR select: "Save MBR...."

The MBR is saved to a BIN file with this format:

MBR_<yyyy-month-day>.bin

To Restore the MBR select: "Restore MBR...."

To Print the MBR select: "Print MBR"

MBRBackupPic.jpg

 Detecting and removing the MBR rootkit infection

(including repairing the MBR)

If you are infected or are experiencing the symptoms of TDSS (Alureon, TDSS, TDL3, TDL4) infection,  then TDSSKiller by Kaspersky Labs can:

1. Scan your system for TDSS infection

2. Clean the infection

3. Replace the infected MBR with a clean default Windows copy

4. Produce a Scan Report

 

TDSSKiller Specifically targets (Detects and Cleans) ALL variants of the Alureon bootkit trojan (TDSS ) on 32 bit and 64 bit Windows Systems

TDSKillerStart.jpg

If You are infected with the Alureon Bootkit:

Here are my recommendations:

  1.  Scan with TDSSKiller and Cure or Remove Malicious objects as advised by TDSSKiller's default action.

  2. If TDSSKiller says you're infected with TDL4 - You will see this in your TDSSKiller Log:

    2010/11/06 16:11:04.0265 Detected object count: 1

    2010/11/06 16:11:23.0281 \HardDisk0 - will be cured after reboot

    2010/11/06 16:11:23.0281 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

    If you have TDL4, AND You have a clean, pre-infection MBR Backup:

    • Backup the default Windows MBR that TDSSKiller overwrote the infected one with (this is a safety measure).

    • Then, replace the Windows default MBR that TDSSKiller installed with your original MBR (uninfected) Backup

  3. Scan with the Malicious Software Removal Tool

  4.  Scan with Malwarebytes' Antimalware

  5. Perform a complete system scan with one of the following online scanners using Internet Explorer as your browser:

 

TrackBack

TrackBack URL for this entry:
http://secure-computer-solutions.com/blog-mt/mt-tb.fcgi/14


Hosting by Yahoo!

Comments

I come from milan, I was luck to come cross your website in google.

I have been to this blog before but this is probably the best posts yet. keep it up!

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)