New "Mebroot" MBR-Modifying Rootkit Analyzed

I Don't Believe in Imaginary Property writes "F-Secure has a writeup on a highly obfuscated, advanced new rootkit they recently discovered which uses a number of old techniques like MBR modification in new ways. It modifies the MBR, starts up its downloader with an ntoskrnl.exe hook set to nt!Phase1Initialization (which conveniently removes it from memory afterwards), and hooks IRP_MJ_READ and IRP_MJ_WRITE in disk.sys to hide itself in empty sectors. It also bypasses software firewalls by calling the NDIS API directly, using a 'code pullout' technique to load just the parts of ndis.sys that it needs. F-Secure believes it was written by professionals who are after financial information."

Re:Would these issues affect EFI to the same degre

[ILuvRamen]

the originators should have no reason to sell this technology. The more crackers that use it for their purposes, the more likely antivirus companies are going to take notice and take more immediate, drastic steps to stop it. If it's just one group using one new rootkit that's different than a bunch of people using it for all different stuff. Btw that sounded so racist lol. CRACKER!

Re:Would these issues affect EFI to the same degre

[Anonymous Coward]

Btw that sounded so racist lol. CRACKER!

We prefer the term "honky".

Yes...

[sonicattack]

...but does it boot Linux?

I disagree.

[jd]

The Drain virus taught a lot of noobs that disk drives are not washer/dryers. The cascade virus brought new meaning to the saying that what lights up must come down. Early viruses were very educational.