Security Researchers at Symantec Corp. issued a warning this week about a new rootkit in the wild using an older method to silently attack and take over a victim's machine running Microsoft Windows XP.
Symantec Security Response, in Cupertino, Calif., said the Trojan.Mebroot takes control of the system by overwriting the master boot record with its own code. The master boot record is an important part of partitioned storage on a computer's hard disk and contains the important startup files that run the machine's operating system.
The malicious code replacing the boot record contains a "custom designed stealth back door Trojan 467 KB in size, stored in the last sectors of the disk," according to Symantec in its Security Response blog.
"Rootkits themselves are hardly a new threat, but the inclusion of the MBR as part of the infection is not considered common," Symantec researcher Elia Florio said in the blog posting. "We expect to see more variants targeting the MBR to appear in the future."
The rootkit was originally discovered by security researcher Matt Richard of Verisign's iDefense labs. Richard said the first attacks in the wild began Dec. 12 and infected about 1,800 users. Dec. 19, a second wave of attacks infected about 3,000 more users. Richard said antivirus vendors are now detecting the rootkit components.
The method is similar to the "blue pill," which was demonstrated in 2006 by security researcher Joanna Rutkowska. At the time, Rutkowska, a security researcher who founded Invisible Things Lab in Warsaw, Poland, developed a blue pill of sorts that will create a fake reality enabling rootkits and other malware to be undetectable for anti-malware sensors, including those baked into Microsoft's upcoming Windows Vista operating system. Vista has since been tweaked to address the vulnerability.
At the 2007 Black Hat conference, security researchers Nate Lawson of Root Labs, Peter Ferrie of Symantec Corp., and Thomas Ptacek of Matasano Security are scheduled talked about research they conducted showing that virtualized rootkits will always be detectable.
Symantec said the Trojan Mebroot runs successfully only on Windows XP. The researchers said the rootkit cannot be removed while the OS is running. Computers can be protected if their BIOS includes a Master Boot Record write-protection feature, Symantec said.