
Rootkit hides in boot sector, cloaks and reinstalls Trojan

Security firms warn of a rootkit that overwrites the master boot record of hard disks to hide from Windows and cloaks a Trojan that steals from bank accounts.


An excerpt from PC World | Computer World:

"A traditional rootkit installs as a driver, just as when you install any hardware or software," said Oliver Friedrichs, director of Symantec's security response team. "Those drivers are loaded at or after the boot process. But this new rootkit installs itself before the operating system loads. It starts executing before the main operating system has a chance to execute." Control the MBR, Friedrichs continued, and you control the operating system, and thus the computer.

The rootkit installs silently on Windows XP systems, but on Vista it can only install if the user grants it explicit permission. It takes advantage of several unpatched vulnerabilities in Windows. One suggested remedy is to wipe the hard drive and create new partitions, so that the MBR is rewritten from scratch.

Similar attacks had already been demonstrated as a proof of concept; whether the rootkit now in the wild was built from code taken from that proof of concept is in question.

Malware writers are hard at work to crack the best defenses -- in this case by taking a step backward to boot-sector infection, attacking the first code the machine loads from disk, before the operating system and its defenses get to run.
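To make the article's point concrete, here is an added example (not code from the article or from any security vendor it cites) that parses a 512-byte MBR, checks the 0x55AA boot signature and the four partition entries, and compares the 440-byte bootstrap area against a hash recorded when the disk was known clean. The two sample sectors are constructed here for illustration: the "infected" one has its loader code replaced while the partition table and signature are left intact, which is what lets an MBR rootkit of this kind keep the machine booting normally.

```python
"""Offline MBR integrity check: parse the first sector of a disk and compare its
bootstrap code against a known-good baseline. The sample sectors below are
constructed for this example, not captured from a real machine."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOTCODE_LEN = 440      # bytes 0..439: the bootstrap code the BIOS jumps to
PART_TABLE_OFF = 446    # four 16-byte partition entries
PART_TABLE_LEN = 64
BOOT_SIG_OFF = 510      # 0x55 0xAA marks the sector as bootable


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty entries of the MBR partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack_from(
            "<BBBBBBBBII", mbr, off)
        if ptype != 0:
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def baseline_of(mbr: bytes) -> dict:
    """Hashes to record while the disk is known clean (e.g. right after install)."""
    return {
        "bootcode": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
        "ptable": hashlib.sha256(
            mbr[PART_TABLE_OFF:PART_TABLE_OFF + PART_TABLE_LEN]).hexdigest(),
    }


def check_mbr(mbr: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against the baseline; return a list of findings."""
    if len(mbr) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    findings = []
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing")
    now = baseline_of(mbr)
    if now["bootcode"] != baseline["bootcode"]:
        findings.append("bootstrap code changed (possible MBR rootkit)")
    if now["ptable"] != baseline["ptable"]:
        findings.append("partition table changed")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device such as /dev/sda (needs root)."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


# --- constructed sample sectors (hypothetical layout, not from a real disk) ---
def _build_mbr(bootcode: bytes) -> bytes:
    assert len(bootcode) == BOOTCODE_LEN
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"      # disk signature + reserved
    # entry 1: active NTFS partition at LBA 63; entry 2: a second NTFS partition
    entry1 = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF,
                         63, 80_000_000)
    entry2 = struct.pack("<BBBBBBBBII", 0x00, 0xFE, 0xFF, 0xFF, 0x07, 0xFE, 0xFF, 0xFF,
                         80_000_063, 70_000_000)
    ptable = entry1 + entry2 + b"\x00" * 32
    return bootcode + disk_sig + ptable + b"\x55\xAA"


# stand-in for stock boot code: a few plausible opcodes followed by NOP padding
CLEAN_MBR = _build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOTCODE_LEN - 7))
# an infection of the kind the article describes: loader code replaced, but the
# partition table and boot signature left intact so the machine still boots
INFECTED_MBR = _build_mbr(b"\xEB\x3C\x90" + b"\x00" * (BOOTCODE_LEN - 3))

BASELINE = baseline_of(CLEAN_MBR)

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(label, "partitions:", parse_partitions(sector))
        print(label, "findings:", check_mbr(sector, BASELINE) or ["none"])
```

One caveat that follows from the article itself: a rootkit that runs before Windows and hides from it can also intercept reads of sector 0 and hand back a clean copy, so a check like this is only trustworthy when the disk is read from outside the suspect system, for example from a boot CD or with the drive attached to another machine.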

16 comments
normhaga

Wasn't one of the big sales pitches for XP that the MBR was inaccessible during OS operation?

tonyritter

How do you know if you're infected by this rootkit?

Canuckster

If Vista requires explicit permission, does that mean XP is done through a web-bot and requires no user action to install this? Or is it email delivered? How does one prevent it in the first place?

Doug.Warren

Your bank account is suddenly empty ;-)

pr.arun

This makes the attack possible on XP and not on Vista.

SpamBot

By any chance, have the AVs and anti-spyware recognized and detected it? Or do we simply need to rewrite the MBR again in order to clear this rootkit?

Oktet

Does this still apply: 74 GB Raptor two partitions C and D. C:\ has WinXP Professional. D:\ has WinVista Business.

Neon Samurai

As they say in marketing; "There's always someone dumb enough to buy it." or in this case, always someone foolish enough to press "ok".

dirtylaundry

and suddenly the old news of a rootkit attacking XP and weak to Vista should come out again - NOW - when M$ is going to stop XP sales and discontinue support for it...hrm.... http://blogs.zdnet.com/security/?p=791 and it's been confirmed that enabling the Protection feature in many BIOS will guard against this type of infection.

Neon Samurai

Lilo is nice. I used it up until Mandriva changed over to Grub for its loader. Grub may be able to discover partitions on the drive, but I do miss that clean lilo.conf file that I could jump into and edit on a whim. (Still learning Grub, which will eventually get to that same comfort level.) It seems like it should be more resilient, so I hope I've guessed right and it works well for you.

Oktet

Good info, though. I actually have an old-school Sony Vaio that I run WinXP and Linux on, but I changed the boot loader to Lilo so that Linux is first, then WinXP, like you said earlier: "the setup may be more resilient to infection."

Neon Samurai

If winXP can see both C and D then I'd watch for the infection coming in through winXP then jumping to the second partition or physical drive. When last I was booting two Windows OS together, the config was in the boot.ini at the drive root so the mbr would be read first before you got to switching between either OS. My machine uses Grub as the initial boot menu so in that case Windows is loading only after the system hits a non-Windows layer. My MBR is foreign to win32/64 programs unless I eventually need to boot the Windows and do an fdisk /mbr for some reason. I'd still watch my Windows system but the setup may be more resilient to infection. Just some possible points to consider.

Neon Samurai

Same here. The first virus I saw take down a system (and most of the two small towns that shared a high school... hm... a clue...) was a DOS boot sector virus. I can't remember the name of it now. Scanned that damn machine with McAfee twice and formatted the drive four times before finding it with a Norton AV disk. Bah... the schmuck that released that one nearly had a visit from some large unfriendly people.

sonotsky

Wouldn't "fdisk /mbr" take care of this?

cruizok

Way back when, the first virus I ever found was the Stoned virus, an MBR infection. It was such a puzzle to figure it out and get it cleared at that time; not much info in those days. Interesting to see this idea back in action after all these years.
