Saturday, March 24, 2018
Submit your own News for
inclusion in our Site.
Click here...
Breaking News
Tesla and Mozilla Among Businesses That Paused Facebook
Low-Cost iPad For Classrooms Coming Next Week
Google Says Publishers are Responsible for Getting Users' Consent to Comply With New EU Privacy Law
Samsung Electronics Shareholders Approve Stock Split, Company Talks About Future for Smartphones, Chips
Streaming Services Keep Driving Music Business
Huawei Could Release 512GB and Blockchain-Ready Smartphone
Sony Announces Pricing and Availability for A8F BRAVIA OLED TVs and 85" Class X900F and X850F Series 4K HDR TVs
New Samsung Exynos 7 Series 9610 Mobile Processor focuses on Multimedia
Active Discussions
Which of these DVD media are the best, most durable?
How to back up a PS2 DL game
Copy a protected DVD?
roxio issues with xp pro
Help make DVDInfoPro better with dvdinfomantis!!!
menu making
Optiarc AD-7260S review
cdrw trouble
 Home > News > General Computing > Symante...
Last 7 Days News : SU MO TU WE TH FR SA All News

Thursday, January 10, 2008
Symantec Reports Rootkit in Master Boot Record of Windows XP

Responding to recent reports of an MBR (Master Boot Record) rootkit in the wild, Symantec released on Thusday an analysis of the problem.

An MBR is the first sector of a storage device such as a hard disk, and is generally used for bootstrapping the operating system after the computer's BIOS has done its startup checks. Basically, if you can control the MBR, you can control the operating system and therefore the computer it resides on.

MBR-based attacks have been around since the MS-DOS era. In 2007, Nitin and Vipin Kumar of NVLabs published a second PoC MBR rootkit called "Vbootkit" , which was able to exploit the latest version of Microsoft Vista. But, now the bad news is that this time the MBR rootkit is not in the form of a PoC demonstration, but is an active threat found in the wild and infecting computers through drive-by exploits via Web sites. Symantec detects this threat as Trojan.Mebroot.

Trojan.Mebroot takes control of the system by overwriting the MBR with its own code. Analysis of Trojan.Mebroot shows that its current code is at least partially copied from the original eEye BootRoot code. The kernel loader section, however, has been modified to load a custom designed stealth back door Trojan 467 KB in size, stored in the last sectors of the disk.

The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector 0 as a standard user is a relatively easy task. This issue has been known for quite some time, and still affects the 2K/XP families, while Vista was partially secured in 2006 (after Release Candidate 2) after a successful attack demonstration made by Joanna Rutkowska. The attack is called the "Pagefile Attack".

Rootkits themselves are hardly a new threat, but the inclusion of the MBR as part of the infection is not considered common. They were previously demonstrated as possible, but were not identified in the wild. Now that this has changed, Symantec expects to see more variants targeting the MBR to appear in the future.

For now, Trojan.Mebroot seems to run successfully only on Windows XP (all Service Packs) due to some hard-coded values inside the attack code. For a complete analysis of the threat, please refer to Symantec's writeup for Trojan.Mebroot.

There appears to be a link between Trojan.Mebroot and Trojan.Anserin. Similarities such as the main distribution Web site and the polymorphic packer used in both threats suggest that they may be closely related.

The rootkit cannot be removed while the OS is running, as it must be removed while the rootkit code itself is not running. During our tests, running the "fixmbr" command from within the Windows Recovery Console successfully removed the malicious MBR entry. To help prevent similar attacks in the future, and if your system BIOS includes the Master Boot Record write-protection feature, Symantec suggests that now is a good time to enable it.

Panasonic's Wireless Home Theater with Integrated Blu-ray Player        All News        Matsushita to Change Corporate Name to Panasonic
Amazon to Sell Sony's DRM-free Music     General Computing News      Matsushita to Change Corporate Name to Panasonic

Get RSS feed Easy Print E-Mail this Message

Related News
Western Energy Sector Targeted by Dragonfly Cyber Espionage Group
Symantec Points at North Korean Hackers in Ransomware Attacks
Symantec to Buy LifeLock for $2.3 Billion to Form Digital Safety Platform
Symantec Announces $4.7 billion Acquisition Of Blue Coat and Strengthen Its Enterprise Cybersecurity Offerings
Symantec to Offload Veritas
Symantec To Sell Veritas Storage Unit: report
Cisco Identifies Virus That Kills Off PCs
Symantec to Pay $17 mln For Patent Infringement
Researchers Identify iOS Espionage App
Researchers Identify New iOS Vulnerability
Symantec to Separate into Two Technology Companies
China To bar Symantec, Kaspersky Anti-virus: report

Most Popular News
Home | News | All News | Reviews | Articles | Guides | Download | Expert Area | Forum | Site Info
Site best viewed at 1024x768+ - CDRINFO.COM 1998-2018 - All rights reserved -
Privacy policy - Contact Us .