A rootkit that hides from Windows on the hard drive's boot sector is infecting PCs, security researchers said Wednesday. Once installed, the cloaking software is undetectable by most current antivirus programs.
The rootkit overwrites the hard drive's master boot record (MBR), the first sector - sector 0 - where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to the operating system and security software installed on that operating system.
"A traditional rootkit installs as a driver, just as when you install any hardware or software," said Oliver Friedrichs, director of Symantec's security response team. "Those drivers are loaded at or after the boot process. But this new rootkit installs itself before the operating system loads. It starts executing before the main operating system has a chance to execute." Control the MBR, Friedrichs continued, and you control the operating system, and thus the computer.
"That gives it unprecedented access to the computer," Friedrichs said. "It's able to hide in a manner that a traditional rootkit never can."
According to other researchers, including those with the SANS Institute's Internet Storm Center, Prevx and a Polish analyst who uses the alias "gmer", the rootkit has infected several thousand PCs since mid-December, and is used to cloak a follow-on bank account-stealing Trojan horse from detection as well as to reinstall the identity thief if a security scanner somehow sniffs it out.
Several of those researchers fingered a quartet of aged exploits - the majority harking to vulnerabilities patched in 2006 - launched from compromised websites as the rootkit's install attack vector. Any PC that's not up to date on its patches is at risk if used to surf to such sites.
This is a serious threat, said Friedrichs, and illustrates the skill of some cybercriminals. "Although the concept [of a MBR rootkit] isn't new, it's not easy to pull this off," he said. "It's a very sophisticated attack, and the amount of time and effort they spent creating this is very substantial.
"We're not dealing with amateurs here."
The rootkit's lineage, in fact, has been mapped by others, notably gmer, who first published an analysis of the rootkit's code last week. By gmer's account, the rootkit's creator stole code originally written by Derek Soeder and Ryan Permeh, a pair of researchers at eEye Digital Security, as a proof-of-concept rootkit they presented at the Black Hat security conference in August 2005.
"So this has been brewing for some time," said Symantec's Friedrichs. "But given the complexity of the task, it's not surprising it's taken this long. One thing, it shows the lengths to which attackers are going to go. We've just not seen them approach threat research this complex in the past."
Matthew Richards, director of VeriSign's iDefense Labs, pegged the start of the MBR rootkit's in-the-wild appearance as 12 December, with a second round of attacks on 19 December. So far, said Richards, nearly 5,000 PCs have been infected by the rootkit.
Some users are better protected than others, added Friedrichs, who echoed details posted last Saturday by Prevx researchers.
The rootkit is hard-coded in such a way as to only work on Windows XP systems. But even if it was tweaked, Vista users would have to explicitly approve the installation of the MBR rootkit by accepting a UAC (User Account Control) warning, since the rootkit requires needs administrative-level approval to install to the hard drive's master boot record.
If it gets on the drive, though, the MBR rootkit is very difficult to detect, Friedrichs admitted. The best defence, therefore, is to sniff it out before it manages to worm its way onto sector 0.
That's the approach Symantec and other antivirus vendors have taken. Symantec, for example, detects the rootkit as a Trojan dubbed Mebroot when it attempts to first install after, say, a successful attack using one of the exploits hosted on the compromised sites serving as attack launch pads.
"But once it's on your system, it becomes much more difficult to deal with," said Friedrichs. "Once it's tampered with the master boot record, the only way to remove it is to boot using the Windows installation disk and run the Windows Recovery Console."
From the recovery console, advised Elia Florio, another Symantec researcher, users can run the "fixmbr" command to remove the rootkit. "To help prevent similar attacks in the future, and if your system BIOS includes the Master Boot Record write-protection feature, now is a good time to enable it," Florio recommended in a post to the Symantec security response team's blog on Tuesday.