cancel
Showing results for 
Search instead for 
Did you mean: 

How to collect an MBR rootkit sample

This article explains how you can collect an MBR rootkit sample for F-Secure Labs to analyse.

Before performing any of the steps, you need

To collect an MBR rootkit sample, do as follows:

  1. Insert the thumbdrive to the powered-down system. Boot from F-Secure Rescue CD and let it initialize until the screen presents the choice to continue or restart the computer.
  2. Press Alt-F2 to switch to the console.
  3. List all available drives with the fdisk -l command. Use the sizes of the disks to pick out the thumbdrive.
  4. Mount the thumbdrive with the mount %devicename% command where %devicename% = the name of the thumbdrive.

    Example:

    Name of thumbdrive: /dev/sdc1

    Command: mount /dev/sdc1

  5. Use the following command to dump the MBR, which is usually (but not always) the first sector of the hda drive: dd if=%device_name% of=%filename% bs=512 count=1 where %device_name% = name of the device and %filename% = name of the output dump.

    Example:

    Name of the output dump: /tmp/mbr_disk

    Command: dd if=/dev/hda of=/tmp/mbr_disk bs=512 count=1

  6. You may also use the above command to dump the first sector of other drives if you feel the information may be relevant.

    Note: Ensure the name of the output dump is changed to avoid overwriting the dumped MBR information.

    Example:

    Name of the output dump: /tmp/mbr_disk1

    Command: dd if=/dev/hda1 of=/tmp/mbr_disk1 bs=512 count=1

  7. Copy the dumped information to the thumbdrive with the following command: cp %name of output dump% %file on thumbdrive%. You can determine the path to the thumbdrive by typing the df command and noting the relevant entry in the mounted on column.

    Example: cp /tmp/mbr_disk /media/shc1/mbr_disk

  8. Use an uncompromised machine to submit all the dumped files to F-Secure via the Sample Analysis System , along with any relevant details. The dumped files may also be sent in as an attachment to a reply for an existing SAS case.
Version history
Revision #:
11 of 11
Last update:
‎10-03-2017 02:28 PM
Updated by: