Security

MBR rootkit Mebroot: A tough threat to security

Security firm Finjan has raised a warning on rootkit "Mebroot," which it believes has entered the Release to Manufacturing (RTM) phase.

Security firm Finjan has raised a warning on rootkit "Mebroot," which it believes has entered the Release to Manufacturing (RTM) phase — a term used for software that has entered production. It's extremely difficult for security software to detect this rootkit because it overwrites the master boot record (MBR) of the harddisk.

An excerpt from InfoWorld:

Dubbed "Mebroot," the rootkit infects the master boot record (MBR), the first sector of a PC's hard drive that the computer looks to before loading the operating system. Since it loads before anything else, Mebroot is nearly invisible to security software.

"You can't execute any earlier than that," said Mikko Hypponen, F-Secure's chief research officer.

F-Secure goes on to mention that its security software could at best only guess on the infection of a PC by the Mebroot rootkit. However, booting from F-Secure's software CD makes it possible to detect the malware since then the security software gets the upper hand.

What makes Mebroot a greater threat is that it injects itself into other system processes and all it requires to get the PC infected is to visit a Web page with unpatched Web browsers. This type of MBR infecting rootkits have been in the news for some time now, but the scale of infection is yet to be ascertained.

Crafting such targeted malware takes a high engineering effort and goes to show how lucrative the malware "business" is becoming. Malwares represent a big threat to the shifting of software services online.

Do you feel it's high time that an industry framework was formulated to make security integral to the design of the Internet?

Editor's Picks