Mebroot root kit infection (aka Sinowal, aka Torpig)Apr 3rd, 2009 | By Christian Donner | Category: Information Technology, Security, Software Engineering, Web
I am pretty sure I caught the Mebroot root kit last night, or some variant, and potentially some other things, too.
I was working when all of a sudden the machine rebooted, without a blue screen. It did an orderly shut-down and reboot (XP Pro SP III). I did not allow XP to boot back up, but instead booted Knoppicillin from DVD. This is a free Linux with a free version of Kaspersky, Avira Antivir, and BitDefender.
All three ran. pulled the latest signatures from the web, and found only 3 minor issues. One was the Move Networks video player that I need for ESPN360, the other two were 2 scripts in the Temperory Internet folder that my virus scanner had blocked access to anyways, so I don’t think they executed.
I booted back into XP and deleted the three files (I should have saved them for analysis, but they are gone). After doing this, IE8 (and Outlook) crashed upon start, and everything was very slow. There were very long timeouts for every mouse click, and the system would eventually freeze completely. I uninstalled IE8, reinstalled it, reverted to IE7, but I still got the crashes. I installed Windows Defender, checked running programs, checked all startup programs, checked and disabled all browser plug-ins, and disabled everything else that looked suspcious (which was not much, since I stay on top of these things all the time).
IE7 still crashed occasionally.
Then I started a trace on my Pix firewall while the XP machine booted, and saw some very interesting things:
Besides contacting Microsoft, the machine did a bunch of DNS lookups for wvvexfux.com and cheviram.com:
18.104.22.168 (Microsoft update) 22.214.171.124 126.96.36.199 Dns lookup wvvexfux.com 188.8.131.52 Dns lookup 184.108.40.206 Dns (Google) 220.127.116.11 Dns (Google) 18.104.22.168 google.no 22.214.171.124 Dns lookup
Then it sent HTTP requests to the two IPs below:
126.96.36.199 is wvvexfux.com 50 4f 53 54 20 2f 20 48 POST / H 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 77 TTP/1.1..Host: w 76 76 65 78 66 75 78 2e 63 6f 6d 0d 0a 43 6f 6e vvexfux.com..Con 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 30 38 tent-Length: 108 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c ..Connection: cl 6f 73 65 0d 0a 0d 0a e6 8a c4 17 e4 0f 18 5e 3f ose...........^? 78 4d 77 16 2b b6 1a f5 6d 6d 4b d4 d9 be e0 b2 xMw.
188.8.131.52 is cheviram.com, "mebroot calls home" 50 4f 53 54 20 2f 36 35 POST /65 33 39 39 34 31 37 45 45 38 41 33 41 43 36 2f 42 399417EE8A3AC6/B 31 59 47 59 51 4a 54 66 33 51 77 59 68 46 77 59 1YGYQJTf3QwYhFwY 48 4b 6c 33 32 7a 6e 31 77 45 6e 52 6a 73 69 45 HKl32
Both domains were registered as recently as a week ago, so this is indeed a very new threat. Unfortunately, I don’t know what process made the above requests, since it did all this prior to someone logging in. I also don’t know what data it sent in the POST request (just in case that someone can decipher the query string – I left out a few lines).
I updated the MBR from the XP Recovery Console, and I am running the Knoppicilin scans again while I write this, but I am considering formatting the disk and doing a fresh reinstall – which will likely take all weekend and beyond. I will check what the firewall trace says once the scan is done tomorrow, and then decide.
Bottom line is, despite all my efforts, and despite running an on-access scanner and doing full scans with products of three different vendors, this thing was able to install itself. I wonder if IE8 re-introduced security holes that were previously closed, and that someone very quickly took advantage of them. Either way, I am more concerned than ever about logging on to my bank account from my workstation at home (I changed the passwords right away, of course). What do all the people do who cannot read a firewall trace?
Read this for an opinion on why these kind of threats are out there, and nobody really seems to care.
Repairing the MBR seems to have done the trick. I ran several full scans today, and continuously monitored the firewall for suspicious traffic from this computer. I analyzed anything that I could not immediately explain, ran Google searches, trace routes, dns lookups, whois queries, etc, and it seems that the machine is clean. It appears to be much more responsive, and IE does not crash anymore.
I did not notice until today that Avira has a boot sector scan option. I am not sure it runs it when it does a full scan, and I don’t know if it would have found anything yesterday. Today, it did not.
Trustdefender has a more in-depth technical explanation of this threat, and describes the steps to verify an infection.
They also say that Mebroot does not compromise any system files – I did not want to rely on this assumption and reinstalled the XP Service Pack 3 and IE8.
It seems that the weakest point of this virus is that it triggers a system reboot. If your Windows suddenly tells you that it is closing down, be on alert. The best thing to do in this case would be to not allow it to restart, but to boot from the installation DVD, start the Recovery Console, and run FixMBR. In my case, it warned me that (and I forgot the exact wording) I had a non-standard MBR and asked if I really wanted to overwrite it.
Not surprisingly, this subject keeps coming up in the news. I came across this interesting report about how Torpig generates pseudo-random domains to spread.