MBR backup before searching for ROMBERTIK ?

Discussion in 'Software' started by BAMaustin, May 5, 2015.

  1. BAMaustin

    BAMaustin Private E-2

    I just read an online article (BBC.com) about ROMBERTIK malware that intentionally corrupts the Master Boot Record (MBR) of a hard drive triggered by certain malware detection actions.

    It made me realize that I have been lax about MBR backups.

    Can anyone recommend a tool to archive MBRs on a collection of drives?

    Hopefully, the tool would also collect MAC addresses (and/or other data which uniquely identifies hard drives and system hardware) to make it brain dead to restore the appropriate MBR image to the right Hard Drive? (I envision a tech pulling drives from several machines in an infected network node where the notes/labels get mixed up.)
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you read the article.....which will be on MG's tomorrow.....you will know that the malware wipes the entire hard drive and the only fix is to reinstall the OS.
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  4. BAMaustin

    BAMaustin Private E-2

    Hi Tim,

    I did see that portion. However, it seemed possible that I would notice out of control drive activity and kill the task before it overwrote everything.

    Perhaps with an MBR backup, I'd be a step closer to rebuilding a directory index and a chance for partial data file recovery.

    I've had more than one occasion over the last 25 years where restore from backup has failed... using different brands of backup tools. I fell back to doing test full Restores periodically to test the backup media and Restore software. The backup software tools' internal file validators don't seem trustworthy enough to be worth the time penalty.

    And such a tool would be helpful if there are other MBR attacks. It's one more tool in the toolbox.

    Thanks for the reply and for getting the article on MG!
     
  5. plodr

    plodr Major Geek Super Extraordinaire

    But first you have to be stupid enough to open a phishing email. Some of which appear to come from Microsoft.
    Microsoft doesn't send emails and doesn't phone people. It is a scam. Spread the word to all the clueless users you know.

    Second you have to be stupid enough to click a link or an attachment in the above phishing email.

    Spread the word NEVER click on links nor download attachments in strange emails.

    Personally, when I get an email from someone I know that has been forwarded multiple times, I throw it in the trash because I have no idea who originally sent it.
     
  6. BAMaustin

    BAMaustin Private E-2

    Let's not blame everything on users. Too many eMail client developers make Preview Panes the default. Most make touch GUIs too difficult to do multi-selects of messages without accidentally opening some along the way. And everybody seems to make it more convoluted to inspect the headers. What the heck???

    Let's face it. Most of us are sent many times the SPAM and spoofed eMail as valid eMail messages. ('Cause all of us have a helpless friend/relative/co-worker that has us in a compromised address book.) But the eMail clients are all still based on the bad assumption that it is the opposite ratio. Mistakes are going to happen even to those who know better.

    (Have you seen the initiatives to make ISPs and big tech companies responsible for directly alerting their customers when they detect zombie activity? If that has ANY success, it will not be long before the Nanny State will legislate that "proactive stance" across the board on malware-like packets. This bit of "clueless user" advice hasn't long to live.)

    In any case, d'ya really need to snipe quite so hard? Clueless users are why most of us have jobs! Appreciate the lost and helpless, they're less stressful to fix than the poor schmucks with real problems!! (Even though solving a real and tough problem is more satisfying.)
     
  7. plodr

    plodr Major Geek Super Extraordinaire

  8. Caliban

    Caliban I don't need no steenkin' title!

    Greetings BAMaustin.

    Addressing your question:

    Don't have a suggestion, but it does sound like an interesting tool to have - please let us know if you find one that works well.

    As an aside: just read Tim's article - yikes! I'm sure self-awareness has been done before in malware, but this one sounds fairly capable. That's pretty scary stuff.

    Good luck, and welcome to MajorGeeks.
     
  9. BAMaustin

    BAMaustin Private E-2

    Nope, I was not aware of that. Thanks for letting me know.

    On the other hand, it seemed likely that by the time malware is made public on a News source as conservative as the BBC, there would have been time to get a signature in the databases.

    So I'm more interested in the original question...
    Can anyone recommend a tool to backup MBRs?

    (ROMBERTIK was just a reminder that a tool is missing from my toolbox.)
     
  10. Earthling

    Earthling Interplanetary Geek

    Acronis can back up just the MBR and exclude any disk partitions. It's almost instant. I would assume many other imaging programs can do the same - dunno, haven't looked.

    EDIT - no it can't, but it can restore only the MBR, so with a bit of tweaking you could use it.
     
    Last edited: May 7, 2015
  11. BAMaustin

    BAMaustin Private E-2

    Greetings Earthling.

    Acronis is one of the tools I switched to after the 2nd time a Ghost master CD came apart in one of my machines about 1 year after purchase. (Be careful to inspect Ghost media older than 6 months. They seem to buy from suppliers whose polycarbonate gets suspiciously fragile as it ages. Fragile discs and high RPMs aren't a good combination. The shard spearing an inch into my server closet wall startled the daylights outta me! The pieces that stayed inside didn't do the drive much good either.)

    I'll have to make time to experiment with Acronis True Image a bit more. I'd had some frustrations doing single file restores with it before. Maybe MBRs will be different. Thanks!
     
    Last edited: May 7, 2015
  12. plodr

    plodr Major Geek Super Extraordinaire

    I've used Acronis for years. I have never done single file restores because the majority of our files are archived off the computer on floppies (don't ask - my husband will still be using floppies in 2025!) and USB sticks.

    I make an image about once every 4 weeks. About 3 times a year, I do the entire hard drive - all partitions. I have 6 external hard drives so I rotate where the images are stored and I also have some on DVDs.

    Now if I needed to restore the MBR, I'd find the newest image of all partitions and restore it. Then I'd find the newest image of just C and restore that. At most, I'd end up needing a month's worth of updates.
     
  13. Eldon

    Eldon Major Geek Extraordinaire

    BAMaustin,
    Have a look at Paragon's free programs. As I use Paragon Partition Manager 8.5 and Drive Backup 8.5, both from 2007, I unfortunately don't know what features are included in the latest free editions. However, I can safely say the Paragon programs I use are second to none - that's why I still use them.

    You should look at:
    Backup & Recovery 14 Free Edition
    https://www.paragon-software.com/home/br-free/requirements.html

    Rescue Kit 14 Free Edition
    http://www.paragon-software.com/home/rk-free/requirements.html

    Especially look at the latter's Boot Corrector Wizard.
     
  14. Caliban

    Caliban I don't need no steenkin' title!

    FWIW there's another good read about this virus at the Talos Group's Cisco blog...an example of a fake Microsoft email is attached. Note the last sentence: the syntax is all wrong, etc. - poorly written, but I guess it could fool some people.

    Last edited: May 8, 2015
  15. Earthling

    Earthling Interplanetary Geek

    I just tested it. I made an Acronis image of the OS partition (all Acronis images automatically include the MBR), and in the options I set it to exclude all files by using the *.* wildcard. The image took about 2 minutes to create on a slow laptop and restoring just the MBR was virtually instantaneous. The computer rebooted normally.
     
  16. BAMaustin

    BAMaustin Private E-2

    Very cool! I think I'll look around for a way to munge up the MBR so that I can restore after confirming the drive was rendered non-bootable.

    It may be paranoia but I once ran into a series of returned merchandise testing programs for an EPROM burner that didn't blow if it found a valid checksum. So we didn't discover there was a decision tree logic error until later than was healthy. (Limiting reprogramming was a legacy from when you could only count on successfully writing 3 times.)
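
An added example, not code from this thread or from Acronis, Paragon or any other product named in it, covering two requests above: BAMaustin's wish for a tool that archives MBRs together with something that identifies the drive, and the later plan to deliberately munge an MBR and confirm the restore works. It keys each backup on the 4-byte NT disk signature that lives inside the MBR itself at offset 0x1B8 (Windows uses it to identify the disk), refuses to restore onto a drive whose still-valid MBR carries a different signature, and rehearses the backup, wipe, detect, restore cycle on a file-backed image. The sample MBR, file names and device paths are constructed for illustration.

```python
# Added example, not code from this thread or from any product it names: archive a drive's
# MBR keyed by the disk signature stored inside it, sanity-check sector 0, restore only onto
# the matching (or wiped) drive, and rehearse the whole cycle on a file-backed image.
import hashlib, json, os, struct, tempfile
MBR_SIZE = 512
DISK_SIG_OFFSET = 0x1B8     # 4-byte NT disk signature Windows uses to identify a disk
PART_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries follow it
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(blob: bytes) -> dict:
    """Decode the fields needed to identify a disk and sanity-check its MBR."""
    if len(blob) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, blob, PART_TABLE_OFFSET + 16 * i)
        if ptype:  # partition type 0 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {"signature_ok": blob[510:] == b"\x55\xaa", "partitions": parts,
            "disk_signature": "%08x" % struct.unpack_from("<I", blob, DISK_SIG_OFFSET)[0],
            "sha256": hashlib.sha256(blob).hexdigest()}

def looks_like_mbr(blob: bytes) -> bool:
    """0x55AA present, >= 1 partition, <= 1 active. Boot code not required (GPT protective MBRs have none)."""
    try:
        info = parse_mbr(blob)
    except ValueError:
        return False
    return info["signature_ok"] and bool(info["partitions"]) and sum(p["bootable"] for p in info["partitions"]) <= 1

def read_sector0(path: str) -> bytes:
    # path: an image file, or a raw device such as /dev/sda or r"\\.\PhysicalDrive0" (root/admin
    # required; on Windows a 4Kn drive needs 4096-byte reads and writes instead of 512)
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)

def backup_mbr(device: str, out_dir: str) -> str:
    """Save <out_dir>/mbr-<disksig>.bin plus a JSON manifest; return the .bin path."""
    blob = read_sector0(device)
    if not looks_like_mbr(blob):
        raise RuntimeError(f"{device}: sector 0 is not a plausible MBR, refusing to archive it")
    info = parse_mbr(blob)
    base = os.path.join(out_dir, "mbr-" + info["disk_signature"])
    with open(base + ".bin", "wb") as f:
        f.write(blob)
    with open(base + ".json", "w") as f:       # human-readable record of what was saved, and from where
        json.dump({"source": device, **info}, f, indent=2)
    return base + ".bin"

def restore_mbr(device: str, backup_bin: str, force: bool = False) -> dict:
    """Write the saved MBR back; refuse if the target still carries a different, valid MBR."""
    with open(backup_bin, "rb") as f:
        saved = f.read(MBR_SIZE)
    want = parse_mbr(saved)["disk_signature"]          # raises if the backup file is not 512 bytes
    current = read_sector0(device)
    if looks_like_mbr(current) and not force:
        cur = parse_mbr(current)["disk_signature"]
        if cur != want:
            raise RuntimeError(f"{device}: disk signature {cur} does not match backup {want}")
    # A wiped sector 0 carries no identity, so then the operator must choose the backup by
    # other means; the manifest's "source" field is kept for exactly that.
    with open(device, "r+b") as f:
        f.write(saved)
    return parse_mbr(read_sector0(device))

def build_sample_mbr(disk_sig: int = 0xDEADBEEF) -> bytes:
    """Constructed MBR for drills and tests, not captured from any real disk."""
    buf = bytearray(MBR_SIZE)
    buf[0:440] = b"\xeb\x63\x90" + b"\x90" * 437            # stand-in for real boot code
    struct.pack_into("<I", buf, DISK_SIG_OFFSET, disk_sig)
    struct.pack_into(ENTRY_FMT, buf, PART_TABLE_OFFSET, 0x80, b"\xff" * 3, 0x07, b"\xff" * 3, 2048, 204800)
    struct.pack_into(ENTRY_FMT, buf, PART_TABLE_OFFSET + 16, 0x00, b"\xff" * 3, 0x07, b"\xff" * 3, 206848, 1000000)
    buf[510:] = b"\x55\xaa"
    return bytes(buf)

def run_drill(work_dir=None) -> dict:
    """Rehearsal: back up, zero sector 0 as a wiper would, detect it, restore, verify the hash,
    and confirm that restoring onto a disk with another signature is refused."""
    work_dir = work_dir or tempfile.mkdtemp(prefix="mbr-drill-")
    image, other = os.path.join(work_dir, "disk.img"), os.path.join(work_dir, "other.img")
    with open(image, "wb") as f:
        f.write(build_sample_mbr() + bytes(4096))
    with open(other, "wb") as f:
        f.write(build_sample_mbr(0x01020304) + bytes(4096))
    backup = backup_mbr(image, work_dir)
    with open(image, "r+b") as f:
        f.write(bytes(MBR_SIZE))
    detected = not looks_like_mbr(read_sector0(image))
    restored = restore_mbr(image, backup)
    try:
        restore_mbr(other, backup)
        refused = False
    except RuntimeError:
        refused = True
    return {"backup": os.path.basename(backup), "detected_wipe": detected,
            "restored_hash_matches": restored["sha256"] == parse_mbr(build_sample_mbr())["sha256"],
            "wrong_drive_refused": refused}

if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

Running the file executes the drill on a throwaway image. `backup_mbr("/dev/sda", "/srv/mbr")` or `backup_mbr(r"\\.\PhysicalDrive0", r"D:\mbr")` (assumed paths) archives a real drive and needs root or an elevated prompt; restoring to a real disk is best done from rescue media with the disk's volumes unmounted. Keep the limits in mind: a 512-byte MBR holds only the boot code, disk signature and partition table, so if the malware has already zeroed the rest of the drive, as Tim describes, putting sector 0 back gives you a bootable-looking partition table and nothing else.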
     
  17. BAMaustin

    BAMaustin Private E-2

    I know what you mean. Sometimes you have to fall back to embarrassing methodologies.

    For that problem of doing single file restores (the client was frequently overwriting database report definitions because of the way the COTS database app was written), instead of a backup utility, we used a scheduled task with an xcopy to NAS script. It was slow but the client could restore the damaged file by themselves. (When that nightly process started overrunning into the start of the biz day, I discovered that using the command line version of 7-Zip was a real time-saver. You can compress a 10,000 file folder & move the compressed archive in a small fraction of the time it takes to copy the discrete files. The client thought ZIPped files were just another kind of network folder. AND there are tools to recover files from a damaged ZIP archive. There were other benefits too.)
     
  18. plodr

    plodr Major Geek Super Extraordinaire

    That is sad; using a computer and not knowing what the zip extension indicates.
     
  19. BAMaustin

    BAMaustin Private E-2

    Yah. But I gave up explaining since MiscreantSoft started hiding known extensions by default. As far as they are concerned, the icon looks like a folder (with a zipper) so it must be a folder.

    Of course, it's just as bad discussing UTIs, Creator and File Types with Mac folks.
     
