New "Mebroot" MBR-Modifying Rootkit Analyz...

Submitted by I Don't Believe in Imaginary Property on Monday March 03 2008, @06:53PM
security
I Don't Believe in Imaginary Property writes "F-Secure has a writeup on a highly obfuscated, highly advanced new rootkit they recently discovered which uses a number of old techniques like MBR modification in new ways. It modifies the MBR, starts up its downloader with an ntoskrnl.exe hook set to nt!Phase1Initialization (which conveniently removes it from memory afterwards), and hooks IRP_MJ_READ and IRP_MJ_WRITE in disk.sys to hide itself in empty sectors. It also bypasses software firewalls by calling the NDIS API directly, using a 'code pullout' technique to load just the parts of ndis.sys that it needs. They believe it was made by professionals who are after financial information."
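The submission describes two on-disk footprints: a rewritten MBR and a payload stashed in "empty" sectors, with disk.sys read/write hooks hiding both from the running system. Below is an added example (not from F-Secure's writeup or the rootkit) of the offline check a responder would run against a disk image acquired from a clean boot: parse the MBR partition table, locate the unpartitioned gap between LBA 0 and the first partition, flag any non-zero sector in that gap, and diff the boot-code area against a trusted baseline. The disk image, the baseline, the partition layout (one partition starting at LBA 63) and the payload at LBA 10 are all constructed here for illustration.

```c
/* mbrcheck.c - constructed example: parse an MBR, find the unpartitioned gap
 * between LBA 0 and the first partition, and flag non-zero sectors in it.
 * Run it against an image taken offline: on a live, infected host the
 * disk.sys IRP_MJ_READ hook would hand back clean-looking sectors. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR_SIZE        512
#define PART_TABLE_OFFSET  446
#define PART_ENTRY_SIZE    16
#define SAMPLE_SECTORS     64   /* size of the constructed disk image */

typedef struct {
    uint8_t  status;        /* 0x80 = bootable */
    uint8_t  type;          /* partition type byte, 0 = unused entry */
    uint32_t lba_first;     /* first LBA of the partition */
    uint32_t sector_count;
} mbr_entry_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* 1 if the sector carries the 0x55AA boot signature. */
int mbr_has_signature(const uint8_t *sector) {
    return sector[510] == 0x55 && sector[511] == 0xAA;
}

/* Decode partition entry i (0..3); returns 0 on a bad index. */
int mbr_parse_entry(const uint8_t *sector, int i, mbr_entry_t *out) {
    if (i < 0 || i > 3) return 0;
    const uint8_t *e = sector + PART_TABLE_OFFSET + i * PART_ENTRY_SIZE;
    out->status       = e[0];
    out->type         = e[4];
    out->lba_first    = rd32le(e + 8);
    out->sector_count = rd32le(e + 12);
    return 1;
}

/* Lowest starting LBA among in-use entries; 0 if the table is empty/invalid. */
uint32_t mbr_first_partition_lba(const uint8_t *sector) {
    uint32_t lowest = 0;
    if (!mbr_has_signature(sector)) return 0;
    for (int i = 0; i < 4; i++) {
        mbr_entry_t e;
        mbr_parse_entry(sector, i, &e);
        if (e.type == 0 || e.lba_first == 0) continue;
        if (lowest == 0 || e.lba_first < lowest) lowest = e.lba_first;
    }
    return lowest;
}

/* Count non-zero sectors in LBA 1 .. first_partition-1 (the classic hiding
 * spot); first_hit receives the first such LBA, or 0 if none. */
size_t scan_unpartitioned_gap(const uint8_t *disk, size_t disk_len, uint32_t *first_hit) {
    size_t hits = 0;
    if (first_hit) *first_hit = 0;
    if (disk_len < SECTOR_SIZE) return 0;
    uint32_t end = mbr_first_partition_lba(disk);
    if (end == 0) return 0;                 /* no usable table to bound the gap */
    size_t total = disk_len / SECTOR_SIZE;
    if (end > total) end = (uint32_t)total;
    for (uint32_t lba = 1; lba < end; lba++) {
        const uint8_t *s = disk + (size_t)lba * SECTOR_SIZE;
        int nonzero = 0;
        for (int i = 0; i < SECTOR_SIZE; i++) if (s[i]) { nonzero = 1; break; }
        if (nonzero) {
            if (hits == 0 && first_hit) *first_hit = lba;
            hits++;
        }
    }
    return hits;
}

/* Number of bytes differing in the boot-code area (0..445) vs. a trusted baseline. */
size_t mbr_bootcode_diff(const uint8_t *current, const uint8_t *baseline) {
    size_t d = 0;
    for (int i = 0; i < PART_TABLE_OFFSET; i++) if (current[i] != baseline[i]) d++;
    return d;
}

/* Constructed sample: MBR with stand-in boot code, one bootable type-0x07
 * partition at LBA 63 (the classic 63-sector gap), and a fake payload at LBA 10. */
int build_sample_image(uint8_t *img, size_t len) {
    if (len < (size_t)SAMPLE_SECTORS * SECTOR_SIZE) return 0;
    memset(img, 0, len);
    for (int i = 0; i < PART_TABLE_OFFSET; i++) img[i] = (uint8_t)(0x90 + (i % 7));
    uint8_t *e = img + PART_TABLE_OFFSET;
    e[0] = 0x80; e[4] = 0x07; wr32le(e + 8, 63); wr32le(e + 12, 1);
    img[510] = 0x55; img[511] = 0xAA;
    memset(img + 10 * SECTOR_SIZE, 0xCC, SECTOR_SIZE);   /* "hidden" data */
    return 1;
}

int main(void) {
    static uint8_t img[SAMPLE_SECTORS * SECTOR_SIZE];
    build_sample_image(img, sizeof img);
    uint32_t first = 0;
    size_t n = scan_unpartitioned_gap(img, sizeof img, &first);
    printf("first partition at LBA %u, %zu non-zero gap sector(s), first at LBA %u\n",
           mbr_first_partition_lba(img), n, first);
    return 0;
}
```

The scan is deliberately crude (any non-zero byte in the gap is reported) because a legitimate system may also leave data there, for example a boot manager's second stage; the point is to get a short list of sectors to inspect by hand. The baseline diff only covers the boot-code bytes, so a rootkit that leaves those intact and only touches the partition table would need the table compared as well.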