The latest rootkit in the wild hides on your hard drive's boot sector and is starting to infect Windows PCs, according to security researchers. And the real kicker: The rootkit can't be detected by most antivirus applications. Symantec has been tracking the latest rootkit, Trojan.Mebroot, and provides a good overview of master boot record (MBR) rootkits. In general, an MBR is the first sector of a storage device, say a hard drive, and is used for booting the operating system. Control the MBR and control the OS.
These attacks have been around for a few years, but are now impacting Windows in the wild. NVLabs last year published a proof of concept MBR rootkit and the first one, BootRoot, appeared in 2005 courtesy of eEye Digital Security.
According to Symantec, Trojan.Mebroot controls a system by overwriting the MBR with its own code. This rootkit also appears to be a derivative of the BootRoot. The Trojan.Mebroot kernel has been altered to load a custom back door Trojan.
Symantec notes:
The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector 0 as a standard user is a relatively easy task. This issue has been known for quite some time, and still affects the 2K/XP families, while Vista was partially secured in 2006 (after Release Candidate 2) after a successful attack demonstration made by Joanna Rutkowska.
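Because the MBR is a fixed 512-byte structure (446 bytes of bootstrap code, a 64-byte partition table, and the 0x55AA signature), a defender can detect the kind of overwrite described above by comparing the current sector 0 against a copy captured at a known-good time. The following is an added example, not code from the article, Symantec or gmer: it builds a constructed sample MBR, parses it, and reports whether the bootstrap code or partition table has changed relative to a baseline. The boot-code bytes and partition values are placeholders, not taken from any real disk or malware.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446           # bytes 0..445 hold the bootstrap code
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR (not read from a real disk): the given boot
    code padded to 446 bytes, one bootable type-0x07 partition entry,
    three empty entries, and the 0x55AA signature."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    # Entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes),
    # LBA of first sector, sector count (all little-endian).
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 63, 2097152)
    table = entry + b"\x00" * 48
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Validate the signature, hash the bootstrap area, and decode the
    non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:          # type 0x00 marks an unused entry
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr_integrity(current: bytes, baseline: bytes) -> list:
    """Return a list of findings describing how `current` departs from
    `baseline`; an empty list means sector 0 is unchanged."""
    findings = []
    cur = parse_mbr(current)
    base = parse_mbr(baseline)
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("bootstrap code (bytes 0-445) differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


# Constructed inputs: a stand-in for the legitimate boot loader, and a copy
# whose bootstrap code has been replaced while the partition table is kept.
BASELINE_MBR = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0")
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE")

if __name__ == "__main__":
    print(parse_mbr(BASELINE_MBR))
    print(check_mbr_integrity(BASELINE_MBR, BASELINE_MBR))
    print(check_mbr_integrity(TAMPERED_MBR, BASELINE_MBR))
```

In practice the two inputs are the first 512 bytes read from the physical disk (which requires administrative rights) and a copy saved when the machine was known to be clean; hashing only the bootstrap area keeps the check sensitive to code replacement while the partition comparison catches changes to where the operating system is loaded from.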
Trojan.Mebroot, which was mapped last week by gmer, runs on Windows XP for now. Vista users would have to accept a User Account Control warning. The SANS Institute has the history of the latest rootkit and notes that it takes advantage of "old, easy to patch" vulnerabilities that include:
* Microsoft JVM ByteVerify (MS03-011)
* Microsoft MDAC (MS06-014) (two versions)
* Microsoft Internet Explorer Vector Markup Language (MS06-055)
* Microsoft XML CoreServices (MS06-071)