New rootkit hides in hard drive's boot record

Cloaking malware holes up where Windows can't find it, say researchers

Page 2 of 2

If it gets on the drive, though, the MBR rootkit is very difficult to detect, Friedrichs admitted. The best defense, therefore, is to sniff it out before it manages to worm its way onto sector 0, the master boot record (MBR) that the BIOS loads and executes before Windows itself starts.

That's the approach Symantec and other antivirus vendors have taken. Symantec, for example, detects the rootkit as a Trojan dubbed Mebroot when it first attempts to install, after, say, a successful attack using one of the exploits hosted on the compromised sites serving as attack launch pads.

"But once it's on your system, it becomes much more difficult to deal with," said Friedrichs. "Once it's tampered with the master boot record, the only way to remove it is to boot using the Windows installation disk and run the Windows Recovery Console."

From the recovery console, advised Elia Florio, another Symantec researcher, users can run the "fixmbr" command to remove the rootkit. "To help prevent similar attacks in the future, and if your system BIOS includes the Master Boot Record write-protection feature, now is a good time to enable it," Florio recommended in a post to the Symantec security response team's blog on Tuesday.
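One way to check whether sector 0 has been tampered with is to read it from clean boot media (a live CD or a forensic image, never the running, possibly infected Windows install, since the article's point is that the rootkit hides there) and compare the 446-byte bootstrap code against a hash taken when the system was known good. The following is an added example and not code from the article or from Symantec; the function names (parse_mbr, check_mbr, build_mbr), the baseline-hash approach and the two constructed sample sectors are assumptions made for illustration.

```python
import hashlib
import struct

# MBR layout (sector 0 of a BIOS-booted disk): 446 bytes of bootstrap code,
# four 16-byte partition entries, then the 0x55 0xAA boot signature.
MBR_SIZE = 512
BOOT_CODE_LEN = 446
PARTITION_TABLE_OFF = 446
PARTITION_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into bootstrap code, partition table and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes, got %d" % (MBR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            PARTITION_ENTRY_FMT, sector, PARTITION_TABLE_OFF + 16 * i)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": partitions,
            "signature": sector[510:512]}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means sector 0 matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature is not 0x55AA")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_sha256:
        findings.append("bootstrap code differs from known-good baseline")
    active = [p for p in mbr["partitions"] if p["status"] == 0x80]
    if len(active) > 1:
        findings.append("more than one partition flagged active")
    for n, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02x" % (n, p["status"]))
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append("partition %d has a type but zero length" % n)
    return findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a sector from bootstrap code and (status, type, lba_start, sectors) tuples."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PARTITION_ENTRY_FMT, sector, PARTITION_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample data (not a real disk image): a clean MBR whose bootstrap
# code starts with the usual cli / xor ax,ax / mov ss,ax / mov sp,0x7c00 prologue,
# and a copy whose first bytes have been overwritten with a jump elsewhere,
# the kind of change an MBR rootkit makes when it replaces the boot code.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * (BOOT_CODE_LEN - 9)
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 63, 20_000_000)])
TAMPERED_MBR = build_mbr(b"\xe9\x00\x7e" + CLEAN_BOOT_CODE[3:], [(0x80, 0x07, 63, 20_000_000)])

# The baseline hash is taken from a copy of sector 0 saved while the system was known clean
# and stored off the machine; here it is derived from the constructed clean sample.
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()


def read_sector0(path: str) -> bytes:
    """Read sector 0 from a raw device or disk image.

    On Windows the raw disk is \\.\PhysicalDrive0 (pass it as a raw string, needs admin);
    on a Linux live CD it is the block device, e.g. /dev/sda.
    """
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, BASELINE_SHA256) or ["ok"])
```

The hash comparison is what catches a rootkit like the one described: the partition table can be left perfectly valid while only the bootstrap code is replaced, so structural checks alone pass. Run the check from boot media or against an image taken with the disk offline; reading \\.\PhysicalDrive0 from inside an infected Windows session may return whatever the rootkit wants you to see.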


Copyright © 2008 IDG Communications, Inc.
