New rootkit hides in hard drive's boot record

Cloaking malware holes up where Windows can't find it, say researchers

A rootkit that hides from Windows on the hard drive's boot sector is infecting PCs, security researchers said Wednesday. Once installed, the cloaking software is undetectable by most current antivirus programs.

The rootkit overwrites the hard drive's master boot record (MBR), the first sector of the disk -- sector 0 -- which holds the code the BIOS hands control to, after its start-up checks, in order to bootstrap the operating system. Because that code runs before Windows itself loads, the rootkit can conceal itself from the operating system and from any security software running on it.

"A traditional rootkit installs as a driver, just as when you install any hardware or software," said Oliver Friedrichs, director of Symantec's security response team. "Those drivers are loaded at or after the boot process. But this new rootkit installs itself before the operating system loads. It starts executing before the main operating system has a chance to execute." Control the MBR, Friedrichs continued, and you control the operating system, and thus the computer.

"That gives it unprecedented access to the computer," Friedrichs said. "It's able to hide in a manner that a traditional rootkit never can."

According to other researchers, including those with the SANS Institute's Internet Storm Center, Prevx Ltd. and a Polish analyst who uses the alias "gmer," the rootkit has infected several thousand PCs since mid-December. It is used to cloak a follow-on bank-account-stealing Trojan horse from detection, and to reinstall that Trojan if a security scanner somehow sniffs it out.

Several of those researchers fingered four old exploits -- most of them for vulnerabilities patched in 2006 -- launched from compromised Web sites as the rootkit's infection vector. Any PC that is not up to date on its patches is at risk if it is used to visit such sites.

This is a serious threat, said Friedrichs, and illustrates the skill of some cybercriminals. "Although the concept [of a MBR rootkit] isn't new, it's not easy to pull this off," he said. "It's a very sophisticated attack, and the amount of time and effort they spent creating this is very substantial.

"We're not dealing with amateurs here."

The rootkit's lineage, in fact, has been mapped by others, notably gmer, who first published an analysis of the rootkit's code last week. By gmer's account, the rootkit's creator stole code originally written by Derek Soeder and Ryan Permeh, a pair of researchers at eEye Digital Security, as a proof-of-concept rootkit they presented at the Black Hat security conference in August 2005.

"So this has been brewing for some time," said Symantec's Friedrichs. "But given the complexity of the task, it's not surprising it's taken this long. One thing, it shows the lengths to which attackers are going to go. We've just not seen them approach threat research this complex in the past."

Matthew Richards, director of VeriSign Inc.'s iDefense Labs, pegged the start of the MBR rootkit's in-the-wild appearance as Dec. 12, with a second round of attacks on Dec. 19. So far, said Richards, nearly 5,000 PCs have been infected by the rootkit.

Some users are better protected than others, added Friedrichs, who echoed details posted last Saturday by Prevx researchers.

The rootkit is hard-coded to work only on Windows XP systems. Even if it were modified to run on Vista, users there would have to explicitly approve its installation by accepting a UAC (User Account Control) prompt, since writing to the hard drive's master boot record requires administrative rights.

If it gets on the drive, though, the MBR rootkit is very difficult to detect, Friedrichs admitted. The best defense, therefore, is to sniff it out before it manages to worm its way onto sector 0.
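The description above of what sector 0 contains, and of why a rootkit living there is so hard to spot from the running system, translates into a simple check a responder can run: read sector 0 from clean boot media and compare its 446 bytes of boot code against a hash recorded when the machine was known to be clean. The Python below is an added example, not code from the article, from Symantec or from gmer; the device paths, the sample sectors and the stand-in boot-code bytes are constructed for illustration and are not a real Windows XP MBR or the rootkit's loader.

```python
"""Parse a 512-byte MBR and compare its boot code against a known-good baseline.

Added example, not code from the article or any vendor named in it. Sample
sectors below are constructed; the boot-code bytes are stand-ins only.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446       # bytes 0..445: code the BIOS loads to 0000:7C00 and jumps to
PART_TABLE_OFFSET = 446    # four 16-byte partition entries follow the code
PART_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510     # bytes 0x55 0xAA mark a bootable sector
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into boot-code hash, non-empty partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype == 0:
            continue  # unused slot
        partitions.append({"index": i, "bootable": bool(status & 0x80),
                           "type": ptype, "lba_start": lba_start, "sectors": count})
    boot_code = sector[:BOOT_CODE_SIZE]
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        # little-endian read of the bytes 0x55, 0xAA yields 0xAA55
        "valid_signature": struct.unpack_from("<H", sector, SIGNATURE_OFFSET)[0] == 0xAA55,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means sector 0 matches the baseline.

    Only the boot code is compared. An MBR bootkit must keep the partition table
    intact so the machine still boots, so an unchanged table proves nothing.
    """
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["valid_signature"]:
        findings.append("missing 0x55AA signature")
    if mbr["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    return findings


def read_sector0(device_path: str) -> bytes:
    # Raw device read, e.g. r"\\.\PhysicalDrive0" on Windows or "/dev/sda" on
    # Linux; needs administrator/root. Run it from clean boot media: code that
    # gained control before the OS can filter what the OS is allowed to see.
    with open(device_path, "rb", buffering=0) as dev:
        return dev.read(SECTOR_SIZE)


# --- constructed sample sectors (test data, not real disk contents) ---------
def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte sector from boot code and raw 16-byte entries."""
    table = b"".join(entries).ljust(4 * PART_ENTRY_SIZE, b"\x00")
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + table + b"\x55\xaa"


# one bootable NTFS-type (0x07) partition starting at LBA 63
NTFS_ENTRY = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
# stand-in boot code: a few plausible real-mode opcodes padded with NOPs
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007cfb50071f") + b"\x90" * 40
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [NTFS_ENTRY])
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]  # record this when the box is clean
# same partition table and signature, boot code replaced by a hypothetical loader stub
INFECTED_MBR = build_mbr(bytes.fromhex("eb3c90") + b"\xcc" * 60, [NTFS_ENTRY])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, check_mbr(sector, BASELINE_SHA256) or "matches baseline")
```

The baseline hash has to be taken from a known-clean state and kept off the machine, otherwise an attacker with sector 0 can just as easily rewrite the stored hash. Reading sector 0 from inside the infected Windows install is unreliable for the reason the article gives: the rootkit owns the disk path before Windows does, so what a reader on that system gets back need not be what is on the platter.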

That's the approach Symantec and other antivirus vendors have taken. Symantec, for example, detects the rootkit as a Trojan dubbed Mebroot when it first attempts to install, such as after a successful attack using one of the exploits hosted on the compromised sites that serve as attack launch pads.

Gregg Keizer

Computerworld