News Stay informed about the latest enterprise technology news and product updates.

New rootkit threatens Windows users

A rootkit discovered in the wild has silently infected about 5,000 victims' machines, according to a warning issued by Symantec security researchers.

Security Researchers at Symantec Corp. issued a warning this week about a new rootkit in the wild using an older method to silently attack and take over a victim's machine running Microsoft Windows XP.

Symantec Security Response, in Cupertino, Calif., said the Trojan.Mebroot takes control of the system by overwriting the master boot record with its own code. The master boot record is an important part of partitioned storage on a computer's hard disk and contains the important startup files that run the machine's operating system.

The malicious code replacing the boot record contains a "custom designed stealth back door Trojan 467 KB in size, stored in the last sectors of the disk," according to Symantec in its Security Response blog.

"Rootkits themselves are hardly a new threat, but the inclusion of the MBR as part of the infection is not considered common," Symantec researcher Elia Florio said in the blog posting. "We expect to see more variants targeting the MBR to appear in the future."

Shining a spotlight on rootkits: In this tip, contributor Scott Sidel discusses rootkit attacks, and unveils several free software tools that can help to assist security professionals in the rootkit detection process.

Building malware defenses: From rootkits to bootkits: There's an evolving form of malware on the scene that can silently and maliciously wreak havoc on operating systems.

Black Hat 2007: Rootkit hunters caught in cat-and-mouse game
 Is Joanna Rutkowska's infamous Blue Pill rootkit really undetectable? Researchers at Black Hat USA explain how to find it, but there's a catch: their method may not always work.

The rootkit was originally discovered by security researcher Matt Richard of Verisign's iDefense labs. Richard said the first attacks in the wild began Dec. 12 and infected about 1,800 users. Dec. 19, a second wave of attacks infected about 3,000 more users. Richard said antivirus vendors are now detecting the rootkit components.

The method is similar to the "blue pill," which was demonstrated in 2006 by security researcher Joanna Rutkowska. At the time, Rutkowska, a security researcher who founded Invisible Things Lab in Warsaw, Poland, developed a blue pill of sorts that will create a fake reality enabling rootkits and other malware to be undetectable for anti-malware sensors, including those baked into Microsoft's upcoming Windows Vista operating system. Vista has since been tweaked to address the vulnerability.

At the 2007 Black Hat conference, security researchers Nate Lawson of Root Labs, Peter Ferrie of Symantec Corp., and Thomas Ptacek of Matasano Security are scheduled talked about research they conducted showing that virtualized rootkits will always be detectable.

Symantec said the Trojan Mebroot runs successfully only on Windows XP. The researchers said the rootkit cannot be removed while the OS is running. Computers can be protected if their BIOS includes a Master Boot Record write-protection feature, Symantec said.

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.