Is a Master Boot Record (MBR) rootkit completely invisible to the OS?

BROWSE BY TAG Platform Security,   Application and Platform Security,   Enterprise Vulnerability Management,   Vulnerability Risk Assessment,   Malware, Viruses, Trojans and Spyware,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Platform Security Should developers create libraries of common cryptographic algorithms? How to secure USB ports on Windows machines What is the best database patch management process? What is an encryption collision? What are new and commonly used public-key cryptography algorithms? Should management processes change based on a patch release schedule? Does an EULA make it truly illegal to decompile software? Should businesses delay Windows Vista adoption and just buy Windows 7? Why should we place data files on a separate partition than the OS? Should Windows Mobile updates come from Microsoft? Vulnerability Risk Assessment Screencast: How to launch an OpenVAS scan Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat Newest malware threats Are Web application penetration tests still important? PCI compliance requirement 6: Systems and applications Cybercrime and threat management McAfee to acquire Solidcore Systems for whitelisting Vulnerability Risk Assessment Research Malware, Viruses, Trojans and Spyware Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Breach forces payroll service provider PayChoice to shut down again RSA research underscores problem tracking cybercriminals Conficker analysis finds P2P coding limited, less sophisticated

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary gray hat  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Boot records are reserved sectors on a disk that are used to load the operating system. The act of turning on your computer tells the BIOS to look for the master boot record (MBR), and code that is stored there loads the operating system into memory. So yes, properly crafted malicious code can be made completely invisible to the operating system, and that makes detection difficult. It also makes such code dangerous because the owner of an MBR rootkit has virtual ownership of the infected machine, which means he or she can use it to do pretty much anything, from adding it to a botnet that executes phishing attacks to installing keylogger programs to capture confidential data.

In fact, one rootkit MBR attack that has garnered considerable attention recently, Mebroot, appears to be designed for profit, not bragging rights. It has been linked to a Russian virus-writing group that specializes in stealing bank login information.

If the term "boot record" is giving you flashbacks to the 1980s -- when a whole string of viruses used MBR infection as their primary means of spreading from one PC to another -- you might be wondering why we now appear to be at risk from something that had all but died out. In fact, what died out was the floppy disk, which allowed MBR infections to spread, but also enabled a relatively simple check for infection.

Antivirus software of the eighties and nineties conducted low-level scans of floppy disks when they were inserted into a PC, alerting the user to compromised boot sectors, thereby forestalling infection. The presence of a corrupted MBR on a hard drive could be detected by booting with a known good disk and scanning the hard drive boot sector. Infection could also be detected by the actions of the malware.

The point of this potted history of MBR infection is to answer the question of how this threat can be defeated in its latest incarnation. Here are some suggestions:

1. Detect infection via a clean boot. Boot a suspect system with a CD-ROM containing a clean version of an OS, and then scan the primary hard drive with a low-level disk utility. A tool like Knoppix may be used for this process. Other utilities can repair the boot sector if it is found to be infected. Performing such scans of all systems at regular intervals may be appropriate if the MBR rootkit threat escalates.

2. Detect infection via anomalous behavior. Run memory-resident software that alerts you to actions indicative of a compromised system. I use Norton AntiBot, which promises to let me know if my machine starts acting like part of a botnet or exhibits other bad behavior likely to be instigated by a rootkit. The focus of attention here should be preventing data from leaving a system without explicit permission.

3. Preventing infection. Mebroot is propagated through drive-by downloads from compromised Web pages that cause vulnerable browsers to download an executable file. So browsers need to be patched, and OS patches should be kept current. Drive-by downloads need to be blocked, and all incoming code needs to be scanned. Last, but far from least, Microsoft should update all versions of Windows so that programs can no longer overwrite disk sectors directly from user mode without explicit permission.

Whether or not we will eventually see widespread attacks that use MBR rootkits will depend upon two factors: how quickly and effectively legitimate software vendors and users react to the threat, and how successful rootkit authors are at producing potentially profitable code. There is some indication that Mebroot is still a work in progress, but if its authors see a chance to earn a lot of money from widespread infection, they are likely to take it.

More information: