Ask the Expert

How to detect and remove Sinowal and repair a master boot record

Is it possible to remove Sinowal and other malware that writes itself to a hard drive? Will antivirus catch it, and can I repair the master boot record?


A master boot record (MBR), as you may know, contains code that the Basic Input/Output System, or BIOS, finds when a machine is turned on. The stored code in the MBR loads the operating system into memory. Malware modifying a master boot record, which ultimately could allow an attacker to take control of a victim's machine, is not new, and any decent antivirus (AV) package should be able to at least detect modifications to the MBR.
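To make the "detect modifications to the MBR" point concrete, here is an added example (not part of the original answer, and not from any AV vendor's product) that parses a 512-byte MBR sector into its boot code, partition table and 0x55AA signature, and compares the boot code against a SHA-256 baseline taken from a known-clean copy. It goes slightly beyond the text by also decoding the partition entries, since an MBR infection typically rewrites the boot code while leaving the partition table intact, and that contrast is what an integrity check should surface. The sample sectors, the placeholder boot stub and the baseline are constructed inline; on a real system the sector would be read from the raw disk device with administrative privileges and the baseline recorded when the machine was built.

```python
"""Parse a master boot record and check its boot code against a baseline.

Added illustration: the MBR images below are constructed in-line, not
captured from an infected machine.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the BIOS-executed boot loader
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xAA"    # final two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": num_sectors,
        })
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": partitions,
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
    }


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot code region only; the partition table is excluded."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> list:
    """Return a list of findings; an empty list means the MBR matches baseline."""
    findings = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("boot code differs from known-good baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a test MBR: given boot code, one bootable NTFS-type (0x07)
    partition at LBA 2048, three empty entries, valid signature."""
    assert len(boot_code) <= BOOT_CODE_LEN
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 204800)
    return code + entry + b"\x00" * 48 + MBR_SIGNATURE


# Constructed "clean" sector with a placeholder boot stub, and the baseline
# digest a defender would have recorded from it at build time.
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C")
BASELINE = boot_code_digest(CLEAN_MBR)

# Constructed "tampered" sector: boot code replaced, partition table unchanged,
# so the disk still boots and the partitions still look normal.
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE" + b"\x90" * 20)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE) or "no findings")
```

Hashing only the 446-byte boot code, rather than the whole sector, is deliberate: legitimate tools change the partition table and disk signature far more often than the boot code, so a whole-sector hash would raise false alarms while a boot-code hash changes only when the loader itself has been rewritten.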

The leading antivirus vendors will normally state if they are able to detect Sinowal/Mebroot variations. This is easy to find out -- use a search engine to search on "Sinowal detection," for example, and add the company name you're interested in. For instance, here is a Mebroot security response from Symantec Corp.

The problem, however, is that the malware writers will keep on modifying their code to avoid detection. And they will use the very same AV software to test whether their latest tweaked malware remains unrecognized. Unfortunately, it takes time, and newly infected machines, before any new AV signatures can be released.

To help protect the master boot record, apply write protection, which can still be found in some BIOSes, preventing modification of the MBR. If the operating system needs reinstalling or modification, this setting will have to be temporarily disabled.

If the machine is infected, the best solution is to back up data on the hard drives, and then reinstall and patch the operating system after a low-level format (or better still a new hard disk). The main reason for the reset is that attackers normally infect computers with a selection of malware, some of which will not be detected or removed by antivirus packages. Also, consider using virtual machines or clean disk images to simplify this process, especially if this is not the first time you have been infected.

Historically the solution to repair a damaged master boot record was to recreate it using the fdisk /mbr or fixmbr command, though modern Windows operating systems no longer support these commands. However, I have heard good reports of people using the MBRfix utility.

If credit cards or password-protected sites have been used whilst the machine was infected, make sure to immediately change any site passwords and inform banks so that new cards can be issued.

This was first published in July 2009
