Network Security, Vulnerability Management

Rootkit targeting Master Boot Record in the wild

Updated Thursday, Jan. 10, 2008, at 1:38 p.m. EST

A rootkit attacking Master Boot Record (MBR) -- a vector used more than a decade ago on MS-DOS operating systems -- on various Windows operating systems is spreading in the wild, according to researchers.

Trojan.Mebroot overwrites the MBR with its own code, taking control of a targeted PC's operating system after infecting it with a drive-by exploit, according to researchers at Symantec and VeriSign iDenfense.

The trojan infected 5,000 computers from Dec. 12 of last year to this Monday, according to research from VeriSign, which added that the group responsible has infected more than 200,000 PCs with other malware, including the Torpig banking trojan.

End-users are at especially high risk of infection from the rootkit because it is not detected or removed by most anti-virus programs, according to VeriSign.

The malware affects Windows XP, Vista, Server 2003 and 2000, according to Symantec.

Matt Richard, director of the Rapid Response Team at VeriSign iDefense, told SCMagazineUS.com today that the rootkit, if undetected by anti-virus solutions, will download additional trojans onto an infected PC it is not removed.

“It definitely is a disturbing twist -- it's something a lot of people aren't prepared to deal with, and this goes a step further than most anti-virus solutions are prepared to deal with,” he said. “This is going to stick around. This is a rootkit that loads in other trojans, and the anti-virus might get rid of the trojans, but [the rootkit] can download new ones.”

Symantec suggested that there could be a link between Mebroot and Trojan.Anserin, citing similarities in the main distribution website and the polymorphic packer used in by both threats.

Ben Greenbaum, senior research manager at Symantec Security Response, told SCMagazineUS.com that it's possible attackers will use this method again in the near future.

“It's hard to tell at this point, but with so many motherboards out there that don't have any protection, now that it's hit the spotlight and got some press, I'd be surprised is hackers didn't try this,” he said. “But since the cleaning of it is simple, it's hard to tell if this will catch on in any fashion.”

The trojan is at least partially copied from the code of the BootRoot trojan, a proof-of-concept created by eEye Digital Security researcher Derek Soeder in 2005 targeting the MBR, according to Symantec.

Bill Sisk, Microsoft security response communications manager, said today that his company's anti-virus products are protecting against the threat. He also urged affected PC users to contact their local FBI office or report the incident on IC3.gov.

Andre Protas, eEye researcher, told SCMagazineUS.com that an MBR trojan was displayed at BlackHat Europe in March of last year, “which sparked a lot of interest in this sort of issue.”

“I don't think it's as dangerous as some people think, but it is interesting from a research perspective,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.