
New Nasty Hides From Windows, Anti-Virus Tools

A new family of malicious software that runs before Windows even boots up has infected thousands of PCs worldwide and remains undetected by virtually all of the commercial anti-virus tools, security experts warn.

The newly-discovered malware is what's known as a "rootkit," which is typically a set of tools designed to hide malicious files on an infected system. This particular rootkit hides its files in the "master boot record" (MBR), one of the deepest recesses of the PC's hard drive. The MBR is the place computers consult after first being turned on to see where to find a bootable operating system.
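To make the MBR layout concrete, here is an added example (not code from the article, GMER or eEye) that parses a 512-byte master boot record and compares its bootstrap code against a known-good baseline hash, which is the basic check an integrity tool performs to notice that the code in sector 0 has been replaced. The sample sectors, the "WINBOOT" marker bytes and the partition values are constructed for the example.

```python
"""Parse a 512-byte master boot record and compare its bootstrap code
against a known-good baseline.  Constructed example; the sample sectors
built below are made up and do not come from any real disk."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: bootstrap code the BIOS jumps into
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the code
SIGNATURE_OFF = 510      # bytes 510..511 must be 0x55 0xAA


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes):
    """Split a raw sector into (bootstrap code, partition list).
    Raises ValueError if the sector is malformed."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-first(3) type(1) CHS-last(3) LBA-start(4) count(4)
        flag, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if flag not in (0x00, 0x80):
            raise ValueError(f"partition {i}: invalid boot flag 0x{flag:02x}")
        if type_id != 0:                      # type 0 means an empty slot
            partitions.append(Partition(flag == 0x80, type_id, lba_start, count))
    return sector[:BOOT_CODE_LEN], partitions


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the bootstrap region only, so partition edits made by
    legitimate tools do not change the baseline."""
    code, _ = parse_mbr(sector)
    return hashlib.sha256(code).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> dict:
    """Report whether the bootstrap code still matches the recorded baseline."""
    code, parts = parse_mbr(sector)
    digest = hashlib.sha256(code).hexdigest()
    return {"boot_code_changed": digest != baseline_digest,
            "partitions": parts, "digest": digest}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: the given bootstrap bytes padded to 446, one
    bootable type-0x07 partition starting at LBA 63, and the signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 2_000_000)
    table = entry + b"\x00" * 48               # three empty entries
    return code + table + b"\x55\xaa"


# Constructed "clean" sector recorded when the system was trusted, and a
# copy whose bootstrap code was swapped while the partition table stayed intact.
KNOWN_GOOD = build_sample_mbr(b"\xeb\x3c\x90" + b"WINBOOT ")
TAMPERED = build_sample_mbr(b"\xeb\x3c\x90" + b"XXXXXXXX")
BASELINE_DIGEST = boot_code_digest(KNOWN_GOOD)

if __name__ == "__main__":
    for name, sec in (("known-good", KNOWN_GOOD), ("tampered", TAMPERED)):
        r = check_mbr(sec, BASELINE_DIGEST)
        state = "CHANGED" if r["boot_code_changed"] else "unchanged"
        print(f"{name}: boot code {state}, partitions={r['partitions']}")
```

Only the first 446 bytes are hashed because partition managers rewrite the table legitimately, while the bootstrap code should not change between OS installs. The baseline must be taken while the machine is known clean, and, since a rootkit that hooks the disk interrupt can answer reads of sector 0 with the saved original, the comparison is only trustworthy when the sector is read from trusted boot media or by a tool that reads below the hooked layer.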

As it happens, the method used by the malware to write itself to the Windows MBR has been known for several years now: Many of its features and infection methods were detailed in a proof-of-concept paper presented by researchers from eEye Digital Security in 2005 at the annual Black Hat hacker convention in Las Vegas. Last week, a rootkit that built on the methods described in the eEye paper was discovered "in the wild" and documented in a write-up by the folks behind GMER, one of the few anti-rootkit applications that successfully detects and removes this particular rootkit.

eEye called their rootkit "BootRoot," and since the in-the-wild version of this rootkit doesn't appear to have been given a proper name as yet, that's how I'll refer to it from here on out.

According to GMER's analysis, BootRoot hooks into the area of the Windows operating system that handles both networking and writing data to the hard drive. That means if it is installed along with a Trojan horse program that runs after Windows boots up - such as a keystroke-logging program, for example - the rootkit is capable of re-installing the Trojan even if anti-virus or other security software installed on the system subsequently finds and deletes the Trojan.

Indeed, that appears to be the main purpose of the BootRoot rootkit, which has been spotted on at least 5,000 Windows PCs, according to an analysis being released today by iDefense, a unit of security giant Verisign Inc. Matthew Richard, director of the company's rapid response team, said the rootkit looks like it is being developed by the same Russian malware-writing group that maintains the "torpig" Trojan. On most of the systems found to be infected with BootRoot, Richard said, the rootkit was hiding custom versions of torpig, which is designed to look for and steal online banking credentials when the victim logs into any one of 900 financial institutions around the globe.

Richard called it the most sophisticated rootkit spotted in the wild in all of 2007; the company said indications are that its authors first began testing it back in October 2007.

"The rootkit has this whole plug-in architecture that allows the authors to insert a new Trojan on the infected PC at any time," Richard said. "It all happens seamlessly in the background. This is a very well-written and well-designed piece of malware."

The current version of BootRoot appears to run only on certain Windows XP systems, but Richard said the same technique could be used to drop rootkits on Windows Vista machines as well. In addition, nearly all of the infected systems spotted by Verisign are located in Europe, although there is no reason why attackers could not soon target U.S.-based Windows users.

Richard said none of the anti-virus tools or anti-rootkit programs offered by the anti-virus vendors currently detect and remove this rootkit, although many will no doubt add detection for this nasty in the coming days and weeks. The free anti-rootkit tool from GMER does detect this rootkit, but it may not be the most intuitive program for the average Windows user.

I'm writing about this threat because it is likely that we will see other malware authors leverage this method in the months ahead. Here's what you should know about how to protect yourself:

The rootkit and its packaged Trojan were found to have been installed by any one of several thousand hacked Web sites that take advantage of at least four long-ago patched security flaws in Windows. Readers who have been staying up-to-date with their Windows patches should have little to worry about from this particular attack.

Still, there is absolutely no reason the bad guys couldn't substitute more recent Windows exploits for these stale Windows flaws, or target known weaknesses in applications that run on top of Windows, such as QuickTime or WinZip. A great way to make sure you're not running outdated and unpatched versions of popular Windows software titles is to make a habit of running Secunia's Software Inspector application, a free Web-based tool that will alert you to any programs that are missing security updates.

Also, this attack method presents zero threat for Windows users who have taken my advice to run their system under a limited user account, as altering the master boot record on Windows requires the logged-in user to have all-powerful "administrator" rights on the system.

By Brian Krebs  |  January 8, 2008; 2:10 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips  

Comments

Thanks for mentioning the limited user account protections in your past two posts (it can NEVER be said enough). In today's computing environment, using the all-powerful administrator account for everyday use is equivalent to making your house/car keys readily available to the bad guys!

Law #2 of the 10 Immutable Laws of Computer Security:

"If a bad guy can alter the operating system on your computer, it's not your computer anymore."

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

Posted by: TJ | January 8, 2008 3:34 PM | Report abuse

How exactly are these a "new family of malicious software"? Rootkits have been around since 1990 and a more popular DRM rootkit from Sony was the buzz in 2005.

http://en.wikipedia.org/wiki/Rootkit

Now you also say that "the current version of BootRoot appears to run only on certain Windows XP systems, but Richard said the same technique could be used to drop rootkits on Windows Vista machines as well." This article from the GMER site indicates "all the Windows NT family (including VISTA) still have the same security flaw" (from the link).

http://www2.gmer.net/mbr/

I'll give that rootkits probably weren't at the forefront of everyone in the IT community until the Sony scandal but even running as a non-admin account won't completely hold off an attack. Many services on a system run at an elevated privilege (SYSTEM level) and if they are exploited, it doesn't matter if the user is even logged on. Running as a non-admin account is a good start, but it certainly doesn't present a zero threat to a system.

Posted by: Jim | January 8, 2008 4:15 PM | Report abuse

@Jim -- Rootkits have been around for a long time; this is true. But when was the last time you saw a rootkit that infected the MBR on Windows, and was being found in fairly notable numbers in the wild?

As to the question about Vista, I'm not quite sure I understand how what I quote Richard as saying is at odds with what GMER is saying.

Posted by: Bk | January 8, 2008 4:29 PM | Report abuse

According to Symantec (see link below), a limited user account does not protect against this threat.

"The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector 0 as a standard user is a relatively easy task. This issue has been known for quite some time, and still affects the 2K/XP families, while Vista was partially secured."

http://www.symantec.com/enterprise/security_response/weblog/2008/01/from_bootroot_to_trojanmebroot.html

The threat is detected as Trojan.Mebroot

http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-010718-3448-99

Regardless, using a limited user account is still a very important layer of defense. The keyword here is a layered defense (ex. limited user, patching, AV, firewall, etc.)

Posted by: Tim | January 8, 2008 5:01 PM | Report abuse

Rootkits can even affect Linux and OSX - There is a list of programs for each Operating System at http://www.antirootkit.com/software/index.htm

This is a whole new era we are entering...

JC

Posted by: Jayc | January 8, 2008 5:33 PM | Report abuse

Great article. Kudos to Brian for clearly stating the risk in context of a Windows limited user account.

Posted by: LUAforever | January 8, 2008 5:49 PM | Report abuse

Um, Brian, don't you think you should explicitly distinguish the stealth MBR rootkit found in the wild from the proof-of-concept eEye wrote? By co-opting the name, you're effectively attributing the stealth MBR rootkit to eEye, which, if I were they, I would not in the least appreciate.

Posted by: antibozo | January 8, 2008 6:06 PM | Report abuse

@antibozo -- Are you saying you don't think it's clear why I adopted the name they used? The reason for that is stated in the blog post. I say the rootkit includes many of the features and infection methods demonstrated by the eEye proof of concept. Is there another concern I'm missing?

Posted by: Bk | January 8, 2008 6:54 PM | Report abuse

@Tim:
The pagefile attack that Symantec cites requires an administrator account. In this context "user mode" means "not kernel mode" (i.e., this is something a non-kernel process is allowed to do) as opposed to "limited user". Cf. the first section of the PowerPoint presentation that Symantec links to.
(By the same token, root has direct write access to all block devices on a typical *nix system).

So a limited user account _should_ be a good defense against this attack on the MBR.

Posted by: Mark | January 8, 2008 7:34 PM | Report abuse

Bk> I say the rootkit includes many of the features and infection methods demonstrated by the eEye proof of concept.

That may be true, but it doesn't warrant calling it by the same name. A Toyota employs many of the same features and techniques as a Ford, after all. And any executable object generated by a particular compiler uses the same preambles, loader format, etc. Malware names like "BootRoot" usually refer to a specific example, not a class, and we don't even have a class here yet. By the convention you're using, any malware generated by any of the automated malware tools would go by exactly the same name, no matter what it does. Minimally, I think you should call it "a BootRoot variant".

My point is that I think the piece as written appears to attribute authorship of a piece of malware (rather than the POC on which it was based) to eEye, especially if it is excerpted in any way. My $.02, and not meant to demean the excellent quality of your work.

Posted by: antibozo | January 8, 2008 8:04 PM | Report abuse

@TJ:

"If a bad guy can alter the operating system on your computer, it's not your computer anymore."

True. But that's always been the case with Windows and still is. Only after the fact can Windows tell you your disk is corrupted - you can't stop malware from perpetrating the crime first.

It's not much more difficult to design a secure system than it is to design a system with no thought for security. Such as a standalone system. Such as what Windows really is. But it's a lot more difficult to go back after years and years and start applying band-aids everywhere.

Roses are red/violets are blue/I own this computer/And so do I/And so do I/And so do I/And...

They estimate 80% of all Windows PCs are infected with 30 pieces of malware each. Who of these computer owners can claim those boxes are still theirs? This one isn't even close, man. Smell the caffeine. ;)

Posted by: Rick | January 9, 2008 1:15 AM | Report abuse

@antibozo:

Can't disagree more. I didn't get that implication at all. No one I've mentioned the article to did either.

Posted by: Rick | January 9, 2008 1:17 AM | Report abuse

Rick> Can't disagree more.

So if you were to see the following quotation out of context:

"Indeed, that appears to be the main purpose of the BootRoot rootkit, which has been spotted on at least 5,000 Windows PCs, according to an analysis being released today by iDefense, a unit of security giant Verisign Inc."

You wouldn't interpret that as saying that eEye's proof-of-concept has been spotted on at least 5000 Windows PCs?

Posted by: antibozo | January 9, 2008 1:32 AM | Report abuse

@bozo

You can't read the post?

Where are you going with this chatter and whining about what BK decides to name the MBR rootkit? Honestly! "MBR Rootkit" doesn't exactly roll off the tongue.

"So if you were to see the following quotation out of context:"

That's why it's called "OUT OF CONTEXT"

Sheesh.

Anyway, props to BK for staying on the cutting edge.

Posted by: antibozo-watch | January 9, 2008 3:37 AM | Report abuse

Perhaps you've never heard of the practice, but it is commonplace for journalists to be quoted elsewhere, in which case context is lost.

Now, why am I bothering to explain basic citability to someone who thinks name calling is a clever way to insult people?

Posted by: antibozo | January 9, 2008 3:50 AM | Report abuse

Brian, you mention that GMER detects this rootkit, but I'm curious about whether Rootkit Revealer works also. Additionally, would running the fixmbr command from the Recovery Console (keeping in mind the normal caveats for using fixmbr) kill this pest?

Posted by: slgrieb | January 9, 2008 11:53 AM | Report abuse

Just out of curiosity, how do they come up with the number of infected PCs for these types of reports? Is it an estimate or are people capable of telling what malware are on PCs not under their control? Do they tell the people who own the PCs they find malware on that their PC is infected or do they just "tell the world" and hope the infected person is "listening"?

Posted by: Kevin | January 9, 2008 12:54 PM | Report abuse

@slgrieb - I believe Richard told me that Rootkit Revealer -- now distributed by Microsoft (for free) -- was among the tools that failed to detect this.

Assuming that complete removal of the malware and the rootkit was possible, then short of reformatting and reinstalling... no doubt FixMBR would come into play. However, I doubt any security professional would advocate any other remediation approach than to wipe and reformat, given such a total and complete compromise of the system.

Posted by: Bk | January 9, 2008 1:28 PM | Report abuse

Brian:

In your final paragraph, you say:

"Also, this attack method presents zero threat for Windows users who have taken my advice to run their system under a limited user account, as altering the master boot record on Windows requires the logged-in user to have all-powerful 'administrator' rights on the system."

I don't understand how this jibes with your earlier description of the rootkit firing up before Windows boots. If something runs before Windows loads, how is there any context for who is logged in?

Perhaps you meant that the rootkit couldn't gain access to the machine -- i.e., be installed in the first place -- if one runs under a limited account?

Posted by: Brendan | January 9, 2008 2:47 PM | Report abuse

@Brendan -- Yes, that is what I meant, and as near as I can tell, what I said. Not sure I understand the reason for the logical disconnect?

The attack in this case uses known vulnerabilities in Windows for which there are patches available to get its hooks into the MBR. Yet, as Verisign's research showed, even lacking those patches would not be enough to drop the malicious code into the MBR if the user was running under a limited user account.

Posted by: Bk | January 9, 2008 11:07 PM | Report abuse

> Just out of curiosity, how do they come up with the number of infected PCs for these types of reports? Is it an estimate or are people capable of telling what malware are on PCs not under their control? Do they tell the people who own the PCs they find malware on that their PC is infected or do they just "tell the world" and hope the infected person is "listening"?

Kevin asks the million dollar question. How exactly do they claim that thousands of PCs are infected with these rootkits if antivirus and antimalware programs can't find them?

Posted by: Samas | January 10, 2008 3:20 PM | Report abuse

Brian:

Thanks for following up. I'm sorry if I misread your last paragraph, but I did at first understand it to mean that the MBR was altered during boot-up by the rootkit, not that the MBR was altered while the system was up and running (and someone was logged in).

My bad.

Posted by: Brendan | January 10, 2008 6:16 PM | Report abuse

The BBC News web site has picked up on the new rootkit malware (or whatever you want to call it). Check the Technology page.

Posted by: SSMD | January 11, 2008 3:47 PM | Report abuse

So, I have a friend who dual-booted his brother's computer with Ubuntu & Windows for him once. His brother never used Ubuntu, but when he got the new computer he had a very odd request. He wanted GRUB. For some reason, he really really liked the GRUB bootloader. So, I have to ask: if the user has a different bootloader, such as GRUB or LILO, installed on the MBR and simply chainlinking to start Windows, can this still affect them?

Posted by: Mackenzie | January 16, 2008 1:18 AM | Report abuse

Also, any word on AVG Free Rootkit Detector's abilities to find this one?

Posted by: Mackenzie | January 16, 2008 1:24 AM | Report abuse

Mackenzie, interesting question re grub. According to the write-up linked in the article, the stealth MBR rootkit saves a copy of the original MBR at sector 62, and boots that after trapping INT13. So I think the rootkit would still work against a system that uses grub or lilo as the bootloader.

Posted by: antibozo | January 17, 2008 3:56 AM | Report abuse

I have had the Trojan since October 2006. When I use the erase method US DoD 5220.22-M (low-level format), I use Active@ KillDisk v4.1. When I reboot for the second time and press pause, I see on my screen:

InitDiskillegal partition table *
drive 00 sector 0
illegal partition table * drive 00 sector 0
illegal partition table * drive 00 sector 0
illegal partition table * drive 00 sector 0

I have used TestDisk 6.9 to clean the partition and MBR. And then I used Doctor Partition Table 3.6 to rebuild the partition table and MBR. After the reboot it's gone. But when I format with XP or Vista it's back. I have tried everything. Rootkit Unhooker 3.7 sees it, and when I unhook it it's gone. But when I reboot it's back. And many friends have it also. Is there someone who knows how I can fix it? Sorry for my English.

Posted by: Needs Help | January 19, 2008 5:49 PM | Report abuse

I've recently come into contact with this so-called rootkit. It comes up as "not-a-virus risk tool" or "not-a-virus ad-tool", "hide windows". ZoneAlarm Security Suite caught it. I got it from a Windows XP Corp OS that I downloaded from Pirate Bay, and it showed up only after being infected. I also downloaded Nero; it came up in the scan of the download. It was the second version, the "not-a-virus adtool". It hasn't caused me any problem because I'm smart enough not to do any transactions online.

Posted by: bugzonsmack | February 22, 2008 10:52 AM | Report abuse


© 2010 The Washington Post Company