New Rootkit Hides In the Master Boot Record

A new rootkit is spreading on Windows XP systems. It hides in the master boot record, so once installed it is harder to detect and remove than a rootkit that lives in files on the Windows partition.

According to the anonymous developer of GMER, a free rootkit detector, the new rootkit is a modified version of the BootRoot code released in 2005 by eEye Digital Security. BootRoot debuted at Black Hat USA 2005 as a proof of concept showing that the Windows kernel can be subverted by code that runs before the kernel itself is loaded.

The new rootkit overwrites the master boot record (MBR) of an affected system so that on the next reboot its code runs before the operating system is loaded. From that position it patches the Windows kernel as it loads and takes control of overall Windows behavior.

Detecting the new rootkit is harder than with many other rootkits, but certainly not impossible. Because the rootkit is already active by the time Windows is running, inspect the MBR from a trusted boot environment rather than from the infected system. Removal is straightforward: boot into the Windows XP Recovery Console from the installation CD and run the 'fixmbr' command, which rewrites the MBR boot code with the standard Windows code while leaving the partition table intact; with the rootkit's boot code gone, the kernel patch is no longer applied at startup.
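The check a practitioner would want here is the one the two paragraphs above imply: read the first sector of the disk and compare it against a known-good copy, looking separately at the 440-byte boot code and the partition table, since a bootkit of this kind leaves the partition table alone (the system must still boot) and replaces only the boot code. The following C program is an added example written for this article, not code from GMER, eEye or the rootkit; it parses a 512-byte MBR and classifies it against a baseline. The two sample sectors are constructed inline (the boot code bytes are a stand-in pattern, not real loader code) so the program runs offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MBR_SIZE     512
#define BOOTCODE_LEN 440   /* bytes 0..439: boot code; 440..445 hold the disk signature/padding */
#define PTABLE_OFF   446   /* four 16-byte partition entries */
#define SIG_OFF      510   /* boot signature 0x55 0xAA */

enum mbr_verdict { MBR_OK = 0, MBR_BAD_SIG = 1, MBR_BOOTCODE_CHANGED = 2, MBR_PTABLE_CHANGED = 3 };

struct partition {
    uint8_t  status;      /* 0x80 = active/bootable */
    uint8_t  type;        /* 0x07 = NTFS, 0x00 = unused */
    uint32_t lba_start;   /* first sector, stored little-endian on disk */
    uint32_t sectors;     /* length in sectors */
};

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse the partition table. Returns 1 on a valid boot signature, 0 otherwise. */
int parse_mbr(const uint8_t *mbr, struct partition out[4]) {
    if (mbr[SIG_OFF] != 0x55 || mbr[SIG_OFF + 1] != 0xAA) return 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + PTABLE_OFF + 16 * i;
        out[i].status    = e[0];
        out[i].type      = e[4];
        out[i].lba_start = le32(e + 8);
        out[i].sectors   = le32(e + 12);
    }
    return 1;
}

/* Compare a freshly read MBR with a trusted baseline. The partition table
 * (64 bytes at offset 446) and the boot code (first 440 bytes) are checked
 * separately: "boot code changed, table unchanged" is the bootkit pattern. */
enum mbr_verdict check_mbr(const uint8_t *mbr, const uint8_t *baseline) {
    struct partition cur[4], ref[4];
    if (!parse_mbr(mbr, cur) || !parse_mbr(baseline, ref)) return MBR_BAD_SIG;
    if (memcmp(mbr + PTABLE_OFF, baseline + PTABLE_OFF, 64) != 0) return MBR_PTABLE_CHANGED;
    if (memcmp(mbr, baseline, BOOTCODE_LEN) != 0) return MBR_BOOTCODE_CHANGED;
    return MBR_OK;
}

/* Constructed sample: a clean MBR with one active NTFS partition starting at LBA 63.
 * The boot-code area holds a repeating filler pattern, not a real loader. */
void make_clean_mbr(uint8_t *buf) {
    memset(buf, 0, MBR_SIZE);
    for (int i = 0; i < BOOTCODE_LEN; i++) buf[i] = (uint8_t)(0x90 + (i & 0x0F));
    uint8_t *e = buf + PTABLE_OFF;
    e[0] = 0x80;                 /* active */
    e[4] = 0x07;                 /* NTFS */
    put_le32(e + 8, 63);         /* start LBA */
    put_le32(e + 12, 20971520);  /* 10 GiB in 512-byte sectors */
    buf[SIG_OFF] = 0x55; buf[SIG_OFF + 1] = 0xAA;
}

/* Constructed sample: the same disk after a bootkit replaced the boot code but
 * kept the partition table and signature so Windows still boots. */
void make_infected_mbr(uint8_t *buf) {
    make_clean_mbr(buf);
    buf[0] = 0xEB; buf[1] = 0x3C;            /* illustrative short jmp into new loader */
    for (int i = 2; i < 64; i++) buf[i] = 0xCC;
}

int main(void) {
    static const char *names[] = { "OK", "bad signature", "boot code changed", "partition table changed" };
    uint8_t clean[MBR_SIZE], infected[MBR_SIZE];
    make_clean_mbr(clean);
    make_infected_mbr(infected);
    printf("clean vs baseline:    %s\n", names[check_mbr(clean, clean)]);
    printf("infected vs baseline: %s\n", names[check_mbr(infected, clean)]);
    return 0;
}
```

To run this against a real disk, replace the constructed buffers with sector 0 read raw (on Windows, 512 bytes from \\.\PhysicalDrive0 via CreateFile/ReadFile; on Linux, dd if=/dev/sda bs=512 count=1), and take both the baseline and the live read from trusted boot media: a rootkit that has already patched the running kernel is in a position to filter what a disk read from inside that system returns.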
