I'm not a big fan of malware reporting in the media - generally it comes down to flacking press releases of the "sky is falling, buy our software" variety from some A/V company's marketing manager with a quota to meet - but I did take note of this article on the BBC's site.
Turns out that somebody has finally made what I would call a true rootkit: malware that loads from the master boot record (MBR) before the OS loader. Because it gets control before the operating system does, it can hook the BIOS disk services and filter every read that follows, so if the stealth is done right it will be completely invisible to anything downstream.
Although there's a pretty tight limit to what you can hide in the MBR itself (446 bytes of code, if I remember my DOS-based virus studies from the early 1990s - the remaining 66 bytes are the partition table and the 0x55AA signature), the malware can also take advantage of the rest of track 0, the unpartitioned sectors between the MBR and the first partition. That gap is set by partition alignment rather than disk size - 62 sectors, about 31 KB, with the classic 63-sector layout - but that is still plenty of room for a loader and the code it needs to hide itself.
So, if your anti-virus toolkit currently contains Rootkit Revealer, a spare bootable copy of Windows, and some registry hacks to get persistent malware files to die, you might also want to keep a DOS floppy handy. Do the repair from clean boot media: a rootkit that is already running can intercept a write to sector 0 from inside the infected OS. Bear in mind that FDISK /MBR rewrites only the 446 bytes of boot code and leaves the partition table as it finds it, so if that doesn't work, you might wish you'd saved a copy of the whole sector with BOOTSEC (a utility I've used more or less every day since 1994) so you could restore it later.
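To make the layout above concrete, here is an added example (my code, not anything from the BBC article or the malware it describes) that parses a 512-byte MBR into its boot-code, partition-table and signature regions, computes the unpartitioned gap after the MBR that the post calls "the rest of track 0", and models the two repair strategies discussed: an FDISK /MBR-style rewrite of the boot code alone, and comparison against a previously saved copy of the sector. The sample MBRs are constructed in the script; the placeholder boot code strings are stand-ins, not real loader bytes.

```python
"""MBR layout parser plus FDISK /MBR-style and saved-copy repair models.

Added example, not code from the original post. The boot-code strings used
as sample data are placeholders, not real boot loaders.
"""
import struct

SECTOR = 512
BOOT_CODE_LEN = 446        # bytes 0..445: master boot code (NT-style MBRs keep a
                           # 4-byte disk signature at 0x1B8 inside this region)
PART_TABLE_OFF = 446       # four 16-byte partition entries
SIGNATURE_OFF = 510        # 0x55 0xAA boot signature
ENTRY_FMT = "<B3BB3BII"    # status, CHS start, type, CHS end, LBA start, sectors


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and signature.

    Raises ValueError on a wrong-sized sector or a missing 0x55AA signature.
    Empty partition entries (type 0, zero length) are skipped.
    """
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")

    partitions = []
    for i in range(4):
        fields = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        status, ptype, lba_start, num_sectors = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0 and num_sectors == 0:
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": num_sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}


def hidden_gap_sectors(mbr: dict) -> int:
    """Sectors between the MBR (LBA 0) and the start of the first partition.

    This is the space a loader can hide in beyond the MBR itself: 62 sectors
    when the first partition starts at LBA 63 (classic CHS layout), 2047 when
    it starts at LBA 2048 (1 MiB alignment).
    """
    starts = [p["lba_start"] for p in mbr["partitions"]]
    return min(starts) - 1 if starts else 0


def boot_code_changed(current: bytes, saved_copy: bytes) -> bool:
    """Compare only the boot-code region against a saved copy of the MBR.

    The partition table and signature are excluded, so repartitioning does not
    raise a false alarm while a replaced loader does.
    """
    return current[:BOOT_CODE_LEN] != saved_copy[:BOOT_CODE_LEN]


def restore_boot_code(infected: bytes, clean: bytes) -> bytes:
    """Model of what FDISK /MBR does: replace bytes 0..445 with known-good boot
    code and leave the current partition table and signature untouched.
    Anything the malware stored past LBA 0 is, of course, not removed."""
    return clean[:BOOT_CODE_LEN] + infected[BOOT_CODE_LEN:]


def build_sample_mbr(boot_code: bytes, first_lba: int = 63, sectors: int = 204800) -> bytes:
    """Construct a synthetic MBR (not a real disk image) with one bootable
    NTFS-type (0x07) partition. The boot code is padded to 446 bytes."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, 0, 0, 0, 0x07, 0, 0, 0, first_lba, sectors)
    return code + entry + b"\x00" * 48 + b"\x55\xaa"


if __name__ == "__main__":
    saved = build_sample_mbr(b"PLACEHOLDER CLEAN LOADER")
    current = build_sample_mbr(b"PLACEHOLDER REPLACED LOADER")
    print("gap after MBR:", hidden_gap_sectors(parse_mbr(current)), "sectors")
    print("boot code changed:", boot_code_changed(current, saved))
    print("FDISK /MBR model restores sector:", restore_boot_code(current, saved) == saved)
```

In practice `saved` would be the sector you dumped with a BOOTSEC-style tool while the machine was known clean, and `current` the sector read back from clean boot media. The gap calculation is what tells you how many sectors after the MBR also need to be inspected or wiped; the restore function makes clear why an FDISK /MBR-style fix leaves them alone.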
You're right, the Master Boot Code is the first 446 bytes of the MBR.
See also this link, http://technet.microsoft.com/en-gb/library/bb457122.aspx, under the section "Avoid Using the Fdisk /mbr Command to Treat Viruses", which explains the limitations of Fdisk /MBR.