MBR Rootkit mutates

Early this year the author of the GMER anti-rootkit tool discovered a new boot-sector virus that installs itself in the master boot record (MBR) of the hard disk and uses rootkit techniques to conceal itself and manipulate the Windows kernel on system startup. Although anti-virus vendors found ways to recognise the intruder, new variants of the MBR rootkit hide using even more cleverly devised camouflage.

The earliest variants of the MBR rootkit only tweaked system functions of disk drivers, such as disk.sys, in order to hide the contents of the MBR. The antivirus vendors and GMER were able to circumvent these "hooks" by jumping directly to the address of the original code, which they could extract from the system function ClassPnpReadWrite of the Classpnp.sys driver. The new variants of the MBR rootkit manipulate values in Classpnp.sys to make the detection routines read the wrong address. As a result, the detection programs use the hooks of the MBR rootkit, and are thus blind to the infection once more. The new variant also runs an observation process that monitors the MBR and the hooks and reinstalls the rootkit if it is removed.

Antivirus vendors Trend Micro and McAfee have already modified their detection mechanisms in order to recognise and remove the new variants of the MBR rootkit. The current build of GMER dates from early March, so it is still unaware of the new tricks. If an attack is suspected, however, the computer can be booted using a clean boot CD containing up-to-date virus scanners and fresh signatures and investigate matters. The rootkit is then inactive and can be tracked down by virus scanners.

See also:

• MBR Rootkit: new tricks added, blog entry at Prevx
• New MBR Rootkit Variant: MBR Rootkit vs. Anti-rootkit, entry in the Trend Micro blog
• Exploring StealthMBR Defenses, entry in the McAfee blog
• download the GMER anti-rootkit tool

(mba)