Trojans evolve
28th January 2008
PandaLabs has detected several Trojans that use a revolutionary new form of rootkit-based attack.
The novelty of this attack is that the rootkits now hide by replacing the master boot record (MBR) with a record of their own, which takes over the functions of the former.
Recently, PandaLabs found several Trojans containing rootkits (MBRtool.A, MBRtool.B, MBRtool.C, etc.) designed to replace the MBR. This is a real revolution in the use of rootkits, because it makes the malicious code much more difficult to detect.
Earlier rootkits were installed in system processes, but the latest versions found by PandaLabs install themselves in a part of the hard disk that runs before the operating system starts.
When one of these rootkits runs, it creates a copy of the existing MBR and alters the original according to the attackers' instructions. This means that when the MBR is accessed, the rootkit redirects the request to the genuine record in order to prevent any suspicion.
As a result of the changes, when a user turns on the computer, the altered MBR is loaded before the OS. This is the moment when the rootkit's code runs, hiding the malicious code.
To remove the malicious code, a user must restart the infected computer from a boot CD so that the infected MBR is not used. The MBR must then be restored with a utility such as fixmbr in the Windows Recovery Console (provided that this operating system is used).
These rootkits can also run on other platforms, such as Linux, since they do not depend on the installed OS.