Anti-virus vendors have raised an alarm for a stealthy new MBR (Master Boot Record) rootkit that takes aim squarely at Windows XP and Windows Vista machines.
The rootkit, identified by Symantec as Trojan.Mebroot, was spotted in the wild as part of a drive-by malware download attack.
Symantec researcher Elia Florio says the rootkit takes control of the system by overwriting the MBR with its own code, making it very difficult to find and remove while the hijacked operating system is running.
[ SEE: MS Watches as Vista Gets ‘0wn3d’ by Rootkit ]
It appears that the MBR rootkit is based on theoretical research presented at security conferences in recent years.
Florio said the current code in the MBR rootkit was “partially copied” from eEye BootRoot, a proof-of-concept presented at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh.
According to Matt Richard from Verisign’s iDefense research unit, the MBR rootkit has been circulating since the middle of December 2007, but anti-virus detection was added only on January 7, 2007.
[ SEE: Where are Rootkits Coming From? ]
The folks at gmer.net explain the characteristics of the rootkit and how it works:
“Full control of the machine’s boot process-code is executed before the OS starts.The rootkit does not need a file [because the] code could exist in some sectors of the disk and it cannot be deleted as a usual file.The rootkit does not need any registry entry because it is loaded by MBR code.To hide itself, the rootkit needs to control only a few sectors of the disk.“
The current version of the rootkit attack is using several old (already patched) vulnerabilities to infect machines. They include:
“Microsoft JVM ByteVerify (MS03-011)Microsoft MDAC (MS06-014) (two versions)Microsoft Internet Explorer Vector Markup Language (MS06-055)Microsoft XML CoreServices (MS06-071)“
A sample of the rootkit is available at Offensive Computing. (Warning: This site contains samples of live malware. Use at your own risk.)