A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #10401  by Tigzy
 Fri Dec 16, 2011 9:31 am
Hello

No problem to detect XP code and to find Vista / 7 code.
But I don't found a tip to differentiate Vista / 7 MBR. Someone knows a way to do so?
If not, this is not so important as the main information is to identify legit bootstrap...
 #10403  by EP_X0FF
 Fri Dec 16, 2011 9:39 am
Get two mbr dumps from the machines with same disk, same disk configuration. First running Vista, second 7. Do file compare to see difference.
 #10513  by rkhunter
 Thu Dec 22, 2011 11:40 am
What exactly you want to see in that code? How it loads the main loader?
 #10514  by Tigzy
 Thu Dec 22, 2011 12:16 pm
I'm trying to identify a signature that could be used to detect these infected MBR.
So would have an analysis to know exactly that code does.
 #10515  by EP_X0FF
 Thu Dec 22, 2011 12:25 pm
It's ROR decryption loop is perfectly fits for easy signature.
 #10518  by Tigzy
 Thu Dec 22, 2011 12:33 pm
Hello EP_X0FF! How are you?

I saw on several docs it was encrypting its most bootstrap part. The sample I got does not encrypt it.... Stunning.
Here's the dump I use. I must say for the moment I haven't enough samples for cross comparison. If some of you have some dumps to provide...

(renamed to .txt, but it's raw data)
(512 Bytes) Downloaded 37 times

EDIT: found a good paper: http://danuxx.blogspot.com/2011/03/tdss ... art-1.html
 #10520  by rkhunter
 Thu Dec 22, 2011 12:49 pm
EP_X0FF wrote:It's ROR decryption loop is perfectly fits for easy signature.
For easy yes, but you sure that it will be identify only TDL4 mbrs?
 #10522  by Tigzy
 Thu Dec 22, 2011 12:57 pm
so the best I can do here is to get the ROR args, use them to decrpt the rest of the MBR, and check for INT13h calls (with 42h / 48h args) ?
Seems my dump is an old (?) version wich was not encrypt its mbr. I can recognize the hook procedure
 #10523  by EP_X0FF
 Thu Dec 22, 2011 12:59 pm
rkhunter wrote:
EP_X0FF wrote:It's ROR decryption loop is perfectly fits for easy signature.
For easy yes, but you sure that it will be identify only TDL4 mbrs?
Yes, if you execute this code it will decrypt "ldr16". I doubt something like this exists anywhere else except infected machines.
Seems my dump is an old (?) version wich was not encrypt its mbr.
This is MaxSS MBR, not TDL4.