Kaspersky Lab has implemented detection and treatment for a new variant of the unique master boot record (MBR) rootkit.

A new variant of Sinowal, a malicious program that is capable of hiding its presence in the system by infecting the MBR on the hard drive, was detected by the company's experts at the end of March 2009.


Once the bootkit penetrates the system, it conceals the payload's activities, which are designed to steal user data and various account details.


Unlike earlier versions the new modification, Backdoor.Win32.Sinowal, penetrates much deeper into the system to avoid being detected. The stealth method used in this variant hooks device objects at the operating system's lowest level.


Kaspersky claimed that this is the first time that cybercriminals have used such sophisticated technologies, and explains why no anti-virus products could treat computers infected with the new Sinowal modification or even detect it when it first appeared.


According to Kaspersky Lab's experts, over the last month the bootkit has been actively spreading from a number of malicious sites that exploit Neosploit vulnerabilities.


In particular, it can penetrate a system via a vulnerability in Adobe Acrobat Reader, which allows a malicious PDF file to be downloaded without the user's knowledge.


Kaspersky has now incorporated both detection and successful treatment for the new Sinowal modification into its anti-virus solutions.