Security researchers are warning of a new rootkit/code dropper that has the potential to be a lot nastier if its Russian creators ever get motivated. The rootkit infects the Master Boot Record (MBR)
MBR-based attacks have been around since the MS-DOS era. It’s a good place to attack because that’s the second place a computer checks on startup, after the BIOS
This rootkit’s existence reflects the inherent risk of shining light on a problem. A proof of concept rootkit that targets the MBR was first proposed by eEye Digital Security in 2005. This concept was then discussed last August at the Black Hat hacker conference in Las Vegas and appeared shortly thereafter.
That’s the risk you take when you can’t tell the good guys from the bad guys at a show like Black Hat.
“At Black Hat, what people try to do is responsibly disclose potential issues,” said Matt Richards, director of the rapid response team for iDefense, which disclosed the rootkit’s presence. “They didn’t disclose anything ground breaking, they just brought it into the light. Unfortunately, the good guys and the bad guys both saw it.”
iDefense first noticed the rootkit in late December. In examining the code, it found it was particularly difficult to remove because of the way it hides in the MBR and the fact that it also hides other Trojans in the MBR.
Infection comes from visiting what seems to be a harmless Web site with a malicious IFrame that links and then tries to exploit several old vulnerabilities in Windows. If there’s any consolation, the rootkit only affects Windows XP, not Vista, and the exploits it targets are several months old.
For now, Vista users and those who have kept their computers up to date are safe. Richards said it would be very easy to upgrade the rootkit to be far more dangerous. “It would probably take a few weeks to adapt it to Vista,” he said. “The worst case scenario is if they buy a zero-day on the underground and decide to distribute it.”
Richards said the group behind it runs the Torpig Trojan, which steals bank account information. He estimates around 250,000 users are infected, mostly in Europe.
A quick check of the major antivirus companies by InternetNews.com shows most are aware of the rootkit and claim their software can remove it. Trend Micro and Symantec have blogged on it, and Sunbelt Software and Panda Software also report they can detect it. McAfee representatives were not immediately available for comment.
But Richards wonders if they are detecting the rootkit or the Torpig Trojan. He adds that “this is fairly easy to detect now but can be made a lot harder to find.”