Everything old is new again - MBR Rootkits?
Date: 13 January 2008
Greetings all,
There have been some reports [1-3] of a rootkit doing the rounds that bases itself in the Master Boot Record (à la such vintage viruses as "Brain" and "Stoned") so that it can completely hide itself from the host operating system (in this case Windows) before that operating system has even been loaded.
There's a bit of inconsistency in the reports - some claim it is possible for the rootkit to install itself even when not run as an administrator, others say that, at least in more recent versions of Windows, administrator privileges are required to get direct access to the hard drive, which is required to write to sector zero.
While rootkits are technically not new, this combination with an old technique like MBR infection is a worry in that getting rid of the infection can be downright painful.
Some motherboards come with Master Boot Record protection - might be a good idea to turn that on if you haven't already. I'm guessing the owners of the reported 6000 or so infected machines are wishing they had.
MDB
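An added example, not part of the original post or any AusCERT tooling: a baseline check of a sector-zero image that hashes only the bootstrap code area, so that ordinary partition changes do not raise a finding. It assumes the 512-byte image was captured offline from trusted boot media (the reports say the rootkit hides itself from the running OS); the function names, sample sectors and baseline are constructed for illustration.

```python
import hashlib
import struct

CODE_END = 440           # bootstrap code occupies bytes 0-439
PTABLE_OFF = 446         # four 16-byte partition entries, bytes 446-509
BOOT_SIG = b"\x55\xaa"   # bytes 510-511

def parse_mbr(sector):
    """Split a 512-byte sector-zero image into the fields worth monitoring."""
    if len(sector) != 512:
        raise ValueError("expected exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PTABLE_OFF + 16 * i:PTABLE_OFF + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4]:  # partition type 0 means the slot is unused
            partitions.append({"active": entry[0] == 0x80, "type": entry[4],
                               "lba_start": lba_start, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:CODE_END]).hexdigest(),
            "disk_signature": sector[440:444].hex(),
            "partitions": partitions,
            "boot_signature_ok": sector[510:512] == BOOT_SIG}

def check_mbr(sector, baseline_sha256):
    """Return findings for one sector-zero image against a known-good code hash."""
    info = parse_mbr(sector)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    if sum(p["active"] for p in info["partitions"]) > 1:
        findings.append("more than one active partition")
    return findings

def sample_sector(code, sectors=204800):
    """Constructed test data: placeholder code bytes plus one NTFS-type entry."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x01\x01", 0x07, b"\xfe\xff\xff", 63, sectors)
    return (code.ljust(CODE_END, b"\x00") + bytes.fromhex("78563412") + b"\x00\x00"
            + entry + bytes(48) + BOOT_SIG)

CLEAN = sample_sector(b"constructed-known-good-loader")
CHANGED = sample_sector(b"constructed-modified-loader")
RESIZED = sample_sector(b"constructed-known-good-loader", sectors=409600)
BASELINE = parse_mbr(CLEAN)["code_sha256"]

if __name__ == "__main__":
    for name, image in (("clean", CLEAN), ("changed", CHANGED), ("resized", RESIZED)):
        print(name, check_mbr(image, BASELINE) or "ok")
```

The baseline hash has to come from an image taken while the machine was known to be clean, for example right after installation.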
References
[1] Symantec - From BootRoot to Trojan.Mebroot: A Rootkit in Your MBR!
[2] Stealth MBR RootKit
[3] Master Boot Record Rootkit is here and ITW
http://www.auscert.org.au/render.html?cid=7066&it=8635