New rootkit hides in hard drive's boot record
Cloaking malware holes up where Windows can't find it, say researchers
Computerworld - A rootkit that hides from Windows on the hard drive's boot sector is infecting PCs, security researchers said today. Once installed, the cloaking software is undetectable by most current antivirus programs.
The rootkit overwrites the hard drive's master boot record (MBR), the first sector -- sector 0 -- where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to the operating system and security software installed on that operating system.
"A traditional rootkit installs as a driver, just as when you install any hardware or software," said Oliver Friedrichs, director of Symantec Corp.'s security response team. "Those drivers are loaded at or after the boot process. But this new rootkit installs itself before the operating system loads. It starts executing before the main operating system has a chance to execute." Control the MBR, Friedrichs continued, and you control the operating system, and thus the computer.
"That gives it unprecedented access to the computer," Friedrichs said. "It's able to hide in a manner that a traditional rootkit never can."
According to other researchers, including those with the SANS Institute's Internet Storm Center, Prevx Ltd. and a Polish analyst who uses the alias "gmer," the rootkit has infected several thousand PCs since mid-December, and is used to cloak a follow-on bank account-stealing Trojan horse from detection as well as to reinstall the identity thief if a security scanner somehow sniffs it out.
Several of those researchers fingered a quartet of aged exploits -- the majority harking to vulnerabilities patched in 2006 -- launched from compromised Web sites as the rootkit's install attack vector. Any PC that's not up to date on its patches is at risk if used to surf to such sites.
This is a serious threat, said Friedrichs, and illustrates the skill of some cybercriminals. "Although the concept [of a MBR rootkit] isn't new, it's not easy to pull this off," he said. "It's a very sophisticated attack, and the amount of time and effort they spent creating this is very substantial.
"We're not dealing with amateurs here."
The rootkit's lineage, in fact, has been mapped by others, notably gmer, who first published an analysis of the rootkit's code last week. By gmer's account, the rootkit's creator stole code originally written by Derek Soeder and Ryan Permeh, a pair of researchers at eEye Digital Security, as a proof-of-concept rootkit they presented at the Black Hat security conference in August 2005.
"So this has been brewing for some time," said Symantec's Friedrichs. "But given the complexity of the task, it's not surprising it's taken this long. One thing, it shows the lengths to which attackers are going to go. We've just not seen them approach threat research this complex in the past."
Matthew Richards, director of VeriSign Inc.'s iDefense Labs, pegged the start of the MBR rootkit's in-the-wild appearance as Dec. 12, with a second round of attacks on Dec. 19. So far, said Richards, nearly 5,000 PCs have been infected by the rootkit.
Some users are better protected than others, added Friedrichs, who echoed details posted last Saturday by Prevx researchers.
The rootkit is hard-coded in such a way as to only work on Windows XP systems. But even if it was tweaked, Vista users would have to explicitly approve the installation of the MBR rootkit by accepting a UAC (User Account Control) warning, since the rootkit requires needs administrative-level approval to install to the hard drive's master boot record.
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Mitigating Security Risks at the Networks Edge This white paper provides strategies and best practices for distributed enterprises to protect their networks against vulnerabilities, threats, and malicious attacks.
- 5 Strategies for Modern Data Protection Read the five strategies for modern data protection that will not only help solve your current data management challenges but also ensure that...
- 5 Ways Dropbox for Business Keeps Your Data Protected Protecting your data isn't a feature on a checklist, something to be tacked on as an afterthought. Download here to find out how...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- On-Demand Webinar: Mind the Gap! Watch the webinar featuring Bob Janssen, CTO and Co-Founder of RES Software, to start building a solid foundation for business and IT to... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!