Mar 4, 2008

[Security] MBR rootkit ups the ante

The battle against malware has just become a bit harder. Welcome the MBR rootkit!

This new Windows MBR rootkit launches itself very early during the Windows startup process without requiring any registry or file modifications. In fact, it is quite surprising that it's possible to write to the MBR from within Windows to begin with.

The MBR rootkit — known as "Mebroot" — is very advanced and probably the stealthiest malware we have seen so far. It keeps the amount of system modifications to a minimum and is very challenging to detect from within the infected system.

A rootkit allows a program to be hidden from the user - it is used as a stealth mechanism, to hide from old antivirus applications and plain computer users (like me). But most AV products nowadays can detect rootkits, so rootkits' usefulness ebbed somewhat. An MBR rootkit changes the game.

A master boot record contains the first code loaded during the computer's startup process. That means an infected MBR will load the suspect code even before your operating system is loaded. That means your AV product, if not updated, will not be able to find it. That means the rootkit is loaded every time the system is started.

Always update your security software, and be careful in downloading files from the Internet. Also, do not open email attachments, specially coming from untrusted sources.

No comments:

Post a Comment