Saturday, December 10, 2011

The Case of Maximus (Mebroot-based) Bootkit

The next guinea pig is Maximus bootkit based on notorious Mebroot/Sinowal/MaosBoot. This bootkit is dated by 2008. Its dropper waits some time (about a hour) to complete installation. Then it reboots the computer. It refuses to work on our Windows 7 test system, but perfectly works on Windows Server 2003. Let’s start Hypersight Rootkit Detector’s monitoring on the infected system:

We see about 40...60 “stealth code” events. This tells us about a relatively big code base of the rootkit.

There are some typical code pieces of this rootkit shown below.

The code called by patched call of tcpip!IPRcvPacket:

The hooked IRP_MJ_WRITE callback of disk.sys:

The code called from ndis.sys driver:

And finally, the piece of the bootkit’s image in the memory (“MaOS” is a signature typical for Mebroot bootkits):

Mebroot bootkit places its body into nonpaged pool beyond the code of kernel-mode modules. This helps to avoid detection by anti-viruses and software-based rootkit detectors. But it fails to hide from hypervisors.

No comments: