Naathim Opublikowano 21 Sierpnia 2013 Zgłoś Udostępnij Opublikowano 21 Sierpnia 2013 Witaj Picasso Potrzebuję konsultacji w jednej sprawie. Netbook Samsung, Windows 7 Starter x86. Otóż w ramach pracy badawczej robiłem sobie różne skany i raporty, żeby parę rzeczy porównać w logach i ni z tego ni z owego coś przyciągnęło moją uwagę. Z raportów wyszło mi że mam rootkita w MBR ( ), ale wcale nie jestem o tym w 100% przekonany. Ano popatrz: Najpierw (stąd się w ogóle to wzięło) mamy stary log z Gmera: GMER.txtPobieranie informacji ... MBRcheck mówi tak: MBRCheck_08.21.13_12.18.06.txtPobieranie informacji ... No to jedziem mbr.exe (chociaż to trochę stare narzędzie, ale jeśli wierzyć zapisom to Mebratix jest starą infekcją ): mbr.txtPobieranie informacji ... Bierzem sobie TDSSKillera więc na tapetę: TDSSKiller.2.8.16.0_21.08.2013_12.26.18_log.txtPobieranie informacji ... No i na koniec najciekawsze - narzędzie MBRScan. (celowo umieszczam go w spoilerze ze względu na znaczniki) Interesuje mnie co Ty o tym myślisz Pokaż ukrytą zawartość MBRScan v1.1.1 OS : Windows 7 Service Pack 1 (32 bit) PROCESSOR : x86 Family 6 Model 28 Stepping 10, GenuineIntel BOOT : Normal Boot DATE : 2013/08/21 (ISO 8601) at 12:56:35 ________________________________________________________________________________ DISK : Device\Harddisk0\DR0 __Hitachi HTS543225A7A (ESBO) BUS_TYPE : (0x03) P-ATA USE_PIO : NO MAX_TRANSFER : 128 Kb ALIGNMENT_MASK : word aligned ________________________________________________________________________________ DISK : Device\Harddisk1\DR1 __Generic Flash Disk (8.07) BUS_TYPE : (0x07) USB USE_PIO : NO MAX_TRANSFER : 64 Kb ALIGNMENT_MASK : byte aligned ________________________________________________________________________________ Device\Harddisk0\DR0 232.9 Go [Fixed] ==> Mebratix.B MBR Code MBR_MD5 : C9AEF39EE26A3AC58B1FA731BC1896BC MBR_SHA1 : 0D66393B8EC766939B4C4CACFF32CE2D20DDCE4F Device\Harddisk0\Partition1 100.0 Mo 0x07 NTFS / HPFS __ BOOTABLE __ Device\Harddisk0\Partition2 62.00 Go 0x07 NTFS / HPFS Device\Harddisk0\Partition3 17.03 Go 0x27 RE Hidden partition Device\Harddisk0\Partition4 153.8 Go 0x07 NTFS / HPFS ________________________________________________________________________________ Device\Harddisk1\DR1 3.81 Go [Removable] ==> Unknown MBR Code MBR_MD5 : BCEA6C6B66914F2C10DB6EE5F8F81759 MBR_SHA1 : 05C1E578D6FF994B93311E6E9EA7CEC9D268A16D Device\Harddisk1\Partition1 3.81 Go 0x0B FAT32 [CHS] ________________________________________________________________________________ ############################### Additional scan ################################ DRIVER : C:\windows\System32\Drivers\dump_iaStor.sys => Invisible on the disk ADDRESS : 0x89839000 SIZE : 872.0 Ko DRIVER : C:\windows\System32\Drivers\dump_dumpfve.sys => Invisible on the disk ADDRESS : 0x8DFBA000 SIZE : 68.0 Ko DRIVER : C:\Users\Na'athim\AppData\Local\Temp\mbr.sys => Invisible on the disk ADDRESS : 0xA6FC2000 SIZE : 28.0 Ko BCD EmsSettings {0CE4991B-E6B3-4B16-B23C-5E0D9250E5D9} => BcdLibraryBoolean_EmsEnabled (16000020) SystemStartOptions : NOEXECUTE=OPTIN ________________________________________________________________________________ _______MBR \Device\Harddisk0\DR0 0x00000000 33 C0 8E D8 8E C0 8E D0 BC 00 7C 8B F4 BF 00 06 3À.Ø.À.м.|.ô¿.. 0x00000010 B9 00 01 FC F3 A5 EA 1B 00 60 00 0E 1F 06 E8 95 ¹..üó¥ê..`....è. 0x00000020 00 07 80 3E 97 01 01 74 75 80 3E 97 01 02 74 00 ...>...tu.>...t. 0x00000030 C6 06 94 01 00 E8 04 01 BE BE 01 B3 04 F6 04 80 Æ....è..¾¾.³.ö.. 0x00000040 75 0F 83 C6 10 FE CB 75 F4 CD 18 BE 5D 01 E8 FC u..Æ.þËuôÍ.¾].èü 0x00000050 00 BB 00 7C 06 53 50 55 8B EC C7 46 02 00 00 5D .».|.SPU.ìÇF...] 0x00000060 50 55 8B EC C7 46 02 00 00 5D FF 74 0A FF 74 08 PU.ìÇF...].t..t. 0x00000070 06 53 50 55 8B EC C7 46 02 01 00 5D 50 55 8B EC .SPU.ìÇF...]PU.ì 0x00000080 C7 46 02 10 00 5D 16 1F 8B F4 B4 42 CD 13 83 C4 ÇF...]...ô´BÍ..Ä 0x00000090 10 EB 00 CB C6 06 95 01 00 E8 A0 00 EB 00 BB 00 .ë.ËÆ....è..ë.». 0x000000A0 7C 06 53 B8 01 02 B5 00 B1 05 B6 00 B2 80 CD 13 |.S¸..µ.±.¶.².Í. 0x000000B0 C6 06 94 01 01 CB B8 00 F0 8E C0 33 C0 8B F0 BB Æ....˸.ð.À3À.ð» 0x000000C0 FF FF 26 81 3C 53 77 74 08 83 C6 01 4B 75 F3 EB ..&.<Swt..Æ.Kuóë 0x000000D0 1A 26 81 7C 02 53 6D 74 02 EB EE 26 81 7C 04 69 .&.|.Smt.ëî&.|.i 0x000000E0 40 74 02 EB E4 83 C6 06 E8 01 00 C3 1E 57 26 8B @t.ëä.Æ.è..Ã.W&. 0x000000F0 14 26 8A 44 03 EE 26 8B 44 07 8E D8 26 8B 44 05 .&.D.î&.D..Ø&.D. 0x00000100 8B F8 C7 05 43 58 C7 45 02 5C 00 26 8A 44 02 EE .øÇ.CXÇE.\.&.D.î 0x00000110 B1 02 8A 65 05 80 FC FF 74 13 80 FC 80 76 0E C7 ±..e..ü.t..ü.v.Ç 0x00000120 45 02 5D 00 80 EC 80 88 65 05 EE B1 01 26 8B 14 E.]..ì..e.î±.&.. 0x00000130 26 8A 44 04 EE 5F 1F 88 0E 97 01 C3 BB 00 06 B8 &.D.î_.....û..¸ 0x00000140 01 03 B5 00 B1 01 B6 00 B2 80 CD 13 C3 AC 3C 00 ..µ.±.¶.².Í.ì<. 0x00000150 74 0A B4 0E B7 00 B3 07 CD 10 EB F1 C3 4D 69 73 t.´.·.³.Í.ëñÃMis 0x00000160 73 69 6E 67 20 6F 70 65 72 61 74 69 6E 67 20 73 sing operating s 0x00000170 79 73 74 65 6D 00 00 00 00 00 00 00 00 00 00 00 ystem........... 