From Collaborative RCE Knowledge Library

Jump to: navigation, search

Stealth MBR Rootkit

Item name: Stealth MBR Rootkit
Rating: 0.0 (0 votes)
Author: GMER                        
Home URL:
Last updated: January 2, 2008
Version (if appl.):
Direct D/L link:
Description: At the end of 2007 stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ) and it looks like this way of affecting NT systems could be more common in near future if MBR stays unprotected.

"Good points" of being MBR rootkit:
full control of machine boot process-code is executed before the OS starts
rootkit does not need a file - code could exists in some sectors of the disk and it cannot be deleted as a usual file
rootkit does not need any registry entry because it is loaded by MBR code
to hide itself, rootkit needs to control only a few sectors of the disk

How MBR rootkit works :
MBR loader
Kernel patcher
Kernel driver loader
Sectors hider/protector
Kernel driver
Rootkit removal
Related URLs: No related URLs have been submitted for this item yet

RSS feed Feed containing all updates for this item.

You are welcome to add your own useful notes about this tool, for others to see!

If you find that any information for the item above is missing, outdated or incorrect, please edit it!
(please also edit it if you think it fits well in some additional category, since this can also be controlled)

Category Navigation Tree