Trojans that use a new form of attack with rootkits

PandaLabs has detected the appearance of Trojans that include rootkits (MBRtool.A, MBRtool.B, MBRtool.C, etc.) designed to replace the master boot record (MBR), -the first or zero sector of the hard disk- for one of its own. This is something of a revolution in the use of rootkits, making it even more difficult to detect the associated malicious code.

The aim of rootkits when employed by cyber-crooks is to hide the action of malware, making it more difficult to detect. Until now, rootkits were installed in system processes, but the new strains detected by PandaLabs are installed on a part of the hard disk that runs even before the operating system starts up.

When one of these new rootkits is run on a system, it makes a copy of the existing MBR, modifying the original with malicious instructions. This means if there is an attempt to access the MBR, the rootkit will redirect to the genuine one, preventing users or applications from finding anything suspicious.

The modifications made mean that when a user starts up the computer, the manipulated MBR will run before the operating system is loaded. At that moment, the rootkit will run the rest of its code, thereby completely hiding itself and any associated malicious code.

Until now, rootkits were used to hide extensions or processes, but these new examples can trick systems directly. Its location means that users won’t notice any anomaly in any system processes, as the rootkit loaded in memory will be monitoring all access to the disk to make any of its associated malware invisible to the system.

Users should take precautions against this new type of threat. In particular, don’t run any file from unknown sources.

To remove the malicious code, infected users should start up their computers using a boot CD so as not to run the MBR. Then, they would have to restore the MBR using a utility like fixmbr in the Windows recovery console if this operating system is installed.