Assuming you or your client is not already infected with Mebroot, there’s another tool you can use to easily recover in the event of an infection: MBRtool 2.3 from DIY DataRecovery.
MBRTool is a freeware DOS program designed to back up, restore, and manipulate your hard disk’s MBR. The latest version includes a boot disk builder that will allow you to create a diskette or bootable CD/DVD, making it ideal for recovering from a Mebroot infection. If you are sure the target machine is clean, or you have a clean image that you can restore, you simply use MBRTool to make a backup of the valid MBR. In the event of infection, use the boot disk to start the machine and restore the valid MBR. Bye, Bye, Mebroot!
Going beyond simple recovery, you could use MBRTool to make a copy of and examine an infected MBR to compare its code against known Mebroot variants. But, be careful: you don’t want that infected MBR to get away from you.
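Once you have a known-good MBR backup, the useful follow-up is an integrity check you can run against the first sector at any time. The following is an added example (not part of the original post, and not MBRTool’s own code): it fingerprints only the 446-byte boot code area, so a legitimate partition-table edit does not trip the alarm, and it flags a missing 0x55AA signature or more than one active partition. The sample sectors are constructed in the script rather than read from a real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446           # bytes 0..445 hold the executable boot code
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of every valid MBR


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector, not read from a real disk: pads the given boot
    code to 446 bytes and adds one active partition entry plus the signature."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    # status 0x80 (active), CHS start, type 0x07 (NTFS), CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
    table = entry + b"\x00" * 48           # three unused entries
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, the four partition entries and the signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = [sector[446 + 16 * i: 446 + 16 * (i + 1)] for i in range(4)]
    return {"boot_code": sector[:BOOT_CODE_SIZE], "partitions": entries, "signature": sector[510:]}


def boot_code_fingerprint(sector: bytes) -> str:
    """SHA-256 of the boot code only, so resizing a volume (which rewrites the
    partition table but not the code) does not raise a false alarm."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def check_mbr(sector: bytes, baseline_fingerprint: str) -> list:
    """Compare a freshly read MBR against the fingerprint of the known-good backup."""
    findings = []
    mbr = parse_mbr(sector)
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_fingerprint(sector) != baseline_fingerprint:
        findings.append("boot code differs from the stored backup")
    active = [p for p in mbr["partitions"] if p[0] == 0x80]
    if len(active) > 1:
        findings.append("more than one partition marked active")
    return findings


# Constructed data: a "clean" MBR whose boot code starts with typical real-mode
# setup bytes, and a "tampered" copy whose boot code bytes differ.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8")
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x00" * 9)
BASELINE = boot_code_fingerprint(CLEAN_MBR)   # store this next to the backup file

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE) or "OK")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

In practice you would feed `check_mbr` the first 512 bytes of the physical disk (on Linux, the file produced by `dd if=/dev/sda bs=512 count=1 of=mbr.bak` is exactly that) and keep `BASELINE` with the MBRTool backup; a fingerprint mismatch with no legitimate change on your part is the moment to boot the rescue disk and restore.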
Happy Thanksgiving and good luck surviving Black Friday!
I’ve been using F-Secure’s BlackLight Rootkit Eliminator ever since it was first released in early 2005. It’s a solid tool and has saved me from having to completely reload a system on at least three occasions, so I don’t know why I didn’t think of it as a weapon against Mebroot. Thanks to a news update from Windows Secrets, I visited F-Secure’s site and discovered the following in a March 31, 2008 blog post:
“A while ago we blogged about the MBR rootkit, which has been getting attention from all security vendors. We’re glad to inform you that the latest version of the F-Secure BlackLight standalone rootkit scanner now detects MBR rootkit infections.
“BlackLight has stood the test of time ever since it was released in the beginning of 2005. A new rootkit technique that has been able to evade detection has been a very rare event. The MBR rootkit is quite different from other rootkits we’ve seen over the years, so we had to add completely new technology into BlackLight to detect it successfully.”
Needless to say, I immediately downloaded the latest version and have it ready to go for any suspected Mebroot infections. Of course, I used it to check all of my own systems and am happy to report that the tool didn’t find anything wrong with my MBR. You can download the standalone BlackLight here.
In my next post, I’ll give you two more tools that you can use to combat this sinister threat: MBR BIOS locking and an MBR backup tool.
According to Microsoft, the November release of its Malicious Software Removal Tool (MSRT) removed the phony security software, Win32/FakeSecSen, from 994,061 distinct machines in just nine days: MSRT Review on Win32/FakeSecSen Rogues. Win32/FakeSecSen is a family of programs that claim to scan for malware and display fake warnings of “malicious programs and viruses”. These programs attempt to force users to pay to remove the “threats” they found. Some of them attempt (illegally) to look official by impersonating Microsoft products using names such as “Antivirus XP”, “AntivirusXP 2008”, “WinDefender 2008”, “XP Antivirus”, or similar.
Over at Ask the Geek, I often receive questions about how to properly erase a PC hard drive so personal data can’t be recovered. Clients also ask similar questions, particularly those involved in medical, dental, or financial practices. I’ve posted on this subject before, of course. “Paranoid About Hard Drive Security? Try This” outlined a two-step approach that works well, but is probably overkill for most, including those under regulatory scrutiny. The Center for Magnetic Recording Research (CMRR) points out that completely secure erasure doesn’t exist: erasure security is relative and is “a tradeoff between the erasure security level and the erasure time required. A high security protocol requiring custom software or days to accomplish will be avoided by most users, making it little used and therefore of limited practical value.” Enter Secure Erase (SE).
According to CMRR, “The Secure Erase (SE) command was added to the open ANSI standards that control disk drives, at the request of CMRR… The SE command is implemented in all ATA interface drives manufactured after 2001 (drives with capacities greater than 15 GB)….
“Secure erase does a single on-track erasure of the data on the disk drive. The U.S. National Security Agency published an Information Assurance Approval of single pass overwrite, after technical testing at CMRR showed that multiple on-track overwrite passes gave no additional erasure.”
Secure Erase (via the HDDerase utility) is a DOS-based program, so you need to make a bootable floppy, CD, or flash drive that boots DOS, FreeDOS, or a Windows 95/98/ME rescue disk. Download the freeware HDDerase, extract HDDerase.exe to your bootable media, boot the computer to a command prompt, and execute HDDerase.exe (it must be run from a real DOS environment, not from a Windows-based DOS command shell).
In about an hour or two, depending on the size of the hard disk, you’ll have a drive that can be safely disposed of or re-deployed without fear. If you plan to re-deploy the disk, you’ll have to create a new partition and format the disk before you’ll be able to use it again.
I’ve used this handy utility many times to sanitize disks that contained data subject to the Health Insurance Portability and Accountability Act (HIPAA). All normal attempts to discover any trace of identifiable data on my test drives failed to reveal anything usable.
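The “normal attempts to discover any trace” step is worth automating, so here is an added example (not from the original post or from CMRR) of a post-erasure audit: it reports the fraction of non-zero bytes, looks for filesystem boot-sector markers that should never survive a full overwrite, and pulls out runs of printable text the way `strings` would. The two 64 KiB images are constructed in the script; on a real drive you would read the device into memory in pieces and apply the same checks. Note that an overwrite using a non-zero pattern leaves the byte fraction high but no structure, which is why the verdict keys on structure rather than on zeros alone.

```python
import re

# OEM IDs that sit at offset 3 of NTFS and FAT boot sectors; constructed list, extend as needed
SIGNATURES = [
    (b"NTFS    ", "NTFS boot sector"),
    (b"FAT32   ", "FAT32 boot sector"),
    (b"MSDOS5.0", "FAT boot sector (Windows OEM ID)"),
]
PRINTABLE_RUN = re.compile(rb"[ -~]{16,}")   # 16+ consecutive printable ASCII bytes, like `strings`


def audit_image(data: bytes) -> dict:
    """Scan a disk image for residual structure left behind by an incomplete erase."""
    hits = []
    for sig, label in SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            hits.append((pos, label))
            pos = data.find(sig, pos + 1)
    text_runs = [(m.start(), m.group().decode("ascii")) for m in PRINTABLE_RUN.finditer(data)]
    nonzero = len(data) - data.count(0)
    return {
        "size": len(data),
        "nonzero_fraction": nonzero / len(data) if data else 0.0,
        "signature_hits": hits,
        "text_runs": text_runs,
        # a non-zero overwrite pattern is fine; recognizable structure is not
        "looks_sanitized": not hits and not text_runs,
    }


def build_residual_image() -> bytes:
    """Constructed sample: a 64 KiB image where an overwrite missed two regions."""
    img = bytearray(64 * 1024)
    boot = b"\xeb\x52\x90NTFS    "                    # first bytes of an NTFS boot sector
    img[8192:8192 + len(boot)] = boot
    record = b"Patient: Jane Doe, DOB 1970-01-01"    # constructed PHI-like text, not real data
    img[20000:20000 + len(record)] = record
    return bytes(img)


ERASED_IMAGE = bytes(64 * 1024)          # constructed: what a completed zero-pass looks like
RESIDUAL_IMAGE = build_residual_image()

if __name__ == "__main__":
    for name, img in (("erased", ERASED_IMAGE), ("residual", RESIDUAL_IMAGE)):
        r = audit_image(img)
        verdict = "sanitized" if r["looks_sanitized"] else "NOT sanitized"
        print(f"{name}: {verdict} nonzero={r['nonzero_fraction']:.5f} "
              f"signatures={r['signature_hits']} text={r['text_runs']}")
```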
Sinowal, also known as “Mebroot” and “Torpig” to various antivirus companies, is a dangerous rootkit that uses the computer’s Master Boot Record (MBR) as its Auto-Start Entry Point (ASEP). The Trojan typically infects Windows XP PCs via malicious websites using code that exploits vulnerabilities in Adobe Reader, Flash Player, or Apple QuickTime–vulnerabilities that have already been patched. Once the Trojan gets on your system, it does an interesting little dance to prevent detection. Windows Secrets writer Woody Leonhard describes Sinowal’s stealthy behavior in his November 20, 2008 article, “Don’t be a victim of Sinowal – the super-Trojan:”
“The key to Sinowal/Mebroot’s ‘success’ is that it’s so sneaky and is able to accomplish its dirty work in many different ways. How sneaky? Consider this: Sinowal/Mebroot doesn’t run straight out to your MBR and overwrite it. Instead, the Trojan waits for 8 minutes before it even begins to analyze your computer and change the Registry. Digging into the MBR doesn’t start until 10 minutes after that.
“Sinowal/Mebroot erases all of its tracks and then reboots the PC using the adulterated MBR and new Registry settings 42 minutes into the process.”
Also contributing to the Trojan’s effectiveness is that it’s constantly changing. Washington Post journalist Brian Krebs posted a chilling overview of Sinowal’s criminal mischief in his October 31, 2008 column, “Virtual Heist Nets 500,000+ Bank, Credit Accounts:”
“Sinowal…constantly morphs its appearance to slip past security software. Between April and October, researchers spotted an average of 60 to 80 new Sinowal variants per month…
“On Oct. 21, a new Sinowal variant was submitted to Virustotal.com, which scans incoming files against nearly three dozen commercial anti-virus programs and maintains a historical record of those results. Only 10 out of 35 of those security programs – or 28.5 percent – identified it as such or even flagged it as suspicious.”
Very scary, but here are seven things you can do to protect yourself:
- Apply all security patches to Windows XP.
- Apply all patches to third-party software, particularly Adobe Reader, Flash Player, and Apple QuickTime. These are the main avenues of infection.
- Make sure your antivirus detection definitions are up to date.
- Create a limited user account and use it to browse the web.
- Only visit websites you trust.
- Run your browser in a sandbox.
- Switch to Vista–it’s not currently vulnerable.
As always, constant vigilance is necessary on the Wild, Wild, Web.
In my How to Secure Your Computer series of articles, I issued Maxim #13, “WiFi Security–The Only Way is WPA”. However, TKIP–which is one of the protocols used under the WPA certification standard–is now vulnerable to attack, so I feel it prudent to modify my stance a bit and shed a little light on the subject. Certain media reports would have you believe that WPA has been cracked; this isn’t the case. (See “WPA Not Cracked, But Still Vulnerable.”) Steve Gibson’s latest episode (#170) of Security Now! explains in great detail the TKIP hack and why it isn’t much to worry about–at least, not yet.
Under the WPA/WPA2 standards, a wireless access point or router can use either TKIP (Temporal Key Integrity Protocol) or AES-CCMP (Advanced Encryption Standard, Counter Mode/CBC-MAC Protocol). TKIP is an enhancement of WEP that utilizes the RC4 stream cipher with 128-bit keys for encryption and 64-bit keys for authentication; CCMP provides much stronger protection because it uses AES (Rijndael) encryption.
Two German researchers, Martin Beck and Erik Tews, recently found a way to crack TKIP. They use what is called a chopchop attack, which attempts to decrypt packets byte by byte. You can read all about it in their white paper, “Practical attacks against WEP and WPA” so I won’t go into the details here.
While there doesn’t appear to be much an attacker can do at this point, the attack is a harbinger of things to come and now would be a good time to log into your wireless router and see what’s up. I discovered that mine doesn’t support AES-CCMP, only TKIP, so I need to upgrade the firmware. I recommend that everyone do one of the following:
1. Switch your current WPA configuration to AES-CCMP if it’s supported.
2. Upgrade the firmware in your router so it supports WPA2 with AES-CCMP.
3. If neither of those is possible, or, heaven forbid, your router only supports WEP, replace it with one that’s WPA2 compliant and use AES-CCMP.
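For anyone who manages access points from a configuration file rather than a web UI, the three options above reduce to a mechanical audit. The following is an added example (not from the original post, the Beck/Tews paper, or Security Now!) that reads a hostapd-style `key=value` file, reports WEP, WPA version 1 and TKIP pairwise ciphers, and emits the corrected WPA2/AES-CCMP settings. The configuration text is constructed; the key names (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `wpa_key_mgmt`, `wep_key0`) are the ones hostapd uses, and the passphrase is a placeholder.

```python
WEAK_CONFIG = """\
# constructed hostapd-style configuration: WPA (version 1) with TKIP
interface=wlan0
ssid=HomeNet
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=change-this-example-passphrase
"""


def parse_config(text: str) -> list:
    """Return (key, value) pairs in file order; comments and blank lines are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def audit_config(text: str) -> list:
    """List the weaknesses the post describes: WEP, WPA version 1, and TKIP."""
    cfg = dict(parse_config(text))
    findings = []
    has_wep = any(k.startswith("wep_") for k in cfg)
    if has_wep:
        findings.append("WEP keys configured: replace the device or reconfigure with WPA2")
    wpa = int(cfg.get("wpa", "0"))          # hostapd: 1 = WPA, 2 = WPA2 (RSN), 3 = both
    if wpa == 0:
        if not has_wep:
            findings.append("no WPA/WPA2 configured")
        return findings
    if wpa & 1:
        findings.append("WPA (version 1) enabled: migrate to WPA2 only (wpa=2)")
        if "TKIP" in cfg.get("wpa_pairwise", "").upper():
            findings.append("wpa_pairwise allows TKIP: use CCMP")
    if wpa & 2:
        # rsn_pairwise falls back to wpa_pairwise when it is not set
        rsn = cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", ""))
        if "TKIP" in rsn.upper():
            findings.append("rsn_pairwise allows TKIP: use CCMP")
    return findings


def harden_config(text: str) -> str:
    """Rewrite to WPA2-only with AES-CCMP and drop WEP keys; other settings are kept in place."""
    out, seen = [], set()
    for key, value in parse_config(text):
        if key.startswith("wep_"):
            continue
        if key == "wpa":
            value = "2"
        elif key in ("wpa_pairwise", "rsn_pairwise"):
            value = "CCMP"
        seen.add(key)
        out.append(f"{key}={value}")
    for key, value in (("wpa", "2"), ("wpa_key_mgmt", "WPA-PSK"), ("rsn_pairwise", "CCMP")):
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit_config(WEAK_CONFIG))
    hardened = harden_config(WEAK_CONFIG)
    print(hardened)
    print("after :", audit_config(hardened) or "OK")
```

Consumer routers expose the same three knobs under other names (“WPA2-PSK”, “AES” versus “TKIP”); the audit logic carries over even if you have to read the values off a status page instead of a file.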
For the past couple of years, Microsoft has been issuing a semi-annual report on the security threat landscape. The latest version of the Security Intelligence Report (SIR), v5, was released last Monday. Microsoft appears to be taking security seriously these days: “…during the first half of 2008 (1H08), there were fewer disclosures of Microsoft vulnerabilities than for the industry as a whole; in fact, Microsoft vulnerabilities were down 33.6 percent in 1H08.
“However, it is alarming to see that more than 90 percent of vulnerabilities disclosed in 1H08 affected applications, and nearly half of all industry vulnerabilities are rated as High Severity. Additionally, 1H08 showed how threats are increasingly affecting a variety of vendors beyond Microsoft. Issues now cross multiple vendors and illustrate how different technologies behave together and then create complex, blended threats.”
At 150 pages, the SIR is no light read; it’s a thorough analysis of the security threat landscape based on several well-known industry sources as well as “Telemetry from several customer-focused Microsoft security products and services, including the Malicious Software Removal Tool (MSRT), Windows Defender, Windows Live OneCare, and Exchange Hosted Services, representing a total user base of several hundred million computers…”
The announcement, Microsoft Security Intelligence Report Volume 5 is Now Available, posted on the Microsoft Malware Protection Center blog, describes a couple of interesting key findings from the report.
There’s an old saw in security circles: “complexity is the enemy of security.” The more complex something is, the more likely there will be flaws to exploit. Also, there are times when you just don’t need the strength of AES encryption. Case in point: the company I work for utilizes a practice management and documentation system to keep track of service tickets, inventory, server & network configurations, and other customer information. Since the software is web-based (which makes it a potential attack target), we needed a simple method to securely store client passwords and remote access configurations. The solution was Iron Key (not to be confused with the secure flash drive of the same name), a free version of Silver Key–a program for creating self-extracting encrypted files.
The program is perfect for safely sending files over the Internet, even those that contain sensitive personal and financial information. For example, say you have an electronic copy of your tax return that you need to email to your accountant; easy, just drag and drop it onto Iron Key, set a good passphrase and send it along. Your accountant does not need any cryptographic software in order to decrypt the file; all he needs is to run the file and enter the right password, which you can tell him over the phone.
It doesn’t get much simpler than this.
Less than a month after the clickjacking exploit came to light, sporadic reports of users falling victim to the attack are beginning to surface. Dennis O’Reilly’s column in Windows Secrets Newsletter, Issue 172, contains this report from a reader:
Yep, clickjacking is in the wild. I build, fix, and de-badware computers for family, friends, and businesses. I had a friend complain that his eBay page kept popping up with auctions when he hadn’t accessed eBay. So, dutifully, I went to see what was going on and found that he had been trawling through some [game] crack sites.
When he clicked some links, he would also pop his eBay page up (he had his eBay cookie set). Bingo! The crack-page vendors had scored his login details. I quickly apprised him of the risks of visiting said pages and, of course, quickly reset his eBay password and scanned, cleaned, and disinfected his computer.
Just yesterday, I received a report from another engineer at our office that he had witnessed a clickjacking attempt on his own machine when he clicked a button on an antivirus blog. Instead of going to the previous page, as expected, he received a pop-up for the “Antivirus XP 2009” malware download. I had him disable IFRAME handling in Internet Explorer and install NoScript on Firefox. That fixed the issue.
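Disabling IFRAMEs in the browser protects one machine; the site being framed (eBay, in the reader’s report) can only defend its users by telling browsers not to render it inside someone else’s page. Browsers later adopted two response headers for exactly this: `X-Frame-Options` and the CSP `frame-ancestors` directive. The following is an added example (not from the original post or the Windows Secrets column) that evaluates a set of response headers and says whether the page can be embedded in a hostile frame. The header sets are constructed; no real site was queried.

```python
def _header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_frame_ancestors(csp: str):
    """Return the source list of the frame-ancestors directive, or None if it is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_protection(headers: dict) -> dict:
    """Decide whether these response headers stop the page from being framed.
    CSP frame-ancestors takes precedence over X-Frame-Options, as in browsers."""
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = csp_frame_ancestors(csp)
        if ancestors is not None:
            if ancestors == ["'none'"]:
                return {"protected": True, "reason": "CSP frame-ancestors 'none': cannot be framed"}
            if "*" in ancestors:
                return {"protected": False, "reason": "CSP frame-ancestors *: any site may frame it"}
            return {"protected": True,
                    "reason": "CSP frame-ancestors limited to " + " ".join(ancestors)}
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return {"protected": True, "reason": f"X-Frame-Options {value}"}
        return {"protected": False,
                "reason": f"X-Frame-Options {xfo!r} is not honored by all browsers; use DENY, SAMEORIGIN or CSP"}
    return {"protected": False, "reason": "no framing restriction: page can sit inside a hostile IFRAME"}


# Constructed header sets, not captured from any real site
UNPROTECTED_RESPONSE = {"Content-Type": "text/html", "Set-Cookie": "session=abc123; HttpOnly"}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, framing_protection(hdrs))
```

Sending both headers, as the hardened sample does, covers older browsers that know only `X-Frame-Options`; an authenticated site that sends neither is relying entirely on its visitors having followed the NoScript/IFRAME advice above.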
Just as Opera completed patches for critical vulnerabilities in its browser, researchers discovered another remote code execution bug. In its recent article, “Opera scrambles to quash zero-day bug in freshly-patched browser,” The Register reports:
Among the bugs squashed in Opera 9.61 was a stored cross site scripting (XSS) vulnerability that allowed attackers to view victims’ browsing history. That attack is no longer possible, but now researchers have discovered an even more serious exploit that’s based on the same weakness.
Until Opera releases version 9.62, which should be “very, very soon” according to Opera spokesman Thomas Ford, your best bet is to disable iFrames and turn off scripting. Open opera:config and select Extensions|iFrames. Change the setting from “1” to “0.” Similarly, change Extensions|Scripting from “1” to “0.”
Bear in mind that the above temporary workaround is going to break a lot of sites that use scripting. It would be simpler if Opera had some way to designate “trusted sites” (or a plug-in like NoScript), but I’m not aware of any way to do this. Hit the comments and let me know if there’s a better workaround (I haven’t used Opera since my conversion to Firefox four years ago).