How to collect an MBR rootkit sample

This article explains how you can collect an MBR rootkit sample for F-Secure Labs to analyse.

Before performing any of the steps, you need
- a USB drive (or other similar removable media) AND
- any rescue system CD available, such as KNOPPIX®.
To collect an MBR rootkit sample, do as follows:
- Insert the thumbdrive into the powered-down system. Boot from the rescue CD (e.g. KNOPPIX) and let it initialize until the screen presents the choice to continue or restart the computer.
- Press Alt-F2 to switch to the console.
- List all available drives with the
  fdisk -l
  command. Use the sizes of the disks to pick out the thumbdrive.
- Mount the thumbdrive with the
  mount %devicename%
  command, where %devicename% is the name of the thumbdrive. Example:
  Name of thumbdrive: /dev/sdc1
  Command: mount /dev/sdc1
- Use the following command to dump the MBR, which is usually (but not always) the first sector of the hda drive:
  dd if=%device_name% of=%filename% bs=512 count=1
  where %device_name% is the name of the device and %filename% is the name of the output dump. Example:
  Name of the output dump: /tmp/mbr_disk
  Command: dd if=/dev/hda of=/tmp/mbr_disk bs=512 count=1
- You may also use the above command to dump the first sector of other drives if you feel the information may be relevant.
  Note: Ensure the name of the output dump is changed to avoid overwriting the dumped MBR information.
  Example:
  Name of the output dump: /tmp/mbr_disk1
  Command: dd if=/dev/hda1 of=/tmp/mbr_disk1 bs=512 count=1
- Copy the dumped information to the thumbdrive with the following command:
  cp %name of output dump% %file on thumbdrive%
  You can determine the path to the thumbdrive by typing the df command and noting the relevant entry in the "Mounted on" column. Example:
  cp /tmp/mbr_disk /media/sdc1/mbr_disk
- Use an uncompromised machine to submit all the dumped files to F-Secure via the Sample Analysis System (SAS), along with any relevant details. The dumped files may also be sent in as an attachment to a reply to an existing SAS case.
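The dump and copy steps above can be wrapped in a few shell functions that also sanity-check the result before it leaves the rescue system: a correct first-sector dump is exactly 512 bytes and ends in the boot signature bytes 55 AA, and recording its SHA-256 lets the analyst confirm the file arrived intact in the SAS case. The script below is an added example, not part of the original F-Secure article; the function names and the constructed demo image (/tmp/demo_disk.img, not a real MBR) are assumptions made for illustration. Device names on the live system vary (hda on older kernels, sda on newer ones), so always take the source device from the fdisk -l listing.

```shell
#!/bin/sh
# Added example (not from the original article): dump the first sector of a
# block device or disk image with dd, verify the dump, and hash it for the
# submission notes.
#   dump_first_sector SOURCE DEST  -> reads exactly 512 bytes from SOURCE
#   check_mbr_dump FILE            -> returns 0 if FILE is 512 bytes ending in 55 AA
#   mbr_sha256 FILE                -> prints the SHA-256 of FILE
set -u

dump_first_sector() {
    # bs=512 count=1 reads only the first sector; SOURCE is never written to.
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

check_mbr_dump() {
    f="$1"
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq 512 ] || { echo "$f: expected 512 bytes, got $size" >&2; return 1; }
    # Bytes 510-511 of a boot sector hold the signature 55 AA.
    sig=$(dd if="$f" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "$f: boot signature missing (got '$sig')" >&2; return 1; }
    return 0
}

mbr_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Constructed demonstration input (assumption: not a real MBR). Builds a 1 MiB
# image whose first sector carries the 55 AA signature so the functions can be
# exercised without touching a real disk.
make_demo_image() {
    img="$1"
    dd if=/dev/zero of="$img" bs=1024 count=1024 2>/dev/null
    printf 'DEMO-MBR' | dd of="$img" bs=1 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Usage: sh collect_mbr.sh --demo   (or call the functions against a real
# device, e.g. dump_first_sector /dev/sda /tmp/mbr_disk, after fdisk -l).
if [ "${1:-}" = "--demo" ]; then
    make_demo_image /tmp/demo_disk.img
    dump_first_sector /tmp/demo_disk.img /tmp/mbr_demo
    check_mbr_dump /tmp/mbr_demo && echo "sha256: $(mbr_sha256 /tmp/mbr_demo)"
fi
```

Run check_mbr_dump on every dump before copying it to the thumbdrive; a short or unsigned file usually means the wrong device name was used, and it is far easier to redo the dd while the rescue CD is still booted than after the case has been opened.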