How to collect an MBR rootkit sample

This article explains how you can collect an MBR rootkit sample for F-Secure Labs to analyse.

Before performing any of the steps, you need
  • a USB drive (or other similar removable media), and
  • any rescue system CD available, such as KNOPPIX®.

To collect an MBR rootkit sample, do as follows:

  1. Insert the thumbdrive into the powered-down system. Boot from the rescue CD (e.g. KNOPPIX) and let it initialize until the screen presents the choice to continue or restart the computer.
  2. Press Alt-F2 to switch to the console.
  3. List all available drives with the command

    fdisk -l

    Use the sizes of the disks to pick out the thumbdrive.
  4. Mount the thumbdrive with the command

    mount %devicename%

    where %devicename% is the device name of the thumbdrive.

    Example, with the thumbdrive at /dev/sdc1:

    mount /dev/sdc1
  5. Dump the MBR, which is usually (but not always) the first sector of the hda drive, with the command

    dd if=%device_name% of=%filename% bs=512 count=1

    where %device_name% is the name of the device and %filename% is the name of the output dump.

    Example, with the output dump written to /tmp/mbr_disk:

    dd if=/dev/hda of=/tmp/mbr_disk bs=512 count=1
  6. You may also use the above command to dump the first sector of other drives (or partitions, as in the example) if you feel the information may be relevant.

    Note: Change the name of the output dump each time so that you do not overwrite the MBR you have already dumped.

    Example, with the output dump written to /tmp/mbr_disk1:

    dd if=/dev/hda1 of=/tmp/mbr_disk1 bs=512 count=1
  7. Copy the dumped files to the thumbdrive with the command

    cp %name of output dump% %file on thumbdrive%

    You can determine the path to the thumbdrive by running the df command and noting the relevant entry in the "Mounted on" column.

    Example, with the thumbdrive mounted at /media/sdc1:

    cp /tmp/mbr_disk /media/sdc1/mbr_disk
  8. Use an uncompromised machine to submit all the dumped files to F-Secure via the Sample Analysis System (SAS), along with any relevant details. The dumped files may also be sent as an attachment in a reply to an existing SAS case.
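The shell functions below are an added example and are not part of the F-Secure article. They wrap steps 5 to 7 into one call: dump the first sector of a device with dd, confirm the dump is exactly one 512-byte sector, check for the 0x55 0xAA boot signature that a real MBR or partition boot sector carries at offset 510 (a sanity check the article does not mention, useful for spotting that the wrong device was dumped), and copy the file to the thumbdrive together with a SHA-256 checksum so the analyst can confirm it arrived intact. The device and mount paths in the usage comment are taken from the article's examples and are assumptions; substitute whatever fdisk -l and df show on the machine at hand. The sha256sum call is guarded in case the rescue system lacks the tool.

```shell
#!/bin/sh
# Added example (not the F-Secure article's own code).
# Usage, with the names from the article's examples (assumptions):
#   collect_sector /dev/hda /tmp/mbr_disk /media/sdc1
# Run from the rescue system's console after the thumbdrive is mounted.

# Step 5/6: read exactly the first sector of DEVICE into OUTFILE.
dump_mbr() {
    device="$1"
    outfile="$2"
    # bs=512 count=1 reads one sector, as in the article's dd command
    dd if="$device" of="$outfile" bs=512 count=1 2>/dev/null || return 1
    # A short read (e.g. an empty or unreadable device) must not pass silently
    size=$(wc -c < "$outfile" | tr -d ' ')
    [ "$size" -eq 512 ] || return 1
}

# An MBR, and a partition boot sector, ends with the bytes 0x55 0xAA at
# offset 510. Absence does not prove infection, but it does suggest the
# wrong device was dumped.
has_boot_signature() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Step 7: dump DEVICE to OUTFILE, check it, copy it to DESTDIR (the
# thumbdrive's mount point from df) under its own name so that several
# dumps do not overwrite each other, and record a checksum alongside.
collect_sector() {
    device="$1"
    outfile="$2"
    destdir="$3"
    dump_mbr "$device" "$outfile" || { echo "dump of $device failed" >&2; return 1; }
    if has_boot_signature "$outfile"; then
        echo "$outfile: boot signature present"
    else
        echo "$outfile: no 0x55AA signature, check that $device is the right disk" >&2
    fi
    cp "$outfile" "$destdir/" || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$outfile" > "$destdir/$(basename "$outfile").sha256"
    fi
}
```

Because the output name is passed in, repeating the call with /dev/hda1 and /tmp/mbr_disk1 follows the article's step 6 without clobbering the first dump; the checksum file is what you quote in the SAS case so the analyst can verify the attachment.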
Version history
Revision #: 12 of 12
Last update: 04-12-2018 10:26 AM