Cidox Rootkit Infects NTFS VBR

By Chad Tilbury on July 7, 2011 in Malware

Kaspersky Lab recently provided an interesting writeup of a scareware rootkit that infects both the Master Boot Record (MBR) and the NTFS Volume Boot Record (VBR).

http://www.securelist.com/en/blog/517/Cybercriminals_switch_from_MBR_to_NTFS

The interesting part is that the Initial Program Loader (IPL) within the NTFS VBR is overwritten. The traditional method of looking only for modifications to the MBR and the code following it is therefore not enough. A sanity check of the NTFS boot loader (NTLDR in XP and earlier, BOOTMGR in Vista and later) should be performed as well.
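As an added example (not code from the post or from Kaspersky), the following Python script records a baseline of the MBR code region and of each NTFS volume's boot sector bootstrap plus the IPL sectors it loads, then re-checks a disk image against that baseline. The image, partition table values and boot code bytes are constructed inline; the assumption that the NTFS IPL occupies the 15 sectors following the boot sector follows the Vista+ layout described on the pages linked below, and the sector-based offsets are the standard MBR/NTFS BPB positions.

```python
"""Baseline-and-compare check for MBR code and the NTFS VBR/IPL region.

Added example, not the post's or Kaspersky's code. Layout assumptions:
MBR code ends at 0x1BE (partition table), NTFS bootstrap code starts at
0x54 in the boot sector, and the IPL occupies the 15 sectors after it.
"""
import hashlib
import struct

SECTOR = 512
MBR_CODE_LEN = 0x1BE        # MBR code region ends where the partition table begins
NTFS_PART_TYPE = 0x07       # partition type byte for NTFS
VBR_CODE_OFFSET = 0x54      # bootstrap code follows the BPB / extended BPB
IPL_SECTORS = 15            # sectors 1..15 of the volume hold the IPL (assumption)


def parse_mbr(mbr: bytes):
    """Return (sha256 of the MBR code region, list of used partition entries)."""
    if len(mbr) < SECTOR or mbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("MBR signature missing")
    parts = []
    for i in range(4):
        entry = mbr[0x1BE + 16 * i : 0x1BE + 16 * (i + 1)]
        status, ptype, lba_start, size = struct.unpack("<B3xB3xII", entry)
        if ptype:
            parts.append({"type": ptype, "lba": lba_start,
                          "sectors": size, "active": status == 0x80})
    return hashlib.sha256(mbr[:MBR_CODE_LEN]).hexdigest(), parts


def parse_ntfs_vbr(vbr: bytes) -> dict:
    """Validate an NTFS boot sector structurally and return key BPB fields."""
    if vbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("VBR signature missing")
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", vbr, 0x0B)
    total, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", vbr, 0x28)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total, "mft_lcn": mft_lcn, "mftmirr_lcn": mftmirr_lcn}


def boot_region_hash(volume: bytes) -> str:
    """SHA-256 over the VBR bootstrap code plus the IPL sectors it loads."""
    code = volume[VBR_CODE_OFFSET:0x1FE] + volume[SECTOR : SECTOR * (1 + IPL_SECTORS)]
    return hashlib.sha256(code).hexdigest()


def record_baseline(image: bytes) -> dict:
    """Hash the MBR code and every NTFS volume's boot region on a known-clean image."""
    mbr_hash, parts = parse_mbr(image[:SECTOR])
    vbr = {}
    for p in parts:
        if p["type"] == NTFS_PART_TYPE:
            start = p["lba"] * SECTOR
            vbr[p["lba"]] = boot_region_hash(image[start : start + SECTOR * (1 + IPL_SECTORS)])
    return {"mbr": mbr_hash, "vbr": vbr}


def check_disk(image: bytes, baseline: dict) -> list:
    """Compare an image's MBR and NTFS VBR/IPL regions against the recorded baseline."""
    findings = []
    mbr_hash, parts = parse_mbr(image[:SECTOR])
    if mbr_hash != baseline["mbr"]:
        findings.append("MBR code differs from baseline")
    for p in parts:
        if p["type"] != NTFS_PART_TYPE:
            continue
        start = p["lba"] * SECTOR
        vol = image[start : start + SECTOR * (1 + IPL_SECTORS)]
        parse_ntfs_vbr(vol)  # raises if the boot sector itself is structurally broken
        if boot_region_hash(vol) != baseline["vbr"].get(p["lba"]):
            findings.append(f"NTFS VBR/IPL at LBA {p['lba']} differs from baseline")
    return findings


def build_sample_image() -> bytes:
    """Constructed image: MBR with one NTFS partition at LBA 2048 plus 16 boot sectors."""
    mbr = bytearray(SECTOR)
    mbr[:MBR_CODE_LEN] = b"\x33\xC0\x8E\xD0" + b"\x90" * (MBR_CODE_LEN - 4)  # placeholder code
    mbr[0x1BE:0x1CE] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", NTFS_PART_TYPE,
                                   b"\0\0\0", 2048, 204800)
    mbr[0x1FE:0x200] = b"\x55\xAA"
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"               # jump over the BPB, as real NTFS VBRs do
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)
    struct.pack_into("<QQQ", vbr, 0x28, 204799, 786432, 2)
    vbr[VBR_CODE_OFFSET:0x1FE] = b"\xFA\x33\xC0" + b"\x90" * (0x1FE - VBR_CODE_OFFSET - 3)
    vbr[0x1FE:0x200] = b"\x55\xAA"
    ipl = b"\x90" * (SECTOR * IPL_SECTORS)   # placeholder IPL bytes
    image = bytearray(SECTOR * 2048)
    image[:SECTOR] = mbr
    image += vbr + ipl
    return bytes(image)


def simulate_ipl_change(image: bytes, lba: int) -> bytes:
    """Constructed test case: alter one byte inside the IPL region of the volume at lba."""
    img = bytearray(image)
    img[(lba + 1) * SECTOR + 16] ^= 0xFF
    return bytes(img)


if __name__ == "__main__":
    clean = build_sample_image()
    baseline = record_baseline(clean)
    print("clean image:", check_disk(clean, baseline) or "no findings")
    print("altered IPL:", check_disk(simulate_ipl_change(clean, 2048), baseline))
```

On a real system the baseline would be taken from a known-good image of the same build, and a structural parse failure of the boot sector is reported as loudly as a hash mismatch, since either indicates the region has been touched.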

A couple of great pages for detailed information on the MBR and NTFS VBR follow.

http://mirror.href.com/thestarman/asm/mbr/W7MBR.htm

http://mirror.href.com/thestarman/asm/mbr/VistaVBR.htm

