Fresh Chinese Rootkit Using MBR Detected

Kaspersky Lab the IT security company has uncovered one new rootkit, malware that contaminates the boot sector of a computer's hard-drive, and dubbed it Rootkit.Win32.Fisp.a.

Says Vyacheslav Zakorzhevsky a researcher at Kaspersky Lab, the said rootkit gets disseminated via Trojan-Downloader.NSIS.Agent.jd, which contaminates end-users' PCs when they attempt at taking down a movie file obtainable from one Chinese pornographic website that's actually phony. Securelist.com published this in news on April 5, 2011.

Apparently, if run successfully, Rootkit.Win32.Fisp.a copies the earlier MBR (master boot record) as also plants a self-generated code (having one encrypted driver) that substitutes the sectors. Thereafter, during the infected PC's startup, the malevolent code runs as also retrieves the real MBR to enable Windows to load as usual.

The code also employs hooks so it can place a malevolent driver substituting fips.sys a legitimate system-driver. States Zakorzhevsky, a point to observe is that the fips.sys isn't necessary for the accurate running of the OS, thus its substitution won't cause the system to collapse. Softpedia.com reported this April 5, 2011.

Meanwhile, tasked with executing scans, the malevolent system-driver examines if the loaded processes are anti-virus applications that it then stops from performing well. Chiefly, the driver infiltrates explorer.exe and inserts a different variant of Rootkit.Win32.Fisp.a into the process. Thereafter, the rootkit establishes contact with the server and transmits details of the infected PC's IP address, operating system, MAC address and more. Securelist.com reported this.

The rootkit also downloads Trojan-GameThief.Win32.OnLineGames.boas and Trojan-Dropper.Win32.Vedio.dgs on the infected PC.

At this juncture, the malevolent driver attacks the security programs such as those from China's Kingsoft, 360, Rising, Beike, Qizhi Software, Beijing Jiangmin or Keniu Network Technology, and further from globally-renowned venders such as Kaspersky, BitDefender, ESET and AVG.

State the security researchers that it's difficult to eliminate MBR rootkits since these have the capacity to control a computer prior to the start of anti-virus software. Hence, end-users should do away with taking down .exe files that websites present even when no request is made. Also, they would do well to use VirusTotal to scan every executable file downloaded despite an AV application already running on their systems.

Related article: Fark.com Files Suit against Suspected Hacker from Fox13

» SPAMfighter News - 4/14/2011