Security Flaw in Vista and XP - Rootkit exploit in the wild

In early December 2007 a new rootkit that hides itself in the Master Boot Record (MBR) of a user's disk was spotted in the wild. Up until then this technique had only been a proof of concept (POC).

This shows how much effort rootkit authors are putting into creating new ways of evading anti-rootkit software. It is a new attack vector for malware writers and gives them control from outside the operating system.

This rootkit uses the MBR flaw: the MBR can be written to from within Windows.

The rootkit installs itself (244K) in the last sectors of the user's disk and then modifies other sectors, including sector 0. Its code runs before the PC boots into XP, Vista or NT, so it has full control of the boot process and can install and run any application it wants without you, or XP, Vista or NT, knowing about it.

GMER has written an excellent write-up on the MBR rootkit that goes into more depth on the issue.

GMER's anti-rootkit software can indeed find the rootkit.

[Image: GMER detecting the MBR rootkit (gmer-finds-mbr-rootkit.jpg)]

The rootkit files cannot be removed from within XP, Vista or NT; they must be removed while the PC is not running the rootkit code.

Until the MBR security flaw within the NT code is fixed, we will all soon be riddled with MBR rootkits.
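The two observations above, that sector 0 is modified and that the rootkit body is parked in the last sectors of the disk outside any partition, are enough for a simple offline integrity check. The following is an added example, not code from this post or from GMER: it parses an MBR, hashes the boot code against a known-good copy, and scans the unpartitioned tail of the disk for non-zero sectors. The disk image, the "clean" boot code bytes and the partition layout are all constructed in memory for the example; against a real drive you would read the same byte ranges from the physical device, and, as the post says about removal, you would do it with the rootkit not running, from boot media rather than the installed OS, because a running rootkit can filter what the OS reads back from sector 0.

```python
"""Offline MBR integrity check (added example, not the post's or GMER's code).

Models the post's two observations about the MBR rootkit:
  1. sector 0 (the MBR) is modified, so its boot code no longer matches a known-good copy;
  2. the rootkit body is written to the last sectors of the disk, outside any partition.
The disk image below is constructed in memory so the check runs offline.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 of the MBR hold the boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector0: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, used partition entries and signature."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (3 bytes, skipped), LBA start, LBA count
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype != 0:
            entries.append({"status": status, "type": ptype,
                            "lba_start": lba_start, "lba_count": lba_count})
    return {
        "boot_code_sha256": hashlib.sha256(sector0[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector0[510:512] == MBR_SIGNATURE,
    }


def unpartitioned_tail(mbr: dict, total_sectors: int) -> range:
    """Sectors after the end of the last partition: the area the post says the rootkit uses."""
    end = max((p["lba_start"] + p["lba_count"] for p in mbr["partitions"]), default=1)
    return range(end, total_sectors)


def check_disk(image: bytes, known_good_boot_sha256: str) -> dict:
    """Return the integrity findings for a raw disk image (bytes of consecutive sectors)."""
    total = len(image) // SECTOR
    mbr = parse_mbr(image[:SECTOR])
    tail = unpartitioned_tail(mbr, total)
    nonzero_tail = [lba for lba in tail if any(image[lba * SECTOR:(lba + 1) * SECTOR])]
    modified = mbr["boot_code_sha256"] != known_good_boot_sha256
    return {
        "signature_ok": mbr["signature_ok"],
        "boot_code_modified": modified,
        "tail_sectors": len(tail),
        "nonzero_tail_sectors": nonzero_tail,
        "suspicious": modified or bool(nonzero_tail),
    }


# ---- constructed sample data (not real boot code, not the rootkit) ----
def build_mbr(boot_code: bytes, partitions) -> bytes:
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(struct.pack("<B3xB3xII", s, t, start, count)
                     for s, t, start, count in partitions).ljust(64, b"\x00")
    return body + table + MBR_SIGNATURE


CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"   # constructed stand-in for real boot code
KNOWN_GOOD = hashlib.sha256(CLEAN_BOOT_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()
TOTAL_SECTORS = 64
PARTS = [(0x80, 0x07, 1, 50)]   # one bootable NTFS-type partition, LBA 1..50; LBA 51..63 unpartitioned


def make_image(infected: bool) -> bytes:
    boot = CLEAN_BOOT_CODE
    if infected:
        boot = b"\x90\x90" + CLEAN_BOOT_CODE    # constructed: boot code differs from the baseline
    image = bytearray(build_mbr(boot, PARTS)) + bytes(SECTOR * (TOTAL_SECTORS - 1))
    if infected:
        for lba in range(60, 64):               # constructed: payload in the disk's last sectors
            image[lba * SECTOR:(lba + 1) * SECTOR] = b"\x90" * SECTOR
    return bytes(image)


if __name__ == "__main__":
    for label, infected in (("clean", False), ("infected", True)):
        print(label, check_disk(make_image(infected), KNOWN_GOOD))
```

The known-good hash has to come from a trusted source, such as the MBR written by the installer or a snapshot taken before the disk went into service; comparing against the live system's own sector 0 is worthless once the rootkit is installed, which is the same reason the post says removal must happen with the rootkit not running.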

Keep Safe,

regards,

Steo - www.antirootkit.com


16 Responses to “Security Flaw in Vista and XP - Rootkit exploit in the wild”

  1. Security Flaw in Vista and XP - Rootkit exploit in the wild - Donna's SecurityFlash Says:

    […] http://www.antirootkit.com/blog/2008/01/03/security-flaw-in-vista-and-xp-rootkit-exploit-in-the-wild/ Published Saturday, January 05, 2008 8:35 AM by donna […]

  2. Blog do Anderson Thiago (a.k.a Anderson T) : Rootkit uses MBR flaw to gain full control of Windows Says:

    […] Rootkit uses MBR flaw to gain full control of Windows. In early December 2007, a rootkit that hid itself in the MBR was found, being yet another proof of concept (POC). This rootkit takes advantage of a flaw in the MBR to install itself and, once it is done, has full control over the operating system (XP, NT and Vista). This POC is one more example of rootkit authors developing ever more complex techniques to get around anti-rootkit software. The steps followed by this kind of rootkit are: it installs itself in the last sectors of the user's disk drive; it modifies other sectors; it modifies sector 0 and installs itself there. From that point on, the rootkit runs even before Windows starts, and can install or run any kind of malicious code without the user and/or Windows knowing what is happening, with complete control. GMER's Anti Rootkit software can locate this new kind of attack vector, but cannot remove it from within Windows. For removal to be possible, the rootkit code must not be running, so the disk drive must not be booted. Source: Anti Rootkit Blog. Published Saturday, January 05, 2008 3:41 PM by Anderson T. Post tags: Flaw, Windows, Security, Rootkit, MBR […]

  3. MBR Rootkit: A Web Threat? | TrendLabs | Malware Blog - by Trend Micro Says:

    […] http://www.antirootkit.com/blog/2008/01/03/security-flaw-in-vista-and-xp-rootkit-exploit-in-the-wild/ […]

  4. Richard Says:

    MBR rootkits don't work on Windows Vista because Derek's code doesn't support Vista. For an MBR rootkit to work on Vista it has to be based on VBOOTKIT,
    as Vista's booting process is totally different from XP's.

  5. steo Says:

    Hi Richard,
    indeed this particular rootkit does not work on Vista.
    I think the main point here is that the MBR in Vista can be written to. Later versions can target Vista because of this.
    regards
    Steo

  6. Information Web Net » Blog Archive » MBR Rootkit: A Web Threat? Says:

    […] James Cridland wrote an interesting post today. Have a look for yourself. Here's an excerpt; read the full story at the blog. More information at: http://www.antirootkit.com/blog/2008/01/03/security-flaw-in-vista-and-xp-rootkit-exploit-in-the-wild/; http://www2.gmer.net/mbr/. Update courtesy of Senior Escalation Engineers Joseph Cepe and Marvin Cruz. […]

  7. מתקנים מתנפחים Says:

    I heard about rootkits so much.
    I plan to work in Vista in a few months.
    When will you have a solution for that?

  8. ManBearPig Says:

    Thanks for the good info

  9. Spyware Remover Help » Blog Archive » Stealth techniques in rootkits Says:

    […] Some days ago MR Team members warned that a new stealth technique was being used by some rootkits. […]

  10. מצלמות אבטחה Says:

    Thanks a Lot!

  13. Runescape Forums Says:

    Thanks for the flaw :D

    I posted it at
    Hacking Forums
    Thanks !
