Jump to content

MBR Locker and LiveGuard


Go to solution Solved by Marcos,

Recommended Posts

I've noticed that ESET LiveGuard seems unable to detect certain type of malware such as MBR locker. 

For example, this sample (VT: https://www.virustotal.com/gui/file/667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf/detection; Sandbox: https://tria.ge/221224-f6fptshf29/behavioral1) is an MBR locker and its behavior is very typical. However, ESET LiveGuard determined that it was safe to use.

The algorithm of LiveGuard should be updated to solve this problem.

Link to comment
Share on other sites

8 hours ago, AnthonyQ said:

I've noticed that ESET LiveGuard seems unable to detect certain type of malware such as MBR locker. 

Most likely because the malware didn't run in the LiveGuard cloud sandbox.

Eset_MBR.png.509f268bc5532aa98c4d14c4ef27af93.png

Also unless things have changed in Eset processing which is doubtful, it does not monitor for write activity to MBR related files. Now that Eset has a sig. for the bootkit, it will detect it upon system startup. But, you will have to remove it manually via bootrec /FixMbr bootrec /FixBoot bootrec /ScanOs bootrec /RebuildBcd commands.

 

Edited by itman
Link to comment
Share on other sites

1 hour ago, itman said:

Most likely because the malware didn't run in the LiveGuard cloud sandbox.

 

Interesting fact though, Defender, in its own simplicity, was able to detect it in par with the paid big players.

Link to comment
Share on other sites

9 hours ago, itman said:

Most likely because the malware didn't run in the LiveGuard cloud sandbox.

Eset_MBR.png.509f268bc5532aa98c4d14c4ef27af93.png

Also unless things have changed in Eset processing which is doubtful, it does not monitor for write activity to MBR related files. Now that Eset has a sig. for the bootkit, it will detect it upon system startup. But, you will have to remove it manually via bootrec /FixMbr bootrec /FixBoot bootrec /ScanOs bootrec /RebuildBcd commands.

 

Yeah, ESET added a signature detection hours ago after submission. 

I'm not sure if the sample is able to run successfully on LiveGuard, but it can run successfully on some free cloud sandboxes like Triage.

Link to comment
Share on other sites

Ignoring whether the malware ran on LiveGuard cloud, I strongly suspect it would not have been detected there anyway.

As I noted, Eset does not monitor or prevent write activity to MBR related files. I have brought this up in multiple past forum postings to no avail. If this malware performed no other malicious activities or like code, LiveGuard wouldn't have detected it.

Link to comment
Share on other sites

You also might want to review my posting here about the infamous Petya attack a few years back; https://forum.eset.com/topic/14714-eset-features/?do=findComment&comment=73148 .

Notably, Kaspersky does monitor for MBR modification activities. However, it could not stop Petya from trashing the partition table rendering the device totally useless:

Quote

Case 2: If system is non-UEFI, installed with Kaspersky Antivirus, and in a state where boot completely fails

The ransomware attempts to destroy the first 10 sectors of the \\\\.\\PhysicalDrive0 if Kaspersky Antivirus is found or if the MBR infection is unsuccessful. Thus, boot process hijack through malicious MBR hasn’t been completed so the MFT (Master File table) contents are intact and not encrypted by the threat. In this case, the partition table information is destroyed by the threat. Given that it stores critical information needed in the booting process, a traditional boot repair process may not work. Rebuilding the partition table may require consultation with an expert.

 

Edited by itman
Link to comment
Share on other sites

  • Administrators
  • Solution

We have already improved detection of MBR malware by LiveGuard, currently for business products with lowered detection threshold due to clean files modifying MBR. If everything goes well, we could make further adjustments for home users in a few weeks' time.

Link to comment
Share on other sites

1 hour ago, Marcos said:

If everything goes well, we could make further adjustments for home users in a few weeks' time.

I assume this will only apply to Smart Security Premium since it is the only Eset consumer product that uses LiveGuard?

Also as noted above, has this already been implemented for Smart Security Premium since it uses LiveGuard; abet with a 90% (high) confidence level? Assumed is the confidence level is being lowered in LiveGuard cloud scan processing in regards to attempted MBR write activities.

Edited by itman
Link to comment
Share on other sites

I also question LIveGuard detection effectiveness against MBR modification malware employing sleeper evasion tactics.

Eset via its HIPS has the capability to monitor for direct disk access used by MBR modification malware. This is where Eset's efforts should be directed to.

Link to comment
Share on other sites

I posted about this previously and will post it again.

Cisco after the Petya incident developed a MBR Filter driver, publicly available, that will block write access to track 1, sector 0 where the MBR resides: https://www.talosintelligence.com/mbrfilter .

Further described as:

Quote

MBRFilter

   This is a simple disk filter based on Microsoft's diskperf and classpnp example drivers.

  The goal of this filter is to prevent writing to Sector 0 on disks.
  This is useful to prevent malware that overwrites the MBR like Petya.

  This driver will prevent writes to sector 0 on all drives. This can cause an
  issue when initializing a new disk in the Disk Management application. Hit
  'Cancel' when asks you to write to the MBR/GPT and it should work as expected.
  Alternatively, if OK was clicked, then quitting and restarting the application
  will allow partitoning/formatting.

https://github.com/Cisco-Talos/MBRFilter

Why Eset never incorporated this driver into its software is really beyond me.

Edited by itman
Link to comment
Share on other sites

Let's discuss this above posted statement:

Quote

The ransomware attempts to destroy the first 10 sectors of the \\\\.\\PhysicalDrive0 if Kaspersky Antivirus is found or if the MBR infection is unsuccessful.

I would say malware going after \\\\.\\PhysicalDrive0  track 1, sector 0 is atypical of MBR modification activity.

Tip - what happens if Windows is not installed on PhysicalDrive0? Tip 2 - perhaps by plugging boot drive cable into motherboard drive connector 1 and another non-boot drive into motherboard drive connector 0. 

Edited by itman
Link to comment
Share on other sites

  • Administrators

Basically any sample that modifies MBR is now evaluated by ESET LiveGuard as malware regardless of the detection threshold in business products.

Link to comment
Share on other sites

2 hours ago, Marcos said:

Basically any sample that modifies MBR is now evaluated by ESET LiveGuard as malware regardless of the detection threshold in business products.

SententialOne has a blog posting here: https://www.sentinelone.com/blog/mbrlocker-wiper-malware-destructive-pranks-are-no-joke-for-victims/ in regards to a MBR locker running from a web site download. If you run the demo video, the download does not appear to be a .exe from what I can tell. As such, would it even be uploaded to LiveGuard?

-EDIT- I played the video again in full screen mode and did observe the download is a .exe. When run, it immediately forces a system shutdown. Not sure if the MBR is modified prior to shutdown (doubtful) or at system startup time. Questions are would it perform above behavior if running in a sandboxed environment?

Edited by itman
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...