Is there a rootkit stashed in your boot record?

Summary: The latest rootkit in the wild hides on your hard drive's boot sector and is starting to infect Windows PCs, according to security researchers. And the real kicker: The rootkit can't be detected by most antivirus applications.

The latest rootkit in the wild hides on your hard drive's boot sector and is starting to infect Windows PCs, according to security researchers.

And the real kicker: The rootkit can't be detected by most antivirus applications.

Symantec has been tracking the latest rootkit--Trojan.Mebroot--and provides a good overview of master boot record (MBR) rootkits. In general, an MBR is the first sector of a storage device, say a hard drive, and is used for booting the operating system. Control the MBR and control the OS.

These attacks have been around for a few years, but are now impacting Windows in the wild. NVLabs last year published a proof-of-concept MBR rootkit, and the first one, BootRoot, appeared in 2005 courtesy of eEye Digital Security.

According to Symantec, Trojan.Mebroot controls a system by overwriting the MBR with its own code. This rootkit also appears to be a derivative of BootRoot: the Trojan.Mebroot kernel loader has been altered to load a custom back door Trojan.

Symantec notes:

The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector 0 as a standard user is a relatively easy task. This issue has been known for quite some time, and still affects the 2K/XP families, while Vista was partially secured in 2006 (after Release Candidate 2) after a successful attack demonstration made by Joanna Rutkowska.
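The article describes the MBR as the first sector of the disk, which Trojan.Mebroot overwrites. The defensive counterpart is an integrity check of sector 0 against a baseline taken while the machine was clean. The following is an added example, not code from the article, Symantec or the rootkit: the 512-byte layout (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature) is the standard MBR format, the device path in `read_mbr` is an assumption, and the sample MBR bytes are constructed (the tampered copy is simply a patched stub, not real malware).

```python
import hashlib
import struct
SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446            # boot code precedes the 4 x 16-byte partition table
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510-511 of a valid MBR

def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a raw device (e.g. /dev/sda from a rescue CD; assumed path).
    Do it from trusted media: a loaded rootkit can filter what the live OS reports."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)

def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into bootstrap code, partition entries and boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype:                  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"bootstrap": sector[:BOOTSTRAP_LEN], "partitions": partitions,
            "signature_ok": sector[510:] == BOOT_SIGNATURE}

def bootstrap_hash(sector: bytes) -> str:
    """Baseline only the code area: that is the part an MBR rootkit replaces."""
    return hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest()

def check_mbr(sector: bytes, baseline: str) -> list:
    """Findings to alert on when sector 0 is compared with a known-good baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if bootstrap_hash(sector) != baseline:
        findings.append("bootstrap code changed since baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings

# Constructed sample: placeholder boot stub, one active NTFS partition, signature.
CLEAN_MBR = (b"\xEB\x3C\x90" + b"\x00" * 443
             + struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2_000_000)
             + b"\x00" * 48 + BOOT_SIGNATURE)
# The same disk after its boot code has been overwritten (first 32 bytes patched).
TAMPERED_MBR = b"\xCC" * 32 + CLEAN_MBR[32:]
BASELINE = bootstrap_hash(CLEAN_MBR)   # record this while the system is known clean
```

A real deployment stores the baseline hash off the machine and runs the comparison from boot media, which sidesteps a kernel-resident rootkit that hides its sector-0 changes from tools running on the infected OS.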

Trojan.Mebroot, which was mapped last week by gmer, runs on Windows XP for now. Vista users would have to accept a User Account Control warning. The SANS Institute has the history of the latest rootkit and notes that it takes advantage of "old, easy to patch" vulnerabilities that include:

  • Microsoft JVM ByteVerify (MS03-011)
  • Microsoft MDAC (MS06-014) (two versions)
  • Microsoft Internet Explorer Vector Markup Language (MS06-055)
  • Microsoft XML CoreServices (MS06-071)

Via Computerworld.

Topics: Microsoft, Security

Talkback

65 comments
  • You mean Apple Macs aren't affected?

    Fascinating. This has been 'known about for some time', Windows 2K affected, XP is affected, Vista partially affected, Apple Mac NOT affected.

    Imagine that, yet another security drop off which only affects Microsoft Windows.

    Vista, the OS ZDnet pundits (writers and Talkbackers alike) have been asserting is "More secure than OS X" is STILL partially susceptible to a security issue that goes back 7 years to Win 2K.

    Patently Vista was built on the shifting sand of legacy code, including all the code drop-offs that make malware and Microsoft a losing team in 2008, just as they always have been, ever since the days when there were only 100,000 Windows viruses to be checked for.

    "... the main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector 0 as a standard user is a relatively easy task. This issue has been known for quite some time, and still affects the 2K/XP families, while Vista was partially secured in 2006 (after Release Candidate 2) after a successful attack demonstration made by Joanna Rutkowska.
    whisperycat
    • It doesn't affect the Macintosh (and even some Windows PCs) because...

      It doesn't affect the Macintosh (and even some Windows PCs) because it's based on
      a specific hardware design and how MBRs are created for hard discs introduced
      back with the original IBM PC. It also has to do with the BIOS and PCs booting up in
      "real mode," which allows the MBR to be read back as machine code during the
      boot process.

      Since neither the older Macintoshes nor newer Macintoshes use a traditional BIOS
      (the former used OpenFirmware, the latter uses Extensible Firmware Interface), it
      can't be targeted by this particular trojan because the MBR is not a part of system
      bootup.

      Windows PCs running on motherboards that utilize EFI instead of a traditional BIOS
      would also be unaffected.
      olePigeon
      • Wrong!

        EFI could be targeted if the root kit was written that way. All machines that boot off of a hard drive could be exploited.
        ShadeTree
        • Except that

          this is not a BIOS virus. It exploits a weakness in the partition scheme used by
          Windows. Since GUID uses a completely different and much more sophisticated and
          secure structure than MBR, targeting that with a boot sector virus is much, much more
          difficult. Microsoft explains it for you:

          http://support.microsoft.com/kb/302873
          frgough
        • Drives and Infectability

          Mac OSX like VISTA has security which forces the software to submit to a User OK in
          order to make any changes, or installations. This as far as I know affects
          Everything. I used OSX first, and now I have VISTA too on my laptop. They both
          require a user authentication.

          In the order of hard drives. This, I suppose could even now infect any Intel based
          macintosh. Especially those that can Boot Windows. The original way of formatting
          Hard drives in Mac has been replaced with Intel standards making it so that Old
          drives actually have to be reformatted just to be used on Intel based Macs...
          However, the user would still need to authenticate software activity if any were to
          occur.

          For this to affect non Intel based Macintosh the author would need to write a Kernel just for PPC based systems. This would then be so specific a virus that it
          would not affect any other machine unless it also carried some kind of Code that
          worked on multiple platforms.

          Thing is that Personally, I believe the Antivirus authors are in some way responsible
          for these tech savvy viruses. Especially the ones that require specific knowledge of
          hardware. They make lots of money on the Fix then they spend some of that on a
          new virus, maybe even open source it...
          rflulling
  • Erase the drive and it comes back!

    A scan of the computer's chips is an imperative. A good scrubbing from the BIOS to the CPU, plug in cards all the way to the Winbond is in order here.
    BALTHOR
    • Also not true!

      A secure erase or even a repartition will remove the infection mechanism.
      ShadeTree
      • I seem to remember..

        back in the old days, that there was something that messed with the MBR (like a
        Seagate drive or something), to give additional functions (was it for a 30 Meg drive?
        I forget). Anyway, neither a reformat nor a simple repartition got rid of it. I seem
        to recall having to use FDISK /MBR.

        I seem to recall that the master boot record was outside the scope of erase or
        simple partitioning.

        I could be wrong.
        msalzberg
        • You're not wrong.

          The MBR is not re-written by Windows when partitioning or erasing disks. You have to
          use the MBR switch. So your memory is good.
          frgough
          • Not the same thing as a secure wipe

            [i]The MBR is not re-written by Windows when partitioning or erasing disks. You have to use the MBR switch. So your memory is good.[/i]

            That's correct, but what was being discussed was something different: a [b]secure wipe[/b], something that cannot be done on the boot HDD from Windows (that would be system suicide), and should not anyway. A secure wipe utility can only be run from a special removable boot disk (CD, floppy, flash drive in some cases).

            This boot disk either has no OS whatsoever and relies on the app to do everything by itself (yes, this is possible, though rarely used) or boots old DOS. It may do that by software or use a "suicide pill" routine embedded in the firmware of most, if not all, contemporary HDDs. It completely, thoroughly zeroes the entire hard disk - absolutely no data recovery possible, not even by the NSA folks. [b]All[/b] partitions, MBRs, MFTs, boot sectors, etc. are completely ignored, because the process only considers the physical HDD. [b]Nothing[/b] escapes: the [b]entire[/b] HDD surface is wiped clean.

            No boot sector (or virus) can survive that. Your disk is nuked, sterile, as it came from the factory, useless as it is, and has to be prepared all over again to be used (create all tables and partitions anew, format, etc.).

            See, for example, http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
            goyta
          • If Memory Serves...

            It was the Monkey Virus... wow, long time since we've seen that one.
            Red_Beard
          • What NSA can do

            Sorry, NSA can recover data from a zeroed drive. They use specialized hardware that reads magnetic information outside the normal sectors on the drive. That's why software solutions for erasing drives include multipass patterned and random character writes to completely scramble the magnetic traces left by your data.
            cburkitt2
      • Would recreating MBR do it too?

        Say you boot off the XP cd to the recovery console and recreate the MBR should clean that up too but you risk losing the partitions if you do so. At least that's the warning it gives you when you do run that command.
        voska1
        • Knoppix is your friend.

          Boot from a Knoppix CD and back up all your data... just in case.

          Then run your MBR fix from the Windows Recovery CD... just remember, it's not fixed until your data is safe.

          -RB
          Red_Beard
  • Much as I hate to say it, I think ShadeTree is right for once

        Removal is apparently fairly straightforward and permanent, according to Symantec's Security Response for trojan.mebroot (http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-010718-3448-99 ).
        drprodny
    • I can only learn Skoda

      (no Skoda, but imagine a worldwide Soviet manufacturer from the old days)

      I'm so busy fixing the carb.
      I'm so busy fixing the starter.
      I'm so busy fixing the ignition.

      Doughnuts!!!!!!

      I only know (Skoda) and yet I think I can talk about cars!!
      fr0thy
  • So my sincere question is...

    it's pretty obvious that XP and back are affected, but what about Vista? From what I have read Vista should be able to stop this from happening. Is this a true statement or not? I am curious... ]:)
    Linux User 147560
    • Larry quoted Symantec

      [i]This issue has been known for quite some time, and still affects the 2K/XP families, while Vista was partially secured in 2006 (after Release Candidate 2) after a successful attack demonstration made by Joanna Rutkowska.[/i]

      I remember that one when it came out. Initially, Ms Rutkowska was railed on by the Windows community for pointing out a major flaw, but she was vindicated. Microsoft fixed it...

      Not that Linux is totally immune from such a thing, except it must have root privileges. I'd guess if your userid was in the sudoers file (like in Ubuntu), it would be similar to the way it would attack Vista - it would have to ask your consent in Vista, and would have to ask for your password in Linux. Better to be safe and not give sudoers the ANY option - force it to ask you for the root password - not yours. I think long and hard before I enter the root password when prompted...
      NetArch.
      • I figured Linux would for the most part

        be immune (nothing is immune to user idiocy though...) but I was curious if Vista was as well. I forgot about the Rutkowska demo.

        ]:)
        Linux User 147560
    • BIOS, people! BIOS!

      MBR anti-virus has been a feature in BIOS' for at least a decade now. Set up your OS, go back into the CMOS, turn it on, call it happy. No MBR rootkit.
      Dr. John