Is there a rootkit stashed in your boot record?

Summary: The latest rootkit in the wild hides on your hard drive's boot sector and is starting to infect Windows PCs, according to security researchers. And the real kicker: The rootkit can't be detected by most antivirus applications.

The latest rootkit in the wild hides on your hard drive's boot sector and is starting to infect Windows PCs, according to security researchers.

And the real kicker: The rootkit can't be detected by most antivirus applications.

Symantec has been tracking the latest rootkit--Trojan.Mebroot--and provides a good overview of master boot record (MBR) rootkits. In general, an MBR is the first sector of a storage device, say a hard drive, and is used for booting the operating system. Control the MBR and control the OS.

These attacks have been around for a few years, but are now impacting Windows in the wild. NVLabs last year published a proof-of-concept MBR rootkit, and the first one, BootRoot, appeared in 2005 courtesy of eEye Digital Security.

According to Symantec, Trojan.Mebroot controls a system by overwriting the MBR with its own code. This rootkit also appears to be a derivative of the BootRoot. The Trojan.Mebroot kernel has been altered to load a custom back door Trojan.
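Because an MBR rootkit works by replacing the bootstrap code in sector 0 while the rest of the disk must still boot normally, the most useful defender check is to read that sector and compare its boot-code bytes against a known-good baseline, separately from the partition table. The following is an added example, not code from the article or from Symantec; it parses the standard 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and hashes the boot code. The sample MBR and the "tampered" variant are constructed inline; `read_mbr` and its device paths are assumed for real use and need administrator rights.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446   # bytes 0..445: bootstrap code the BIOS jumps into
PART_TABLE_OFF = 446  # four 16-byte partition entries at 446..509
SIGNATURE_OFF = 510   # bytes 510..511 must be 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into a boot-code hash and its partition table."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: the given boot code, one bootable type-0x07 partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48  # three unused entries
    return code + table + b"\x55\xaa"


# Constructed stand-in for the legitimate loader's boot code (not real OS code).
KNOWN_GOOD_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_HASH = parse_mbr(KNOWN_GOOD_MBR)["boot_code_sha256"]
# Constructed: boot code swapped out, partition table left intact so the system still boots.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 64)


def check_mbr(sector: bytes, baseline_hash: str) -> dict:
    """Report whether the boot code still matches the trusted baseline, plus the partition table."""
    info = parse_mbr(sector)
    info["boot_code_matches_baseline"] = info["boot_code_sha256"] == baseline_hash
    return info


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a raw device (assumed paths: r'\\\\.\\PhysicalDrive0' on Windows, '/dev/sda' on Linux)."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


if __name__ == "__main__":
    for label, sector in (("known-good", KNOWN_GOOD_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(sector, BASELINE_HASH)
        print(label, "boot code matches baseline:", result["boot_code_matches_baseline"],
              "partitions:", result["partitions"])
```

The baseline hash should be captured from a trusted state (a fresh install, or the boot code from install media) and stored off the machine, since a rootkit that controls the disk can also serve a clean copy of sector 0 to user-mode readers; a comparison made from a separate boot environment is the reliable one.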

Symantec notes:

The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector 0 as a standard user is a relatively easy task. This issue has been known for quite some time, and still affects the 2K/XP families, while Vista was partially secured in 2006 (after Release Candidate 2) after a successful attack demonstration made by Joanna Rutkowska.

Trojan.Mebroot, which was mapped last week by gmer, runs on Windows XP for now. Vista users would have to accept a User Account Control warning. The SANS Institute has the history of the latest rootkit and notes that it takes advantage of "old, easy to patch" vulnerabilities that include:

  • Microsoft JVM ByteVerify (MS03-011)
  • Microsoft MDAC (MS06-014) (two versions)
  • Microsoft Internet Explorer Vector Markup Language (MS06-055)
  • Microsoft XML CoreServices (MS06-071)

Via Computerworld.


About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN...
