'Mebroot' proving hard to weed out

A rootkit uncovered in the wild in December is proving to be a real headache to detect, according to Finnish security company F-Secure.

The "Mebroot," rootkit infects the master boot record (MBR), the first sector of a PC's hard drive that the computer looks to before loading the operating system. Since it loads before anything else, Mebroot is nearly invisible to security software.

"You can't execute any earlier than that," said Mikko Hypponen, F-Secure's chief research officer.

A rootkit is a malicious program that hides deep in a computer's operating system and can be difficult to remove.

Since December, Hypponen said it's seen alpha and beta versions of the Mebroot rootkit but believes it has now been RTMed, the term usually used for a legitimate piece of software that's entered production after testing.

Once a machine is infected, the hacker controlling the rootkit has complete control over the victim's machine, opening up the potential for a variety of other attacks.

For example, the hacker could try and download other malicious software to the machine to log a person's keystrokes and collect financial or personal data.

F-Secure, which specialises in finding rootkits, says its technology is only able to "suspect" if Mebroot is on a PC. Hypponen said he couldn't reveal the techniques the company is using to make even that fuzzy guess.

The problem is that Mebroot isn't just a single file – it injects itself into other processes running on a machine, masking its nefarious actions, Hypponen said.

Mebroot, however, can be uncovered if F-Secure's security software CD is used to boot up the PC, Hypponen said. "The one who executes first has the upper hand," he said.

Mebroot is the manifestation of what researchers thought was just theoretically possible, although the MBR on older, MS-DOS systems had been infected with rootkits. But in 2005, researchers Derek Soeder and Ryan Permeh of eEye Digital Security showed the idea was possible by producing proof-of-concept code, called "BootRoot".

But Hypponen said it was thought the highly technical engineering needed for a successful attack was beyond the reach of today's malware writers.

They were wrong. Hackers are now creating web pages that, if visited with certain browsers with security vulnerabilities, will automatically infect a PC with Mebroot – a technique known as a drive-by download.

Hypponen said it's unknown how widespread Mebroot has become. VeriSign's iDefense Intelligence Team has said 5,000 users were infected in separate attacks on 12 December and 19 December.