A Master Boot Record (MBR) is an area of the hard disk (usually the first sector) used by a computer to perform start up operations. It is one of the first things to be read and executed by the computer hardware when a computer is powered on, even before the operating system itself. As far as trying to get access to the hardware first, you can’t really beat the MBR for that, with the exception of hardware ROM (BIOS) itself.
MBR infections offer great scope for deep infection and control of computers, which makes the idea attractive to malware creators. Contemporary MBR infection methods are a fairly complex affair and are not an undertaking that can be performed by many malware creators except for more highly skilled individuals. This is probably one reason why after the creators of Trojan.Mebroot rediscovered the lost art of MBR infection, back in 2007 (based on work done by Soeder and Permeh of eEye Digital Security in 2005 on BootRoot), not too many other malware creators have followed in their wake. Mebroot was a significant piece of malware. It not only infected the MBR of the computer but also implemented direct disk access to write its own code into unused sectors of the hard disk and therefore place itself into an area that the host operating system isn’t even aware of. This type of low-level infection, coupled with a sophisticated rookit, makes it difficult to detect and get rid of Mebroot from an infected computer. The way to defeat it is to try and get access to the hardware by avoiding the malware hooks or before the malicious MBR gets to execute.
While MBR infection has been a mainstay of Mebroot since the start, another gang who were responsible for the highly sophisticated threat Backdoor.Tidserv (originally infected system driver files) decided that they too will have a piece of the MBR action. They jumped on board the MBR bandwagon back in the summer of 2010 with Backdoor.Tidserv.L and subsequent versions have been using this method since. Aside from Mebroot and Tidserv, there has been few other threats between 2008 to 2010 using the MBR infection technique, Trojan.Mebratix and Trojan.Bootlock being the only examples. It looked like MBR infections were going nowhere fast.
Fast forward to now, the picture for MBR malware has changed considerably. So far in 2011, we have seen as Backdoor.Tidserv.M, Trojan.Smitnyl, Trojan.Fispboot, Trojan.Alworo, and Trojan.Cidox. This represents as many new MBR or boot time malware threats as there had been in all the previous three years. This statistic points to a possible trend towards increasing use of boot time infection (particularly the use of the MBR) as a way to infect computers. We should also note that much of the hard graft to build this type of malware has already been done by researchers and early adopters. When researchers released details for BootRoot and VBootkit, malware authors literally took the research and proof of concept code and simply adapted them for their own needs. From our observations, we can tell that a number of MBR infecting malware families currently in circulation borrowed heavily from the BootRoot PoC. The arrival of short lived ransomware type threats lend weight to the idea, because this type of malware can be considered as throw away code. Ransomware is made for a single purpose and are not expected to provide a long length of service so the people who make them don’t want to spend too much time and effort in creating and hiding them on the computer. This is in sharp contrast to the more advanced examples of back door Trojans for whom the creators are trying to build a lasting and useful network of computers for profit. These are signs that the barrier to entry for this type of malware has been lowered. At this time, all the recent boot time malwares target the MBR with the exception of Trojan.Cidox which takes a slightly different approach. Instead of targeting the MBR, it infects the Initial Program Loader to achieve a similar overall effect, this is an innovation on the current MBR infection techniques.
As with any malware infections, the key is to not get infected in the first place. Symantec has been quick to add detection for such malware whenever they are discovered (so keep your detections up-to-date) and we also offer various tools that can help to remove them. For MBR infecting threats, a simple way to disable the malware is to boot up with a bootable CD and then run “fixmbr” which will restore the MBR to a default setting. This will stop the MBR based malware from executing. For other more tricky threats you can try tools such as the Norton Boot Recovery Tool.
From a historical point of view, infecting the MBR is not a new technique per se, many of the old boot sector viruses from over a decade ago did something similar. The difference is, modern MBR malware do so much more than just infecting the MBR.
They say that fashion comes in cycles, is MBR malware making a comeback in 2011? It certainly looks that way. The following infographic summarizes these threats and what they do. (A big thanks to Stephen Doherty and Piotr Krysiuk for their input.)
