v3-labs

a blog from

More rootkit evil this way comes


Does milk curdle when you place it next to your PC while it's firing up? You may have a rootkit. VeriSign security outfit iDefense has tipped us the wink about a nasty rootkit which appears to be active in the wild, and which could take over PCs and form the basis of a fairly pervasive botnet.

The rootkit works its evil by infecting user systems after they've visited a website hosting a malicious IFrame. IFrames are HTML tags which allow website coding meisters to embed other HTML documents, like advertisements, inside the main document. While the visitor has a shufty at what looks like a normal website, the rootkit infects the master boot record (MBR).

Currently iDefense say the following exploits, all against Microsoft products, can be used to infect users' systems: JVM ByteVerify (MS03-011), MDAC (MS06-014), Internet Explorer Vector Markup Language (MS06-055) and XML Core Services (MS06-071). However, there's no reason why other unpatched OS bugs or other application vulnerabilities couldn't be used in future.

Once this rootkit is on your system it loads before Windows does, so it can hide from Windows and from any security tools that run under Windows. You're therefore reliant on your anti-virus package being able to detect the rootkit and remove it. There may be a better option, though, if you use a tool like Acronis True Image to create a backup of your entire system. True Image also backs up the MBR, and because True Image boots from CD before Windows loads, the rootkit doesn't get a chance to execute and do its thang.

So if you think you may have a rootkit, you can flatten the infected MBR by restoring the backed-up one (see picture) and continue merrily on your way. There are other tools out there, and Windows OS CDs also have options to write a new MBR to your system, although I suspect these were put there originally to repair non-bootable Windows systems.

[Image: Acronis True Image restore screen]

The trick is knowing that you have an infected MBR in the first place, which seems like a hard call to make unless you are at one with your PC in a yogic type of way.
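One practical way to make that call is to keep a baseline of your known-good MBR and compare against it later, ideally from boot media rather than from inside Windows, since a rootkit that loads first can lie to anything running under Windows. The following is an added example, not code from the post or from iDefense or Acronis: it parses a 512-byte MBR into boot code, partition table and boot signature, hashes the boot code, and reports what changed relative to a baseline. The two MBR images are constructed inline; on a real machine you would read sector 0 of the disk (for example `\\.\PhysicalDrive0` on Windows, with administrator rights) into the same 512-byte buffer.

```python
import hashlib
import struct

MBR_SIZE, BOOT_CODE_LEN, PART_TABLE_OFF, SIG_OFF = 512, 446, 446, 510


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot code hash, partition entries and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        e = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # byte 0: status, 1-3: CHS start, 4: type, 5-7: CHS end, 8-11: LBA start, 12-15: sector count
        lba_start, sectors = struct.unpack("<II", e[8:16])
        parts.append({"bootable": e[0] == 0x80, "type": e[4],
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": mbr[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa",
    }


def check_mbr(mbr: bytes, baseline: dict) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if info["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one bootable NTFS (type 0x07) partition at LBA 2048, 204800 sectors."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + b"\x55\xaa"


# Constructed images: a "clean" MBR used as baseline, and one whose boot code
# was replaced while the partition table stayed the same (the hallmark of an MBR infection).
CLEAN_MBR = build_sample_mbr(b"CONSTRUCTED-CLEAN-BOOT-CODE")
BASELINE = parse_mbr(CLEAN_MBR)
TAMPERED_MBR = build_sample_mbr(b"CONSTRUCTED-REPLACED-BOOT-CODE")

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

A legitimate rewrite of the boot loader (an OS repair, a new boot manager) also changes the hash, so refresh the baseline after such maintenance; an unexpected change with the partition table intact is the case worth investigating.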

14 Jan 2008
