StealthMBR Rootkit Enhances Its Capabilities
Wednesday March 19, 2008 at 6:28 pm CST
Posted by Aditya Kapoor
Yesterday we received new variants of the StealthMBR rootkit from the field. The basic strategy is unchanged from the one we described in our original StealthMBR blog: overwrite the master boot record, then hook the IRP dispatch table of the \Driver\Disk driver object so that reads of the infected sectors return the original MBR and writes to them are blocked. What has changed is the self-protection: from the perspective of cleaning this threat, the rootkit has been modified to make removal considerably harder.
A very common self-protection technique among user-land malware is a “watcher” thread that continuously polls the malware’s files, memory and registry entries for changes made by the user or by an anti-virus product and restores them. StealthMBR has taken this technique into kernel space: it runs watcher threads in the context of the System process. The thread continuously checks for any attempt to restore the original MBR or to remove its IRP hooks, and if either is modified, it immediately re-infects the MBR and re-installs the hooks. The practical consequence is that writing a clean MBR to disk from within the running system is not enough; the write succeeds (or appears to), and the watcher undoes it moments later.
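The verification step this behaviour forces on a cleaner is worth seeing in code. The following is an added example and is not McAfee’s or the rootkit’s code: it models sector 0 as an in-memory buffer (a real tool would read and write `\\.\PhysicalDrive0`), stands in for the kernel watcher thread with a hypothetical `watcher_tick()` that simply copies its own boot code back whenever it finds it changed, and shows why a cleaner must re-read the MBR after writing it rather than trusting that the write stuck. The functions `setup_clean_disk`, `simulate_infection`, `simulate_watcher_stopped` and `restore_boot_code_and_verify` are names chosen for this example; the “boot code” and “rootkit loader” byte patterns are constructed test data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE    512
#define BOOT_CODE_SIZE 446   /* bytes 0..445 boot code, 446..509 partition table, 510..511 = 0x55 0xAA */

/* Constructed stand-in for sector 0 of the boot disk. */
static uint8_t g_sector0[SECTOR_SIZE];

/* Simulated infection state (hypothetical, for this demo only). */
static int     g_watcher_active;
static uint8_t g_watcher_copy[BOOT_CODE_SIZE];

static void disk_read_sector0(uint8_t *out)       { memcpy(out, g_sector0, SECTOR_SIZE); }
static void disk_write_sector0(const uint8_t *in) { memcpy(g_sector0, in, SECTOR_SIZE); }

/* One polling iteration of a self-healing watcher, reduced to its essence: if the
 * boot code no longer matches the watcher's own copy, write it back. This stands in
 * for the kernel thread described above so the verification logic has something to catch. */
static void watcher_tick(void)
{
    if (g_watcher_active && memcmp(g_sector0, g_watcher_copy, BOOT_CODE_SIZE) != 0)
        memcpy(g_sector0, g_watcher_copy, BOOT_CODE_SIZE);
}

/* Build a clean disk: a boot code pattern, one partition entry and the 0x55AA
 * signature. The clean boot code is copied to clean_out for later comparison. */
void setup_clean_disk(uint8_t *clean_out)
{
    memset(g_sector0, 0, SECTOR_SIZE);
    memset(g_sector0, 0x90, BOOT_CODE_SIZE);   /* constructed: NOP sled as "boot code" */
    g_sector0[0]   = 0xEB;                     /* an MBR typically begins with a short JMP */
    g_sector0[446] = 0x80;                     /* partition entry 1: bootable flag */
    g_sector0[450] = 0x07;                     /* partition type: NTFS */
    g_sector0[510] = 0x55;
    g_sector0[511] = 0xAA;
    memcpy(clean_out, g_sector0, BOOT_CODE_SIZE);
    g_watcher_active = 0;
}

/* Overwrite only the boot code, as an MBR infector does (partition table and
 * signature are left intact so the machine still boots), and start the watcher. */
void simulate_infection(void)
{
    memset(g_watcher_copy, 0xCC, BOOT_CODE_SIZE);  /* constructed: INT3 bytes as "rootkit loader" */
    memcpy(g_sector0, g_watcher_copy, BOOT_CODE_SIZE);
    g_watcher_active = 1;
}

/* Models the state a kernel-level cleaner, or booting from clean media, achieves:
 * the watcher thread is no longer running. */
void simulate_watcher_stopped(void) { g_watcher_active = 0; }

int mbr_signature_ok(const uint8_t *sector)
{
    return sector[510] == 0x55 && sector[511] == 0xAA;
}

/* Write clean boot code over sector 0, keeping the partition table and signature,
 * then re-read the sector `polls` times, giving the (simulated) watcher a turn in
 * between. Returns 1 if the clean code survived every re-read, 0 if it was reverted
 * (a watcher is still active), -1 if sector 0 does not look like an MBR at all. */
int restore_boot_code_and_verify(const uint8_t *clean_boot_code, int polls)
{
    uint8_t sector[SECTOR_SIZE];

    disk_read_sector0(sector);
    if (!mbr_signature_ok(sector))
        return -1;                       /* never write over something that is not an MBR */

    memcpy(sector, clean_boot_code, BOOT_CODE_SIZE);
    disk_write_sector0(sector);

    for (int i = 0; i < polls; i++) {
        watcher_tick();                  /* on a live system: sleep, let the kernel thread run */
        disk_read_sector0(sector);
        if (memcmp(sector, clean_boot_code, BOOT_CODE_SIZE) != 0)
            return 0;                    /* reverted: the infection is still protecting itself */
    }
    return 1;
}

int main(void)
{
    uint8_t clean[BOOT_CODE_SIZE];
    setup_clean_disk(clean);
    simulate_infection();
    printf("restore while watcher runs:   %d\n", restore_boot_code_and_verify(clean, 3));
    simulate_watcher_stopped();
    printf("restore after watcher stopped: %d\n", restore_boot_code_and_verify(clean, 3));
    return 0;
}
```

The point of the re-read loop is that a single successful write proves nothing against a self-healing infection; only a boot code that is still clean after the watcher has had time to run counts as removed. In practice the same check is also how you tell whether a cleaner has actually stopped the kernel thread, as opposed to merely rewriting the sector.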
We have added generic detections for this threat as Generic Packed.g and StealthMBR Trojan. As with the last variant, we are working on an updated cleaning routine, shipped in the DAT files, that repairs the infected MBR from within the running system and does not require running FIXMBR from the Microsoft Recovery Console.
In a follow-up blog we will discuss the inner workings of this variant. Stay tuned!
