Security Flaw in Vista and XP - Rootkit exploit in the wild

In early December 2007 a new rootkit that hides itself in the Master Boot Record (MBR) of a user's disk was spotted in the wild. Up until then this had been more of a proof of concept (POC).

This goes to show how much effort rootkit authors are putting into creating new ways of evading anti-rootkit software. This is a new attack vector for malware writers, and it gives them control from outside the operating system.

This rootkit uses the MBR flaw: the MBR can be written to from within Windows.

The rootkit installs itself (244K) on the last sectors of the user's disk and then modifies other sectors, including sector 0. The code runs before your PC boots into XP, Vista or NT and has full control of the boot process, which means it can install and run any application it wants without you, or XP, Vista or NT, knowing about it.
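Because the rootkit's persistence depends on rewriting sector 0, a defender can baseline the boot code while the disk is known clean and re-check an offline copy of sector 0 later. The following Python script is an added example, not code from the original post or from GMER: it parses the 512-byte MBR layout (440 bytes of boot code, four 16-byte partition entries at offset 446, the 0x55AA marker at bytes 510-511), hashes the boot code and reports deviations. The MBR bytes, the "tampered" copy and the baseline hash are all constructed here for the demonstration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # boot code; bytes 440-445 hold the disk signature/padding
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # mandatory marker at bytes 510-511

def parse_mbr(sector):
    """Split a 512-byte sector 0 image into boot code hash, partitions and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }

def check_mbr(sector, baseline_boot_hash):
    """Compare sector 0 against a known-good baseline; an empty list means no findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    return findings

# Constructed sample: zeroed boot code plus one active NTFS-type partition entry.
_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
CLEAN_MBR = bytes(PART_TABLE_OFF) + _ENTRY + bytes(48) + BOOT_SIGNATURE
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]  # record while the disk is known clean
# Constructed "modified" copy: first boot-code bytes overwritten, partition table untouched.
TAMPERED_MBR = b"\x90" * 8 + CLEAN_MBR[8:]

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE_HASH) or "OK")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

On a real system the sector image would be read from a raw disk device while booted from clean media, since, as the post notes, the running rootkit controls what the installed OS sees.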

GMER has written an excellent write-up on the MBR rootkit that goes into more depth on the issue.

Indeed, GMER's anti-rootkit software can find the rootkit.

[Screenshot: gmer-finds-mbr-rootkit.jpg, GMER detecting the MBR rootkit]

The rootkit files cannot be removed from within XP, Vista or NT; they must be removed while the PC is not running the rootkit code.

Until the MBR security flaw in the NT code is fixed, we will all soon be riddled with MBR rootkits.

Keep Safe,

regards,

Steo - www.antirootkit.com


11 Responses to “Security Flaw in Vista and XP - Rootkit exploit in the wild”

  1. Security Flaw in Vista and XP - Rootkit exploit in the wild - Donna's SecurityFlash Says:

    […] http://www.antirootkit.com/blog/2008/01/03/security-flaw-in-vista-and-xp-rootkit-exploit-in-the-wild/ Published Saturday, January 05, 2008 8:35 AM by donna […]

  2. Blog do Anderson Thiago (a.k.a. Anderson T): Rootkit uses MBR flaw to take full control of Windows Says:

    […] Rootkit uses MBR flaw to take full control of Windows. In early December 2007, a rootkit that hid itself in the MBR was found, being yet another proof of concept (POC). This rootkit takes advantage of a flaw in the MBR to install itself and, once it is done, has full control over the operating system (XP, NT and Vista). This POC is one more example that rootkit authors are developing ever more complex techniques to get around anti-rootkit software. The steps followed by this type of rootkit are: it installs itself in the last sectors of the user's disk drive; it modifies other sectors; it modifies sector 0 and installs itself there. From then on, the rootkit runs even before Windows starts, and can install/run any kind of malicious code without the user and/or Windows knowing what is happening, and with complete control. GMER's Anti Rootkit software can locate this new kind of attack vector, but cannot remove it from within Windows. For removal to be possible, the rootkit code must not be running, so the disk drive cannot be booted. Source: Anti Rootkit Blog. Published Saturday, January 05, 2008 3:41 PM by Anderson T. Post tags: Flaw, Windows, Security, Rootkit, MBR […]

  3. MBR Rootkit: A Web Threat? | TrendLabs | Malware Blog - by Trend Micro Says:

    […] http://www.antirootkit.com/blog/2008/01/03/security-flaw-in-vista-and-xp-rootkit-exploit-in-the-wild/ […]

  4. Richard Says:

    MBR rootkits don't work on Windows Vista because Derek's code doesn't support Vista. For an MBR rootkit to work on Vista it has to be based on VBOOTKIT,
    as the Vista booting process is totally different from XP's.

  5. steo Says:

    Hi Richard,
    indeed this particular rootkit does not work on Vista.
    I think the main point here is that the MBR in Vista can be written to. Later versions can target Vista because of this.
    regards
    Steo

  6. Information Web Net » Blog Archive » MBR Rootkit: A Web Threat? Says:

    […] James Cridland wrote an interesting post today. Have a look for yourself. Here's an excerpt; read the full story at the blog. More information at: http://www.antirootkit.com/blog/2008/01/03/security-flaw-in-vista-and-xp-rootkit-exploit-in-the-wild/; http://www2.gmer.net/mbr/. Update courtesy of Senior Escalation Engineers Joseph Cepe and Marvin Cruz. […]

  7. מתקנים מתנפחים Says:

    I have heard about rootkits so much.
    I plan to work in Vista in a few months.
    When will you have a solution for that?

  8. ManBearPig Says:

    Thanks for the good info

  9. Spyware Remover Help » Blog Archive » Stealth techniques in rootkits Says:

    […] Some days ago MR Team members warned that a new stealth technique was being used by some rootkits. […]

  10. מצלמות אבטחה Says:

    Thanks a Lot!

  11. wow gold Says:

    Welcome to usfine for Age Of Conan gold and AoC powerleveling service.
