Well, there's a relief!

Jan 11, 2008 12:14 GMT  ·  By

Windows Vista users can breathe a sigh of relief. Microsoft has confirmed that its latest Windows client, when run with User Account Control enabled, blocks a class of attack on the Master Boot Record that dates back to the MS-DOS era. Trojan.Mebroot (as Symantec has labeled it) is a rootkit detected in the wild that targets the Master Boot Record (MBR). According to the Cupertino-based security company, Windows XP, Windows Vista, Windows Server 2003 and Windows 2000 are all at risk of infection.

"An MBR is the first sector of a storage device such as a hard disk, and is generally used for bootstrapping the operating system after the computer's BIOS has done its startup checks. Basically, if you can control the MBR, you can control the operating system and therefore the computer it resides on. MBR-based attacks have been around since the MS-DOS era. Viruses such as Stoned, Michelangelo, Junkie and Tequila used this technique to infect systems, and it is quite incredible to see that almost ten years later, we are again facing attacks on the MBR", explained Elia Florio, Symantec Security Response Engineer.

Proof-of-concept rootkits such as "BootRoot" (from Derek Soeder of eEye Digital Security) and "Vbootkit" (from Nitin and Vipin Kumar of NVLabs) have already shown how code written to the MBR can take over the Windows boot process, Vista included. Trojan.Mebroot, however, is no proof of concept: it is a live threat built on the "BootRoot" code, altered to load a stealth backdoor Trojan horse and compromise the running operating system. The root of the problem is that Windows lets a sufficiently privileged user-mode application overwrite raw disk sectors, sector 0 included, so no kernel exploit is needed to plant the rootkit. Vista is exposed to the attack only when the user runs with full administrative privileges, that is, with User Account Control completely disabled; with UAC on, even an administrator's processes run with a filtered token, and opening the physical disk for raw write access requires an elevation prompt that the malware cannot get past without the user consenting.

"To open a disk for raw disk access (i.e. the method by which you can write to a raw disk sector) requires admin rights. If you run as non-admin or are on Vista with UAC, this malware won't be able to modify your MBR. To fix a modified MBR you can use the Windows Recovery Console and use the 'fixmbr' command. You boot the recovery console by using your Windows CD / DVD. So the fact that this malware doesn't use any registry-based ASEPs is actually a pretty big weakness - it makes it easier to defeat", explained Robert Hensing, Microsoft Security Software Engineer.
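Because this threat lives only in sector 0 and uses no registry autostart entries, the practical check is to read the MBR and compare its bootstrap code against a baseline captured from a known-clean machine, which is what the raw-disk-access and fixmbr points above come down to. The script below is an added example, not code from the article, Symantec or Microsoft: it parses the standard MBR layout (440-byte bootstrap area, disk signature, four 16-byte partition entries, 0x55AA signature), hashes the bootstrap area, and reports findings. The 512-byte sample it builds is constructed test data, the hash baseline and device path are assumptions, and on a real Vista/XP box the read of \\.\PhysicalDrive0 needs an administrator token, the same gate that stops the malware from writing it under UAC.

```python
"""Inspect a 512-byte Master Boot Record and flag signs of tampering (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440          # bootstrap code occupies offsets 0x000-0x1B7
DISK_SIG_OFF = 440           # 4-byte Windows disk signature at 0x1B8
PART_TABLE_OFF = 446         # four 16-byte partition entries start at 0x1BE
ENTRY_FMT = '<B3sB3sII'      # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = 0xAA55            # bytes 55 AA at offset 510, read little-endian


def read_mbr(path):
    """Read sector 0 from a device or image file.

    Assumed usage on Windows: read_mbr(r'\\.\PhysicalDrive0'); opening the
    physical drive requires an elevated administrator token.
    """
    with open(path, 'rb') as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Split an MBR into its fields; raises ValueError if the size is wrong."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError('MBR must be exactly 512 bytes')
    signature = struct.unpack_from('<H', sector, 510)[0]
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({'index': i, 'bootable': status == 0x80,
                               'type': ptype, 'lba_start': lba, 'sectors': count})
    return {
        'signature_ok': signature == BOOT_SIG,
        'bootstrap_sha256': hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        'disk_signature': struct.unpack_from('<I', sector, DISK_SIG_OFF)[0],
        'partitions': partitions,
    }


def check_mbr(sector, baseline_bootstrap_sha256=None):
    """Return a list of findings; an empty list means nothing suspicious.

    baseline_bootstrap_sha256 is the SHA-256 of the 440-byte bootstrap area
    recorded from a known-clean system (assumed to exist); None skips it.
    """
    info = parse_mbr(sector)
    findings = []
    if not info['signature_ok']:
        findings.append('boot signature 0x55AA missing: sector is not a valid MBR')
    if baseline_bootstrap_sha256 and info['bootstrap_sha256'] != baseline_bootstrap_sha256:
        findings.append('bootstrap code differs from baseline: possible MBR rootkit')
    if sum(1 for p in info['partitions'] if p['bootable']) > 1:
        findings.append('more than one partition flagged bootable')
    for i in range(4):
        status = sector[PART_TABLE_OFF + i * 16]
        if status not in (0x00, 0x80):
            findings.append(f'partition {i}: invalid status byte 0x{status:02x}')
    ordered = sorted(info['partitions'], key=lambda p: p['lba_start'])
    for a, b in zip(ordered, ordered[1:]):
        if a['lba_start'] + a['sectors'] > b['lba_start']:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings


def build_sample_mbr(bootstrap=b'\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c'):
    """Construct a synthetic MBR image for testing (constructed data, not a real disk).

    The default bootstrap bytes are a placeholder boot prologue; a tampered
    sample is made by passing different bytes while the partition table and
    disk signature stay unchanged, which is how a boot-code-only rootkit looks.
    """
    if len(bootstrap) > BOOTSTRAP_LEN:
        raise ValueError('bootstrap code exceeds 440 bytes')
    code = bytearray(bootstrap).ljust(BOOTSTRAP_LEN, b'\x00')
    disk_sig = struct.pack('<I', 0x1234ABCD)
    reserved = b'\x00\x00'
    # one bootable NTFS (0x07) partition starting at LBA 63, 1,000,000 sectors long
    entry = struct.pack(ENTRY_FMT, 0x80, b'\x01\x01\x00', 0x07, b'\xfe\xff\xff', 63, 1000000)
    table = entry + b'\x00' * 48
    return bytes(code + disk_sig + reserved + table + struct.pack('<H', BOOT_SIG))


if __name__ == '__main__':
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)['bootstrap_sha256']
    print('clean sample:', check_mbr(clean, baseline) or 'no findings')
    tampered = build_sample_mbr(bootstrap=b'\xeb\x58\x90')
    print('tampered sample:', check_mbr(tampered, baseline))
```

The baseline should be taken right after installation or after a fixmbr repair and stored off the machine, since a rootkit that owns sector 0 could also hide a copy kept locally. A clean partition table with a changed bootstrap hash is exactly the pattern to escalate on.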