Slashdot Mirror


New "Mebroot" MBR-Modifying Rootkit Analyzed

I Don't Believe in Imaginary Property writes "F-Secure has a writeup on a highly obfuscated, advanced new rootkit they recently discovered which uses a number of old techniques like MBR modification in new ways. It modifies the MBR, starts up its downloader with an ntoskrnl.exe hook set to nt!Phase1Initialization (which conveniently removes it from memory afterwards), and hooks IRP_MJ_READ and IRP_MJ_WRITE in disk.sys to hide itself in empty sectors. It also bypasses software firewalls by calling the NDIS API directly, using a 'code pullout' technique to load just the parts of ndis.sys that it needs. F-Secure believes it was written by professionals who are after financial information."
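
One defensive check the summary suggests is to baseline the MBR boot code and look for data parked in the unpartitioned sectors between the MBR and the first partition. The following is an added example, not F-Secure's code; the disk images, the baseline hash and the "payload" bytes are all constructed inline for illustration.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446  # bytes 0..445 hold boot code, then 4 x 16-byte partition entries, then 0x55AA

def parse_mbr(mbr):
    """Split a 512-byte MBR into a boot-code hash, the used partition entries and the signature check."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, BOOT_CODE_LEN + 16 * i)
        if ptype:  # type 0 means an unused slot
            parts.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": mbr[510:512] == b"\x55\xAA",
    }

def check_disk_image(image, baseline_boot_hash):
    """Return findings: boot code drifting from a known-good hash, and any non-zero sector
    in the gap before the first partition, where an MBR rootkit can stash its payload."""
    findings = []
    info = parse_mbr(image[:SECTOR])
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline")
    if info["partitions"]:
        first_lba = min(p["lba_start"] for p in info["partitions"])
        for lba in range(1, first_lba):
            if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
                findings.append(f"non-zero data in unpartitioned sector {lba}")
    return findings

def make_mbr(boot_code, lba_start, sectors):
    """Build a constructed MBR with one active NTFS-typed partition entry."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, lba_start, sectors)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + b"\x55\xAA"

def build_samples():
    """Constructed 64-sector images: a clean one, and a copy with patched boot code
    plus a payload written into unpartitioned sector 60 (hypothetical infection)."""
    clean = make_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", 63, 1) + b"\x00" * SECTOR * 63
    baseline = hashlib.sha256(clean[:BOOT_CODE_LEN]).hexdigest()
    infected = bytearray(clean)
    infected[0:4] = b"\xe9\x00\x01\x90"           # constructed: jump redirected into a loader
    infected[60 * SECTOR:60 * SECTOR + 8] = b"PAYLOAD!"  # constructed: hidden-sector payload
    return clean, bytes(infected), baseline
```

The baseline hash would in practice be recorded from a known-clean system and compared against a read that bypasses the running OS (for example, from boot media), since the summary notes the rootkit hooks disk.sys reads to hide itself.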

2 of 65 comments

  1. "not written for fun" by ph0enix · Score: 4, Insightful

    This malware is very professionally written and produced. Which of course means it's not written for fun.

    Why include this swipe at amateur software development?

    Nearly all of the "professionally produced" code that I've read is horrendous and looks like it's been coded by rabid gibbons on LSD, while the best code I've read has been written by people for whom it's a labor of love. Yes, there is also plenty of ugly open-source code, but the fact that it's well written just means that the programmer cared about it.

    --
    <sigh>
  2. Re:Would these issues affect EFI to the same degre by VitaminB52 · Score: 3, Insightful

    the originators should have no reason to sell this technology. The more crackers that use it for their purposes, the more likely antivirus companies are going to take notice and take more immediate, drastic steps to stop it.

    That sounds a little naive. It's wrong for several reasons:

    • Not all computer users use (up-to-date) anti-virus software
    • Even fewer computer users use (up-to-date) anti-malware software
    • And, even if computer users use both up-to-date anti-virus and anti-malware software, they will be vulnerable in the time frame between the release of the rootkit and the release of the anti-rootkit software upgrade that fights it - in this time frame the rootkit writers will 'make' more money than most Slashdot users during their whole life