New rootkit hides in hard drive's boot record

January 09, 2008 (Computerworld) — A rootkit that hides from Windows on the hard drive’s boot sector is infecting PCs, security researchers said today. Once installed, the cloaking software is undetectable by most current antivirus programs.

The rootkit overwrites the hard drive’s master boot record (MBR), the first sector — sector 0 — where code is stored to bootstrap the operating system after the computer’s BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to the operating system and security software installed on that operating system.

“A traditional rootkit installs as a driver, just as when you install any hardware or software,” said Oliver Friedrichs, director of Symantec Corp.’s security response team. “Those drivers are loaded at or after the boot process. But this new rootkit installs itself before the operating system loads. It starts executing before the main operating system has a chance to execute.” Control the MBR, Friedrichs continued, and you control the operating system, and thus the computer.
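Because the article's point is that sector 0 is overwritten, a defender can verify it by hashing the MBR's boot code and comparing it with a known-good baseline. The following is an added example, not code from the article or from Symantec; it assumes the 512-byte sector image was captured from trusted boot media rather than from the running Windows installation, and the sample sectors and function names are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440     # bootstrap code; bytes 440-445 hold the disk signature
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"  # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector-0 image into boot-code hash and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"slot": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[510:512] == BOOT_SIG,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}

def compare_to_baseline(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the boot code matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    return findings

def constructed_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: filler boot code plus one active type-0x07 partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 63, 204800)
    sector[510:512] = BOOT_SIG
    return bytes(sector)

# Constructed samples (filler text, not real boot code)
KNOWN_GOOD = constructed_mbr(b"KNOWN-GOOD-BOOT-CODE")
CHANGED = constructed_mbr(b"REPLACED-BOOT-CODE")
BASELINE = parse_mbr(KNOWN_GOOD)["boot_code_sha256"]

if __name__ == "__main__":
    print(compare_to_baseline(KNOWN_GOOD, BASELINE))
    print(compare_to_baseline(CHANGED, BASELINE))
```

Only the first 440 bytes are hashed so that the per-disk signature and the partition table, which legitimately differ between machines, do not cause false alarms.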

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9056378&source=rss_news10
