Is a Master Boot Record (MBR) rootkit completely invisible to the OS?

Whether or not we see widespread attacks that use MBR rootkits will depend upon two factors. Platform security expert Michael Cobb explains them both.

When a rootkit takes hold of a Master Boot Record, is it completely invisible to the operating system? If so, how do I know that I have one, and how do I get rid of it?
Boot records are reserved sectors on a disk that are used to load the operating system. The act of turning on your computer tells the BIOS to look for the master boot record (MBR), and code that is stored there loads the operating system into memory. So yes, properly crafted malicious code can be made completely invisible to the operating system, and that makes detection difficult. It also makes such code dangerous because the owner of an MBR rootkit has virtual ownership of the infected machine, which means he or she can use it to do pretty much anything, from adding it to a botnet that executes phishing attacks to installing keylogger programs to capture confidential data.

In fact, one rootkit MBR attack that has garnered considerable attention recently, Mebroot, appears to be designed for profit, not bragging rights. It has been linked to a Russian virus-writing group that specializes in stealing bank login information.

If the term "boot record" is giving you flashbacks to the 1980s -- when a whole string of viruses used MBR infection as their primary means of spreading from one PC to another -- you might be wondering why we now appear to be at risk from something that had all but died out. In fact, what died out was the floppy disk, which allowed MBR infections to spread, but also enabled a relatively simple check for infection.

Antivirus software of the eighties and nineties conducted low-level scans of floppy disks when they were inserted into a PC, alerting the user to compromised boot sectors, thereby forestalling infection. The presence of a corrupted MBR on a hard drive could be detected by booting with a known good disk and scanning the hard drive boot sector. Infection could also be detected by the actions of the malware.

The point of this potted history of MBR infection is to answer the question of how this threat can be defeated in its latest incarnation. Here are some suggestions:

1. Detect infection via a clean boot. Boot a suspect system with a CD-ROM containing a clean version of an OS, and then scan the primary hard drive with a low-level disk utility. A tool like Knoppix may be used for this process. Other utilities can repair the boot sector if it is found to be infected. Performing such scans of all systems at regular intervals may be appropriate if the MBR rootkit threat escalates.

2. Detect infection via anomalous behavior. Run memory-resident software that alerts you to actions indicative of a compromised system. I use Norton AntiBot, which promises to let me know if my machine starts acting like part of a botnet or exhibits other bad behavior likely to be instigated by a rootkit. The focus of attention here should be preventing data from leaving a system without explicit permission.

3. Preventing infection. Mebroot is propagated through drive-by downloads from compromised Web pages that cause vulnerable browsers to download an executable file. So browsers need to be patched, and OS patches should be kept current. Drive-by downloads need to be blocked, and all incoming code needs to be scanned. Last, but far from least, Microsoft should update all versions of Windows so that programs can no longer overwrite disk sectors directly from user mode without explicit permission.

Whether or not we will eventually see widespread attacks that use MBR rootkits will depend upon two factors: how quickly and effectively legitimate software vendors and users react to the threat, and how successful rootkit authors are at producing potentially profitable code. There is some indication that Mebroot is still a work in progress, but if its authors see a chance to earn a lot of money from widespread infection, they are likely to take it.

More information:

  • Learn more about Mebroot.
  • Make sure that you're ready for both rootkits and bootkits.
  • This was last published in June 2008

    Dig Deeper on Risk assessments, metrics and frameworks