January 9th, 2008

Is there a rootkit stashed in your boot record?

Posted by Larry Dignan @ 11:00 am

Categories: Exploit code, Microsoft, Rootkits, Vulnerability research, Windows Vista

Tags: Symantec Corp., Microsoft Corp., SANS Institute, Trojan.Mebroot Kernel, Rootkits, Security, Spyware, Adware & Malware, Larry Dignan

The latest rootkit in the wild hides on your hard drive’s boot sector and is starting to infect Windows PCs, according to security researchers.

And the real kicker: The rootkit can’t be detected by most antivirus applications.

Symantec has been tracking the latest rootkit, Trojan.Mebroot, and provides a good overview of master boot record (MBR) rootkits. The MBR is the first sector (sector 0) of a storage device such as a hard drive. It holds the bootstrap code and the partition table, and the BIOS loads and executes it before the operating system starts, so code planted there runs before the kernel and before any antivirus driver. Control the MBR and you control the OS.

These attacks have been around for a few years, but are now hitting Windows in the wild. NVLabs published a proof-of-concept MBR rootkit last year, and the first one, BootRoot, appeared in 2005 courtesy of eEye Digital Security.

According to Symantec, Trojan.Mebroot takes control of a system by overwriting the MBR with its own code. The rootkit also appears to be a derivative of BootRoot; its kernel component has been altered to load a custom back-door Trojan.

Symantec notes:

The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector 0 as a standard user is a relatively easy task. This issue has been known for quite some time, and still affects the 2K/XP families, while Vista was partially secured in 2006 (after Release Candidate 2) after a successful attack demonstration made by Joanna Rutkowska.
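To make the MBR layout and the "overwrite sector 0" attack concrete, here is an added example (not Symantec's, ZDNet's or gmer's code) that parses a 512-byte MBR, extracts the partition table, and compares the bootstrap-code region against a known-good hash. The MBR layout used (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature at offset 510) is the standard PC layout; the baseline hash, both sample MBRs and the `read_sector0` helper are constructed for the demonstration and assumptions of this example. The "infected" sample assumes the rootkit keeps the partition table intact so the machine still boots and replaces only the bootstrap code.

```python
"""Parse a 512-byte MBR and check its bootstrap code against a known-good hash.

Added example, not code from Symantec, ZDNet or the Mebroot analysis.
The sector layout is the standard PC MBR; the samples below are constructed.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446          # bytes 0..445: bootstrap code run by the BIOS
PART_TABLE_OFF = 446        # bytes 446..509: four 16-byte partition entries
SIG_OFF = 510               # bytes 510..511: 0x55 0xAA boot signature
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into bootstrap code, partition entries and signature check."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sectors
        status, ptype, lba_start, n_sectors = struct.unpack_from("<B3xB3xII", sector, off)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": n_sectors})
    return {
        "bootcode": sector[:BOOTCODE_LEN],
        "partitions": parts,
        "signature_ok": sector[SIG_OFF:SIG_OFF + 2] == BOOT_SIGNATURE,
    }


def bootcode_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap-code region only; the partition table may change legitimately."""
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return findings; an empty list means the MBR matches the recorded baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if bootcode_hash(sector) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    bootable = [p for p in mbr["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return findings


def read_sector0(device: str) -> bytes:
    r"""Read sector 0 from a raw device (helper assumed for this example).

    On Windows the device is r'\\.\PhysicalDrive0', which on Vista and later
    needs an elevated prompt; on Linux it is e.g. '/dev/sda' and needs root.
    """
    with open(device, "rb") as f:
        return f.read(SECTOR)


def _build_sample(bootcode: bytes) -> bytes:
    """Constructed MBR: given bootstrap code, one bootable NTFS partition, valid signature."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    # status 0x80 (bootable), CHS fields zero, type 0x07 (NTFS), LBA 63, 20 GiB of sectors
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 20 * 1024 * 1024 * 2)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return code + table + BOOT_SIGNATURE


# Constructed "clean" MBR whose bootstrap code is just `cli; hlt`.
CLEAN_MBR = _build_sample(b"\xfa\xf4")
# Constructed "infected" MBR: same partition table, bootstrap code replaced
# (assumption: the rootkit keeps the partition table so the system still boots).
INFECTED_MBR = _build_sample(b"\xeb\xfe")
# Baseline recorded when the machine was known to be clean.
BASELINE = bootcode_hash(CLEAN_MBR)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, check_mbr(mbr, BASELINE) or "OK")
```

One caveat a practitioner should keep in mind: once an MBR rootkit is running beneath the kernel it can hook the disk driver and hand back the original sector whenever anything reads sector 0, so a check like this run from inside the possibly infected OS can be fooled. Run it from boot media against the raw drive, and record the baseline hash while the machine is known to be clean.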

Trojan.Mebroot, which was mapped last week by gmer (the author of the GMER rootkit detector), runs on Windows XP for now. Vista users would have to accept a User Account Control warning. The SANS Institute has the history of the latest rootkit and notes that it takes advantage of "old, easy to patch" vulnerabilities that include:

  • Microsoft JVM ByteVerify (MS03-011)
  • Microsoft MDAC (MS06-014) (two versions)
  • Microsoft Internet Explorer Vector Markup Language (MS06-055)
  • Microsoft XML CoreServices (MS06-071)

Via Computerworld.

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic.
