ECommerceTimes.com

Old Hack, New Twist: When Rootkits Grab Hold of MBRs

Attacking the master boot record with a rootkit puts a new spin on an old-school hack. "Rootkits were used on Unix platforms 10 years ago," said Symantec's Alfred Huger, adding that they may be a new concept to today's IT people. "Hackers are merely reinventing the mouse trap," he said. "There are only so many things you can do to a computer."

In order to turn bigger profits from their armies of compromised computers, hackers this year will use a new tactic in targeting master boot records with viruses that plant rootkits on computers' hard drives, security experts warn. These infections activate during the boot sequence before the operating system starts.

The MX Logic Threat Center has identified multiple master boot record (MBR) viruses in recent weeks. This signifies the next wave of malware, as cyber criminals continue to make malware and rootkits less detectable and more difficult to remediate, according to MX Logic.

"We started seeing this in the wild in mid-December attacking unpatched computers," Sam Masiello, director of threat management at MX Logic, told TechNewsWorld.

Troublesome Combination

MBR viruses start when a computer's BIOS (basic input-output system) reads sector 0 of the hard drive and executes the master boot code stored there, before the operating system loads. That first sector is the Master Boot Record: 446 bytes of boot code that tells the computer how to boot, followed by the partition table and a two-byte boot signature.

This makes these stealthy rootkits more difficult to detect and remove than traditional rootkits, which attach themselves to Windows device drivers. Because sector 0 lies outside every partition, MBR rootkits remain on a computer even after the operating system is uninstalled, according to Masiello.

Until now, a rootkit was an application that attached itself to a Windows program executable. It is the remnant of the malware that stays active on a computer after the rest of the code has been removed, he said.

"This lets hackers still contact a compromised machine. Now they can attach the rootkit to the MBR," Masiello explained, adding that the rootkit operates under the operating system, which can't see it.

New Twist

Until now, rootkit infections were not very common, although they did exist. They were mostly used in targeted attacks of a particular computer or a selected company.

"Rootkit infections aren't always the ideal attack method because they introduce instability to the computer and use a lot of assets," Alfred Huger, vice president of development for software security firm Symantec (Nasdaq: SYMC), told TechNewsWorld.

Almost all antivirus vendors now have rootkit protection. Symantec's product, for instance, seeks out multiple types of rootkits by using newer detection methods that work at the BIOS level rather than trying to identify signatures, he said.

Old Is New

Actually, this so-called new attack method is really a very old technique being circulated again. "Rootkits were used on Unix platforms 10 years ago," said Huger, adding that they may be a new concept to today's IT people.

"Hackers are merely reinventing the mouse trap," he said. "There are only so many things you can do to a computer."

Regardless of how experts explain it, rootkits and MBR viruses are old attack methods that are now reappearing together. However, some security experts are not overly worried about their reappearance.

"Antivirus vendors shut these attacks down once before and will do the same thing again," Paul Henry, vice president of technology evangelism at Secure Computing, told TechNewsWorld.

Security vendors, he said, already developed defenses for this combination of MBR and rootkit attack -- or will have new solutions ready soon.

Blended Defenses Needed

Others see the appearance of MBR and rootkit infections as a reason for serious concern. While it is not a new technique, the combination of an MBR virus with a stealth rootkit can be a very powerful hacker weapon.

"I see in 2008 and beyond this attack combination will continue to evolve and get better focused. We won't be able to detect these for months at a time," Don DeBolt, director of antispyware research at software firm CA, told TechNewsWorld.

The security industry has to develop new blended defenses, and enterprises will have to use aggressive filters at the network perimeter, he said.

Hard to Kill

Versions of Microsoft (Nasdaq: MSFT) Windows such as XP have a built-in command that may neutralize these MBR infections, according to Masiello. Computer users can issue the FixMBR command in the Recovery Console, which writes fresh master boot code to sector 0 of the hard disk drive while leaving the partition table in place.

However, that and other methods do not always succeed, he said. For example, FixMBR will restore the master boot record to a previous state, but that state might also be infected. System Restore does not reset the pre-rootkit condition, either.

"The rootkit can survive a hard drive reformat and reinstallation of the Windows OS. The only good chance is to use a tool that wipes out sector zero," Masiello said. "Otherwise, users really can't do much about it."
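The MBR layout described under "Troublesome Combination" and the FixMBR-versus-wipe-sector-zero trade-off above can be made concrete. The following Python is an added example, not code from the article or from MX Logic or any other vendor it quotes. The sample sector, the "clean" boot code and the "infected" variant are constructed stand-ins (real boot code and real rootkit code are not reproduced here), and the script works on an in-memory 512-byte buffer rather than reading a physical disk's sector 0, which would require raw device access.

```python
"""Inspect a 512-byte master boot record (MBR), flag modified boot code,
and show what a FixMBR-style repair does versus wiping sector zero.

Added example: this is not code from the article or from any vendor it
quotes. The sample MBR, the "clean" boot code and the "infected" variant
are all constructed here for illustration."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code the BIOS jumps to
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the code
PART_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


def has_valid_signature(mbr):
    """True if the sector is 512 bytes and ends with the 0x55AA signature."""
    return len(mbr) == SECTOR_SIZE and mbr[510:512] == MBR_SIGNATURE


def parse_partitions(mbr):
    """Return the in-use partition entries (partition type 0 is an empty slot)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs0, ptype, _chs1, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if ptype != 0:
            entries.append({"slot": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba_start,
                            "sectors": sectors})
    return entries


def boot_code_hash(mbr):
    """SHA-256 of the 446-byte boot code, for comparison with a trusted baseline."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def boot_code_is_clean(mbr, baseline_hash):
    """An MBR rootkit leaves the partition table alone and changes only the
    boot code, so that region is what must be compared against a baseline."""
    return boot_code_hash(mbr) == baseline_hash


def rewrite_boot_code(mbr, clean_boot_code):
    """Replace bytes 0..445, keep the partition table and signature.
    This is the effect of a FixMBR-style repair; no volume data is touched."""
    return clean_boot_code + mbr[BOOT_CODE_LEN:]


def wipe_sector_zero(mbr):
    """Zero the whole sector: boot code, partition table and signature go.
    This is the cost of the 'wipe sector zero' approach: partitions must be
    recreated afterwards."""
    return bytes(SECTOR_SIZE)


def build_mbr(boot_code, partitions):
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack("<B3sB3sII", st, b"\0\0\0", pt, b"\0\0\0", lba, n)
                     for st, pt, lba, n in partitions)
    return boot_code + table.ljust(4 * PART_ENTRY_LEN, b"\0") + MBR_SIGNATURE


# Constructed samples: not real Microsoft boot code and not a real rootkit.
CLEAN_BOOT_CODE = b"CONSTRUCTED-CLEAN-BOOT-CODE".ljust(BOOT_CODE_LEN, b"\0")
# The infected variant differs only in its first two bytes, standing in for a
# patched entry point that diverts execution before the OS loads.
INFECTED_BOOT_CODE = b"\xeb\x3c" + CLEAN_BOOT_CODE[2:]
PARTITIONS = [(0x80, 0x07, 63, 20971457)]   # one bootable NTFS partition at LBA 63

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
INFECTED_MBR = build_mbr(INFECTED_BOOT_CODE, PARTITIONS)
BASELINE_HASH = boot_code_hash(CLEAN_MBR)   # as recorded from a known-good disk


def inspect_mbr(mbr, baseline_hash):
    """Summarise what a scanner that reads sector 0 can and cannot tell."""
    return {
        "signature_ok": has_valid_signature(mbr),
        "partitions": parse_partitions(mbr),
        "boot_code_clean": boot_code_is_clean(mbr, baseline_hash),
    }


if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, inspect_mbr(mbr, BASELINE_HASH))
    repaired = rewrite_boot_code(INFECTED_MBR, CLEAN_BOOT_CODE)
    print("repaired == clean:", repaired == CLEAN_MBR)
    print("partitions after wipe:", parse_partitions(wipe_sector_zero(INFECTED_MBR)))
```

Two points this makes visible. The clean and infected sectors carry an identical, valid partition table and boot signature, so a tool that only checks those sees nothing wrong, which is why there are no obvious indicators of infection; only the baseline comparison of the boot-code region catches the change. Rewriting bytes 0..445 restores the clean sector with the partition table intact, whereas zeroing the whole sector also destroys the table. One caveat: a rootkit that is active beneath the running operating system can intercept reads of sector 0 and hand back a clean copy, so the comparison is only trustworthy when the disk is read from separate, known-clean boot media.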

Invisible Intruder

It is very difficult for a user to know that a computer is infected with an MBR/Rootkit virus. There are no specific indicators, according to Masiello.

"This is the next evolution of malware infection. This is less detectable and less cleanable. I expect to see it become more prevalent," he said.

The temporary solution may only exist in users applying prudent principles of safe computing in depth, DeBolt suggested.

Prevention Beats Cure

One defense method that software security firms are studying is a combination of white list and black list to improve protection. It is easier to lock out untrusted programs from running on a computer than to detect and remove malware, said DeBolt.

IT managers should find and block these potential intruders at the outer bounds of their networks. A hypervisor rootkit, for instance, uses the processor's hardware virtualization support to slip beneath the operating system, which then runs as a guest that cannot see it.

"We see a lot of activity in this area and expect milestones to develop on both sides. It's a race. If a rootkit gets installed first, it is tough to deal with," concluded DeBolt.

By Jack M. Germain