Is there a rootkit stashed in your boot record?

The latest rootkit in the wild hides on your hard drive’s boot sector and is starting to infect Windows PCs, according to security researchers. And the real kicker: The rootkit can’t be detected by most antivirus applications. Symantec has been tracking the latest rootkit–Trojan.Mebroot–and provides a good overview of master boot record (MBR) rootkits. In general, an MBR is the first sector of a storage device, say a hard drive, and is used for booting the operating system. Control the MBR and control the OS.

These attacks have been around for a few years, but are now impacting Windows in the wild. NVLabs last year published a proof of concept MBR rootkit and the first one, BootRoot, appeared in 2005 courtesy of eEye Digital Security.

According to Symantec, Trojan.Mebroot controls a system by overwriting the MBR with its own code. This rootkit also appears to be a derivative of the BootRoot. The Trojan.Mebroot kernel has been altered to load a custom back door Trojan.

Symantec notes:

The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector 0 as a standard user is a relatively easy task. This issue has been known for quite some time, and still affects the 2K/XP families, while Vista was partially secured in 2006 (after Release Candidate 2) after a successful attack demonstration made by Joanna Rutkowska.

Trojan.Mebroot, which was mapped last week by gmer, runs on Windows XP for now. Vista users would have to accept a User Account Control warning. The SANS Institute has the history of the latest rootkit and notes that it take advantage of “old, easy to patch” vulnerabilities that include:

* Microsoft JVM ByteVerify (MS03-011)
* Microsoft MDAC (MS06-014) (two versions)
* Microsoft Internet Explorer Vector Markup Language (MS06-055)
* Microsoft XML CoreServices (MS06-071)

Leave reply

Back to Top