The MBR, the most important data structure on the disk, is created when the disk is partitioned. The MBR contains a small amount of executable code called the “master boot code,” the disk signature, and the partition table for the disk. At the end of the MBR is a 2-byte structure called the “signature word” or “end-of-sector marker,” which is always set to 0x55AA.”
“The master boot code performs the following activities:
- Scans the partition table for the active partition.
- Finds the starting sector of the active partition.
- Loads a copy of the boot sector from the active partition into memory.
- Transfers control to the executable code in the boot sector.
“A quick search in our collection for threats found in the MBR yielded few pieces of malware based on a subversion technique that’s almost 5 years old. One interesting sample added recently is detected as Trojan:DOS/Bootroot.
Trojan:DOS/Bootroot is installed by other Windows malware using direct physical disk drive access. Bootroot grabs initial control of the MBR’s boot code. From there, it implements a 3-stage hooking mechanism done along the lines of the normal booting process. This enables the malicious bootkit to ultimately launch another malware component as the operating system loads,” reports MMPC blog.
A troubleshooting guide on how to restore the MBR boot code is available on the Microsoft TechNet website and can be found here.
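The MBR layout and the master boot code's active-partition scan described above, as an added Python example (not code from the MMPC post or from Microsoft): it splits a raw 512-byte sector into boot code, disk signature and partition table, checks the 0x55AA marker, locates the active partition the way the boot code does, and hashes the boot code so it can be compared with a known-good baseline. The sample sector, the partition values and the baseline-hash idea are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 0x1B8      # master boot code: bytes 0x000..0x1B7
DISK_SIG_OFF = 0x1B8       # 4-byte disk signature
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
SIG_WORD_OFF = 0x1FE       # 2-byte end-of-sector marker
ACTIVE_FLAG = 0x80         # status byte value marking the active (bootable) partition

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    marker = sector[SIG_WORD_OFF:SIG_WORD_OFF + 2]
    if marker != b"\x55\xAA":  # the 0x55AA word is stored on disk as bytes 55 AA
        raise ValueError("missing 0x55AA end-of-sector marker: %s" % marker.hex())
    partitions = []
    for i in range(4):
        entry = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, entry)
        partitions.append({"index": i, "status": status, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }

def find_active_partition(parsed: dict) -> dict:
    """Mimic the master boot code's scan: return the entry whose status byte is 0x80."""
    active = [p for p in parsed["partitions"] if p["status"] == ACTIVE_FLAG]
    if len(active) != 1:
        raise ValueError("expected exactly one active partition, found %d" % len(active))
    return active[0]

def boot_code_matches(parsed: dict, known_good_sha256: str) -> bool:
    """Compare the boot code hash with a baseline recorded from a clean disk (assumed workflow)."""
    return parsed["boot_code_sha256"] == known_good_sha256

# Constructed sample MBR (not from a real disk): a few stand-in boot code bytes,
# disk signature 0x12345678, partition 1 marked active and starting at LBA 2048.
SAMPLE_MBR = bytearray(SECTOR_SIZE)
SAMPLE_MBR[0:3] = b"\xFA\x33\xC0"
struct.pack_into("<I", SAMPLE_MBR, DISK_SIG_OFF, 0x12345678)
struct.pack_into("<B3xB3xII", SAMPLE_MBR, PART_TABLE_OFF, 0x00, 0x07, 63, 2048 - 63)
struct.pack_into("<B3xB3xII", SAMPLE_MBR, PART_TABLE_OFF + 16, 0x80, 0x07, 2048, 204800)
SAMPLE_MBR[SIG_WORD_OFF:SIG_WORD_OFF + 2] = b"\x55\xAA"
SAMPLE_MBR = bytes(SAMPLE_MBR)

if __name__ == "__main__":
    print(find_active_partition(parse_mbr(SAMPLE_MBR)))
```

On a real system the 512 bytes would come from a raw read of sector 0 of the boot disk, and the baseline hash from the same read taken on a known-clean machine.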