11 January 2008

True rootkits are here

I'm not a big fan of malware reporting in the media - generally it comes down to flacking press releases of the "sky is falling, buy our software" variety from some A/V company's marketing manager with a quota to meet - but I did take note of this article on the BBC's site.

Turns out that somebody has finally made what I would call a true rootkit: malware that loads from the master boot record (MBR) before the OS loader and, if the stealth is done right, will be completely invisible to anything downstream.

Although there's a pretty tight limit to what you can hide in the MBR (446 bytes of code, if I remember my DOS-based virus studies from the early 1990s), the malware can also probably take advantage of the rest of track 0, which on a modern multi-GB disk could be pretty big.

So, if your anti-virus toolkit currently contains Rootkit Revealer, a spare bootable copy of Windows, and some registry hacks to get persistent malware files to die, you might also want to keep a DOS floppy handy. If FDISK /MBR doesn't work, you might wish you'd saved a copy with BOOTSEC (a utility I've used more or less every day since 1994) so you could restore it later.

1 comment:

  1. You're right the Master Boot Code is the first 446 bytes of the MBR.

    See also this link
    http://technet.microsoft.com/en-gb/library/bb457122.aspx
    under the section
    "Avoid Using the Fdisk /mbr Command to Treat Viruses"
    that explains the limitations of Fdisk /MBR

    ReplyDelete