Writing on the Symantec Connect blog, researcher Hon Lau notes that researchers there have a doubling of master boot record (or MBR) malware between 2009 and 2010, with 2011 on track to double it again. The increase may be due to the release of open source code for the BootRoot MBR malware, Symantec said.
Admittedly, the “explosion” in MBR malware is hardly that – especially compared with the global malware population. We’re talking small numbers here: two instances of MBR malware in 2009, four in 2010 and five already in 2011.
New families of MBR malware include CIDOX, FISPBOOT, ALWORO and SMITNYL, in addition to variants of known MBR malware families like TIDSERV. The new variants are mostly one-off creations and are being used as ransomware – software that’s used to hijack a victim’s PC in exchange for payment.
The master boot record is the first sector of a storage device, such as a hard drive, and is accessed first by a computer when it is booting. The MBR contains code that allows the device to locate and load an operating system or other application installed on the system.
Master boot record malware infects that area of the storage device, allowing it to load before the operating system. That makes it easier for MBR malware to evade detection and removal, Symantec said.
Unlike MBR malware of a decade ago, the newest MBR malware is feature rich, with data stealing and remote control functionality built in, Hon writes.
Researchers at other firms have also seen a spike in MBR malware. In April, Kaspersky researcher Vyacheslav Zakorzhevsky reported that a rootkit, FISP.A, was being installed on systems infected by NSIS.Agent.jd, an MBR rootkit (or bootkit) that was being pushed by phony Chinese pornography sites.