Cybercriminals are always looking for new ways to infect systems – ideally without being noticed until it’s too late. The sky is the limit for their creativity, as the latest wave of malicious boot loaders shows. The kit has been pioneered by Brazilian Trojan bankers who aim to remove security software.
This non-traditional infection only affects systems using ntldr, the default boot loader on Windows NT up to and including Windows XP and Windows Server 2003. This choice was no coincidence – XP is still the most popular OS in several countries, including Brazil, where it runs on nearly 47% of all machines.
A tiny 10 KB malicious file flagged as Trojan-Downloader.Win32.VB.aoff linked in an e-mail starts the infection. It downloads 2 new files hosted at Amazon WS Cloud
– xp-msantivirus (1.83 MB) and xp-msclean (7.4 MB) – to the system, renames the legitimate ntldr to ntldr.old and finally installs a new file to be a new malicious boot manager – an edited version of GRUB tailored to run the file menu.lst:
The malicious boat loader called ntldr: a modified copy of GRUB
In due course the file menu.lst will be responsible to call the file xp-msantivirus in the boot:
Content of the file menu.lst. The message says: “Initializing Microsoft Malicious Software Removal Tool”
The files xp-msantivirus and xp-msclean are *nix boot images especially prepared by the criminals to remove some security files during the boot. Not surprisingly, the main targets are files belonging to a very popular security plug-in used by Brazilian banks called GBPlugin, installed in around 23 million machines. The malicious boot loader also aims to remove files from Microsoft Security Essentials, Windows Defender, and others:
Once the infection is completed, the Trojan forces the system to reboot…
“Windows Update is rebooting your system to complete the installation of Critical Security Updates”
…and all the changes take place. The malicious boot loader displays some fake messages, claiming to be the Microsoft Malicious Software Removal Tool:
“Malicious Software Removal Tool (KB890830) Do not turn off or disconnect the machine until the end of this process”
To justify the long boot time, another message is displayed that states the system is infected and “malicious files” are being removed:
“Please wait while the operation is performed. Do not turn off or reboot your computer.
ATTENTION: virus-infected files were found on your computer. The virus removal process has started. This process may take a while, depending on the quantity of infected virus files found. Don’t turn off or reboot your machine during this process, wait for its completion and your computer will be rebooted automatically.”
Finally when the boot process ends, the malicious boot loader erases itself and sets the clean ntldr as active – its mission is accomplished and a Trojan banker flagged as Trojan-Downloader.Win32.Banload.bqmv remains running in the infected machine, ready to steal Internet banking credentials.
Of course, all these malicious changes in the system are helped by a lot of other factors like running an OS using an administrative account, etc. The malicious boot loader is detected and spotted by Kaspersky Antivirus as Trojan.Boot.Burg.a.
Thanks to my colleague Vyacheslav Zakorzhevsky for the help