Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: rlmorel

Thanks for the links. The MBR replacement scheme looks really scary to me. I’m not sure how you deal with that.

And the TED video was quite good. If you watched closely you would have heard him say that they can now embed malware in a .jpg. Click on the .jpg and infect your computer. Yikes.

I like TED despite its obvious leftist tilt. Very professionally done. Actually a valuable resource.


24 posted on 10/19/2011 5:40:36 PM PDT by InterceptPoint


To: InterceptPoint
It was interesting...my brother and I were just discussing this subject last night (before this thread started) and we did some fishing around. (He has run his own PC repair business for nearly the last decade, much of it remediating malware and viruses, so he has done hand-to-hand combat with a LOT of variations.) From what he and I could gather...

NOBODY seems to know what to do or how to deal with this particular kind of thing. (Perhaps some more knowledgeable person on this thread might know a bit more...)

I found that paucity of follow-up information a little disturbing. The key verbiage from that website I thought was this:

The rootkit stores data that’s required to survive reboots in physical sectors instead of files. This means that the data, including the real payload, is not visible or in any way accessible to normal applications. Therefore the rootkit does not have to hook the normal set of interfaces to keep them hidden.

The MBR is the rootkit’s launch point. Therefore it doesn’t need to make any registry changes or to modify any existing startup executables in order to launch itself. This means that the only hooks it needs to make are used to hide and protect the modified MBR.

25 posted on 10/19/2011 5:53:43 PM PDT by rlmorel (9/11: Aggression is attracted to weakness like sharks are to blood, and we were weak. We still are.)
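An added example, not code from this thread or from the site quoted in the post above, of the check a practitioner would run against the mechanism the quoted text describes: a rootkit that launches from the MBR and keeps its payload in raw sectors leaves nothing in the file system to scan, so the only useful check reads the first 512 bytes of the disk itself and compares them with a known-good copy. The sample boot-code bytes, partition layout and disk signature are constructed for illustration; the device path accepted by read_raw_mbr is an assumption and is not called in the demo.

```python
"""
Added example, not code from the thread above or from the site it quotes:
verify a disk's Master Boot Record against a known-good baseline.

A rootkit that launches from the MBR and keeps its payload in raw sectors
leaves nothing in the file system to scan, so the check has to read the
first 512 bytes of the disk itself.  The sample MBRs below are constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0-439: boot code the BIOS hands control to
DISK_SIG_OFF = 440       # bytes 440-443: disk signature
PART_TABLE_OFF = 446     # bytes 446-509: four 16-byte partition entries
BOOT_SIG_OFF = 510       # bytes 510-511: 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Break a 512-byte MBR into its fields; raises on a wrong-sized input."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes, got %d" % len(sector))
    partitions = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, lba_len = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "lba_len": lba_len})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partition_table": sector[PART_TABLE_OFF:BOOT_SIG_OFF],
        "partitions": partitions,
        "valid_signature": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def fingerprint(sector: bytes) -> dict:
    """Hashes of the parts a bootkit must change (boot code) or may change (partition table)."""
    info = parse_mbr(sector)
    return {"boot_code": hashlib.sha256(info["boot_code"]).hexdigest(),
            "partition_table": hashlib.sha256(info["partition_table"]).hexdigest()}


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Return findings; an empty list means the MBR matches a baseline taken from a clean disk."""
    info = parse_mbr(sector)
    current = fingerprint(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if current["boot_code"] != baseline["boot_code"]:
        findings.append("boot code differs from baseline")
    if current["partition_table"] != baseline["partition_table"]:
        findings.append("partition table differs from baseline")
    return findings


def unallocated_gap(sector: bytes):
    """Sectors between the MBR and the first partition: raw space no file system covers,
    which is where sector-resident rootkit data is worth imaging and inspecting."""
    parts = parse_mbr(sector)["partitions"]
    if not parts:
        return None
    first = min(p["lba_start"] for p in parts)
    return (1, first - 1) if first > 1 else None


def read_raw_mbr(device_path: str) -> bytes:
    """Read sector 0 from a block device or disk image (assumed path, e.g. /dev/sda or an .img).
    On a live infected host this read goes through the OS the rootkit has hooked and can be
    filtered, so run it from clean boot media or against an image taken offline."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def _build_mbr(boot_code: bytes, partitions, disk_sig=0x1A2B3C4D) -> bytes:
    """Assemble a sample MBR (constructed fixture only)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba_start, lba_len) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, lba_len)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed fixtures: a stand-in for stock boot code and a modified copy whose
# first instruction jumps elsewhere (illustrative bytes, not a real loader).
LAYOUT = [(True, 0x07, 2048, 409600)]
CLEAN_MBR = _build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 24, LAYOUT)
INFECTED_MBR = _build_mbr(b"\xeb\x3c" + b"\x90" * 31, LAYOUT)
BASELINE = fingerprint(CLEAN_MBR)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, check_mbr(mbr, BASELINE) or "OK", "gap:", unallocated_gap(mbr))
```

The baseline has to come from a disk you trust (a fresh install, or the stock boot code your imaging tool writes), and the comparison is only meaningful on a sector read that bypasses the hooks the quoted text describes, which in practice means booting from separate clean media. A clean boot-code hash does not clear the gap sectors; the function only reports where they are so they can be imaged.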
