7 Replies Latest reply on Sep 27, 2011 8:44 AM by SafeBoot

    Safeboot MBR corruption

      Hoping someone might have a little insight for me.  In the last week or two we have experienced an unusually high number of MBR corruptions.  In one instance we were able to determine the corruption was due to malware.  The other instances were resolved immediately by restoring the MBR with WinTech.  There may actually still be malware on those machines, I'm still trying to investigate it.  However, I'm curious to know why the Safeboot MBR is so susceptible to corruption in the first place?  Or even if malware isn't the issue and lets say it's due to software updates ,etc.. why is it so easy to muck with the Safeboot MBR?  Are there any additional protections we can utilize to prevent it?  We are running version 5.2.9 which I was told had some self-checking or self-repairing mechanisms in place, but just doesn't seem like we're slowing down any.

       

      I'd greatly appreciate any insight!

        • 1. Re: Safeboot MBR corruption

          there are indeed self-checking/repair features in 5.2.9, but that's for the pre-boot file system, not for the MBR. That's up to your AV program to protect. EEPC does have a trivial detection method (the MBR Virus Protection option in machine/general) - but that just detects an infection and stops the user using the machine.

           

          typically NOTHING touches the MBR, well, except for fixmbr or something anyway - it does not usually need protection as no legitimate program needs to bother with it.

           

          I expect you're under attack from a TDSS rootkit or something? Grab a copy of the  bad MBR with wintech or something and let your AV company know, they should be able to tell you what it is.

          • 2. Re: Safeboot MBR corruption

            I'm just trying to figure out why the need to restore the Safeboot MBR.  As you said nothing really touches the MBR so we very rarely are doing fixmbr, but we're constantly restoring the Safeboot MBR.  As soon as we restore the Safeboot MBR, the system is operational again.  So malware will definitely (potentially) require the restore of Safeboot MBR?  McAfee is our AV company as well and I'm currently in a battle with them regarding the extreme lack of detections on malware.. hopefully we'll get that sorted out soon.  But I did recently submit the MBR to McAfee Labs and they confirmed it was infected with TDSS.  As a result I'm going to build instructions for our desktop team to start capturing the MBR and submitting it for analysis.

            • 3. Re: Safeboot MBR corruption

              Malware which replaces the MBR will for sure need a restore of the SBR - After all, it just nuked the code needed to boot the machine. If you're under attack from TDSS then for sure your EEPC machines are going to get disabled.

               

              Think about it this way, if EEPC didnt stop working, you'd have TDSS rootkits and hackers in your network, and you'd never know about it. 

              • 4. Re: Safeboot MBR corruption

                We see this too on machines running either EEPC 5.2.8 plus McAfee AV.  Error code e0050001.  Got ticket open with McAfee but have moved from the EEPC team and are now working with the malware team.   Have supplied MER, MBR copies, GetSusp and other diags, now looking at supplying sample PC to help ID the cause.  Issue happens across XP,Visa, Win 7,two versions of EEPC and a variery of hardware models. 

                 

                After using Wintech to recover a failed PC an updated McAfee DAT reveals malware infection but never of a type that looks capable of breaking the MBR.  Malware is different each time, but common feature is that each variant is not formaly detected by McAfee at the point of failure but IS caught by an updated DAT file very shortly after.

                 

                Very interested to understand what is happening here

                • 5. Re: Safeboot MBR corruption

                  You might be under a targeted attack, if so the binary for the malware changes more rapidly than we get samples, so you could see a delay of up to 5 days between infection and detection - especially if someone is targetting specifically your users, as there won't be enough "frequency" for the malware team to get samples into GTI.

                   

                  Do you have Artemis (Heuristic Network Check) turned on/up? That will give you better protection for sure if you've not got it on.

                   

                  root kits use other malware to install themselves, so you want to keep an eye out for TDSS for example, and also FakeAV.

                  • 6. Re: Safeboot MBR corruption

                    Artemis is on but set to Low.  We are restricted from raising  the level higher in our environment.

                    • 7. Re: Safeboot MBR corruption

                      That's a shame, as that would make a big difference to your protection level. I think you're stuck until DeepSafe/DeepDefender get released towards the end of the year then - unless you want to/are eligible to participate in the beta program.