MBR Locker and LiveGuard

[AnthonyQ 48]

I've noticed that ESET LiveGuard seems unable to detect certain type of malware such as MBR locker. 

For example, this sample (VT: https://www.virustotal.com/gui/file/667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf/detection; Sandbox: https://tria.ge/221224-f6fptshf29/behavioral1) is an MBR locker and its behavior is very typical. However, ESET LiveGuard determined that it was safe to use.

The algorithm of LiveGuard should be updated to solve this problem.

[rotaru 10]

As of this morning ( 8:00AM in Canada) , ESET detects it on VT. (11 detections from 71)

But so it is detected by Microsoft Defender.

[itman 1,659]

8 hours ago, AnthonyQ said:

I've noticed that ESET LiveGuard seems unable to detect certain type of malware such as MBR locker. 

Most likely because the malware didn't run in the LiveGuard cloud sandbox.

Also unless things have changed in Eset processing which is doubtful, it does not monitor for write activity to MBR related files. Now that Eset has a sig. for the bootkit, it will detect it upon system startup. But, you will have to remove it manually via bootrec /FixMbr bootrec /FixBoot bootrec /ScanOs bootrec /RebuildBcd commands.

 

Edited December 24, 2022 by itman

[rotaru 10]

1 hour ago, itman said:

Most likely because the malware didn't run in the LiveGuard cloud sandbox.

 

Interesting fact though, Defender, in its own simplicity, was able to detect it in par with the paid big players.

[AnthonyQ 48]

9 hours ago, itman said:

Most likely because the malware didn't run in the LiveGuard cloud sandbox.

Also unless things have changed in Eset processing which is doubtful, it does not monitor for write activity to MBR related files. Now that Eset has a sig. for the bootkit, it will detect it upon system startup. But, you will have to remove it manually via bootrec /FixMbr bootrec /FixBoot bootrec /ScanOs bootrec /RebuildBcd commands.

 

Yeah, ESET added a signature detection hours ago after submission. 

I'm not sure if the sample is able to run successfully on LiveGuard, but it can run successfully on some free cloud sandboxes like Triage.

[itman 1,659]

Ignoring whether the malware ran on LiveGuard cloud, I strongly suspect it would not have been detected there anyway.

As I noted, Eset does not monitor or prevent write activity to MBR related files. I have brought this up in multiple past forum postings to no avail. If this malware performed no other malicious activities or like code, LiveGuard wouldn't have detected it.

[itman 1,659]

You also might want to review my posting here about the infamous Petya attack a few years back; https://forum.eset.com/topic/14714-eset-features/?do=findComment&comment=73148 .

Notably, Kaspersky does monitor for MBR modification activities. However, it could not stop Petya from trashing the partition table rendering the device totally useless:

Quote

Case 2: If system is non-UEFI, installed with Kaspersky Antivirus, and in a state where boot completely fails

The ransomware attempts to destroy the first 10 sectors of the \\\\.\\PhysicalDrive0 if Kaspersky Antivirus is found or if the MBR infection is unsuccessful. Thus, boot process hijack through malicious MBR hasn’t been completed so the MFT (Master File table) contents are intact and not encrypted by the threat. In this case, the partition table information is destroyed by the threat. Given that it stores critical information needed in the booting process, a traditional boot repair process may not work. Rebuilding the partition table may require consultation with an expert.

 

Edited December 25, 2022 by itman

[Marcos 5,074]

We have already improved detection of MBR malware by LiveGuard, currently for business products with lowered detection threshold due to clean files modifying MBR. If everything goes well, we could make further adjustments for home users in a few weeks' time.

[itman 1,659]

1 hour ago, Marcos said:

If everything goes well, we could make further adjustments for home users in a few weeks' time.

I assume this will only apply to Smart Security Premium since it is the only Eset consumer product that uses LiveGuard?

Also as noted above, has this already been implemented for Smart Security Premium since it uses LiveGuard; abet with a 90% (high) confidence level? Assumed is the confidence level is being lowered in LiveGuard cloud scan processing in regards to attempted MBR write activities.

Edited December 28, 2022 by itman

[itman 1,659]

I also question LIveGuard detection effectiveness against MBR modification malware employing sleeper evasion tactics.

Eset via its HIPS has the capability to monitor for direct disk access used by MBR modification malware. This is where Eset's efforts should be directed to.

[itman 1,659]

I posted about this previously and will post it again.

Cisco after the Petya incident developed a MBR Filter driver, publicly available, that will block write access to track 1, sector 0 where the MBR resides: https://www.talosintelligence.com/mbrfilter .

Further described as:

Quote

MBRFilter

   This is a simple disk filter based on Microsoft's diskperf and classpnp example drivers.

  The goal of this filter is to prevent writing to Sector 0 on disks.
  This is useful to prevent malware that overwrites the MBR like Petya.

  This driver will prevent writes to sector 0 on all drives. This can cause an
  issue when initializing a new disk in the Disk Management application. Hit
  'Cancel' when asks you to write to the MBR/GPT and it should work as expected.
  Alternatively, if OK was clicked, then quitting and restarting the application
  will allow partitoning/formatting.

https://github.com/Cisco-Talos/MBRFilter

Why Eset never incorporated this driver into its software is really beyond me.

Edited December 28, 2022 by itman

[itman 1,659]

Let's discuss this above posted statement:

Quote

The ransomware attempts to destroy the first 10 sectors of the \\\\.\\PhysicalDrive0 if Kaspersky Antivirus is found or if the MBR infection is unsuccessful.

I would say malware going after \\\\.\\PhysicalDrive0  track 1, sector 0 is atypical of MBR modification activity.

Tip - what happens if Windows is not installed on PhysicalDrive0? Tip 2 - perhaps by plugging boot drive cable into motherboard drive connector 1 and another non-boot drive into motherboard drive connector 0. 

Edited December 28, 2022 by itman

[Marcos 5,074]

Basically any sample that modifies MBR is now evaluated by ESET LiveGuard as malware regardless of the detection threshold in business products.

[itman 1,659]

2 hours ago, Marcos said:

Basically any sample that modifies MBR is now evaluated by ESET LiveGuard as malware regardless of the detection threshold in business products.

SententialOne has a blog posting here: https://www.sentinelone.com/blog/mbrlocker-wiper-malware-destructive-pranks-are-no-joke-for-victims/ in regards to a MBR locker running from a web site download. If you run the demo video, the download does not appear to be a .exe from what I can tell. As such, would it even be uploaded to LiveGuard?

-EDIT- I played the video again in full screen mode and did observe the download is a .exe. When run, it immediately forces a system shutdown. Not sure if the MBR is modified prior to shutdown (doubtful) or at system startup time. Questions are would it perform above behavior if running in a sandboxed environment?

Edited January 2, 2023 by itman