0x00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000190 46 44 53 54 00 00 3E 02 00 27 00 00 BC 0A 8D 7E FDST..>..'..¼..~ 0x000001A0 67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 g operating syst 0x000001B0 65 6D 00 00 00 63 7B 9A 58 DE 68 81 00 00 80 20 em...c{.XÞh.... 0x000001C0 21 00 07 DF 13 0C 00 08 00 00 00 20 03 00 00 DF !..ß....... ...ß 0x000001D0 14 0C 07 FE FF FF 00 28 03 00 00 00 C0 07 00 FE ...þ...(....À..þ 0x000001E0 FF FF 0F FE FF FF 00 28 C3 07 00 38 38 13 00 FE ...þ...(Ã..88..þ 0x000001F0 FF FF 27 FE FF FF 00 60 FB 1A 00 E8 20 02 55 AA ..'þ...`û..è .Uª _______MBR \Device\Harddisk1\DR1 0x00000000 FA B8 00 00 8E D0 BC 00 7C 8B F4 50 07 50 1F FB ú¸...м.|.ôP.P.û 0x00000010 FC BF 00 06 B9 00 01 F3 A5 EA 1E 06 00 00 BE BE ü¿..¹..ó¥ê....¾¾ 0x00000020 07 80 3C 80 74 02 CD 18 56 53 06 BB 00 7C B9 01 ..<.t.Í.VS.».|¹. 0x00000030 00 BA 00 00 B8 01 02 CD 13 07 5B 5E B2 80 72 0B .º..¸..Í..[^².r. 0x00000040 BF BC 7D 81 3D 55 53 75 02 B2 00 BF EB 06 88 15 ¿¼}.=USu.².¿ë... 0x00000050 8A 74 01 8B 4C 02 8B EE EB 15 BE 9B 06 AC 3C 00 .t..L..îë.¾..¬<. 0x00000060 74 0B 56 BB 07 00 B4 0E CD 10 5E EB F0 EB FE BB t.V»..´.Í.^ëðëþ» 0x00000070 00 7C B8 01 02 CD 13 73 05 BE B3 06 EB DF BE D2 .|¸..Í.s.¾³.ëß¾Ò 0x00000080 06 BF FE 7D 81 3D 55 AA 75 D3 BF 24 7C BE EB 06 .¿þ}.=UªuÓ¿$|¾ë. 0x00000090 8A 04 88 05 8B F5 EA 00 7C 00 00 49 6E 76 61 6C .....õê.|..Inval 0x000000A0 69 64 20 70 61 72 74 69 74 69 6F 6E 20 74 61 62 id partition tab 0x000000B0 6C 65 00 45 72 72 6F 72 20 6C 6F 61 64 69 6E 67 le.Error loading 0x000000C0 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 65 operating syste 0x000000D0 6D 00 4D 69 73 73 69 6E 67 20 6F 70 65 72 61 74 m.Missing operat 0x000000E0 69 6E 67 20 73 79 73 74 65 6D 00 00 00 00 00 00 ing system...... 0x000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000001B0 00 00 00 00 00 00 00 00 11 B9 34 06 00 00 00 11 .........¹4..... 0x000001C0 32 00 0B 5D DD DE 60 04 00 00 A0 E3 79 00 00 00 2..]ÝÞ`....ãy... 0x000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............Uª Odnośnik do komentarza
snemelk Opublikowano 21 Sierpnia 2013 Zgłoś Udostępnij Opublikowano 21 Sierpnia 2013 Samsung? Nic ciekawego, MBR jest ok... Było ostatnio parę zgłoszeń i tematów odnośnie tej detekcji MBRScan (patrz VT: MBR.dat) i jest to "false positive"... Przykładowy temat: Bootkit Mebratix.B ? (patrz ostatni post)... Odnośnik do komentarza
Rekomendowane odpowiedzi