• Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Home
  • About Darknet
  • Hacking Tools
  • Popular Posts
  • Darknet Archives
  • Contact Darknet
    • Advertise
    • Submit a Tool
Darknet – Hacking Tools, Hacker News & Cyber Security

Darknet - Hacking Tools, Hacker News & Cyber Security

Darknet is your best source for the latest hacking tools, hacker news, cyber security best practices, ethical hacking & pen-testing.

New Rootkits Infecting the MBR

January 17, 2008

Views: 9,641

[ad]

Ah I remember some of the nastiest viruses back in the day attaching themselves in the MBR (Master Boot Record) rendering most anti-virus software useless (as it sits on top of the OS).

Now it seems MBR infection is back in fashion for a new age of rootkits.

Security mavens have uncovered a new class of attacks that attach malware to the bowels of a hard drive, making it extremely hard to detect and even harder to remove.

The rootkit modifies a PC’s master boot record (MBR), which is the first sector of a storage device and is used to help a PC locate an operating system to boot after it is turned on. The result: the rootkit is running even before Windows loads. There have been more than 5,000 infections in less than a month, researchers say.

“Master boot record rootkits are able to subvert the Windows kernel before it loads, which gives it a distinct stealth advantage over rootkits that load while Windows is running,” said Matthew Richard, director of the rapid response team for iDefense, a security provider owned by VeriSign. “It gives it a great stealth mechanism that allows it to persist even after removal.” Such rootkits can even survive reinstallation of the operating system, he said.

Pretty stealthy and extremely sticky, time to be a little more wary. MBR infectors are extremely nasty and the majority of people won’t even know they are. Plus as they can subvert the Windows kernel before it even loads…it has a huge stealth advantage.

The new rootkit is part of the arms race between security vendors and malware writers, he said. “We’re definitely making it harder and harder for the bad guys to do stuff to the operating system,” he said. They respond by attacking new parts of a PC.

Every version of Windows, including Vista, is vulnerable to the rootkit.

About 30,000 websites, mostly located in Europe, are actively trying to install the rootkit by exploiting users who have failed to install Windows updates, Richard says. There were 5,000 infections from December 12 to January 7. The rootkit is being spread by the same group responsible for distributing the Torpig banking Trojans, which are used to steal online banking credentials.

  • McAfee detects the Trojan as StealthMBR (DAT 5204 or above) or StealthMBR!rootkit
  • Symantec as Trojan.Mebroot or Boot.Mebroot
  • Sophos uses name Troj/Mbroot-A
  • Trend Micro uses the name TROJ_SINOWAL.AD

(Info from Securiteam)

A timeline is available from SANS here.

Source: The Register

Share
Tweet
Share
Buffer
WhatsApp
Email
0 Shares

Filed Under: Hacking News, Malware Tagged With: malware, rootkit, trojans, viruses



Reader Interactions

Comments

  1. Nobody_Holme says

    January 17, 2008 at 12:58 pm

    Are there any new vectors they’re installing it through, though?

  2. goodpeople says

    January 17, 2008 at 1:11 pm

    Another reason why people should regularly update their virusscanners.

  3. Darknet says

    January 17, 2008 at 1:27 pm

    Same as normal AFAIK – spread via web downloads.

  4. mumble says

    January 18, 2008 at 9:03 am

    I must be getting old. Everything I got into trouble with back when I was a teenager is coming back to haunt me. MBR viruses…. non-blind DNS and ARP spoofing… What’s happening? Next I’ll be hearing about carding at the sprint reintroduced Pc-Pursuit.

  5. Nobody_Holme says

    January 18, 2008 at 5:17 pm

    Good good… *feels happy and safe*

    who wants to bet i get owned in about 5 minutes now?

  6. Pantagruel says

    January 19, 2008 at 12:37 am

    @ mumble

    Better watch out Leisure Suit Larry is also making his return ;)

    Indeed some antiviral packages are oblivious to very old attack vectors, they have become very concerned with spam/scam/phish and blocking content that they haev forgotten about old skool technique’s
    (.. stumbles through a pile of old 5 1/4″ floppies looking for an MBR infecting proogy from the darkages, darn, the C2D is too fast to do old style DOS progs (or cmd is too limited)

  7. mumble says

    January 19, 2008 at 3:14 am

    Does anyone else remember the ping-pong virus?

    The scary thing is that I might still have a copy bouncing around. That beast was written in simon-pure assembly, and the size was measured in bytes….

  8. Nobody_Holme says

    January 19, 2008 at 1:19 pm

    Anything oldskool DOS needs some re-writing to make it work these days…
    Ping-pong virus…. The memories!

  9. goodpeople says

    January 20, 2008 at 12:51 pm

    My best memories lie with the cookiemonster virus…

    .. can I have a cookie?

  10. mumble says

    January 20, 2008 at 8:40 pm

    @goodpeople – “A Cookie”

    I find it fascinating that a number of older people – among them security researchers and pentesters, all remember this stuff with glee from back when they were behaving like juvenile delinquents. Plus la change, plus la meme chose… (Yes, I mangled that, but I don’t have bindings for French characters on my keyboard….Unicode doesn’t fix the “where’s the any key!?!?” problem.)

  11. eM3rC says

    February 7, 2008 at 5:42 am

    Props to the ping pong virus!

