-
March 5th, 2008, 10:42 PM
#1
MBR Rootkit
MBR Rootkit, A New Breed of Malware - F-Secure Blog
Yup, Master Boot Record rootkits. Run screaming for the hills...
This new Windows MBR rootkit launches itself very early during the Windows startup process without requiring any registry or file modifications. In fact, it is quite surprising that it's possible to write to the MBR from within Windows to begin with.
The MBR rootkit — known as "Mebroot" — is very advanced and probably the stealthiest malware we have seen so far. It keeps the amount of system modifications to a minimum and is very challenging to detect from within the infected system.
Hit the above link to read up on its "stealth features"...
-
March 6th, 2008, 12:41 AM
#2
Wow, I was reading that stuff for a bit and it's intense... If only I was smart enough to write something like that..
-
March 6th, 2008, 01:11 AM
#3
Wow is right... it's very ingenious. Good read, thanks phernandez
-
March 6th, 2008, 01:53 AM
#4
So, besides TPM, how can one be sure their systems are not infected by this?
PXE boot environment to scan the MBR of the HD and partitions and then when it's found clean, then boot to the HD?
Last edited by phishphreek; March 6th, 2008 at 02:56 AM.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
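One way to do the offline MBR check proposed above, as an added example that is not part of this thread: parse sector 0 of the disk, verify the 0x55AA boot signature, list the partition entries, and compare a SHA-256 of the 440-byte boot-code region against a baseline hash recorded while the disk was known clean. The MBR bytes below are constructed for the example; on a real machine you would read the first 512 bytes of the disk from the PXE-booted environment and keep the baseline hash off the host.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440    # boot code occupies bytes 0..439, before the disk signature
PART_TABLE_OFF = 446   # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"  # mandatory signature at bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Parse a raw 512-byte MBR into a boot-code hash, disk signature and partition list."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": parts,
    }


def mbr_matches_baseline(sector: bytes, baseline_sha256: str) -> bool:
    """True if the boot code still hashes to the baseline taken when the disk was clean."""
    return parse_mbr(sector)["boot_code_sha256"] == baseline_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR (not a real rootkit): a boot-code stub plus one NTFS partition."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, 0x1234ABCD)  # disk signature
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Typical prologue bytes: cli; xor ax,ax; mov ss,ax; mov sp,0x7c00
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# A later capture whose boot code differs by one byte: must be flagged as modified
MODIFIED_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7d")

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print("clean:", mbr_matches_baseline(CLEAN_MBR, BASELINE),
          "modified:", mbr_matches_baseline(MODIFIED_MBR, BASELINE))
```

A changed partition table or disk signature is also worth alerting on, but the boot-code hash is the field an MBR-resident loader has to alter.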
-
March 6th, 2008, 03:47 AM
#5
Yeah, very interesting article. I've been searching around for about an hour now and found no simple solutions. The seemingly easiest solution was the BIOS write protect option for the MBR. Obviously not all BIOSes have this feature, including my own system.
How hard would it be for companies to put out an updated BIOS with this option?
The object of war is not to die for your country but to make the other bastard die for his - George Patton
-
March 6th, 2008, 09:31 AM
#6
Very good.
I will check if Panda knows anything about this.
Thanks for the heads up.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
March 6th, 2008, 01:07 PM
#7
Hmmmm,
I have not tried this yet but it might help:
http://www.gmer.net/files.php
Protecting the MBR in BIOS sounds pretty cool, except from the last time I looked at that (back in the days of 486 chipsets) IT DIDN'T ACTUALLY PROTECT.
What would happen is the next time you booted you would get a message along the lines of: "MBR has been changed, possible virus, boot? [Y]/[N]"
Obviously, the majority of users will click [Y], given the result of taking the alternative option.
When everything "seems" to work OK, they will just forget about it, and carry on as normal.
I am not running Vista at the moment, but I wonder if this is something that UAC would block. IIRC IE runs in protected mode and you need admin to modify the MBR?
-
March 6th, 2008, 03:22 PM
#8
Originally Posted by ShagDevil
How hard would it be for companies to put out an updated BIOS with this option?
I wouldn't go holding my breath...
-
March 6th, 2008, 03:38 PM
#9
Did some more searching and no direct solutions have appeared. I'll try and keep an eye for anything I find and post it here.
I wouldn't go holding my breath...
Yeah, I kind of thought it might be a pipe dream. I guess at this point, one can only hope that the code can be caught prior to any MBR alterations.
The object of war is not to die for your country but to make the other bastard die for his - George Patton
-
March 11th, 2008, 10:42 PM
#10
Yow, that's not pretty. Rewriting the MBR won't do much good with a corrupted kernel. Couldn't the module hook in the kernel be detected somehow?
“Everybody is ignorant, only on different subjects.” — Will Rogers