PandaLabs Detects Trojans That Use New Form of Rootkit Attack

Rootkits Designed to Hide by Replacing the Master Boot Record With One of Their Own

Jan 10, 2008, 00:00 ET from Panda Security

    GLENDALE, Calif., Jan. 10 /PRNewswire/ -- PandaLabs, Panda Security's
 malware analysis and detection laboratory, has detected the appearance of
 Trojans that include rootkits (MBRtool.A, MBRtool.B, MBRtool.C, etc.)
 designed to replace the master boot record (MBR), the first sector (sector
 zero) of the hard disk, with one of their own. A rootkit is a program
 designed to take fundamental control of a computer system without the
 authorization of the system's owners and legitimate administrators. This
 new form of attack is a novel use of rootkits that makes the associated
 malicious code even more difficult to detect.
     "This system of attack makes it practically impossible to detect the
 rootkits and the malicious code they hide once they are installed on a
 computer," said Luis Corrons, technical director of PandaLabs. "The only
 feasible defense is to detect these rootkits before they enter the
 computer. In anticipation of other similar malicious code that may appear,
 it is essential to use proactive technologies that can detect threats
 without having previously identified them."
     The aim of rootkits when employed by cyber-crooks is to hide the action
 of malware, making it more difficult to detect. Until now, rootkits have
 hooked into operating system processes, but the new strains detected by
 PandaLabs are installed in a part of the hard disk that runs even before the
 operating system starts up. When one of these new rootkits is run on a
 system, it copies the existing MBR to another location on the disk and
 overwrites the original with its own malicious boot code. Any later attempt
 to read the MBR from within the running system is redirected to the saved
 genuine copy, so that neither users nor applications find anything
 suspicious.
     The modifications mean that when a user starts the computer, the
 manipulated MBR runs before the operating system is loaded. At that moment
 the rootkit loads the rest of its code, thereby completely hiding itself and
 any associated malicious code. Until now, rootkits were used to hide files
 or processes, but these new examples subvert the system directly. Their
 location means that users will not notice any anomaly in system processes,
 as the rootkit loaded in memory monitors all access to the disk to make any
 of its associated malware invisible to the system.
     Users should take precautions against this new type of threat and not
 run any file from unknown sources. To remove the malicious code, infected
 users should start their computers from a boot CD so that the infected MBR
 is never executed; only then can the disk be read without the rootkit's
 filtering in place. They must then restore the MBR with a utility such as
 fixmbr in the Windows Recovery Console, if Windows is installed.
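     The two points above (a read of sector 0 from inside the infected system
 is redirected to the saved genuine copy, so inspection has to be done from
 clean boot media) can be turned into a small offline verifier. The following
 is an added example and not code from Panda Security or from this press
 release. It parses a dumped 512-byte MBR, checks the 0x55AA boot signature
 and partition table, and compares the boot code with a baseline SHA-256
 recorded earlier from a trusted dump. The sample MBR images, the baseline
 hash and the dd command in the comments are constructed for illustration.

```python
"""Parse and verify a raw 512-byte master boot record (MBR) image.

Added example for this article; it is not code from Panda Security or from the
original press release. It assumes sector 0 was dumped after booting from clean
media (for instance `dd if=/dev/sda of=mbr.bin bs=512 count=1` from a live CD):
a read made from inside an infected operating system may be redirected to the
rootkit's saved copy of the genuine MBR and look clean. The "known-good" hash
is normally recorded from a trusted dump; here it is taken from the constructed
clean sample below.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440            # bytes 0-439: boot code; 440-443 disk signature; 444-445 reserved
PART_TABLE_OFF = 446          # four 16-byte partition entries
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
SIG_OFF = 510
BOOT_SIG = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a sector-0 image into boot code, disk signature, partition table and boot signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode": sector[:BOOTCODE_LEN],
        "disk_signature": struct.unpack_from("<I", sector, BOOTCODE_LEN)[0],
        "partitions": partitions,
        "signature_ok": sector[SIG_OFF:SIG_OFF + 2] == BOOT_SIG,
    }


def bootcode_sha256(sector: bytes) -> str:
    """Hash only the executable boot code; the partition table legitimately changes over time."""
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def verify_mbr(sector: bytes, known_good_bootcode_sha256: str) -> dict:
    """Compare a sector-0 dump against a baseline boot code hash and sanity-check its layout."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    active = [p for p in mbr["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    bootcode_ok = bootcode_sha256(sector) == known_good_bootcode_sha256
    if not bootcode_ok:
        findings.append("boot code differs from baseline (partition table may still be intact)")
    return {"signature_ok": mbr["signature_ok"], "bootcode_ok": bootcode_ok,
            "partitions": mbr["partitions"], "findings": findings}


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sample MBR: given boot code, a fixed disk signature, one active NTFS partition."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("boot code too long")
    entry = struct.pack(PART_ENTRY_FMT, 0x80, 0x07, 2048, 1_000_000)  # active, NTFS, LBA 2048
    head = bootcode.ljust(BOOTCODE_LEN, b"\x00") + struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    return head + entry + b"\x00" * 48 + BOOT_SIG


# Constructed samples: a stand-in for stock boot code, and the same disk after its
# boot code has been swapped while the partition table is left untouched (which is
# what lets the operating system still boot normally after infection).
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 40)
KNOWN_GOOD_BOOTCODE_SHA256 = bootcode_sha256(CLEAN_MBR)  # record this from a trusted dump
INFECTED_MBR = build_sample_mbr(b"\xeb\x1e" + b"\x00" * 30 + b"\xb8\x00\x00\x8e\xd8\xbb\x00\x00")

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        result = verify_mbr(image, KNOWN_GOOD_BOOTCODE_SHA256)
        print(name, "boot code OK:", result["bootcode_ok"], "findings:", result["findings"])
```

 Run from the live CD against the dumped sector, the check reports the boot
 code mismatch while the partition table still parses cleanly, which is the
 expected picture for an MBR rootkit of this kind. After restoring the MBR
 with fixmbr, a fresh dump should again match the baseline hash.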
     "These rootkits can also affect other platforms, such as Linux, as
 their action is independent of the operating system installed on the
 computer," added Corrons.
     About PandaLabs
     Since 1990, PandaLabs' mission has been to analyze new threats as
 rapidly as possible to keep its clients safe. Several teams, each
 specialized in a specific type of malware (viruses, worms, Trojans,
 spyware, phishing, spam, etc), work 24/7 to provide global coverage. To
 achieve this, they also have the support of TruPrevent(R) Technologies,
 which act as a global early-warning system made up of strategically
 distributed sensors to neutralize new threats and send them to PandaLabs
 for in-depth analysis. According to, PandaLabs is currently the
 fastest laboratory in the industry in providing complete updates to users.
 More information is available in the PandaLabs blog
     About Panda Security
     Panda Security is one of the world's leading IT security providers,
 with millions of clients across more than 200 countries and products
 available in 23 languages. Its mission is to develop and provide global
 solutions to keep clients' IT resources free from the damage inflicted by
 viruses and other computer threats, at the lowest possible total cost of
     Panda Security proposes a new security model, designed to offer a
 robust solution to the latest cyber-crime techniques. This is manifest in
 the performance of the company's technology and products, with detection
 ratios well above average market standards and most importantly, providing
 greater security for its clients. For more information and evaluation
 versions of all Panda Security solutions, visit our website at:

SOURCE Panda Security