StealthMBR gets a makeover

New variants of the StealthMBR trojan aka Mebroot rootkit have recently been spotted in-the-wild. These new variants are significantly different from earlier ones.
StealthMBR has arguably been dubbed as the stealthiest rootkit ever seen. The new variants are using even ‘deeper’ techniques to evade detection. Broadly speaking, they are hijacking kernel objects (device object) to filter out access to the master boot record and prevent detection and repair. As opposed to earlier variants, which installed lower level hooks on the IRP table of \driver\disk, these new variants are able to hook the IRP table of an even lower driver. And these hooks too are not present all the time but only installed on an on-demand basis. The hijacked disk device object is used to facilitate this. Detection is not the only problem; this threat also poses cleaning challenges by installing watching mechanisms to re-infect the machine. The following image show what an infected MBR looks like. Booting off of an external medium and inspecting should reveal the infected MBR.

The following image shows hijacked kernel object for disk device.

Once installed this threat does not require any file or registry entry to sustain itself on the compromised machine. But for installation to occur there is a dropper executable which has also changed as compared to older variants. The detection for (continue reading...)