Mebroot

Mebroot is a master boot record (MBR) based rootkit used by botnets including Torpig. It is a sophisticated Trojan horse that uses stealth techniques to hide itself from the user. The Trojan opens a back door on the victim's computer that gives the attacker complete control over the machine.


Payload

The Trojan infects the MBR so that it starts even before the operating system does. This lets it bypass some safeguards and embed itself deep within the operating system. The Trojan can intercept disk read/write operations and embed itself deep within network drivers, which allows it to bypass some firewalls and communicate with its command and control server over a custom encrypted tunnel. Through that channel the attacker can install other malware, viruses, or other applications. The Trojan most commonly steals information from the victim's computer for small financial gain. Mebroot is linked to Anserin, another Trojan that logs keystrokes and steals banking information, which is further evidence that a financial motive is most likely behind Mebroot.


Detection/removal

The Trojan tries to avoid detection by hooking itself into atapi.sys. It also embeds itself in ntoskrnl.exe. Mebroot has no executable files, no registry keys, and no driver modules, which makes it hard to detect without antivirus software. Besides running antivirus software, the Trojan can be removed by wiping or repairing the master boot record, the hard drive, and the operating system.
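Because Mebroot lives in the MBR rather than in files, registry keys or driver modules, one defensive check is to compare the sector's boot code against a known-good baseline. The following is an added example, not code from the original page or from any of the cited vendors; the 512-byte sectors are constructed inline and the baseline hash is simply taken from the constructed clean copy.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446   # bootstrap code precedes the partition table
PART_TABLE_OFF = 446  # four 16-byte partition entries
SIGNATURE_OFF = 510   # two-byte boot signature 0x55 0xAA

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into its boot code, partition table and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        partitions.append({"active": entry[0] == 0x80, "type": entry[4],
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xaa",
    }

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the sector matches the trusted baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature missing or corrupt")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (possible MBR rootkit)")
    return findings

def build_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: pad boot code to 446 bytes, add one partition entry, sign."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + b"\x55\xaa"

# Constructed samples, not captured from a real disk: a baseline MBR and a copy
# whose boot code has been replaced, as a bootkit infection would do.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x90" * 40)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, BASELINE) or "OK")
```

Since the page notes that Mebroot intercepts read/write operations through atapi.sys, the sector should be read from a clean boot medium rather than from inside the possibly infected operating system, where the rootkit can hand back the original bytes.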


Distribution

Three variants of Mebroot have been discovered. The first version is estimated to have been compiled in November 2007. In December, Mebroot started drive-by downloads. In early 2008, a second wave of attacks arrived. In February 2008 a second variant was discovered, accompanied by a modified installer. In March 2008 a third variant was discovered, and attacks became more widespread. Since the third variant, the Trojan has been upgraded to try to outwit antivirus software. It is unknown whether Mebroot is still in the wild. Mebroot is currently known to be distributed by visiting malicious websites or by way of an application exploit. It is estimated that over 1,500 websites have been compromised, mostly in Europe. Traffic to websites infected with Mebroot can reach 50,000 to 100,000 views per day.


External links


MBR Rootkit, A New Breed of Malware - F-Secure Weblog, March 2008
Stealth MBR rootkit - GMER, January 2008
Trojan.Mebroot Technical Details - Symantec
From Gromozon to Mebroot - A Reflection on Rootkits Today - Prevx blog, archived October 26, 2013: https://web.archive.org/web/20131026083019/http://www.prevx.com/blog/119/From-Gromozon-to-Mebroot--A-Reflection-on-Rootkits-Today.html