Security outfit iDefense, acquired by VeriSign in 2005 has made public information about a rootkit active in the wild, which could lead to an increase in botnets.

The rootkit, which can infect users visiting seemingly normal websites hosting a malicious IFrame, modifies the infected system’s master boot record (MBR), allowing the malware to run before Windows boots. An IFrame HTML tag allows website coders to embed other HTML documents (like adverts) inside the main document.

Through this action the rootkit can shield other malware which can be used to turn the affected system into a botnet. The rootkit currently active in the wild can infect systems through the following exploits, all Microsoft OS-based: JVM ByteVerify (MS03-011), MDAC (MS06-014), Internet Explorer Vector Markup Language (MS06-055) and XML CoreServices (MS06-071)

The technique of hiding malware in MBRs was first discussed by security firm eEye Digital Security at the Black Hat USA security conference in August 2007.

There are programs available to detect these types of rootkits, one of them being GMER.