MBR-wiping malware targets German victims

Trend Micro recently uncovered what it terms a “noteworthy backdoor” as an attached file in certain spam variants sent to German recipients. The spam sample the security firm found tells recipients they have to pay a certain debt, the details of which are contained in the attachment. The attachment, of course, executes that malware.

Like any backdoor, BKDR_MATSNU.MCB performs certain malicious commands, which include gathering machine-related information and sending it to its command-and-control (C&C) server. But it also has a secret sauce. “This particular malware, on top of its ability to remotely control an affected system, is able to wipe out the Master Boot Record – a routine that had previously caused a great crisis in South Korea,” noted Lenart Bermejo, threat response tech lead at Trend Micro.

The remote malicious server only needs to communicate a wipe command to the backdoor and it can execute the MBR routine immediately. Once compromised, infected systems won’t reboot normally and will leave users with unusable machines.

The MBR was recently used in the high-profile (but different) attack against South Korean institutions, including three broadcasters – KBS, MBC and YTN – and two banks, Shinhan and Nonghyup. Security firm AlienVault found that one of the offending pieces of code attacked by overwriting a system’s MBR, making it a rootkit bug.

McAfee’s latest Quarterly Threats Report noted a surge in MBR attacks, where the goal is to infect a machine’s storage system, and from there take control of the entire device. The appearance of MBR samples increased more than 30% in Q1 2013, noted the report. MBR corruption was popular in the '80s and '90s, but there has been a gap in MBR infections until now, McAfee said.
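A defender-side check that follows from the MBR discussion above: an added Python example (not code from Trend Micro, McAfee, AlienVault or the article) that parses a 512-byte MBR, verifies the 0x55AA boot signature and the partition table, and compares the bootstrap code against a known-good hash, so a wiped or overwritten sector is flagged before the next reboot fails. The sample MBR and its baseline hash are constructed for the demo.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, four partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Return findings that indicate tampering; an empty list means the MBR matches."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector wiped or overwritten")
    if mbr["boot_code_sha256"] != baseline_boot_hash:
        findings.append("bootstrap code differs from baseline")
    if not any(p["type"] != 0 and p["sectors"] > 0 for p in mbr["partitions"]):
        findings.append("no usable partition entries: partition table destroyed")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed known-good MBR for the demo (not a real disk image)."""
    boot_code = bytes([0xEB, 0x63, 0x90]) + b"\x00" * 443          # 446 bytes
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)  # one NTFS-type entry
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


BASELINE_HASH = hashlib.sha256(build_sample_mbr()[:446]).hexdigest()

if __name__ == "__main__":
    print("intact:", check_mbr(build_sample_mbr(), BASELINE_HASH))
    print("wiped :", check_mbr(b"\x00" * SECTOR_SIZE, BASELINE_HASH))
```

On a live system the first sector would be read from the raw disk device with administrative rights and the baseline hash recorded at install time.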

The German-targeted malware doesn’t stop at wreaking MBR havoc, though: another feature is the backdoor’s capability to lock and unlock a screen. “This locking of screen is definitely a direct copy from ransomware’s playbook, in which the system remains completely or partially inaccessible unless the victim pays for the ransom,” Bermejo said.

The malware, however, requires more than a remote command to implement the screen lock. Instead, it downloads a different module onto the system, which will then lock the screen.

“As to what routines will be first executed or not is dependent on the remote malicious user,” Bermejo said. “Attackers may opt to lock the screen first, then initiate the MBR overwriting or just initiate any of the two.”

Another possible scenario is a version of the MBR exploit that is integrated with the screen blocking routine, which will make the screen locking command easier to execute. Trend Micro is on the lookout for this version but hasn’t found it yet.

As always, users should be cautious about the email they receive and not readily open any attachments. And, if a system is already infected, it’s a safer bet not to pay the 'ransom'.