PandaLabs, Panda Security’s malware analysis and detection laboratory, has detected the appearance of Trojans that include rootkits (MBRtool.A, MBRtool.B, MBRtool.C, etc.) designed to replace the master boot record (MBR), the first or zero sector of the hard disk, with one of their own. A rootkit is a program designed to take fundamental control of a computer system without authorization from the system’s owners and legitimate administrators.
This new form of attack is a revolutionary use of rootkits, making it even more difficult to detect the associated malicious code.
“This system of attack makes it practically impossible to detect the rootkits and the malicious code they hide once they are installed on a computer,” said Luis Corrons, technical director of PandaLabs. “The only feasible defense is to detect these rootkits before they enter the computer. In anticipation of other similar malicious code that may appear, it is essential to use proactive technologies that can detect threats without having previously identified them.”
The aim of rootkits when employed by cyber-crooks is to hide the action of malware, making it more difficult to detect. Until now, rootkits were installed in system processes, but the new strains detected by PandaLabs are installed on a part of the hard disk that runs even before the operating system starts up. When one of these new rootkits is run on a system, it makes a copy of the existing MBR, modifying the original with malicious instructions.
This means if there is an attempt to access the MBR, the rootkit will redirect to the genuine one, preventing users or applications from finding anything suspicious.
The modifications made mean that when a user starts up the computer, the manipulated MBR will run before the operating system is loaded. At that moment, the rootkit will run the rest of its code, thereby completely hiding itself and any associated malicious code. Until now, rootkits were used to hide files or processes, but these new examples can trick the system directly. Their location means that users won’t notice any anomaly in any system process, as the rootkit loaded in memory will be monitoring all access to the disk to make any of its associated malware invisible to the system.
Users should take precautions against this new type of threat and not run any file from unknown sources. To remove the malicious code, infected users should start up their computers from a boot CD so that the MBR is not executed. They should then restore the MBR using a utility such as fixmbr in the Windows Recovery Console, if that operating system is installed.
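Because the rootkit intercepts reads of sector 0 and hands back the saved genuine copy, an integrity check of the MBR is only meaningful when the sector image is captured after booting from clean media, as the cleanup procedure above describes. The following Python example is added here and is not code from the article or from PandaLabs; it parses a 512-byte MBR image into its bootstrap code and partition table and compares it against a trusted baseline, reporting whether the bootstrap code was rewritten while the partition table was left intact (the pattern the article attributes to these rootkits). The image path, the sample partition layout and all byte strings are constructed for the example; only the MBR layout itself (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature) is the real on-disk format.

```python
"""Offline MBR integrity check: compare a captured sector 0 image against a
trusted baseline. Run it from clean boot media, never from the possibly
infected operating system, because a running MBR rootkit returns the
genuine sector to any reader."""
import hashlib
import struct

MBR_SIZE = 512                 # the MBR is the whole first sector
BOOT_CODE_LEN = 446            # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR

# Each partition entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
PART_ENTRY_FMT = "<B3xB3xII"


def read_sector0(path: str) -> bytes:
    """Read the first 512 bytes of a raw disk device or disk image (hypothetical path)."""
    with open(path, "rb") as disk:
        return disk.read(MBR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into a bootstrap-code hash and a partition list."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        offset = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, sector, offset)
        if ptype == 0:
            continue  # empty entry
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, captured: bytes) -> dict:
    """Report which parts of the captured MBR differ from the trusted baseline.

    A changed bootstrap code with an unchanged partition table is the signature
    of an MBR replaced by a rootkit rather than a legitimate repartitioning."""
    base, cap = parse_mbr(baseline), parse_mbr(captured)
    return {
        "boot_code_changed": base["boot_code_sha256"] != cap["boot_code_sha256"],
        "partition_table_changed": base["partitions"] != cap["partitions"],
    }


def build_sample_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Construct a synthetic MBR image for testing (not a real boot sector)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(PART_ENTRY_FMT, *entry) for entry in partitions)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return code + table + BOOT_SIGNATURE


# Constructed samples: a baseline image taken from a known-clean machine and a
# captured image whose bootstrap code was rewritten but whose partition table
# is identical. Neither contains real or malicious boot code.
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 409600)]   # bootable NTFS-type entry
BASELINE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64,
                                SAMPLE_PARTITIONS)
CAPTURED_MBR = build_sample_mbr(b"CONSTRUCTED-MODIFIED-BOOT-CODE" + b"\x90" * 64,
                                SAMPLE_PARTITIONS)

if __name__ == "__main__":
    print("baseline vs itself:   ", compare_mbr(BASELINE_MBR, BASELINE_MBR))
    print("baseline vs captured: ", compare_mbr(BASELINE_MBR, CAPTURED_MBR))
    # On a real system, after booting clean media, replace CAPTURED_MBR with
    # read_sector0("/dev/sda") and BASELINE_MBR with an image saved earlier.
```

The baseline hash should be taken once from a clean installation and stored off the machine; the comparison is then a cheap check to run from rescue media before deciding whether an MBR restore is needed.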
“These rootkits can also affect other platforms, such as Linux, as their action is independent of the operating system installed on the computer,” added Corrons.