According to Hon Lau with Symantec's security research operation, because the MBR is an area of the hard disk that is ready as soon as the computer starts up, if you want to get access to the hardware of a PC, you can't really beat the MBR, with the exception of the BIOS itself.
MBR infections, he says, offer great scope for deep infection and control of computers which makes the idea attractive to malware creators.
“Contemporary MBR infection methods are a fairly complex affair and are not an undertaking that can be performed by many malware creators - except for the more highly skilled individuals. This is probably one reason why after the creators of Trojan.Mebroot rediscovered the lost art of MBR infection, back in 2007 - based on work done by Soeder and Permeh of eEye Digital Security in 2005 on BootRoot - not too many other malware creators have followed in their wake”, he says in his latest security posting.
“Mebroot was a significant piece of malware. It not only infected the MBR of the computer but also implemented direct disk access to write its own code into unused sectors of the hard disk and therefore placing itself into an area that the host operating system isn’t even aware of. This type of low level infection when coupled with a sophisticated rootkit makes it difficult to detect and get rid of Mebroot from an infected computer. The way to defeat it is to try and get access to the hardware by avoiding the malware hooks or before the malicious MBR gets to execute."
While MBR infection has been a mainstay of Mebroot since the start, Lau notes that another gang, the one responsible for the highly sophisticated threat Backdoor.Tidserv (which originally infected system driver files), decided that they too wanted a piece of the MBR action.
“That gang jumped on board the MBR bandwagon back in the summer of 2010 with Backdoor.Tidserv.L and subsequent versions have been using this method since. Aside from Mebroot and Tidserv, there have been few other threats between 2008 and 2010 using the MBR infection technique, Trojan.Mebratix and Trojan.Bootlock being the only examples. It looked like MBR infections were going nowhere fast”, he says.
Lau notes that the MBR malware scene has changed considerably this year, with malware such as Backdoor.Tidserv.M, Trojan.Smitnyl, Trojan.Fispboot, Trojan.Alworo, and Trojan.Cidox arriving on the scene.
This, he explained, represents as many new MBR or boot-time malware threats as there had been in all the previous three years combined. He goes on to say that this statistic points to a possible trend towards increasing use of boot-time infection, particularly of the MBR, as a way to infect computers.
And, says Lau, he and his team are now seeing MBR infections being used in ransomware (aka scareware), since these types of malware are viewed as disposable code.
“Ransomware is made for a single purpose and is not expected to provide a long length of service, so the people who make them don’t want to spend too much time and effort in creating and hiding them on the computer. This is in sharp contrast to the more advanced examples of back door trojans, whose creators are trying to build a lasting and useful network of computers for profit”, he says.
“These are signs that the barrier to entry for this type of malware has been lowered. At this time, all the recent boot-time malware targets the MBR, with the exception of Trojan.Cidox, which takes a slightly different approach. Instead of targeting the MBR, it infects the Initial Program Loader to achieve a similar overall effect; this is an innovation on the current MBR infection techniques”, he adds.
So what is the solution?
Lau asserts that a simple way to disable the malware is to boot from a bootable CD and then run “fixmbr”, which restores the MBR to a default setting. This, he says, stops MBR-based malware from executing.
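Restoring a default MBR works because the malicious boot code lives in a fixed, well-defined place: the first 446 bytes of sector 0, followed by the 64-byte partition table and the 0x55AA signature. A defender can use the same layout to detect tampering before reaching for a recovery CD, by hashing the boot-code region against a known-good baseline and listing the unallocated sector ranges (the "unused sectors" that Mebroot-style malware writes into) so they can be baselined too. The following Python is an added example, not code from the article or from Symantec; the sample MBR bytes, partition layout and disk size are constructed for illustration.

```python
"""Parse a 512-byte MBR and check it against a known-good boot-code baseline.

Added example: the MBR layout (446 bytes of boot code, four 16-byte partition
entries, 0x55AA signature) is standard; all sample data below is constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # x86 boot code occupies bytes 0..445
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble an MBR from boot code and (status, type, lba_start, sectors) tuples.

    Helper used only to construct sample input; CHS fields are zeroed because
    modern loaders use the LBA fields.
    """
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for status, ptype, lba, count in partitions
    )
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return code + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into a SHA-256 of its boot code plus the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + PART_ENTRY_LEN])
        if ptype == 0:  # empty entry
            continue
        partitions.append({"index": i, "status": status, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def unallocated_ranges(partitions, disk_sectors: int):
    """Return (first, last) LBA ranges covered by no partition, excluding sector 0.

    These gaps are the 'unused sectors' an MBR infection can write code into,
    so a defender should hash them alongside the boot code.
    """
    covered = sorted((p["lba_start"], p["lba_start"] + p["sectors"] - 1) for p in partitions)
    gaps, cursor = [], 1
    for start, end in covered:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor <= disk_sectors - 1:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def check_mbr(mbr: bytes, baseline_boot_hash: str):
    """Compare an MBR against a known-good boot-code hash and basic sanity rules."""
    findings = []
    info = parse_mbr(mbr)
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline (possible MBR infection)")
    active = [p["index"] for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has invalid status byte {p['status']:#04x}")
        if p["sectors"] == 0:
            findings.append(f"partition {p['index']} has zero length")
    return findings


# Constructed sample data: a stub loader and one NTFS-type partition starting at LBA 2048.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec0") + b"GOOD-LOADER"
PARTITIONS = [(0x80, 0x07, 2048, 1000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]  # recorded while the system was known-good
TAMPERED_MBR = build_mbr(b"\xeb\x00" + b"OTHER-LOADER", PARTITIONS)  # same table, different boot code

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE_HASH))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
    print("unallocated:", unallocated_ranges(parse_mbr(CLEAN_MBR)["partitions"], 4096))
```

On a real system the 512 bytes would be read from the raw disk device (with administrator rights) and the baseline hash recorded at build time or after running fixmbr; note that a kernel rootkit hooking disk access can lie to such a check, which is exactly why Lau recommends checking from bootable media rather than from inside the running OS.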
From a historical point of view, he adds, infecting the MBR is not a new technique per se, many of the old boot sector viruses from over a decade ago did something similar. The difference today, he argues, is that modern MBR malware does a lot more than simply infecting the MBR.