I've spent most of the day trying to understand Mebroot a little better.

This MBR rootkit is a very sophisticated piece of malware using an old infection method (the master boot record) but with today's best coding techniques. Anyway, for us researchers, Mebroot breaks our testing environment on a regular basis and finds ways to be one of the biggest nuisances you could think of. Several months ago we wrote a set of scripts in Linux to restore a clean MBR after each pass of an infected image. It worked well, but not well enough. Some of our HoneyPots need to prevent a Mebroot infection right there and then, and cannot wait for a reboot to restore a clean MBR.

So today I have been deep in batch scripting... I adopted a somewhat "shove it down your throat" approach to neutralize Mebroot as it is trying its infection routine. Can a simple batch script prevent a Mebroot infection? (I use a script and a few other files together.) Well, I asked myself that very same question. I took my little script, downloaded 10 copies of Mebroot from Offensive Computing and put the script to the test.

First, I ran all the Mebroot samples, rebooted with a Live CD and uploaded my MBR to VirusTotal. The result is clear: my PC is infected.

[screenshot]

Then I did the same test (on a clean image, of course): ran my script first, and then launched all the Mebroot files. Rebooted, uploaded the MBR and, to my astonishment, it was clean.

[screenshot]

I should mention too that this new MBR has the same MD5 as my original 'clean' MBR. Also, to be sure, I repeated both steps twice (with and without the batch script).

While I can't disclose the script I am using (the bad guys read security blogs too), I can say that I use publicly available tools and simple Windows Batch scripting. This solution may not be viable in the real world, but for our testing purposes, it works great.

Jerome Segura
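The verification step in the post (dump the MBR from a Live CD, hash it, compare the MD5 with the known-clean original) can be scripted rather than done by hand. The following is an added example, not the author's script or any tool from the post: it reads a 512-byte MBR, checks the 0x55AA boot signature, hashes the bootstrap code separately from the partition table, and reports whether the boot code still matches a baseline hash. The MBR layout constants and the synthetic sample sectors are constructed here for offline testing; MD5 is used only to mirror the post's comparison.

```python
"""Added example: compare a master boot record against a known-clean baseline.

Constructed for illustration; the sample sectors are synthetic, not real boot code.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap code region; a bootkit rewrites this part
DISK_SIG_LEN = 6           # 4-byte disk signature + 2 reserved bytes (bytes 440-445)
PART_TABLE_OFFSET = 446    # four 16-byte partition entries
SIGNATURE_OFFSET = 510     # 0x55AA boot signature
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def read_mbr(device_path):
    """Read the first sector from a raw device or a dd image (path is an assumption)."""
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr(boot_code_fill, partition_count=1):
    """Constructed synthetic MBR for offline testing; not a real boot sector."""
    boot_code = bytes([boot_code_fill]) * BOOT_CODE_LEN
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"
    entries = b""
    for i in range(4):
        if i < partition_count:
            status = 0x80 if i == 0 else 0x00          # first entry marked bootable
            entries += struct.pack(ENTRY_FMT, status, b"\x01\x01\x00", 0x07,
                                   b"\xfe\xff\xff", 2048 + i * 1_000_000, 1_000_000)
        else:
            entries += b"\x00" * 16
    return boot_code + disk_sig + entries + b"\x55\xAA"


def tamper_boot_code(mbr):
    """Constructed 'infected' sample: overwrite the start of the bootstrap code while
    leaving the partition table and signature intact, the shape of an MBR bootkit change."""
    return b"\xAB\xCD" * 8 + mbr[16:]


def validate(mbr):
    """Reject anything that is not a full sector ending in the 0x55AA boot signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (MBR_SIZE, len(mbr)))
    if mbr[SIGNATURE_OFFSET:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")


def boot_code_hash(mbr):
    """MD5 of the bootstrap code only (MD5 to match the post; SHA-256 is the modern choice)."""
    validate(mbr)
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()


def sector_hash(mbr):
    """MD5 of the whole sector, which also changes on legitimate repartitioning."""
    validate(mbr)
    return hashlib.md5(mbr).hexdigest()


def partition_summary(mbr):
    """Decode the four partition entries, skipping empty ones."""
    validate(mbr)
    out = []
    for i in range(4):
        start = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[start:start + 16])
        if ptype:
            out.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return out


def check_mbr(mbr, baseline_boot_hash):
    """Compare the bootstrap code with the baseline and report the partition layout."""
    h = boot_code_hash(mbr)
    return {"clean": h == baseline_boot_hash, "boot_code_md5": h,
            "sector_md5": sector_hash(mbr), "partitions": partition_summary(mbr)}


if __name__ == "__main__":
    clean = build_sample_mbr(0xCC)
    baseline = boot_code_hash(clean)          # taken from the known-clean image
    samples = [("clean", clean),
               ("tampered", tamper_boot_code(clean)),
               ("repartitioned", build_sample_mbr(0xCC, partition_count=2))]
    for label, sample in samples:
        result = check_mbr(sample, baseline)
        print("%-14s %s  boot_code_md5=%s" % (label, "clean" if result["clean"] else "MODIFIED",
                                             result["boot_code_md5"]))
```

Hashing the first 440 bytes separately from the rest is a design choice: the disk signature and partition table legitimately change when an image is repartitioned, so a whole-sector hash alone would raise false alarms there, while a bootkit that rewrites the bootstrap code is caught by the boot-code hash. To apply this to a real image, take the baseline with `boot_code_hash(read_mbr(path))` from the clean disk before running any sample.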