MBR rootkit targets Windows users
Fortunately, the risk to end users is low if system has been patched with Microsoft updates.
Security experts warned on Wednesday of a new rootkit aimed at users of the Windows operating system.
The rootkit hides in the Master Boot Record (MBR), or Sector 0 of the hard disk drive where the primary partition entries in its partition table are stored. According to Verisign's iDefense research unit, the rootkit overwrites the existing MBR, making discovery very difficult. A rootkit is a program or group of programs designed to take root or administrator control of a computer without the user knowing.
According to iDefense, the samples of this MBR rootkit were first reported in mid-December, with the first wave hitting 1,800 computers on December 17 and a second wave hitting 3,000 computers on December 19. On December 22, the code was released into the wild, with iDefense reporting a total of 5,000 infections worldwide through January 7.
The current rootkit code appears to be based on two theoretical stealth rootkit presentations, one given by eEye security researchers Derek Soeder and Ryan Permeh (PDF file) for Windows NT machines at Black Hat USA 2005, and by independent security researchers Nitin Kumar and Vipin Kumar (PDF file) for Windows Vista machines at Black Hat USA 2007. A comparison of the demonstration codes used in the presentation alongside the actual MBR rootkit code can be found on the GMER site. GMER is the nickname of a researcher who makes an application that detects and removes rootkits.
Infection occurs when a user visits an infected Web site. The infected site contains an iframe that links to a server hosting several exploits. If the user's machine is vulnerable to any of the following exploits, it will become infected:
- Microsoft JVM ByteVerify (MS03-011)
- Microsoft MDAC (MS06-014)
- Microsoft Internet Explorer Vector Markup Language (MS06-055)
- Microsoft XML CoreServices (MS06-071)
According to GMER, detection of this rootkit requires a comparison of current MBR to a stored image. If the comparison is not identical, then the machine has most likely been infected. Removal requires reverting the infect system back to an uninfected version of the MBR.