Rootkit hides in HD's boot record...
January 2008
A rootkit that hides from Windows on the hard drive’s boot sector is infecting PCs, security researchers said today. Once installed, the cloaking software is undetectable by most current antivirus programs.

The rootkit overwrites the hard drive’s master boot record (MBR), the first sector (sector 0), where code is stored to bootstrap the operating system after the computer’s BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to the operating system and to security software installed on that operating system.

“A traditional rootkit installs as a driver, just as when you install any hardware or software,” said the director of Symantec Corp.’s security response team. “Those drivers are loaded at or after the boot process. But this new rootkit installs itself before the operating system loads. It starts executing before the main operating system has a chance to execute.” Control the MBR, he continued, and you control the operating system, and thus the computer.

According to other researchers, including those with the SANS Institute’s Internet Storm Center, Prevx Ltd., and a Polish analyst who uses the alias “gmer,” the rootkit has infected several thousand PCs since mid-December. It is used to cloak a follow-on bank account-stealing Trojan horse from detection, as well as to reinstall the identity thief if a security scanner somehow sniffs it out.
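The article's point is that sector 0 holds bootstrap code that runs before Windows, so the place to look for this class of rootkit is the raw MBR itself, compared against a known-good copy. The following is an added example, not code from the article or from any of the researchers it quotes: it parses a 512-byte MBR image using the standard layout (440 bytes of boot code, a 4-byte disk signature, two reserved bytes, four 16-byte partition entries, and the 0x55AA signature), hashes the boot-code region, and reports whether it still matches a baseline. The sample MBR images, the baseline hash and the "tampered" image are all constructed here for illustration; the partition values in them are made up.

```python
"""
Added example (not from the article): parse a 512-byte master boot record
and compare its boot code against a known-good baseline hash. This is a
detection/integrity check for the situation the article describes, where
the boot code in sector 0 has been replaced. All sample data is constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: the bootstrap code proper
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa" # bytes 510..511


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition table entry (little-endian fields)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(sector0: bytes) -> dict:
    """Split an MBR image into a boot-code hash, partition list and signature flag."""
    if len(sector0) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector0)}")
    boot_code = sector0[:BOOT_CODE_LEN]
    table = sector0[PART_TABLE_OFF:PART_TABLE_OFF + 4 * PART_ENTRY_LEN]
    entries = [
        parse_partition_entry(table[i:i + PART_ENTRY_LEN])
        for i in range(0, 4 * PART_ENTRY_LEN, PART_ENTRY_LEN)
    ]
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        # type 0x00 marks an unused slot, so drop those
        "partitions": [e for e in entries if e["type"] != 0],
        "signature_ok": sector0[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector0: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector0)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR image: given boot code zero-padded to 446 bytes (code plus
    disk-signature area), one bootable type-0x07 partition starting at LBA 2048
    with 1,000,000 sectors, three empty entries, and the 0x55AA signature."""
    code = boot_code.ljust(PART_TABLE_OFF, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (3 * PART_ENTRY_LEN)
    return code + table + BOOT_SIGNATURE


# Constructed "known-good" image and the baseline hash taken from it.
KNOWN_GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
KNOWN_GOOD_HASH = parse_mbr(KNOWN_GOOD_MBR)["boot_code_sha256"]
# Constructed image with the same partition table but different boot code,
# standing in for a sector 0 that has been overwritten.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")

if __name__ == "__main__":
    print("known-good:", check_mbr(KNOWN_GOOD_MBR, KNOWN_GOOD_HASH))
    print("tampered:  ", check_mbr(TAMPERED_MBR, KNOWN_GOOD_HASH))
```

To use this on a real machine, read the first 512 bytes of the raw disk device into `sector0` and record `boot_code_sha256` once while the system is known clean. Because the article notes the rootkit is invisible to the running operating system, a read of sector 0 taken from inside a possibly infected Windows may be filtered; take the baseline and the later comparisons from a separately booted clean medium, and expect the hash to change legitimately only when the boot loader is reinstalled.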