A Rootkit May Be Lurking on Your Boot Record

Filed in archive Malware on January 11, 2008

According to Symantec a new rootkit has been found. The kit, named Trojan.Mebroot, lurks in a PC's master book record. What's particularly nasty about this one is it's beginning to infect Windows PCs, and even worse, it's undetectable to most anti-virus software. Symantec says Trojan.Mebroot overwrites the MBR, thereby taking total control of the system:

The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector 0 as a standard user is a relatively easy task. This issue has been known for quite some time, and still affects the 2K/XP families, while Vista was partially secured in 2006 (after Release Candidate 2) after a successful attack demonstration made by Joanna Rutkowska.

It appears to be a derivative of the BootRoot and its kernel has been designed to install a backdoor Trojan. For now, it's only being found on XP systems. Vista's User Account Control seems to be keeping it at bay for now. It takes advantage of the following vulnerabilities:

Microsoft JVM ByteVerify (MS03-011)
Microsoft MDAC (MS06-014) (two versions)
Microsoft Internet Explorer Vector markup language (MS06-055)
Microsoft XML CoreServices (MS06-071)

You can check out the history of the rootkit at the Internet Storm Center.