New rootkit hides in hard drive's boot record

Cloaking malware holes up where Windows can't find it, say researchers

A rootkit that hides from Windows on the hard drive's boot sector is infecting PCs, security researchers said Wednesday. Once installed, the cloaking software is undetectable by most current antivirus programs.

The rootkit overwrites the hard drive's master boot record (MBR), the first sector -- sector 0 -- where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to the operating system and security software installed on that operating system.
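As an added illustration of the sector-0 layout described above (this is not code from the article or from any of the researchers it quotes), the following Python parses a 512-byte MBR image, validates the 0x55AA boot signature, reads the four partition-table entries, and compares the bootstrap-code bytes against a previously recorded SHA-256 baseline, which is the kind of integrity check a defender can run from a clean boot medium; the sample MBR image is constructed inline.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bootstrap code occupies bytes 0..445 of sector 0
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the boot code
BOOT_SIG = b"\x55\xAA"       # last two bytes of a valid MBR

def parse_mbr(sector):
    """Split a 512-byte sector-0 image into boot code, partition table and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, 3 CHS-start bytes (skipped), type, 3 CHS-end bytes (skipped),
        # 32-bit LBA start, 32-bit sector count, all little-endian
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": parts,
            "signature_ok": sector[510:512] == BOOT_SIG}

def baseline_of(sector):
    """SHA-256 of the boot-code bytes, recorded once from a known-clean system."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()

def check_mbr(sector, baseline_sha256):
    """Return a list of findings; an empty list means sector 0 matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_sha256:
        findings.append("boot code differs from baseline (possible MBR overwrite)")
    return findings

def make_sample_mbr():
    """Constructed sample: a synthetic 'known good' MBR with one bootable NTFS entry."""
    boot = bytes([0xFA, 0x33, 0xC0]) + b"\x90" * (BOOT_CODE_LEN - 3)  # cli; xor ax,ax; nops
    entry1 = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2048)         # active, type 7, LBA 63
    table = entry1 + b"\x00" * 48                                    # three empty entries
    return boot + table + BOOT_SIG

if __name__ == "__main__":
    good = make_sample_mbr()
    print("clean:", check_mbr(good, baseline_of(good)))
```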

"A traditional rootkit installs as a driver, just as when you install any hardware or software," said Oliver Friedrichs, director of Symantec's security response team. "Those drivers are loaded at or after the boot process. But this new rootkit installs itself before the operating system loads. It starts executing before the main operating system has a chance to execute." Control the MBR, Friedrichs continued, and you control the operating system, and thus the computer.

"That gives it unprecedented access to the computer," Friedrichs said. "It's able to hide in a manner that a traditional rootkit never can."

According to other researchers, including those with the SANS Institute's Internet Storm Center, Prevx Ltd. and a Polish analyst who uses the alias "gmer," the rootkit has infected several thousand PCs since mid-December, and is used to cloak a follow-on bank account-stealing Trojan horse from detection as well as to reinstall the identity thief if a security scanner somehow sniffs it out.

Several of those researchers fingered a quartet of aged exploits -- the majority targeting vulnerabilities patched in 2006 -- launched from compromised Web sites as the rootkit's install attack vector. Any PC that's not up to date on its patches is at risk if used to surf to such sites.

This is a serious threat, said Friedrichs, and illustrates the skill of some cybercriminals. "Although the concept [of a MBR rootkit] isn't new, it's not easy to pull this off," he said. "It's a very sophisticated attack, and the amount of time and effort they spent creating this is very substantial.

"We're not dealing with amateurs here."

The rootkit's lineage, in fact, has been mapped by others, notably gmer, who first published an analysis of the rootkit's code last week. By gmer's account, the rootkit's creator stole code originally written by Derek Soeder and Ryan Permeh, a pair of researchers at eEye Digital Security, as a proof-of-concept rootkit they presented at the Black Hat security conference in August 2005.

"So this has been brewing for some time," said Symantec's Friedrichs. "But given the complexity of the task, it's not surprising it's taken this long. One thing, it shows the lengths to which attackers are going to go. We've just not seen them approach threat research this complex in the past."

Matthew Richards, director of VeriSign Inc.'s iDefense Labs, pegged the start of the MBR rootkit's in-the-wild appearance as Dec. 12, with a second round of attacks on Dec. 19. So far, said Richards, nearly 5,000 PCs have been infected by the rootkit.

Some users are better protected than others, added Friedrichs, who echoed details posted last Saturday by Prevx researchers.

The rootkit is hard-coded in such a way as to only work on Windows XP systems. But even if it were tweaked, Vista users would have to explicitly approve the installation of the MBR rootkit by accepting a UAC (User Account Control) warning, since the rootkit needs administrative-level approval to install to the hard drive's master boot record.

If it gets on the drive, though, the MBR rootkit is very difficult to detect, Friedrichs admitted. The best defense, therefore, is to sniff it out before it manages to worm its way onto sector 0.

That's the approach Symantec and other antivirus vendors have taken. Symantec, for example, detects the rootkit as a Trojan dubbed Mebroot when it first attempts to install after, say, a successful attack using one of the exploits hosted on the compromised sites serving as attack launch pads.

Gregg Keizer

Computerworld