MBR Rootkit

MBR Rootkit, A New Breed of Malware - F-Secure Blog

Yup, Master Boot Record rootkits. Run screaming for the hills...

Quote:

---

This new Windows MBR rootkit launches itself very early during the Windows startup process without requiring any registry or file modifications. In fact, it is quite surprising that it's possible to write to the MBR from within Windows to begin with.

The MBR rootkit — known as "Mebroot" — is very advanced and probably the stealthiest malware we have seen so far. It keeps the amount of system modifications to a minimum and is very challenging to detect from within the infected system.

---

Hit the above link to read up on its "stealth features"...

Wow I was reading that stuff for a bit and its intense... Only if I was smart enough to right something like that..

Wow is right... it's very ingenious. Good read, thanks phernandez

So, besides TPM, how can one be sure their systems are not infected by this?
PXE boot environment to scan the MBR of the HD and partitions and then when it's found clean, then boot to the HD?

Yeah, very interesting article. I've been searching around for about an hour now and found no simple solutions. The seemingly easiest solution was the BIOS write protect option for the MBR. Obviously not all BIOS's have this feature including my own system.

How hard would it be for companies to put out an updated BIOS with this option?

Very good.

I will check if Panda knows anything about this.

Thanks for the heads up.

Hmmmm,

I have not tried this yet but it might help:

http://www.gmer.net/files.php

Protecting the MBR in BIOS sounds pretty cool, except from the last time I looked at that (back in the days of 486 chipsets :eek:) IT DIDN'T ACTUALLY PROTECT.

What would happen is the next time you booted you would get a message along the lines of: "MBR has been changed, possible virus, boot? [Y]/[N]"

Obviously, the majority of users will click [Y], given the result of taking the alternative option :D

When everything "seems" to work OK, they will just forget about it, and carry on as normal.

I am not running Vista at the moment, but I wonder if this is something that UAC would block. IIRC IE runs in protected mode and you need admin to modify the MBR?

Quote:

---

Originally Posted by ShagDevil

How hard would it be for companies to put out an updated BIOS with this option?

---

I wouldn't go holding my breath...

Did some more searching and no direct solutions have appeared. I'll try and keep an eye for anything I find and post it here.

Quote:

---

I wouldn't go holding my breath...

---

Yeah, I kind of thought it might be a pipe dream. I guess at this point, one can only hope that the code can be caught prior to any MBR alterations.

Yow, that's not pretty. Rewriting the MBR won't do much good
with a corrupted kernel. Couldn't the module hook in the kernel
be detected somehow?