    I never though MBR viruses would ever make a comeback. Now the black hats reverted to old tactics, it seems AV will be forced to keep up and catch them before they get installed. Another way around this (aside from programs that stop the modification of vital system files) is a program that is called something like shadow drive. This program basically makes an image of your hard drive(s) and all changes made are not actually stored on the hard drive itself but the image. I have not used the program myself but at some point you are allowed to write the files to the hard drive allowing the computer to be both safe and usable.

  12. J. Lion says

    February 11, 2008 at 11:24 pm

    scary…

    I wonder if my MBR is infected…

  13. eM3rC says

    February 12, 2008 at 1:59 am

    @J. Lion

    If it was I think you would know already ;)

Primary Sidebar

Search Darknet

  • Email
  • Facebook
  • LinkedIn
  • RSS
  • Twitter

Advertise on Darknet

Latest Posts

Bantam - Advanced PHP Backdoor Management Tool For Post Exploitation

Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation

Views: 289

Bantam is a lightweight post-exploitation utility written in C# that includes advanced payload … ...More about Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation

AI-Powered Cybercrime in 2025 - The Dark Web’s New Arms Race

AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race

Views: 493

In 2025, the dark web isn't just a marketplace for illicit goods—it's a development lab. … ...More about AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race

Upload_Bypass - Bypass Upload Restrictions During Penetration Testing

Upload_Bypass – Bypass Upload Restrictions During Penetration Testing

Views: 490

Upload_Bypass is a command-line tool that automates discovering and exploiting weak file upload … ...More about Upload_Bypass – Bypass Upload Restrictions During Penetration Testing

Shell3r - Powerful Shellcode Obfuscator for Offensive Security

Shell3r – Powerful Shellcode Obfuscator for Offensive Security

Views: 690

If antivirus and EDR vendors are getting smarter, so are the tools that red teamers and penetration … ...More about Shell3r – Powerful Shellcode Obfuscator for Offensive Security

Understanding the Deep Web, Dark Web, and Darknet (2025 Guide)

Understanding the Deep Web, Dark Web, and Darknet (2025 Guide)

Views: 8,481

Introduction: How Much of the Internet Can You See? You're only scratching the surface when you … ...More about Understanding the Deep Web, Dark Web, and Darknet (2025 Guide)

DataSurgeon is an open-source Linux-based data extraction and transformation tool designed for forensic investigations and recovery scenarios.

DataSurgeon – Fast, Flexible Data Extraction and Transformation Tool for Linux

Views: 470

DataSurgeon is an open-source Linux-based data extraction and transformation tool designed for … ...More about DataSurgeon – Fast, Flexible Data Extraction and Transformation Tool for Linux

Topics

  • Advertorial (28)
  • Apple (46)
  • Countermeasures (227)
  • Cryptography (82)
  • Database Hacking (89)
  • Events/Cons (7)
  • Exploits/Vulnerabilities (431)
  • Forensics (65)
  • GenAI (3)
  • Hacker Culture (8)
  • Hacking News (229)
  • Hacking Tools (684)
  • Hardware Hacking (82)
  • Legal Issues (179)
  • Linux Hacking (73)
  • Malware (238)
  • Networking Hacking Tools (352)
  • Password Cracking Tools (104)
  • Phishing (41)
  • Privacy (219)
  • Secure Coding (118)
  • Security Software (233)
  • Site News (51)
    • Authors (6)
  • Social Engineering (37)
  • Spammers & Scammers (76)
  • Stupid E-mails (6)
  • Telecomms Hacking (6)
  • UNIX Hacking (6)
  • Virology (6)
  • Web Hacking (384)
  • Windows Hacking (169)
  • Wireless Hacking (45)

Security Blogs

  • Dancho Danchev
  • F-Secure Weblog
  • Google Online Security
  • Graham Cluley
  • Internet Storm Center
  • Krebs on Security
  • Schneier on Security
  • TaoSecurity
  • Troy Hunt

Security Links

  • Exploits Database
  • Linux Security
  • Register – Security
  • SANS
  • Sec Lists
  • US CERT

Footer

Most Viewed Posts

  • Brutus Password Cracker – Download brutus-aet2.zip AET2 (2,291,672)
  • Darknet – Hacking Tools, Hacker News & Cyber Security (2,173,069)
  • Top 15 Security Utilities & Download Hacking Tools (2,096,614)
  • 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) (1,199,675)
  • Password List Download Best Word List – Most Common Passwords (933,462)
  • wwwhack 1.9 – wwwhack19.zip Web Hacking Software Free Download (776,130)
  • Hack Tools/Exploits (673,286)
  • Wep0ff – Wireless WEP Key Cracker Tool (530,143)

Search

Recent Posts

  • Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation May 9, 2025
  • AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race May 7, 2025
  • Upload_Bypass – Bypass Upload Restrictions During Penetration Testing May 5, 2025
  • Shell3r – Powerful Shellcode Obfuscator for Offensive Security May 2, 2025
  • Understanding the Deep Web, Dark Web, and Darknet (2025 Guide) April 30, 2025
  • DataSurgeon – Fast, Flexible Data Extraction and Transformation Tool for Linux April 28, 2025

Tags

apple botnets computer-security darknet Database Hacking ddos dos exploits fuzzing google hacking-networks hacking-websites hacking-windows hacking tool Information-Security information gathering Legal Issues malware microsoft network-security Network Hacking Password Cracking pen-testing penetration-testing Phishing Privacy Python scammers Security Security Software spam spammers sql-injection trojan trojans virus viruses vulnerabilities web-application-security web-security windows windows-security Windows Hacking worms XSS

Copyright © 1999–2025 Darknet All Rights Reserved · Privacy Policy