A new rootkit is making the rounds that you should be aware of. Rootkits by themselves are nothing new or exciting, but this particular one is using an attack vector that was common back in the old MS-DOS days!
This particular rootkit, dubbed Trojan.Mebroot by Symantec, is an MBR (master boot record) rootkit that installs itself in your hard drive's MBR. The MBR is the first 512 bytes of space on your hard drive and, among other things, holds the partition table for that particular drive.
With so many security holes available in application software, MBR malware has seen little use in recent years. However, because the MBR is one of the first things read while booting a computer, if you control the MBR you can control the entire computer.
Because MBR rootkits have not been used in recent years, anti-virus companies have done little in regards to detecting and finding MBR malware. MBR malware is not particularly hard to find or fix, but no one has been paying any attention to it. This has made Trojan.Mebroot very successful in the limited amount of time it has been infecting computers (an estimated 5,000 computers infected in just two attacks, one on Dec 12th and one on Dec 19th). The method of distribution was a malicious website.
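To make the MBR layout described above concrete, and to show the kind of check that makes MBR malware "not particularly hard to find", here is an added example (not code from the article or from Symantec): it parses the 446-byte boot code, the four 16-byte partition entries and the 0x55AA signature of a 512-byte sector, and fingerprints only the boot code so a baseline survives legitimate repartitioning. The boot-code bytes and the single NTFS partition are constructed sample data, not anything taken from Trojan.Mebroot.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_SIZE = 446           # bytes 0..445 hold the bootstrap code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
SIGNATURE_OFFSET = 510        # 0x55 0xAA marks a valid MBR


def parse_partition_table(mbr: bytes) -> list:
    """Decode the non-empty entries of the MBR partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue  # unused slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def bootcode_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the boot code only; the partition table is excluded so that
    repartitioning does not invalidate a saved baseline."""
    return hashlib.sha256(mbr[:BOOTCODE_SIZE]).hexdigest()


def bootcode_changed(mbr: bytes, baseline: str) -> bool:
    """True when the boot code no longer matches the recorded baseline."""
    return bootcode_fingerprint(mbr) != baseline


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sample sector: given boot code, one bootable NTFS (0x07)
    partition starting at LBA 2048 with 204800 sectors, valid signature."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return bootcode.ljust(BOOTCODE_SIZE, b"\x00") + table + b"\x55\xaa"


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")  # constructed, not real boot code
    baseline = bootcode_fingerprint(clean)
    tampered = build_sample_mbr(b"\xeb\x1e\x90")       # boot code replaced, table intact
    print(parse_partition_table(clean))
    print("boot code changed:", bootcode_changed(tampered, baseline))
```

On a real system the baseline would be recorded from a known-good sector read right after installation and compared against the live MBR on each check.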
While it won't take long for anti-virus companies to catch up, right now detection of all the different flavors of this particular rootkit is hit-and-miss. However, that is not the most pressing concern regarding this rootkit. Andrew Storms, director of security operations with nCircle Network Security, says "As for penetration, so far many people are showing it as having a low overall distribution. The concern is that the group which may be preparing to distribute the rootkit is well-prepared."
- New virus, old threat