Saturday, January 5, 2008

BootRoot Rootkit PoC in the Wild

Via Prevx Blog -

In 2005, researchers from eEye Digital Security published a new project called BootRoot. It was essentially a new kind of rootkit that tried to subvert Windows from the outside: it overwrote the Master Boot Record with its own code, which was able to modify the Windows driver ndis.sys from startup.

A few days ago GMER, author of one of the best-known free anti-rootkit tools, published a detailed article on what looks like a new trend in infections: sadly, the BootRoot proof of concept is now in the wild.

We can confirm this because we've had reports of an infection during the same period shown in GMER's paper, discovered by MR Team members Tammy and MJ.

The infection is spread through websites that host exploits targeting older, out-of-date software and operating systems. This infection vector was seen often during 2006 and 2007 - Gromozon is only one example.

After the dropper is executed, it overwrites the master boot record with its own code and stores a copy of the original master boot record at sector 62 of the hard disk, prepending some of the code needed to get the infection working. Code is also written to sectors 60 and 61. The rootkit driver is then stored in free, unused space on the hard disk, usually in the last sectors. The code stored in the MBR is responsible for getting the driver loaded into the system.

At the next boot (the malware can schedule a reboot by itself), the new code in the MBR hooks Int 13h, giving it full control over what the operating system loads and letting it hook the Windows kernel on the fly.
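As an added example (not code from Prevx, GMER or eEye), the following Python models the on-disk layout described above and checks a raw disk image for it from a defender's side: non-zero sectors in the normally empty gap between the MBR and the first partition, and a second boot sector with the same partition table but different boot code parked at LBA 62. It assumes 512-byte sectors and a first partition starting at LBA 63 (the typical Windows XP layout); the test images are constructed inline.

```python
import struct

SECTOR = 512
MBR_SIG = b"\x55\xaa"

def sector(img: bytes, n: int) -> bytes:
    """Return LBA sector n of an in-memory raw disk image."""
    return img[n * SECTOR:(n + 1) * SECTOR]

def first_partition_start(mbr: bytes) -> int:
    """Starting LBA of the first partition entry (table at 0x1BE, LBA field at +8)."""
    return struct.unpack_from("<I", mbr, 0x1BE + 8)[0]

def scan_mbr_gap(img: bytes) -> dict:
    """Heuristic check for the layout in the post: code in sectors 60/61 and a
    saved copy of the original MBR at sector 62. Assumes the gap between the
    MBR and the first partition (LBA 1..62 on an XP-style disk) is zero-filled."""
    mbr = sector(img, 0)
    findings = {"mbr_signature_ok": mbr[510:512] == MBR_SIG,
                "nonzero_gap_sectors": [], "saved_mbr_at_62": False}
    for lba in range(1, min(first_partition_start(mbr), 63)):
        if any(sector(img, lba)):
            findings["nonzero_gap_sectors"].append(lba)
    s62 = sector(img, 62)
    # A parked original MBR ends in 55 AA, carries the same partition table as
    # sector 0, but its boot code region differs from the code now in sector 0.
    findings["saved_mbr_at_62"] = (s62[510:512] == MBR_SIG
                                   and s62[0x1BE:0x1FE] == mbr[0x1BE:0x1FE]
                                   and s62[:0x1BE] != mbr[:0x1BE])
    findings["suspicious"] = bool(findings["nonzero_gap_sectors"]) or findings["saved_mbr_at_62"]
    return findings

def build_image(infected: bool) -> bytes:
    """Constructed 64-sector test image (not a real disk dump)."""
    # One bootable NTFS-type entry starting at LBA 63, 2048 sectors long.
    ptable = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 2048) + bytes(48)
    clean_mbr = b"\xEB\xFE" + bytes(0x1BE - 2) + ptable + MBR_SIG
    sectors = [clean_mbr] + [bytes(SECTOR)] * 63
    if infected:
        # Sector 0 gets different boot code but keeps the partition table;
        # 60/61 hold filler standing in for loader code; 62 holds the old MBR.
        sectors[0] = b"\xB8\x00\x00" + bytes(0x1BE - 3) + ptable + MBR_SIG
        sectors[60] = sectors[61] = b"\x90" * SECTOR
        sectors[62] = clean_mbr
    return b"".join(sectors)

if __name__ == "__main__":
    print(scan_mbr_gap(build_image(True)))
```

On a real system the same checks would be run over the first 63 sectors read from the raw disk device, and a disk whose first partition starts elsewhere (for example at LBA 2048) needs the gap range adjusted accordingly.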

------------------------------------

eEye Digital Security: BootRoot PoC
