'Mebroot' proves to be a tough rootkit to crack
A rootkit uncovered in the wild in December is proving to be a real headache
to detect, according to Finnish security company F-Secure.
Dubbed "Mebroot," the rootkit infects the master boot record (MBR),
the first sector of a PC's hard drive that the computer looks to before loading
the operating system. Since it loads before anything else, Mebroot is nearly
invisible to security software.
"You can't execute any earlier than that," said Mikko Hypponen, F-Secure's
chief research officer.
A rootkit is a malicious program that hides deep in a computer's operating
system and can be difficult to remove.
Since December, Hypponen said they've seen alpha and beta versions of the Mebroot
rootkit but believe it has now been RTMed, the term usually used for a legitimate
piece of software that's entered production after testing.
Once a machine is infected, the hacker controlling the rootkit has complete
control over the victim's machine, opening up the potential for a variety of
other attacks.
For example, the hacker could try and download other malicious software to
the machine to log a person's keystrokes and collect financial or personal data.
F-Secure, which specializes in finding rootkits, says its technology is only
able to "suspect" if Mebroot is on a PC. Hypponen said he couldn't
reveal the techniques the company is using to make even that fuzzy guess.
The problem is that Mebroot isn't just a single file -- it injects itself into
other processes running on a machine, masking its nefarious actions, Hypponen
said.
Mebroot, however, can be uncovered if F-Secure's security software CD is used
to boot up the PC, Hypponen said. "The one who executes first has the upper
hand," he said.
Mebroot is the manifestation of what researchers thought was just theoretically
possible, although the MBR on older, MS-DOS systems had been infected with rootkits.
But in 2005, researchers Derek Soeder and Ryan Permeh of eEye Digital Security
showed the idea was possible by producing proof-of-concept code, called "BootRoot."
But Hypponen said it was thought the highly technical engineering needed for
a successful attack was beyond the reach of today's malware writers.
They were wrong. Hackers are now creating Web pages that, if visited with certain
browsers with security vulnerabilities, will automatically infect a PC with
Mebroot -- a technique known as a drive-by download.
Hypponen said it's unknown how widespread Mebroot is. VeriSign's iDefense Intelligence
Team has said 5,000 users were infected in separate attacks on Dec. 12 and Dec.
19.
IDG News Service
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
Crimeware: Understanding New Attacks and Defenses
By Markus Jakobsson, Zulfikar Ramzan
Published Apr 6, 2008 by Addison-Wesley Professional. Part of the Symantec Press series.
Enter now! | Official rules | Sample chapter
Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures
By Peter Thermos, Ari Takanen
Published Aug 1, 2007 by Addison-Wesley Professional.
Enter now! | Official rules | Sample chapter
