Research and analysis of stealth Master Boot Record rootkit

In 2005 Derek Soeder and Ryan Permeh, researchers from eEye Digital Security, presented eEye BootRoot. The technique used in their project wasn’t new and had been popular in DOS times, but they first successfully used it in Windows NT Environment. The eEye Digital Security researchers skipped one part – BootRoot didn’t hide the real content of affected sectors like old DOS Stealth MBR viruses, but it had only been created to show the possible way to compromise Windows NT OS.

Unfortunately, all the Windows NT family (including VISTA) still have the same security flaw – MBR can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack, however, the first sectors of disk are still unprotected.

At the end of 2007 stealth MBR rootkit was discovered by MR Team members and it looks like this way of affecting NT systems could be more common in near future if MBR stays unprotected.

Visit GMER for the Stealth MBR rootkit analysis.