New rootkit hides in hard drive's boot record
Cloaking malware holes up where Windows can't find it, say researchers
Computerworld - A rootkit that hides from Windows on the hard drive's boot sector is infecting PCs, security researchers said today. Once installed, the cloaking software is undetectable by most current antivirus programs.
The rootkit overwrites the hard drive's master boot record (MBR), the first sector -- sector 0 -- where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to the operating system and security software installed on that operating system.
"A traditional rootkit installs as a driver, just as when you install any hardware or software," said Oliver Friedrichs, director of Symantec Corp.'s security response team. "Those drivers are loaded at or after the boot process. But this new rootkit installs itself before the operating system loads. It starts executing before the main operating system has a chance to execute." Control the MBR, Friedrichs continued, and you control the operating system, and thus the computer.
"That gives it unprecedented access to the computer," Friedrichs said. "It's able to hide in a manner that a traditional rootkit never can."
According to other researchers, including those with the SANS Institute's Internet Storm Center, Prevx Ltd. and a Polish analyst who uses the alias "gmer," the rootkit has infected several thousand PCs since mid-December, and is used to cloak a follow-on bank account-stealing Trojan horse from detection as well as to reinstall the identity thief if a security scanner somehow sniffs it out.
Several of those researchers fingered a quartet of aged exploits -- the majority harking to vulnerabilities patched in 2006 -- launched from compromised Web sites as the rootkit's install attack vector. Any PC that's not up to date on its patches is at risk if used to surf to such sites.
This is a serious threat, said Friedrichs, and illustrates the skill of some cybercriminals. "Although the concept [of a MBR rootkit] isn't new, it's not easy to pull this off," he said. "It's a very sophisticated attack, and the amount of time and effort they spent creating this is very substantial.
"We're not dealing with amateurs here."
The rootkit's lineage, in fact, has been mapped by others, notably gmer, who first published an analysis of the rootkit's code last week. By gmer's account, the rootkit's creator stole code originally written by Derek Soeder and Ryan Permeh, a pair of researchers at eEye Digital Security, as a proof-of-concept rootkit they presented at the Black Hat security conference in August 2005.
"So this has been brewing for some time," said Symantec's Friedrichs. "But given the complexity of the task, it's not surprising it's taken this long. One thing, it shows the lengths to which attackers are going to go. We've just not seen them approach threat research this complex in the past."
Matthew Richards, director of VeriSign Inc.'s iDefense Labs, pegged the start of the MBR rootkit's in-the-wild appearance as Dec. 12, with a second round of attacks on Dec. 19. So far, said Richards, nearly 5,000 PCs have been infected by the rootkit.
Some users are better protected than others, added Friedrichs, who echoed details posted last Saturday by Prevx researchers.
The rootkit is hard-coded in such a way as to only work on Windows XP systems. But even if it was tweaked, Vista users would have to explicitly approve the installation of the MBR rootkit by accepting a UAC (User Account Control) warning, since the rootkit requires needs administrative-level approval to install to the hard drive's master boot record.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts