New version of Gozi financial malware bundles MBR rootkit

The malware installs code into the computer's master boot record in order to achieve persistence, Trusteer researchers say

Researchers from security firm Trusteer have found a new variant of the Gozi banking Trojan program that infects a computer's Master Boot Record (MBR) in order to achieve persistence.

The Master Boot Record (MBR) is a boot sector that resides at the beginning of a storage drive and contains information about how that drive is partitioned. It also includes boot code that runs before the operating system starts.

Some malware authors have leveraged the MBR in order to give their malicious programs a head start over antivirus programs installed on the computer.

Sophisticated malware that uses MBR rootkit components, like TDL4, also known as Alureon or TDSS, are part of the reason why Microsoft built the Secure Boot feature into Windows 8. This malware is hard to detect and remove and can even survive operating system reinstallation procedures.

"Even though MBR rootkits are considered highly effective they haven't been integrated into a lot of financial malware," Trusteer researcher Etay Maor said Thursday in a blog post. "One exception was Mebroot rootkit that was used to deploy Torpig (aka Sinowal/Anserin)."

The new Gozi MBR rootkit component waits for Internet Explorer to be launched and then injects malicious code into the process. This allows the malware to intercept traffic and perform Web injections inside the browser like most financial Trojans programs do, Maor said.

The fact that a new variant of Gozi was discovered shows that cybercriminals continue to use this threat despite the fact that its main developer and some of his accomplices were arrested and indicted.

The new variant detected by the Trusteer researchers is very similar to an older version, except for the additional MBR rootkit component, Maor said. "This may indicate that a new rootkit is being sold in the cybercriminals' forums and is adopted by malware authors."

While some dedicated tools for removing MBR rootkits do exist, many experts recommend wiping the entire hard drive and recreating the partitions in order to ensure a clean start if the computer has been infected with such a threat, Maor said.

Since cleaning such malware might require advanced technical knowledge, it's probably best to contact the technical support department of your antivirus provider in order to get expert help.

Join the PC World newsletter!

Error: Please check your email address.

Tags Trusteersecurityspywaremalware

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Deals on PC World

Deals on PC World

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.


Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?