A new rootkit that uses the master boot record (MBR) to hide itself has been discovered in China and is being used to install an online game password stealer.
The Hacker News
The bootkit is installed on the computer by a trojan downloader distributed from a Chinese adult site and is detected by Kaspersky as Rootkit.Win32.Fisp.a.

Once executed, the rootkit makes a copy of the old MBR and replaces the sectors with its own code, which includes an encrypted driver.

When the computer boots, the malicious code executes and restores the original MBR so that Windows can load normally.

It then uses hooks to replace the fips.sys system driver with a malicious one. "It should be noted that the driver fips.sys is not required for the operating system to run correctly, so the system won't crash when it is replaced," says Kaspersky Lab expert Vyacheslav Zakorzhevsky.

The driver scans loaded processes to determine whether they belong to one of over a dozen antivirus programs and prevents them from running properly.

The targeted security products include many Chinese ones from Beike, Rising, 360, Kingsoft, Keniu Network Technology, Beijing Jiangmin or Qizhi Software, but also internationally recognized vendors like AVG, BitDefender, Symantec, Kaspersky and ESET.

The rootkit serves as a malware distribution platform. It hooks the explorer.exe process and injects a downloader component that communicates with a remote server.

This component has been seen downloading variants of Trojan-Dropper.Win32.Vedio.dgs and a game password stealer detected by Kaspersky as Trojan-GameThief.Win32.OnLineGames.boas.

Online gaming is hugely popular in China and there is a large underground market for stolen virtual goods, currency, accounts, items and so on.

MBR rootkits are notoriously hard to remove because they can control the system before antivirus programs start. Users are advised to avoid downloading executable files that websites offer them unprompted. It is also a good idea to scan all downloaded .exe files with VirusTotal, even when an antivirus program is already running.
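
Because the bootkit overwrites the MBR sectors with its own code, a changed sector 0 is something a defender can check for. The following is an added example, not part of the original article or of Kaspersky's analysis: it compares a 512-byte MBR image against a known-good baseline of the same disk. It assumes both images were captured from trusted offline media; the function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bootstrap area (includes the per-disk signature)
PART_ENTRY_LEN = 16           # four entries follow the bootstrap area
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition entries, signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * PART_ENTRY_LEN
        entry = sector[off:off + PART_ENTRY_LEN]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 means the slot is unused
            partitions.append({"index": i, "active": entry[0] == 0x80,
                               "type": entry[4], "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def compare_to_baseline(baseline: bytes, current: bytes) -> list:
    """Return findings describing how `current` differs from the trusted baseline."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("bootstrap code changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one active type-0x07 partition starting at LBA 2048."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + bytes(48) + BOOT_SIGNATURE
```

A finding of "bootstrap code changed" with an unchanged partition table matches the pattern the article describes, where the boot code is replaced while the disk layout stays usable.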
