Malicious software that targets computer systems continues to evolve and attack computers in different ways. One relatively recent development is the use of malicious software to target the master boot record (MBR) of a computer.
As known in the art, the master boot record is a special sector, typically the first sector, of a hard disk (removable or fixed) or other mass storage device. The master boot record includes the bootstrapping code and a partition table, as well as other information. Often, the actual bootstrapping code differs from disk to disk, depending on the operating system installed.
One type of malicious software (or malware) that infects the master boot record and is especially advanced and problematic is an MBR rootkit. An MBR rootkit (such as the malware “Popureb”) buries itself (and hides) in the master boot record and can be difficult to detect and remove. Because it hides within the master boot record, such a rootkit can make itself, and any follow-on malware installed by the rootkit, invisible to both the operating system and to any antivirus security software. Traditional techniques have relied upon malware signatures in order to detect such malware within the master boot record.
Unfortunately, just as other malware writers may use packer software (e.g., UPX, ASProtect) to compress and hide the true nature of their malicious software, more and more rootkits are now encrypting an infected master boot record in order to evade detection from antivirus software. For example, a variant of the TDSS family of malware is known to infect a clean master boot record and then encrypt the resulting infected master boot record with a private cryptographic key (which has been generated according to a specific characteristic of the machine). Because each encryption scheme on each machine will be different, each infected master boot record will be different from that of any other machine and thus more difficult to detect.
Furthermore, because of the encryption, traditional static binary signature-based detection methods are not effective in detecting an infected master boot record that has been encrypted. In addition, using a whitelist to identify an infected master boot record (e.g., by creating a hash of the bootstrapping code and treating any unlisted hash as an infection) is not entirely effective because its matches have low confidence and produce false positives. Whitelist detection is also unable to identify which type of malware has infected the computer, meaning that a security software product would not know how to clean the computer. Moreover, cleaning the computer with the wrong product (or when cleaning is not necessary) may be disastrous. Finally, the technique of reinstalling the operating system (recommended by some operating system developers) is extremely time consuming and may result in loss of data.
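To make the master boot record layout and the whitelist approach described above concrete, the following is an added example (not code from the patent or from any product it mentions): it splits a 512-byte sector into bootstrapping code and partition table, looks up a hash of the bootstrapping code in a whitelist, and, as an added heuristic that goes beyond the text, flags an unlisted loader whose byte entropy is high enough that a static byte signature would have nothing to match. The MBR layout constants are standard; the sample sectors, the hypothetical 7.0 bits-per-byte threshold and the sha256-derived stand-in for an encrypted loader are constructed for this example.

```python
import hashlib
import math
import struct

# Classic MBR layout: 446 bytes of bootstrap code, a 64-byte partition table
# (four 16-byte entries), then the 2-byte boot signature 0x55AA at offset 510.
BOOTSTRAP_LEN, TABLE_OFF, BOOT_SIG = 446, 446, b"\x55\xaa"

def parse_mbr(sector: bytes):
    """Return (bootstrap_code, partition_entries) for a 512-byte MBR sector."""
    if len(sector) != 512 or sector[510:] != BOOT_SIG:
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)]
        lba_start, sectors = struct.unpack("<II", raw[8:16])
        entries.append({"bootable": raw[0] == 0x80, "type": raw[4],
                        "lba_start": lba_start, "sectors": sectors})
    return sector[:BOOTSTRAP_LEN], entries

def bootstrap_hash(code: bytes) -> str:
    """Whitelist key: a hash of the bootstrapping code only, as the text describes."""
    return hashlib.sha256(code).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 7.5 for 446 encrypted bytes, much lower for real loaders."""
    probs = [data.count(bytes([b])) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs)

def classify(sector: bytes, whitelist: set, threshold: float = 7.0) -> str:
    """Whitelist lookup first; an unlisted, high-entropy loader is the case where a
    byte-signature scan has nothing to match (the entropy test is an added heuristic)."""
    code, _ = parse_mbr(sector)
    if bootstrap_hash(code) in whitelist:
        return "known-good"
    if shannon_entropy(code) >= threshold:
        return "suspicious-high-entropy"
    return "unknown-low-entropy"

def build_sector(code: bytes) -> bytes:
    """Assemble a sector: code, one bootable type-0x07 entry, three empty, signature."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIG

# Constructed sample data (not real MBRs): a tiny loader stub padded with zeros,
# and a deterministic pseudo-random block standing in for an encrypted loader.
CLEAN_CODE = bytes.fromhex("fa33c08ed0bc007c8bf45007501ffbfc").ljust(BOOTSTRAP_LEN, b"\x00")
ENCRYPTED_CODE = b"".join(hashlib.sha256(b"constructed-seed" + bytes([i])).digest()
                          for i in range(14))[:BOOTSTRAP_LEN]
```

Note that the whitelist branch reports only "known-good" or "not listed": exactly as the text says, a miss tells the defender nothing about which malware family is present, which is why the entropy heuristic is only a triage signal and not an identification.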
Therefore, in consideration of the above problems with prior art approaches, a new technique is desired to detect infected master boot records, especially those that have been encrypted by malicious software.