'Mebroot' proves to be a tough rootkit to crack

A rootkit uncovered in the wild in December is proving to be a real headache to detect, according to Finnish security company F-Secure.
'Mebroot' proves to be a tough rootkit to crack
IDG News Service 3/4/08

Jeremy Kirk, IDG News Service, London Bureau

A rootkit uncovered in the wild in December is proving to be a real headache to detect, according to Finnish security company F-Secure.
On this topic
Yesterday's SQL worms, today's problem
Welcome to the age of localized malware
Microsoft scrambles to quash 'friendly' worm story
2008 Internet Security Trends Report
Top 10 Reasons Hackers use the Web for Attacks
Get practical tips, IT news, how-tos, and the best in tech humor.

Dubbed "Mebroot," the rootkit infects the master boot record (MBR), the first sector of a PC's hard drive that the computer looks to before loading the operating system. Since it loads before anything else, Mebroot is nearly invisible to security software.

"You can't execute any earlier than that," said Mikko Hypponen, F-Secure's chief research officer.

A rootkit is a malicious program that hides deep in a computer's operating system and can be difficult to remove.

Since December, Hypponen said they've seen alpha and beta versions of the Mebroot rootkit but believe it has now been RTMed, the term usually used for a legitimate piece of software that's entered production after testing.

Once a machine is infected, the hacker controlling the rootkit has complete control over the victim's machine, opening up the potential for a variety of other attacks.

For example, the hacker could try and download other malicious software to the machine to log a person's keystrokes and collect financial or personal data.

F-Secure, which specializes in finding rootkits, says its technology is only able to "suspect" if Mebroot is on a PC. Hypponen said he couldn't reveal the techniques the company is using to make even that fuzzy guess.

The problem is that Mebroot isn't just a single file -- it injects itself into other processes running on a machine, masking its nefarious actions, Hypponen said.

Mebroot, however, can be uncovered if F-Secure's security software CD is used to boot up the PC, Hypponen said. "The one who executes first has the upper hand," he said.

Mebroot is the manifestation of what researchers thought was just theoretically possible, although the MBR on older, MS-DOS systems had been infected with rootkits. But in 2005, researchers Derek Soeder and Ryan Permeh of eEye Digital Security showed the idea was possible by producing proof-of-concept code, called "BootRoot."

But Hypponen said it was thought the highly technical engineering needed for a successful attack was beyond the reach of today's malware writers.

They were wrong. Hackers are now creating Web pages that, if visited with certain browsers with security vulnerabilities, will automatically infect a PC with Mebroot -- a technique known as a drive-by download.

Hypponen said it's unknown how widespread Mebroot is. VeriSign's iDefense Intelligence Team has said 5,000 users were infected in separate attacks on Dec. 12 and Dec. 19.
Jeremy Kirk is London correspondent for the IDG News Service