New rootkit threatens Windows users

By SearchSecurity.com Staff 09 Jan 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Security Researchers at Symantec Corp. issued a warning this week about a new rootkit in the wild using an older method to silently attack and take over a victim's machine running Microsoft Windows XP.

Symantec Security Response, in Cupertino, Calif., said the Trojan.Mebroot takes control of the system by overwriting the master boot record with its own code. The master boot record is an important part of partitioned storage on a computer's hard disk and contains the important startup files that run the machine's operating system.

The malicious code replacing the boot record contains a "custom designed stealth back door Trojan 467 KB in size, stored in the last sectors of the disk," according to Symantec in its Security Response blog.

"Rootkits themselves are hardly a new threat, but the inclusion of the MBR as part of the infection is not considered common," Symantec researcher Elia Florio said in the blog posting. "We expect to see more variants targeting the MBR to appear in the future."

Rootkits: Shining a spotlight on rootkits: In this tip, contributor Scott Sidel discusses rootkit attacks, and unveils several free software tools that can help to assist security professionals in the rootkit detection process. Building malware defenses: From rootkits to bootkits: There's an evolving form of malware on the scene that can silently and maliciously wreak havoc on operating systems. Black Hat 2007: Rootkit hunters caught in cat-and-mouse game Is Joanna Rutkowska's infamous Blue Pill rootkit really undetectable? Researchers at Black Hat USA explain how to find it, but there's a catch: their method may not always work.

The rootkit was originally discovered by security researcher Matt Richard of Verisign's iDefense labs. Richard said the first attacks in the wild began Dec. 12 and infected about 1,800 users. Dec. 19, a second wave of attacks infected about 3,000 more users. Richard said antivirus vendors are now detecting the rootkit components.

The method is similar to the "blue pill," which was demonstrated in 2006 by security researcher Joanna Rutkowska. At the time, Rutkowska, a security researcher who founded Invisible Things Lab in Warsaw, Poland, developed a blue pill of sorts that will create a fake reality enabling rootkits and other malware to be undetectable for anti-malware sensors, including those baked into Microsoft's upcoming Windows Vista operating system. Vista has since been tweaked to address the vulnerability.

At the 2007 Black Hat conference, security researchers Nate Lawson of Root Labs, Peter Ferrie of Symantec Corp., and Thomas Ptacek of Matasano Security are scheduled talked about research they conducted showing that virtualized rootkits will always be detectable.

Symantec said the Trojan Mebroot runs successfully only on Windows XP. The researchers said the rootkit cannot be removed while the OS is running. Computers can be protected if their BIOS includes a Master Boot Record write-protection feature, Symantec said.

Tags: Malware, Viruses, Trojans and Spyware,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Malware, Viruses, Trojans and Spyware Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Breach forces payroll service provider PayChoice to shut down again RSA research underscores problem tracking cybercriminals Conficker analysis finds P2P coding limited, less sophisticated

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary