MBR rootkit: VirTool:WinNT/Sinowal.A report

This week you may have heard or read about a new rootkit that has been reported in the wild that uses the Master Boot Record (MBR) as its Auto-Start Entry Point (ASEP). The malware is being called VirTool:WinNT/Sinowal.A. First we want to let you know that if you use any of the Microsoft antivirus technologies (Windows Live OneCare, Forefront Client Security, Forefront Security for Exchange or Windows Live OneCare Safety Scanner), you are already protected from this threat as of definition version 5364.0 and higher. Next, we want to talk about the use of the MBR as an ASEP by which to kick off the malware loading process and some of the interesting consequences of using this technique.


There are several binaries in the wild which try to install this rootkit. All the known variants are detected by Microsoft antimalware products using two generic signatures: PWS:Win32/Sinowal.gen!C and PWS:Win32/Sinowal.gen!D.


This malware attempts to modify the MBR so that it can control what gets read from the disk into memory and execute very early in the boot process. After the modified MBR is executed, it reads additional malicious code into memory which modifies the NT kernel to force it to load a malicious driver that has been stored at the end of the physical disk (The driver will not be visible while the infected OS is running.). Once the driver is loaded into the kernel, it behaves just like a standard kernel mode rootkit, providing covert and stealth network backdoor functionality by hooking low level APIs to attempt to avoid detection.


Here are some interesting things about this malware:


First, the installer for this rootkit needs to modify the MBR in order to ensure that the rootkit can persist across reboots. It does this by using the CreateFile API attempting to open “\Device\Harddisk0\DR0” for write access. Using the CreateFile API in this way (for direct / raw disk access) requires administrative privileges as mentioned in this KB article: http://support.microsoft.com/kb/q100027. So if you are logged into Windows as a standard user or if you are using Windows Vista with UAC enabled, even if you accidentally run the malware installer or it runs via some exploit code, it will be running with insufficient privilege to modify the hard disks MBR; thus it will not be able to persist a system restart.


Next, the perceived strength of this new rootkit, its lack of a visible footprint in the registry and file system due to the use of the MBR as the ASEP, is also a big weakness! If you suspect that you have a system that is infected with this rootkit, to prevent it from loading, all that is required is to write a known-good copy of a master boot record back to the disk to prevent the rootkit driver from being loaded on the next reboot! Fortunately, we have made that a fairly painless process with the Windows Recovery Console and the ‘fixmbr’ command!


Here are some instructions for using the Windows Recovery Console:


Windows XP instructions: http://support.microsoft.com/kb/314058 (just type ‘fixmbr’ in the console)


Windows Vista instructions: http://support.microsoft.com/kb/927392 (just type ‘bootrec.exe /fixmbr’ at the console)


After restoring a known-good MBR to the hard drive, you should be able to start Windows and perform an on-line antivirus scan to detect and remove any of the malware components or any other malware that may have been installed on the system and hidden by the rootkit. You can use the Windows Live OneCare Safety Scanner at http://safety.live.com to perform such a scan. It includes all the signatures for this malware.

The main driver makes outbound HTTP connections to a particular hard-coded IP address or domain. We presume this is so that it can receive instructions and/or register with its overseer. It may also be able to receive instructions which allow it to act as an HTTP proxy, or to download and execute further malware. The malware makes similar connections to a number of domains which appear to be pseudo-randomly generated.


More information about this malware is available in our virus encyclopedia write ups:


VirTool:WinNT/Sinowal.A: http://www.microsoft.com/security/portal/Entry.aspx?name=VirTool:WinNT/Sinowal.A


VirTool:WinNT/Sinowal.B: http://www.microsoft.com/security/portal/Entry.aspx?name=VirTool:WinNT/Sinowal.B


PWS:Win32/Sinowal.gen!C: http://www.microsoft.com/security/portal/Entry.aspx?name=PWS:Win32/Sinowal.gen!C


PWS:Win32/Sinowal.gen!D: http://www.microsoft.com/security/portal/Entry.aspx?name=PWS:Win32/Sinowal.gen!D



Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.


-- Robert Hensing and Scott Molenkamp


This is a case where the Microsoft Malware Protection Center (MMPC) worked closely with the Microsoft Security Response Center (MSRC) to analyze the threat and develop guidance and mitigations. Rob "EL CONQUISTADOR" Hensing (Microsoft Security Technology Unit) and Scott Molenkamp (Microsoft Malware Protection Center, Australia) contributed to this blog in an effort to share this information with customers and partners.