October 31, 2014

The Return of Master Boot Record (MBR) Malware

(LiveHacking.Com) – According to the August 2011 Symantec Intelligence Report, Master Boot Record (MBR) malware is making a comeback. The report, which combines research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report, reveals that there were as many new boot-time (MBR) malware threats in the first seven months of 2011 as there were in the previous three years combined.

The master boot record (MBR) is the first 512-byte sector (LBA 0) of a PC's hard drive. Its first 446 bytes hold bootstrap code; they are followed by a 64-byte partition table of four 16-byte entries and a two-byte boot signature (0x55 0xAA). On a legacy-BIOS machine the firmware reads that sector into memory and jumps into its code during bootup, before the operating system itself, let alone any security software it carries, has been loaded. Code planted there therefore runs with no OS-level control in place, which is why boot-time malware targets it.
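As an added example (not code from the Symantec report or from LiveHacking.com), the following Python parses a 512-byte MBR image by the layout described above and compares its boot-code region against a known-good SHA-256 hash, the baseline check a responder would run to spot an overwritten MBR. The two sample images, the baseline hash and the helper names are constructed for this example and are not real bootloader code.

```python
"""Parse a Master Boot Record and compare its boot code against a known-good
hash. Added example; not code from the Symantec report or LiveHacking.com."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446              # bytes 0-445: code the BIOS jumps into
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries at bytes 446-509
PARTITION_ENTRY_COUNT = 4
SIGNATURE_OFFSET = 510            # bytes 510-511 must be 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector):
    """Return boot code, non-empty partition entries and signature status."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    entries = []
    for i in range(PARTITION_ENTRY_COUNT):
        off = PARTITION_TABLE_OFFSET + i * 16
        # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:            # type 0x00 marks an unused slot
            continue
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "status": status,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code": sector[:BOOT_CODE_SIZE],
        "partitions": entries,
        "valid_signature": sector[SIGNATURE_OFFSET:] == BOOT_SIGNATURE,
    }


def boot_code_hash(sector):
    """SHA-256 of the boot-code region only; the partition table changes legitimately."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def check_mbr(sector, baseline_hash):
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline (possible MBR infection)")
    for p in mbr["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02x"
                            % (p["index"], p["status"]))
    if sum(p["bootable"] for p in mbr["partitions"]) > 1:
        findings.append("more than one partition flagged active")
    return findings


def build_sample_mbr(boot_code):
    """Constructed sample image: one active NTFS-type partition. Not a real disk."""
    boot_code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (16 * 3)
    return boot_code + table + BOOT_SIGNATURE


# Constructed "clean" and "overwritten" boot-code stubs; neither is a real bootloader.
CLEAN_MBR = build_sample_mbr(b"\xeb\x3c\x90clean-loader")
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90hooked-loader")
BASELINE = boot_code_hash(CLEAN_MBR)   # taken once from the known-good image

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE) or "OK")
```

In practice the sector comes from the disk itself (for example `dd if=/dev/sda bs=512 count=1` on Linux) and the baseline is taken right after a clean install; hashing only the 446-byte boot-code region avoids false alarms when the partition table changes for legitimate reasons.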

“MBR infections offer great scope for deep infection and control of computers, which makes the idea attractive to malware creators. Contemporary MBR infection methods are a fairly complex affair usually executed by highly skilled individuals,” said Paul Wood, senior intelligence analyst, Symantec.cloud.

Other highlights of the report include:

Pump and dump: Spammers are seeking to benefit from fluctuations in the turbulent financial markets, most notably by sending large volumes of spam relating to certain “pink sheets” stocks in an attempt to “pump” the value of these stocks before “dumping” them at a profit.

Spam: In August 2011, the global ratio of spam in email traffic declined to 75.9 percent (1 in 1.32 emails); a decrease of 1.9 percentage points when compared with July 2011.

Phishing: In August, phishing email activity increased by 0.01 percentage points since July 2011; one in 319.3 emails (0.313 percent) comprised some form of phishing attack.

Email-borne Threats: The global ratio of email-borne viruses in email traffic was one in 203.3 emails (0.49 percent) in August, an increase of 0.14 percentage points since July 2011.

Web-based Malware Threats: In August, Symantec Intelligence identified an average of 3,441 Web sites each day harboring malware and other potentially unwanted programs including spyware and adware; a decrease of 49.4 percent since July 2011.

Endpoint Threats: The most frequently blocked malware for the last month was W32.Ramnit!html. This is a generic detection for .HTML files infected by W32.Ramnit, a worm that spreads through removable drives and by infecting executable files. The worm spreads by encrypting and then appending itself to files with .DLL, .EXE and .HTM extensions. Variants of the Ramnit worm accounted for 15.8 percent of all malicious software blocked by endpoint protection technology in August.

You can also get more information by reading the SlideShare Presentation: August 2011 Symantec Intelligence Report