IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

The poisonous rootkits rocking the security world

There are some seriously stealthy rootkits running on computers today. Tom Brewster investigates the extent of the problem...

It is the dark chameleon of the security world, the evil twin of Where's Wally?

Previous TLD versions loaded almost immediately after the OS booted up. Now, by going below the operating system, TDL-4 has become a powerful beast, able to hide dirty software on users' machines as it steals data before sending it back to command and control centre servers. Meanwhile, IT departments are left clueless.

Scary skills

Whilst TDL-4 is one of the most sophisticated and widespread rootkits around it infected over 4.5 million PCs in just three months earlier this year there are others with equally impressive skills.

Some have focused on exploiting hardware virtualisation technology and essentially pose as hypervisors. Once on a system, such rootkits host the targeted operating system as a VM, thereby intercepting machine interactions. It was what the Blue Pill concept imagined in 2006, the creators of which claimed was undetectable. Yet there have been no notable infections of such hypervisor rootkits in the wild.

Mebromi is one particularly terrifying piece of work that has made it onto actual machines, however. It is designed to infect the BIOS part of a machine the first software that loads when a PC is powered up. That's seriously low-level infection, beyond Ring Zero where anti-virus sits.

Detected on Chinese computers in September, the malware could infect the BIOS and then initiate more code to install another rootkit at the MBR and kernel levels.

The beauty/ugliness of Mebromi lies in its ability to re-infect on every system restart if it needs to. Even if anti-virus detects and cleans the MBR infection, it can be restored at the next startup when the malicious BIOS payload can overwrite the MBR code all over again. For an Advanced Persistent Threat (APT), this is the rootkit you want.

"It's really quite technical how they're doing this, but essentially what they want to do is hide their system processes and hide the bad things they want to do," said Kaspersky researcher Ram Herkanaidu.

"Even when Windows starts up, if you've got anti-virus or anything like that, because it is catching all the I/O requests and things like that, it can then give false information back. It's highly stealthy."

Thankfully for end users, Mebromi isn't likely to spread across the globe anytime soon. That's largely because of the complexity of a successful infection. Mebromi would have to be able to get inside all different versions of Award BIOS - used by Phoenix Technologies motherboards if it was to be truly useful to cyber criminals. Kernel-level or MBR infections like TDL can work on all PCs. If you were a cyber criminal, which kind would you punt for? It's a no-brainer.

Many will now be waiting for BIOS-infecting rootkits to emerge able to infect a wider range of systems, however. Looking at how diligently hackers have worked in the past few years, expect such noxious beasts to emerge in the near future.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Intel to produce chips for Taiwanese manufacturer MediaTek
Business strategy

Intel to produce chips for Taiwanese manufacturer MediaTek

25 Jul 2022
McAfee and Visa offer 50% off antivirus subscriptions for small businesses
cyber security

McAfee and Visa offer 50% off antivirus subscriptions for small businesses

25 Jul 2022
How to pick the best business laptop CPU
Hardware

How to pick the best business laptop CPU

15 Jul 2022
Intel warns customers to expect price hike for certain chips
Hardware

Intel warns customers to expect price hike for certain chips

15 Jul 2022

Most Popular

Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022