GMER discovers a new MBR based rootkit in the wild . . .

EDITED: 1/10/2008 to remove information about possibly using ntbtlog.txt to detect the rootkit. The driver load routine for the rootkit seems to be non-standard and thus unlikely to appear in ntbtlog.txt.

You can read the gory details of it here: http://www2.gmer.net/mbr

Some things I'd like to point out:

  1. Opening a disk for raw access (the method by which a raw disk sector can be written) requires admin rights. If you run as non-admin, or are on Vista with UAC, this malware won't be able to modify your MBR.
  2. To fix a modified MBR, boot the Windows Recovery Console from your Windows CD / DVD and run the 'fixmbr' command. So the fact that this malware doesn't use any registry-based ASEPs (auto-start extensibility points) is actually a pretty big weakness - it makes it easier to defeat. :)
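As an added illustration (not part of this post or of GMER's tooling), here is a Python check that parses a 512-byte MBR image and compares its boot code against a SHA-256 baseline taken from a known-clean machine. The sample MBR bytes and the baseline are constructed inline; reading the real sector 0 from a disk (which, per point 1, needs admin rights) is left to the caller.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0-445: boot loader code (what an MBR rootkit overwrites)
SIGNATURE = b"\x55\xAA"       # bytes 510-511: boot signature


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four 16-byte primary partition entries at offsets 446-509."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, BOOT_CODE_SIZE + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()
    if digest != baseline_boot_code_sha256:
        findings.append("boot code differs from known-good baseline: " + digest[:16])
    bootable = [e for e in parse_partition_table(mbr) if e["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code, one bootable NTFS (type 0x07) partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 16_000_000)
    return boot_code + entry + b"\x00" * 48 + SIGNATURE

# Constructed 'known good' boot code: a few real x86 opcodes padded with NOPs.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_SIZE - 7)
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
# Constructed 'tampered' copy: the first 16 bytes of boot code have been overwritten.
TAMPERED_MBR = build_sample_mbr(b"\xCC" * 16 + CLEAN_BOOT_CODE[16:])

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE_SHA256) or ["OK"])
```

On a real system the baseline hash must come from a trusted image of the same machine's MBR, since legitimate boot code differs between Windows versions and OEM installs.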

I believe our own AV team will be posting additional technical details in their blog real soon now. :)

Published 10 January 08 11:23 by Robert_Hensing
