July 6th, 2011, 17:42 GMT · By

New Rootkit Infects NTFS Loader

Image caption: Researchers identify NTFS loader malware
Security researchers from Kaspersky Lab have identified a new piece of malware which writes malicious code to the NTFS boot loader.

The threat, which Kaspersky detects as Cidox, features two rootkit drivers, one for 32-bit versions of Windows and one for 64-bit ones.

As part of its infection routine, Cidox determines the version of the operating system and copies the relevant driver to the empty sectors at the beginning of the drive.

It only infects NTFS partitions and determines the active one by looking at the MBR code. It then proceeds to replace the Extended NTFS IPL (Initial Program Loader) code. The original IPL code is encrypted and saved at the end.

This is part of a special technique that leverages Windows kernel features to load the malicious driver into the system.

The driver has the purpose of hooking into several processes, including svchost.exe, iexplore.exe, firefox.exe, opera.exe and chrome.exe, via a special DLL.

"This library modifies any browser output, substituting it with its own. As a result, the user sees a browser window displaying an offer to renew the browser due to some malicious programs allegedly detected on the system," Kaspersky's Vyacheslav Zakorzhevsky explains.

This threat is effectively a form of scareware, as the user is asked to pay for the browser renewal by sending an SMS message to a premium rate number.

To appear more convincing, the malware shows a custom page for each browser that borrows design elements from the official pages displayed by that browser's developer.

This is one of the most sophisticated scareware threats currently in the wild, but at the moment it only appears to target Russian-speaking users.

It seems that malware authors are increasingly using advanced techniques. One of the most dangerous threats at the moment, the TDL4 rootkit, infects the MBR (master boot record) in order to hide itself.
