Just in time for Christmas 2008, we have been seeing a new wave of our old friend the MBR/Mebroot/Sinowal/Torpig rootkit. This is one of the nastiest rootkits the world has ever seen – with only one goal: To steal people’s money and their identity. The MBR rootkit has been covered heavily in our Kernel Forensics Whitepaper and as there have been so many improvements of this rootkit, we will revisit a few of them here in this blog.

First of all, it is quite heavily distributed through drive-by-downloads via Neosploit, which is a very advanced exploit framework to compromise website visitors. The whole distribution method is one of the most advanced and well-thought-through processes.

First of all, it employs geographic IP checking so that they control specifically who will be targeted. This way they can target special geographic locations, but could potentially also target home user making life harder for security professionals. In our case, we couldn’t get infected from Australia, but were easily infected from Germany!

Secondly, after infection, the loader will “sleep” for a random period of time before anything happens. In our case, we had to wait approx. 6 minutes before the Master-Boot-Record was changed. This was clearly done to fool security researchers and automatic malware testing tools (as they would execute the loader and not see any activity at all!!!)

Thirdly, as with all MBR/Mebroot infections, the malicious code will only run AFTER a reboot as the loader will just infect the Master-Boot-Record. It is not until the next reboot, the whole Mebroot boot sequence will begin.

The boot sequence is a complicated, seven step procedure and will ensure that the computer will be infected without any malicious process or component even running on the system. This is possible because Mebroot has full control over the boot sequence of Windows.

But how can Mebroot/Sinowal do their dirty work without a malicious component? Well, because Mebroot/Sinowal controls the boot sequence, it can inject the malicious code into existing/legitimate Windows Components. It will “hook” key functions that the Internet Explorer will use to do it’s day-to-day job like sending and receiving data and encrypting that data. Yes, you are right. Mebroot/Sinowal does have full control over the encrypted data stream as it has access to it before it will be encrypted and after it has been decrypted. The picture below shows the key parts where code was injected – mainly into explorer.exe and iexplore.exe (Internet Explorer)

 This is also the reason why the rootkit is so invisible – simply because there is no malicious component on its own running. An infected computer with Norton 2009 running will not detect anything even for a full computer scan.

But how does Mebroot/Sinowal actually work from a user’s perspective?

Well, as Mebroot/Sinowal have full control over the internet session; they will dynamically inject their own malicious HTML code into the banking website to either steal existing information or to steal additional information. This is typically done after the user is logged in to what is for all intense purposes the authenticated secure banking website and therefore almost all users will be deceived as they are sure that they are not at a phishing site.

Please note: The user is actually at the right site. The SSL certificate is correct and valid. You even see the green bar from your SSL EV certificate, however the content is injected locally by the Trojan. Below are two screenshots from Bank of America and Citibank where the Trojan injects its own HTML to get additional personal information from the user.

Technical Details

As per always on this blog, we will provide some technical background and how it looks like from a user’s point of view. A full technical description of Mebroot/Sinowal is available here: http://web17.webbpro.de/index.php/analysis-of-sinowal (thanks to Peter Kleissner)

We analyzed the following sample on Jan 5, 2009 and according to Virustotal, only 8 out of 38 Antivirus Engines detected this Mebroot/Sinowal sample (http://www.virustotal.com/analisis/fe95bd3e4e26a22c8be7b6f1ead6bcec). None of the big Antivirus Engines like F-Secure, McAfee, Sophos or Symantec detected it. At least Trend Micro’s heuristic engine came up with the name “Cryp_Xed-3″)

What are the Antivirus Engines doing?

This brings me to one of the main points of this post. “What on earth are the Antivirus Engines doing?” As always, we were doing our analysis on a clean machine without Antivirus Engine to see what the virus is doing.

However we couldn’t believe our eyes when we retested with Norton Internet Security 2009 running and it did just nothing. Norton Internet Security 2009 is one of the best Antivirus Engines with a fast scanner, a nice user interface and a good protection, however it did just nothing!!! The Mebroot/Sinowal installer successfully infected the Master-Boot-Record, after a restart, the machine was compromized and NIS 2009 was just silent. (Note: We really do not want to single out Norton 2009 here. As stated above we think it’s one of the best products and many people we know use it and for good reason. However you can imagine what the situation looks like for less advanced products like any of the free Antivirus products used by consumers today)

Side Note: This picture illustrates another problem of many “phishing” protection tools. I don’t think that the page as it is displayed belongs to the company represented…

Movie / TrustDefender

TrustDefender will successfully protect the user from this attack by default . TrustDefender will alert you that your Windows Kernel has been compromized and will automatically secure the internet banking transaction regardless.

We have put together a little screen capture movie that demonstrates how Mebroot/Sinowal successfully infects a customer’s PC even with Norton 2009 installed and how TrustDefender protects this use for a Bank of America session.

Please note: In this movie, TrustDefender does not run in quiet mode for this transaction with Bank of America as the TrustDefender Enterprise Server is not integrated with the BofA backend systems. Financial Institutions can integrate the Enterprise Server enabling the full functionality and run in a quiet mode protecting the consumer with little or no interaction required from the account holder. However TrustDefender Gold Customers will be protected regardless.

(click on the picture to start the movie)

Outlook

We will leave this machine running and will update soon on how the Antivirus Engine will pick it up once they update their patterns. It will be quite interesting as there is no process running or anything… Let’s see.