NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0361 Rootkit Hides in Master Boot Record:
A rootkit that hides from Windows in the hard drive's boot sector is infecting
PCs, security researchers said today, and they warn that once installed, the
cloaking software is undetectable by most current antivirus programs. The rootkit
overwrites the hard drive's master boot record (MBR), the first sector -- sector 0
-- where the code that bootstraps the operating system is stored and run after the
computer's BIOS finishes its start-up checks. Because it lives in the MBR, the
rootkit is effectively invisible to the operating system and to any security
software installed on that operating system. The rootkit installs itself before
the operating system loads and starts executing before the main operating system
has a chance to run. According to other researchers, including those with the
SANS Institute's Internet Storm Center, the rootkit has infected several thousand
PCs since mid-December. It is used to cloak a follow-on bank-account-stealing
Trojan horse from detection, as well as to reinstall that identity thief if a
security scanner somehow sniffs it out. The director of VeriSign Inc.'s iDefense
Labs pegged the start of the MBR rootkit's in-the-wild appearance as 12 December,
with a second round of attacks on 19 December. He says that, so far, nearly 5,000
PCs have been infected by the rootkit. The rootkit is hard-coded to work only on
Windows XP systems. Once it is on the drive, though, the MBR rootkit is very
difficult to detect, Friedrichs admitted. The best defense, therefore, is to
sniff it out before it manages to worm its way onto sector 0. Once it has tampered
with the master boot record, the only way to remove it is to boot from the Windows
installation disk and run the Windows Recovery Console. From the Recovery Console,
a Symantec researcher says, users can run the "fixmbr" command to remove the rootkit.
To help prevent similar attacks in the future, and if your system BIOS includes a
Master Boot Record write-protection feature, the researcher says now is a good time
to enable it.
(ComputerWorld 09JAN08)
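As an added example (not part of this advisory or the ComputerWorld article), the check below parses a 512-byte sector 0 into its boot-code area, disk signature and partition table, then compares the boot-code area against a SHA-256 baseline recorded while the machine was known clean. The sample MBRs, the function names and the constants are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bootstrap code area that an MBR rootkit overwrites
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow the disk signature
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid sector 0

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector 0 into boot code, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start, type, CHS end, LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "disk_signature": sector[440:444].hex(),
            "partitions": partitions}

def boot_code_hash(sector: bytes) -> str:
    """Hash the code area only, so partition-table edits do not raise a false alarm."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means sector 0 matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from recorded baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected one bootable partition, found {len(bootable)}")
    return findings

def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a constructed sector 0 for testing (not read from a real disk)."""
    table = b"".join(entries).ljust(64, b"\x00")
    disk_sig = b"\xde\xad\xbe\xef\x00\x00"    # constructed 4-byte signature + 2 reserved bytes
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + disk_sig + table + BOOT_SIGNATURE

# Constructed sample: a clean MBR, then the same disk with its boot code replaced.
NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [NTFS_ENTRY])
BASELINE = boot_code_hash(CLEAN_MBR)          # record this while the system is known clean
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90CONSTRUCTED-LOADER", [NTFS_ENTRY])

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))        # []
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))  # boot code differs from baseline
```

Since the advisory notes that the rootkit is invisible to the operating system it runs under, read sector 0 from a clean boot environment rather than from the possibly infected system, and keep the baseline hash off that machine.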