Kaspersky detects, treats MBR rootkit

By Staff Writer, ITWeb
Johannesburg, 08 May 2009

Kaspersky Lab has detected and implemented treatment for a variant of a unique MBR rootkit.

According to the company, it detected the new variant of Sinowal, a malicious program capable of hiding its presence in the system by infecting the Master Boot Record (MBR) on the hard drive, at the end of March.

Kaspersky describes implementing detection and treatment for the rootkit, which is still spreading across the Internet, as the most difficult task anti-virus specialists have faced in several years.

During 2008, Kaspersky Lab's analysts provided detailed reports on other variants of this rootkit, but the company says the new variant has come as a surprise for researchers.

“Unlike earlier versions, the new modification, Backdoor.Win32.Sinowal, penetrates much deeper into the system to avoid being detected. The stealth method used in this variant hooks device objects at the operating system's lowest level. This is the first time cyber criminals have used such sophisticated technologies,” says Kaspersky.

This is why no anti-virus products could treat computers infected with the new modification or even detect it when it first appeared, the company explains. “Once the bootkit penetrates the system, it conceals the payload's activities, which are designed to steal user data and various account details.”

Kaspersky's experts say the bootkit has been actively spreading from several malicious sites that exploit Neosploit vulnerabilities during the past month. It can also penetrate a system through a vulnerability in Adobe Acrobat Reader that permits a malicious PDF file to be downloaded without the user knowing.

The company advises users to update their anti-virus databases and perform a complete system scan to check whether the bootkit has infected their computer. If the bootkit is detected, the computer will need to be rebooted during the treatment process, Kaspersky added.
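Because an MBR bootkit works by overwriting the boot code in the first sector of the disk while leaving the partition table intact, one defender-side check is to hash that boot code and compare it against a value recorded while the machine was known to be clean. The following script is an added illustration, not Kaspersky's tool and not part of the original article; the two 512-byte sectors it examines are constructed inline, and the clean-state hash is taken from the constructed sample rather than from a real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into a boot-code hash and its partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}

def check_mbr(sector: bytes, baseline_sha256: str) -> dict:
    """Flag the sector if its boot code no longer matches the known-clean hash."""
    info = parse_mbr(sector)
    info["boot_code_modified"] = info["boot_code_sha256"] != baseline_sha256
    return info

def build_sector(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed MBR for the demo (not read from a real disk)."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    table += b"\x00" * (16 * (4 - len(entries)))
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + MBR_SIGNATURE

# Constructed sample: one active type-0x07 partition starting at LBA 2048.
ENTRIES = [(0x80, 0x07, 2048, 1_000_000)]
CLEAN_MBR = build_sector(b"\xfa\x33\xc0\x8e\xd0", ENTRIES)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # recorded while clean
# Same partition table, but the boot code has been replaced.
TAMPERED_MBR = build_sector(b"\xeb\x1e" + b"\x90" * 20, ENTRIES)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(mbr, BASELINE)
        print(name, "boot code modified:", result["boot_code_modified"], result["partitions"])
```

On a real system the 512 bytes would be read from the raw disk device with administrator privileges, and the baseline hash must be captured before any suspected infection; a partition table that still looks normal while the boot-code hash changes is exactly the pattern an MBR bootkit leaves behind.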

Company experts also recommend installing all the necessary patches to close vulnerabilities in Acrobat Reader and any browsers that they use.
