MBR Rootkit - A New Breed of Malware
News broke out earlier this year of a new breed of rootkit using techniques never before seen in modern malware. The most notable of them is the fact that the rootkit replaces the infected system's Master Boot Record (MBR).
The MBR is the first physical sector of the hard drive and contains the first code loaded and executed from the drive during the boot process.
In the competition between rootkits and rootkit detectors, the first to execute has the upper hand. And you can't execute earlier than from the MBR. Of course, MBR viruses used to be very common in the DOS days, 15 years ago or so. But this is 2008.
This new Windows MBR rootkit launches itself very early during the Windows startup process without requiring any registry or file modifications. In fact, it is quite surprising that it's possible to write to the MBR from within Windows to begin with.
The MBR rootkit — known as "Mebroot" — is very advanced and probably the stealthiest malware we have seen so far. It keeps the amount of system modifications to a minimum and is very challenging to detect from within the infected system.