It is that time of the year again to start anew. In terms of personal computers, the act of restarting the machine is called a reboot – an action that triggers execution of code from a special part of the disk called the Master Boot Record (a.k.a. MBR). As the year 2010 ended, I looked at some of the threats targeting the MBR.

Microsoft TechNet has this to say about the MBR:

“The MBR, the most important data structure on the disk, is created when the disk is partitioned. The MBR contains a small amount of executable code called the master boot code, the disk signature, and the partition table for the disk. At the end of the MBR is a 2-byte structure called a signature word or end of sector marker, which is always set to 0x55AA.”
...
“The master boot code performs the following activities:
1. Scans the partition table for the active partition.
2. Finds the starting sector of the active partition.
3. Loads a copy of the boot sector from the active partition into memory.
4. Transfers control to the executable code in the boot sector.”
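As an added example (not code from the original post or from Microsoft), here is a small Python parser for the sector layout quoted above, together with the check a responder actually wants: compare the 440-byte boot code region against a known-good copy, since that is the part a bootkit must rewrite while the disk signature and partition table may change legitimately. All sample bytes are constructed; the partition entry, disk signature and stub boot code are placeholders.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # master boot code occupies bytes 0..439
DISK_SIG_OFFSET = 440      # 4-byte disk signature follows the boot code
PART_TABLE_OFFSET = 446    # four 16-byte partition entries
END_MARKER_OFFSET = 510    # end-of-sector marker 0x55AA, stored as bytes 55 AA

def parse_mbr(sector):
    """Decode the layout quoted above: boot code, disk signature, partition table, marker."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[END_MARKER_OFFSET:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA end-of-sector marker")
    partitions = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i)
        partitions.append({"active": bool(status & 0x80), "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
            "partitions": partitions}

def find_active_partition(mbr):
    """Steps 1 and 2 of the master boot code: the active entry's starting sector, or None."""
    for part in mbr["partitions"]:
        if part["active"]:
            return part["lba_start"]
    return None

def boot_code_changed(sector, baseline_sector):
    """Compare only the 440-byte boot code with a known-good copy. The disk signature
    and partition table change legitimately; a bootkit taking over the MBR must rewrite
    the boot code, so a difference here is what to investigate."""
    return sector[:BOOT_CODE_LEN] != baseline_sector[:BOOT_CODE_LEN]

def build_sample_mbr(boot_stub):
    """Constructed sector, not real disk data: stub padded to 440 bytes, a fixed disk
    signature and one active type-0x07 partition starting at LBA 63."""
    code = boot_stub.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 1_000_000)
    return code + struct.pack("<I", 0x12345678) + b"\x00\x00" + entry + b"\x00" * 48 + b"\x55\xAA"

BASELINE_MBR = build_sample_mbr(b"\xEB\xFE")          # jmp $: harmless placeholder stub
TAMPERED_MBR = build_sample_mbr(b"\x90\x90\xEB\xFC")  # a different stub, standing in for rewritten code
```

On a live system the baseline would be a copy of sector 0 taken at a known-clean point (or the vendor's boot code), and `boot_code_changed` compared against the current sector 0.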

A quick search in our collection for threats found in the MBR yielded a few malware families based on a subversion technique that’s almost 5 years old. One interesting sample that uses this technique, added to our collection only recently, is detected as Trojan:DOS/Bootroot.

Trojan:DOS/Bootroot is installed by other Windows malware using direct physical disk drive access. Bootroot grabs initial control of the MBR’s boot code. From there, it implements a 3-stage hooking mechanism that follows the normal boot process step by step. This enables the malicious bootkit to ultimately launch another malware component as the operating system loads.

INT 13h Hook

Trojan:DOS/Bootroot hooks BIOS interrupt call INT 13h, which provides Low Level Disk Services. Specifically, function 02h (Read Sectors From Drive) and function 42h (Extended Read Sectors From Drive) are redirected to an Interrupt Service Routine (ISR) that monitors the Windows file OSLOADER.EXE as it is being read from the disk.

Image 1 - Disassembly view of function 02h and 42h hook
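A check a responder can run against a real-mode memory image, as an added example (not from the original post): the BIOS INT 13h handler lives in ROM, so a vector at interrupt table entry 0x13 that points into conventional RAM means something took over the disk interrupt before the operating system loaded, which is what the hook above does. The table contents below are constructed; F000:EC59 and F000:FF53 are the classic IBM BIOS INT 13h entry and IRET stub locations used as a plausible clean baseline.

```python
import struct

IVT_SIZE = 1024                  # 256 vectors of 4 bytes at linear address 0
INT13H_VECTOR_OFFSET = 0x13 * 4  # each vector is offset:segment, little-endian
CONVENTIONAL_RAM_TOP = 0xA0000   # below this is RAM a resident bootkit can occupy
BIOS_ROM_BASE = 0xC0000          # option ROMs and the system BIOS live at or above this

def read_vector(ivt, number):
    """Return (segment, offset, linear address) for interrupt `number` from a 1 KiB IVT dump."""
    if len(ivt) < IVT_SIZE:
        raise ValueError("need the full 1024-byte interrupt vector table")
    offset, segment = struct.unpack_from("<HH", ivt, number * 4)
    return segment, offset, (segment << 4) + offset

def classify_int13h(ivt):
    """Classify where the INT 13h handler lives. The BIOS disk service is in ROM, so a
    vector into conventional RAM means the interrupt was redirected before the OS loaded."""
    segment, offset, linear = read_vector(ivt, 0x13)
    if linear >= BIOS_ROM_BASE:
        verdict = "bios-rom"
    elif linear < CONVENTIONAL_RAM_TOP:
        verdict = "suspicious-conventional-ram"
    else:
        verdict = "video-or-reserved"   # A0000-BFFFF: unusual for a disk handler either way
    return {"segment": segment, "offset": offset, "linear": linear, "verdict": verdict}

def build_sample_ivt(int13h_segment, int13h_offset):
    """Constructed IVT: every vector points at F000:FF53 (the classic IRET stub)
    except INT 13h, which points where the caller asks."""
    table = bytearray(struct.pack("<HH", 0xFF53, 0xF000) * 256)
    struct.pack_into("<HH", table, INT13H_VECTOR_OFFSET, int13h_offset, int13h_segment)
    return bytes(table)

CLEAN_IVT = build_sample_ivt(0xF000, 0xEC59)   # classic BIOS INT 13h entry point
HOOKED_IVT = build_sample_ivt(0x9F00, 0x0000)  # constructed: handler at the top of conventional RAM

if __name__ == "__main__":
    for name, ivt in (("clean", CLEAN_IVT), ("hooked", HOOKED_IVT)):
        r = classify_int13h(ivt)
        print(f"{name}: INT 13h -> {r['segment']:04X}:{r['offset']:04X} "
              f"(linear {r['linear']:05X}) {r['verdict']}")
```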

OSLOADER.EXE Hook

As the disk image of OSLOADER.EXE (the "boot loader" module found inside NTLDR on Microsoft's Windows NT-based systems: Windows NT, Windows 2000, Windows XP and Windows Server 2003) is read, it is patched on the fly with detour code that leads to the malware.

Image 2 - Disassembly view of redirection to the malware

With the patch written, OSLOADER.EXE is interrupted right after its call to the _BlLoadBootDrivers@12 function by a CALL instruction to the malware.

Image 3 - Disassembly view of the CALL instruction to the malware code

The location of the patch is specific to the OSLOADER.EXE found in Microsoft Windows XP. At this point, OSLOADER.EXE has already loaded NTOSKRNL.EXE into memory and has also initialized a data structure called _BlLoaderBlock, from which the base address of the NTOSKRNL.EXE module can be found.

NTOSKRNL.EXE Hook

Once NTOSKRNL.EXE is loaded in memory and its base address is known, the malware locates, by matching custom hashes of the export names, the following set of APIs exported by NTOSKRNL.EXE:

PsGetCurrentProcess (hash: 0x0CE8C3177)
PsCreateSystemThread (hash: 0x0136E47C7)
KeDelayExecutionThread (hash: 0x0CC06CD48)
ZwOpenKey (hash: 0x0D7DF2B50)
ZwSetValueKey (hash: 0x04A2B3584)
ZwCreateFile (hash: 0x025298A1D)
MmMapIoSpace (hash: 0x0FCE7EE0C)
ZwWriteFile (hash: 0x007E3ACF7)
ZwClose (hash: 0x0FD929378)

It then only needs to intercept one of those exported APIs, PsGetCurrentProcess, by placing yet another detour (again a CALL instruction) in it, and to deliver its payload when that API is called after kernel initialization.

Image 4 - Disassembly view of the CALL to the payload
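The detour just described is a CALL written into an exported kernel function, and the corresponding check is to look, in a copy of the export's first bytes, for a near CALL whose target lies outside the owning module. Below is an added Python example of that check (not from the original post); the module range, export address and function bodies are constructed, with the standard hot-patchable Windows prologue used as the clean body.

```python
import struct

CALL_REL32 = 0xE8  # x86 near relative CALL: opcode E8 followed by a signed 32-bit displacement

def find_out_of_module_calls(code, code_va, module_base, module_size):
    """Scan a byte window taken from an exported function for CALLs whose target falls
    outside the owning module. An export's own code calls within its module, so a CALL
    into unowned memory is the detour pattern described above. Naive opcode matching
    can mis-read operand bytes as E8; for a short prologue window that is acceptable."""
    findings = []
    for i in range(len(code) - 4):
        if code[i] != CALL_REL32:
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]
        target = code_va + i + 5 + rel   # displacement is relative to the next instruction
        if not module_base <= target < module_base + module_size:
            findings.append({"at": code_va + i, "target": target})
    return findings

def make_call(from_va, to_va):
    """Encode 'CALL to_va' as it would sit at from_va (used only to build test data)."""
    return bytes([CALL_REL32]) + struct.pack("<i", to_va - (from_va + 5))

# Constructed layout, not real addresses: a kernel image and one exported function inside it.
MODULE_BASE, MODULE_SIZE = 0x80400000, 0x00200000
EXPORT_VA = 0x80500000

# Clean body: mov edi,edi / push ebp / mov ebp,esp, an in-module CALL, pop ebp / ret.
CLEAN_BODY = b"\x8B\xFF\x55\x8B\xEC" + make_call(EXPORT_VA + 5, 0x80520000) + b"\x5D\xC3"
# Detoured body: the first five bytes replaced by a CALL to memory the module does not own.
HOOKED_BODY = make_call(EXPORT_VA, 0x80010000) + CLEAN_BODY[5:]

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_BODY), ("hooked", HOOKED_BODY)):
        hits = find_out_of_module_calls(body, EXPORT_VA, MODULE_BASE, MODULE_SIZE)
        print(name, [f"{h['at']:08X} -> {h['target']:08X}" for h in hits])
```

In practice the byte window would come from a memory dump of the kernel image, and the module range from the loaded-module list; the in-module CALL in the clean body shows that ordinary calls are not flagged.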

Payload

If left unchecked, the whole procedure “resurrects” another malware component from unused disk sectors into the affected system. With this particular sample, for instance, a separate malicious thread is created and executed; it drops another malware component into the Windows default folder and creates a corresponding RUN entry in the system registry.

Image 5 - Disassembly view of the file dropping payload

The dropped malware component is then left for the interrupted Windows boot process to run as part of the normal Windows start-up procedure.

Image 6 - Registry Editor view of registry data that executes the dropped malware

The installed malware may vary. One example, with SHA1 F7A1B33F5586933CFE41CBC3E7575CFB9A48AF4E, is detected as Trojan:Win32/Malagent and downloads and installs other malware from a specific FTP site. Another example, with SHA1 36eef85a244ae201ef2d26c26417acd893aab968, is detected as Trojan:Win32/Agent.AAE, and downloads files via HTTP and serves advertisements. 

Telemetry

We found variants of Trojan:DOS/Bootroot being actively used to launch a number of different threats that connect to a remote server and download other malware via HTTP and FTP. Some information about this malicious bootkit is also circulating on Chinese- and Russian-language sites. The majority of detections for this malware were found in China as of the end of 2010.

Country/region     Volume    Percent
China               2,023     99.07%
Taiwan                 11      0.54%
United States           2      0.10%
Brazil                  1      0.05%
Finland                 1      0.05%
Korea                   1      0.05%
Turkey                  1      0.05%
Ukraine                 1      0.05%
Unavailable             1      0.05%

Remediation

A troubleshooting guide on how to restore the MBR boot code is available on the Microsoft TechNet website. You can also stay protected from this threat using Microsoft Security Essentials and Microsoft Forefront.


Jireh Sanico
MMPC Dublin