rootkit


Lenovo Hit With Criticism Over Second Rootkit-Like Utility

Lenovo is under fire again for installing a covert utility on laptops and desktops that some users have compared to a rootkit. The issue stems from a utility called the Lenovo Service Engine, that is designed to collect some system information and send it to Lenovo at the time the machine connects to the Internet. But […]


The controversy over stealthy monitoring software by CarrierIQ has raised important questions about user privacy and business ethics in the Brave New World of smart phones, tablets and the like. In the uproar over CarrierIQ’s surreptitious monitoring of mobile phone users, various tools have appeared that claim to be able to detect the software. However, removing CarrierIQ from your phone is another matter entirely. And, while some sites have offered instructions on doing so, Kaspersky Lab researcher Tim Armstrong said that, for all but a few mobile phone hardware experts, performing a CarrierIQ-pendectomy is a bad idea.

The half-life of the CarrierIQ “rootkit” scandal proved to be a little more than a week. That’s about how long it took for Trevor Eckhart, a young, Connecticut-based Android developer, to begin raising questions about some stealth software he discovered running on HTC Android phones, and for speculation in the media and online to run rampant about what kinds of spying that software might be engaged in. It was time enough for CarrierIQ to issue a lawyer letter threatening to sue Eckhart, for the Electronic Frontier Foundation to come to his defense, and even for Congress to get involved, each of which ensured that even more news cycles would be taken up with the mini-controversy. And it was time, at long last, for more information to become available about what was really going on with CarrierIQ’s software, and for cooler heads to prevail on both sides. The question, now, is why incidents like this provoke our anger so, and what we can do to stop them from happening again.

Symantec: Boot Sector Malware Back In Style

Malware writers are turning to boot record malware to infect systems, a throwback to earlier forms of malware.

What’s old is new again. This time it’s boot sector malware, fashionable around the turn of the Millennium, that’s making a comeback, according to Symantec Corp. Writing on the Symantec Connect blog (http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion-infographic), researcher Hon Lau notes that researchers there have seen a doubling of master boot record (MBR) malware between 2009 and 2010, with 2011 on track to double it again. The increase may be due to the release of open source code for the BootRoot MBR malware, Symantec said.

Admittedly, the “explosion” in MBR malware is hardly that, especially compared with the global malware population. We’re talking small numbers here: two instances of MBR malware in 2009, four in 2010 and five already in 2011. New families of MBR malware include CIDOX, FISPBOOT, ALWORO and SMITNYL, in addition to variants of known MBR malware families like TIDSERV. The new variants are mostly one-off creations and are being used as ransomware: software that hijacks a victim’s PC and holds it in exchange for payment.

The master boot record is the first sector of a storage device, such as a hard drive, and is the first sector a computer reads when it boots. The MBR contains code that allows the device to locate and load an operating system or other application stored on the system. Master boot record malware infects that area of the storage device, allowing it to load before the operating system. That makes it easier for MBR malware to evade detection and removal, Symantec said. Unlike the MBR malware of a decade ago, the newest MBR malware is feature rich, with data stealing and remote control functionality built in, Lau writes. Researchers at other firms have also seen a spike in MBR malware.

In April, Kaspersky researcher Vyacheslav Zakorzhevsky reported that a rootkit, FISP.A, was being installed on systems infected by NSIS.Agent.jd, an MBR rootkit (or bootkit) that was being pushed by phony Chinese pornography sites. (http://threatpost.com/en_us/blogs/virus-watch-chinese-bootkit-040511)
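The MBR layout the article describes (boot code in the first 440 bytes, a four-entry partition table at offset 446, and the 0x55AA signature at the end of the sector) is simple enough to check directly. The following is an added example, not code from the Threatpost page, from Symantec or from any of the malware families named above: it parses a 512-byte sector, hashes only the executable region so that legitimate partition-table edits do not trip the check, and flags a boot record whose entry point has been overwritten. The sample “clean” and “infected” sectors, the far-jump bytes and the baseline hash are all constructed for illustration.

```python
"""Added example: parse a classic MBR and detect an overwritten boot-code region.
All sector contents below are constructed for illustration, not taken from real malware."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 440           # bytes 0..439: the code the BIOS jumps to at 0x7C00
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the disk signature
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511; the BIOS refuses to boot without it


def parse_partitions(sector: bytes) -> list:
    """Return the four partition entries as dicts (status, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4, LE) count(4, LE)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the executable region only, so resizing a partition or toggling
    the active flag does not look like a bootkit infection."""
    return hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()


def check_mbr(sector: bytes, known_good: str) -> dict:
    """Compare an MBR against a baseline boot-code hash and flag structural oddities."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    findings = {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_match": boot_code_hash(sector) == known_good,
        "warnings": [],
    }
    parts = parse_partitions(sector)
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings["warnings"].append(f"{len(active)} active partitions (expected 1)")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings["warnings"].append(f"invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["lba_start"] == 0:
            findings["warnings"].append("partition starts at LBA 0 (overlaps the MBR)")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed 'clean' MBR: a stub of boot code and one active NTFS partition."""
    code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"        # xor ax,ax / mov ss,ax / mov sp,0x7c00
    code = code.ljust(BOOT_CODE_END, b"\x00")
    disk_sig = b"\xde\xad\xbe\xef" + b"\x00\x00"  # arbitrary disk signature + 2 reserved bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 1_000_000)
    table = entry + b"\x00" * 48                  # three empty entries
    return code + disk_sig + table + BOOT_SIGNATURE


def build_infected_mbr() -> bytes:
    """Same disk, but the entry point now jumps elsewhere (constructed, not a real bootkit).
    The partition table is untouched, which is why hashing only bytes 0..439 still catches it."""
    mbr = bytearray(build_sample_mbr())
    mbr[0:5] = b"\xea\x00\x00\x00\x9f"  # far jmp 9f00:0000, a hypothetical loader location
    return bytes(mbr)


if __name__ == "__main__":
    baseline = boot_code_hash(build_sample_mbr())  # record this from a known-good disk
    for name, sector in (("clean", build_sample_mbr()), ("infected", build_infected_mbr())):
        print(name, check_mbr(sector, baseline))
```

On a real system the baseline hash comes from reading the first sector of the disk (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux) while the machine is known to be clean, ideally from boot media rather than from the running OS, since a kernel-mode rootkit can filter what the live system returns from sector reads.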

Researchers from Kaspersky Lab claim to have discovered the most sophisticated piece of malware available on the Web. Detected by their antivirus product as TDSS, the Trojan employs a number of methods to avoid detection, including the use of encryption between the botnet command and control server and its zombies and a powerful rootkit component that conceals the presence of other types of malware on an infected system.
