Return of the boot-sector virus
The developers of the GMER anti-rootkit program have discovered a contaminant that makes itself at home on a hard drive's master boot record (MBR) and uses root kit techniques to hide itself on a Windows system. Researchers at security service provider Prevx have discovered an MBR contaminant on a number of compromised websites that exploit security holes in outdated software in order to inject malware.
The still unnamed MBR root kit is based on the freely available code for BootRoot, a feasibility study conducted by security provider eEye. At the Black Hat USA Conference 2005, researchers at the company demonstrated how a contaminant embeds itself in the MBR, manipulating drivers when the system is booted. It is thus able to infect the kernel of Windows NT and subsequent Windows systems.
According to the GMER report, the recently detected contaminant first copies the original boot sector to sector 62 of the hard drive before proceeding to copy itself into the MBR and write additional data onto sectors 60 and 61. The contaminant writes the root kit driver onto free sectors, usually the last sectors of the drive. The code in the MBR then makes sure that the root kit driver is loaded.
When the system reboots, the code hooks interrupt 13h to get control over the loaded data. It can then hook the Windows kernel and patch it so that it loads the root kit driver. The root kit driver itself hooks into the system functions IRP_MJ_READ and IRP_MJ_WRITE of the driver disk.sys and redirects read requests for the boot sector to the original code in sector 62. In addition, the driver sets up connections to the internet.
The MBR root kit runs on Windows Vista with some restrictions. For instance, it cannot get a foothold if User Account Control is enabled. In addition, the code that looks for the part of the Vista kernel to patch is reportedly flawed, though it is said to work smoothly on Windows XP.
The root kit can be found by means of a cross-check, in which the boot sector returned by a Windows read function is compared with the result of direct disk access that bypasses Windows functions; because the driver redirects boot-sector reads to the original code in sector 62, the two views differ on an infected system. It is apparently also quite easy to remove the root kit. The Windows tool fixmbr overwrites the malicious code, thereby solving the problem.
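The sector layout described above (original MBR relocated to sector 62, loader data in sectors 60 and 61) also gives an offline check that a responder can run against a raw disk image, where the root kit's read redirection is not in play. The following is an added example, not code from GMER or Prevx; the disk image it scans is constructed inline and the partition-table and sector offsets are assumed to follow the classic 63-sector track layout.

```python
import struct

SECTOR = 512
MBR_SIG = b"\x55\xAA"

def read_sector(image: bytes, n: int) -> bytes:
    return image[n * SECTOR:(n + 1) * SECTOR]

def looks_like_mbr(sec: bytes) -> bool:
    """True if the sector ends in the 0x55AA boot signature and its partition
    table (4 x 16 bytes at offset 446) has sane boot flags and one used entry."""
    if len(sec) != SECTOR or sec[510:512] != MBR_SIG:
        return False
    entries = [sec[446 + 16 * i:462 + 16 * i] for i in range(4)]
    flags_ok = all(e[0] in (0x00, 0x80) for e in entries)   # active/inactive only
    used = any(e[4] != 0 for e in entries)                   # partition type byte set
    return flags_ok and used

def scan_image(image: bytes) -> list:
    """Flag the sector pattern the GMER report attributes to the MBR root kit."""
    findings = []
    mbr, backup = read_sector(image, 0), read_sector(image, 62)
    if looks_like_mbr(backup):
        findings.append("sector 62 holds a complete MBR (relocated original?)")
        # Same partition table, different boot code: the MBR was replaced in place.
        if backup[446:] == mbr[446:] and backup[:446] != mbr[:446]:
            findings.append("sector 0 boot code differs from sector 62, partition tables match")
    for n in (60, 61):
        if any(read_sector(image, n)):
            findings.append(f"sector {n} is not empty (loader data?)")
    return findings

def build_image(infected: bool) -> bytes:
    """Constructed 64-sector image for demonstration; not a real capture."""
    table = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 1_000_000)
    table += bytes(48)                                       # three unused entries
    original = (b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * 441) + table + MBR_SIG
    sectors = [original] + [bytes(SECTOR)] * 63
    if infected:
        sectors[62] = original                               # original MBR copied to 62
        sectors[0] = b"\xEB\x00" * 223 + table + MBR_SIG     # 446 bytes of loader code
        sectors[60] = sectors[61] = b"\xAA" * SECTOR         # extra data in 60 and 61
    return b"".join(sectors)

if __name__ == "__main__":
    for label, img in (("clean", build_image(False)), ("infected", build_image(True))):
        print(label, scan_image(img))
```

A clean image yields no findings; the constructed infected image yields four. On a live system the same comparison must be done against a raw read that bypasses disk.sys, otherwise the hooked read path hands back the original sector and the check sees nothing.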
Back in the days of DOS, boot-sector viruses were not uncommon, but since the release of Windows NT, and especially since the release of Windows XP, such viruses have become less critical for private users. The old MBR contaminants generally do not affect current operating systems. The MBR root kits recently discovered mainly on compromised Italian websites take the risk to a new level, however. Antivirus software vendors will now be feverishly working to develop detection mechanisms and remedies.
- Stealth MBR rootkit, report by GMER
- Master Boot Record Rootkit is here and ITW, blog entry at Prevx
- MBR Rootkit: follow up, blog entry at Prevx
- Download the sources for BootRoot from eEye