Summary

 

This article explains how you can collect an MBR rootkit sample for F-Secure Labs to analyse. Before performing any of the steps, you will need:

 

 

Collecting an MBR rootkit sample

 

To collect an MBR rootkit sample, do as follows:

 

  1. Insert the thumbdrive to the powered-down system. Boot from F-Secure Rescue CD and let it initialize until the screen presents the choice to continue or restart the computer.

  2. Press Alt-F2 to switch to the console.

  3. List all available drives with the fdisk -l command. Use the sizes of the disks to pick out the thumbdrive.

  4. Mount the thumbdrive with the following command:

    mount %devicename%
    where %devicename% = the name of the thumbdrive

    Example:
    Name of thumbdrive: /dev/sdc1
    Command: mount /dev/sdc1

  5. Use the following command to dump the MBR, which is usually (but not always) the first sector of the hdadrive:

    dd if=%device_name% of=%filename% bs=512 count=1
    where %device_name% = name of the device and %filename% = name of the output dump

    Example:
    Name of the output dump: /tmp/mbr_disk
    Command: dd if=/dev/hda of=/tmp/mbr_disk bs=512 count=1

  6. You may also use the above command to dump the first sector of other drives, if you feel the information may be relevant.

    Note: Ensure the name of the output dump is changed to avoid overwriting the dumped MBR information.

    Example:
    Name of the output dump: /tmp/mbr_disk1
    Command: dd if=/dev/hda1 of=/tmp/mbr_disk1 bs=512 count=1

  7. Copy the dumped information to the thumbdrive with the following command: cp %name of output dump% %file on thumbdrive%

    You can determine the path to the thumbdrive by typing the df command and noting the relevant entry in the "mounted on" column.

    Example:
    cp /tmp/mbr_disk /media/shc1/mbr_disk

  8. Use an uncompromised machine to submit all the dumped files to F-Secure via the Sample Analysis System , along with any relevant details. The dumped files may also be sent in as an attachment to a reply for an existing SAS case.
(2,098 Views)

Collecting an MBR rootkit sample

Contributors