Researchers from security firm Trusteer have found a new variant of the Gozi banking Trojan program that infects a computer's Master Boot Record (MBR) in order to achieve persistence.
The Master Boot Record (MBR) is a boot sector that resides at the beginning of a storage drive and contains information about how that drive is partitioned. It also includes boot code that runs before the operating system starts.
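Because the MBR has a fixed 512-byte layout (446 bytes of boot code, a 64-byte partition table of four 16-byte entries, and the 0x55AA signature), a defender can parse it and baseline a hash of the boot code to detect the kind of overwrite described above. The following is an added example, not code from the article or from Trusteer; the sample sector is constructed inline, and the `baseline_hash` value and `mbr_changed` helper are assumptions for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # boot code occupies bytes 0..445
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries follow
PARTITION_ENTRY_LEN = 16
SIGNATURE_OFF = 510            # last two bytes must be 0x55 0xAA
MBR_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR sector from boot code and partition tuples."""
    assert len(boot_code) == BOOT_CODE_LEN
    table = b""
    for status, ptype, lba_start, sectors in entries:
        table += struct.pack(ENTRY_FMT, status, b"\x00\x00\x00", ptype,
                             b"\xfe\xff\xff", lba_start, sectors)
    table += b"\x00" * (PARTITION_ENTRY_LEN * 4 - len(table))  # pad unused slots
    return boot_code + table + MBR_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code hash, partition entries and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype == 0:             # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFF:] == MBR_SIGNATURE,
    }


def mbr_changed(baseline_hash: str, sector: bytes) -> bool:
    """True if the boot code no longer matches the recorded baseline (hypothetical check)."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_hash


# Constructed sample: one bootable NTFS-type (0x07) partition starting at LBA 2048.
SAMPLE_BOOT_CODE = bytes(range(256)) + bytes(range(190))   # 446 bytes of filler
SAMPLE_MBR = build_sample_mbr(SAMPLE_BOOT_CODE, [(0x80, 0x07, 2048, 1_000_000)])

# Constructed "tampered" sector: same partition table, first boot-code bytes replaced.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + SAMPLE_BOOT_CODE[2:],
                                [(0x80, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    baseline = parse_mbr(SAMPLE_MBR)["boot_code_sha256"]
    print("baseline boot code sha256:", baseline)
    print("partitions:", parse_mbr(SAMPLE_MBR)["partitions"])
    print("tampered sector changed:", mbr_changed(baseline, TAMPERED_MBR))
```

In practice the baseline would be recorded right after a clean install and the check run against sector 0 read with raw disk access; a mismatch in the boot code while the partition table is unchanged is the pattern a boot-code overwrite leaves behind.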
Some malware authors have leveraged the MBR in order to give their malicious programs a head start over antivirus programs installed on the computer.
Sophisticated malware that uses MBR rootkit components, like TDL4, also known as Alureon or TDSS, is part of the reason why Microsoft built the Secure Boot feature into Windows 8. Such malware is hard to detect and remove and can even survive operating system reinstallation.
"Even though MBR rootkits are considered highly effective they haven't been integrated into a lot of financial malware," Trusteer researcher Etay Maor said Thursday in a blog post. "One exception was Mebroot rootkit that was used to deploy Torpig (aka Sinowal/Anserin)."
Read more: http://www.pcworld.com/article/2035763/new-version-of-gozi-financial-malware-bundles-mbr-rootkit.html