Posted by Cleber on Jan 12, '08 7:08 PM for everyone
Rootkits Designed to Hide by Replacing the Master Boot Record for One of Their Own

GLENDALE, Calif., Jan. 10 /PRNewswire/ -- PandaLabs, Panda Security's malware analysis and detection laboratory, has detected the appearance of Trojans that include rootkits (MBRtool.A, MBRtool.B, MBRtool.C, etc.) designed to replace the master boot record (MBR), the first or zero sector of the hard disk, for one of their own. A rootkit is a program designed to take fundamental control of a computer system, without authorization by the system's owners and legitimate managers. This new form of attack is a revolutionary use of rootkits, making it even more difficult to detect the associated malicious code.

"This system of attack makes it practically impossible to detect the rootkits and the malicious code they hide once they are installed on a computer," said Luis Corrons, technical director of PandaLabs. "The only feasible defense is to detect these rootkits before they enter the computer. In anticipation of other similar malicious code that may appear, it is essential to use proactive technologies that can detect threats without having previously identified them."

The aim of rootkits when employed by cyber-crooks is to hide the action of malware, making it more difficult to detect. Until now, rootkits were installed in system processes, but the new strains detected by PandaLabs are installed on a part of the hard disk that runs even before the operating system starts up. When one of these new rootkits is run on a system, it makes a copy of the existing MBR, modifying the original with malicious instructions. This means if there is an attempt to access the MBR, the rootkit will redirect to the genuine one, preventing users or applications from finding anything suspicious.

The modifications made mean that when a user starts up the computer, the manipulated MBR will run before the operating system is loaded. At that moment, the rootkit will run the rest of its code, thereby completely hiding itself and any associated malicious code. Until now, rootkits were used to hide extensions or processes, but these new examples can trick systems directly. Its location means that users won't notice any anomaly in any system processes, as the rootkit loaded in memory will be monitoring all access to the disk to make any of its associated malware invisible to the system.

Users should take precautions against this new type of threat, and not run any file from unknown sources. To remove the malicious code, infected users should start up their computers using a boot CD so as not to run the MBR. Then, they would have to restore the MBR using a utility like fixmbr in the Windows recovery console if this operating system is installed.

"These rootkits can also affect other platforms, such as Linux, as their action is independent of the operating system installed on the computer," added Corrons.

About PandaLabs

Since 1990, PandaLabs' mission has been to analyze new threats as rapidly as possible to keep its clients safe. Several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.), work 24/7 to provide global coverage. To achieve this, they also have the support of TruPrevent(R) Technologies, which act as a global early-warning system made up of strategically distributed sensors to neutralize new threats and send them to PandaLabs for in-depth analysis. According to Av.Test.org, PandaLabs is currently the fastest laboratory in the industry in providing complete updates to users. More information is available in the PandaLabs blog (http://www.pandalabs.com).

About Panda Security

Panda Security is one of the world's leading IT security providers, with millions of clients across more than 200 countries and products available in 23 languages. Its mission is to develop and provide global solutions to keep clients' IT resources free from the damage inflicted by viruses and other computer threats, at the lowest possible total cost of ownership.

Panda Security proposes a new security model, designed to offer a robust solution to the latest cyber-crime techniques. This is manifest in the performance of the company's technology and products, with detection ratios well above average market standards and most importantly, providing greater security for its clients. For more information and evaluation versions of all Panda Security solutions, visit our website at: http://www.pandasecurity.com.
 SOURCE Panda Security
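
Because the release says a resident rootkit redirects MBR reads to its saved genuine copy, an integrity check of sector 0 is only meaningful when run from the boot-CD environment it recommends. The Python below is an added example, not code from Panda Security: it parses sector 0, hashes the boot code and compares it with a hash recorded while the disk was known clean. The function names, the baseline and the sample sector are assumptions constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # bootstrap code area of a classic MBR
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"   # boot signature at offset 510


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the used partition entries of sector 0."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("sector 0 must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    code_hash = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"boot_code_sha256": code_hash, "partitions": parts}


def boot_code_matches(sector: bytes, baseline_sha256: str) -> bool:
    """True if the boot code equals the hash recorded when the disk was clean."""
    return parse_mbr(sector)["boot_code_sha256"] == baseline_sha256


def read_sector0(path: str) -> bytes:
    """Read sector 0 from a raw image or device, opened from rescue media."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def constructed_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: boot code, one active type-0x07 partition, signature."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 204800)
    return boot_code.ljust(PART_TABLE_OFF, b"\x00") + entry + bytes(48) + SIGNATURE
```

A mismatch says only that the boot code changed since the baseline was taken; a legitimate reinstall or a fixmbr run also changes it, so the baseline has to be refreshed after any intended change.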
