Archives For Malware

Master Boot Record Malware Continue Reading…

CidoxKaspersky labs recently provided an interesting writeup of a scareware rootkit that infects both the Master Boot Record (MBR) and the NTFS Volume Boot Record (VBR).

The interesting part is that the Initial Program Loader (IPL) within the NTFS VBR is overwritten.  It seems that the traditional method of looking for modifications to the MBR and any code following it is not enough.  A sanity check of the NTFS boot loader (NTLDR in XP and before, BOOTMGR in Vista and later) should also be accomplished.

A couple of great pages for detailed information on the MBR and NTFS VBR follow.


Digitally signed malware on the rise <-IR procedures need to adapt (via @) #DFIR
Chad Tilbury