Saturday, January 12, 2008

The MBR Rootkit

A new family of malicious software that runs before Windows even boots up has infected thousands of PCs worldwide and remains undetected by virtually all of the commercial anti-virus tools, security experts warn.

The newly discovered rootkit hides its files in the "master boot record" (MBR), one of the deepest recesses of the PC's hard drive. The MBR is the place PCs consult after first being turned on to see where to find a bootable operating system.

As it happens, the method used by the malware to write itself to the Windows MBR has been known for several years now: Many of its features and infection methods were detailed in a proof-of-concept paper presented by researchers from eEye Digital Security in 2005 at the annual Black Hat hacker convention in Las Vegas. Last week, a rootkit that built on the methods described in the eEye paper was discovered "in the wild" and documented in a write-up by the folks behind GMER, one of the few anti-rootkit applications that successfully detects and removes this particular rootkit.

Known as Trojan.Mebroot (Symantec's name for it), it is finding its way onto PCs through drive-by downloads, the attackers' old standby infection method. Once it's on a machine, the Trojan overwrites the MBR (master boot record) to ensure that it's loaded at startup. It also installs a custom backdoor. The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into sector 0 as a standard user is a relatively easy task.
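Because the infection lives in sector 0, the defender-side check is to read the MBR and compare it against a known-good copy, which is essentially what an anti-rootkit tool such as GMER does. The following is an added example (not code from the original post or from GMER): it parses a 512-byte MBR image, verifies the 0x55AA boot signature, decodes the partition table, and flags bootstrap code whose hash differs from a baseline. The MBR bytes and the baseline hash are constructed inline for illustration; on a real machine sector 0 would be read through a raw disk handle and the baseline captured from a clean install.

```python
"""Parse a 512-byte MBR image and check it against a known-good baseline.

Added example, not from the original post. The sample MBR bytes below are
constructed for illustration only.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the bootstrap code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE_OFF = 510      # last two bytes must be 0x55 0xAA
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR: given boot code, one bootable NTFS-type
    partition entry, three empty entries, and the 0x55AA signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48
    return code + table + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Decode the bootstrap-code hash, partition table, and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:   # type 0 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "valid_signature": sector[SIGNATURE_OFF:] == b"\x55\xaa",
    }


def check_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Return a list of findings; an empty list means sector 0 matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("bootstrap code differs from known-good baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


# Constructed samples: a "clean" MBR, and a copy whose bootstrap code was replaced.
CLEAN_MBR = build_sample_mbr(b"CLEAN-BOOT-CODE-PLACEHOLDER")
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
MODIFIED_MBR = build_sample_mbr(b"ALTERED-BOOT-CODE-PLACEHOLDER")


def demo():
    """Run the check on both samples and return the findings for each."""
    return (check_mbr(CLEAN_MBR, BASELINE_HASH),
            check_mbr(MODIFIED_MBR, BASELINE_HASH))


if __name__ == "__main__":
    clean, modified = demo()
    print("clean MBR findings:   ", clean)
    print("modified MBR findings:", modified)
```

The baseline hash is the key design choice: a signature-only check passes any MBR that still ends in 0x55AA, which a bootkit preserves so the machine keeps booting, so only a comparison against a trusted copy of the bootstrap code catches the overwrite.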

Nothing like starting the year off with a nasty little Trojan. Good times.


The rootkit can be found here - http://rapidshare.com/files/83013949/Rootkit_MBR.rar
