Security firms warn of a rootkit that overwrites the master boot record of hard disks to hide from Windows and cloaks a Trojan that steals from bank accounts.
"A traditional rootkit installs as a driver, just as when you install any hardware or software," said Oliver Friedrichs, director of Symantec's security response team. "Those drivers are loaded at or after the boot process. But this new rootkit installs itself before the operating system loads. It starts executing before the main operating system has a chance to execute." Control the MBR, Friedrichs continued, and you control the operating system, and thus the computer.
The rootkit is effective on Windows XP systems but requires explicit permissions on Vista. It takes advantage of several unpatched vulnerabilities in Windows. One suggestion to solve the problem is to reformat the hard drive and create new partitions.
Similar attacks were demonstrated as a proof of concept, and the one in the wild is doubted to be based on stolen code from the proof.
Malware writers are hard at work to crack the best defenses — in this case, taking a step backward to attack the most significant component of memory systems.