New "Mebroot" MBR-Modifying Rootkit Analyzed

I Don't Believe in Imaginary Property writes "F-Secure has a writeup on a highly obfuscated, advanced new rootkit they recently discovered which uses a number of old techniques like MBR modification in new ways. It modifies the MBR, starts up its downloader with an ntoskrnl.exe hook set to nt!Phase1Initialization (which conveniently removes it from memory afterwards), and hooks IRP_MJ_READ and IRP_MJ_WRITE in disk.sys to hide itself in empty sectors. It also bypasses software firewalls by calling the NDIS API directly, using a 'code pullout' technique to load just the parts of ndis.sys that it needs. F-Secure believes it was written by professionals who are after financial information."

Re:Would these issues affect EFI to the same degre

[Hal_Porter]

Of course there are good reasons for it to replace the MBR/partion table, like running into a brick wall on the max drive size. Actually you don't need to change the Bios to get that. Currently the Bios loads sector 0 into memory and jumps into it. There's no reason why sector 0 couldn't be a GPT MBR. Pre GPT people worked out ways to allow for 64 bit LBA addresses in the partition table

http://home.no.net/tkos/info/embr.html

And the Bios has supported 64 bit LBA addresses in int 13 for ages, so there is no disk size problem for a very long time - probably many decades. Seriously, you don't need EFI to get 64 bit LBA support.