Thursday, January 10, 2008

New MBR Rootkit is using an old technique.

Over the past month a new piece of malicious software has emerged that hides from anti-virus software using a decades-old technique. It installs itself in the master boot record (MBR), the first sector of the hard drive and the first code the machine executes at startup, and from there patches the Windows kernel, making it hard for security software running inside the OS to detect it.

The first interesting part is the timeline:

Aug. 1, 2005 - eEye publishes PoC code
Aug. 3, 2007 - Vbootkit presentation at Black Hat USA
Oct. 30, 2007 - Original version of MBR rootkit written and tested by attackers
Dec. 12, 2007 - First known attacks installing MBR code; about 1,800 users infected in four days
Dec. 19, 2007 - Second wave of attacks installing MBR code; about 3,000 users infected in four days
Dec. 22, 2007 - Malware Research Forum members discover rootkit in the wild
Jan. 2, 2008 - GMER research and analysis of MBR rootkit code
Jan. 7, 2008 - First anti-virus vendors detect MBR rootkit components

The next big thing is that those distributing this rootkit also distribute the Torpig banking Trojan.

The rootkit is currently being installed through a set of relatively old, easy-to-patch Microsoft vulnerabilities:

Microsoft JVM ByteVerify (MS03-011)
Microsoft MDAC (MS06-014) (two versions)
Microsoft Internet Explorer Vector Markup Language (MS06-055)
Microsoft XML Core Services (MS06-071)

All four are client-side bugs reached through the browser, so a fully patched Windows and Internet Explorer are not exposed to the current installer. But that can change at any moment to something more recent.

Malicious software that infected the master boot record was common in the MS-DOS era, but it has seen little use in attacks in recent years.

The rootkit cannot be reliably removed while the infected OS is running: its code is already resident and sits between the kernel and the disk, so cleanup has to be done from an environment in which the rootkit has not been loaded. During tests, running the "fixmbr" command from the Windows Recovery Console successfully replaced the malicious MBR boot code with a clean one; fixmbr rewrites only the boot code and leaves the partition table intact. To help prevent similar attacks in the future, if your system BIOS includes a Master Boot Record (boot sector) write-protection feature, now is a good time to enable it. Be aware of its limit: the feature works by trapping BIOS disk-write calls, which 32-bit Windows drivers bypass, so it is a speed bump against a kernel-mode installer rather than a guarantee, and it will also prompt or block when you legitimately reinstall an OS or boot manager.
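Because the rootkit lives in the boot code of sector 0 and keeps the partition table intact so the machine still boots, the practical check is to hash the 446 bytes of boot code and compare them against a baseline taken from a known-clean system, reading the sector from offline boot media rather than from inside the running OS. The following Python script is an added example for this post, not code from the original article or from GMER: the two sample sectors are constructed for the demo (the "infected" one has only its first bytes of boot code replaced by a jump), and the device path in read_mbr is an assumption for wherever you run it.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510           # bytes 510..511 must be 0x55 0xAA
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code, partition table and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": partitions,
            "valid_signature": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xAA"}


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot code only; the partition table may legitimately change."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged active")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a raw device (assumed path, e.g. /dev/sda on a Linux live CD).
    Do this from offline boot media: a resident rootkit that sits between the
    kernel and the disk can hand a clean-looking sector back to an in-OS read."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a synthetic MBR for the demo (constructed data, not a real disk)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(PART_ENTRY_FMT, status, b"\x00\x00\x00", ptype,
                                 b"\x00\x00\x00", lba_start, sectors)
                     for status, ptype, lba_start, sectors in partitions)
    return code + table.ljust(4 * PART_ENTRY_LEN, b"\x00") + b"\x55\xAA"


# Constructed clean sample: one active NTFS (type 0x07) partition starting at LBA 63.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 63, 2_000_000)])
CLEAN_DIGEST = boot_code_digest(CLEAN_MBR)  # baseline captured while the system was clean

# Constructed "infected" sample: the boot code now starts with a jump elsewhere,
# while the partition table is untouched so the machine still boots normally.
_patched = bytearray(CLEAN_MBR)
_patched[0:2] = b"\xeb\x3c"
INFECTED_MBR = bytes(_patched)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, check_mbr(sector, CLEAN_DIGEST) or "OK")
```

Capture the baseline digest from offline media right after a clean build, store it off the machine, and re-check from the same offline media; after a legitimate rewrite of the boot code (an OS reinstall, a new boot manager, or running fixmbr itself) the hash will change and you need to re-baseline.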