Mebroot - Advanced and Stealthy MBR based Rootkit
F-Secure shares this interesting analysis of Mebroot, one of the most advanced malware attacks circulating in the wild:
Mebroot - Advanced and Stealthy MBR based Rootkit
http://www.f-secure.com/weblog/archives/00001610.html
QUOTE: One of 2008's most interesting research cases proved to be the Mebroot rootkit. Mebroot has been characterized as possessing a "commercial-grade framework" and as being a "malware Operating System". The most notable of its features is the fact that the rootkit replaces the infected computer's Master Boot Record (MBR). Mebroot therefore compromises the computer at a very low level.
The malware has apparently gone through some extensive quality assurance. It rarely ever crashes the systems it infects, even though it runs at the kernel level. It's even been designed to send crash dumps back to its authors, so that they can improve upon their code if required.
Details of Mebroot functionality uncovered in the presentation included:
• Mebroot is the most advanced and stealthiest malware seen so far
• It operates at the lowest level of the Windows operating system
• Mebroot writes its startup code to the first physical sector on the hard drive
• When an infected machine is started, Mebroot loads first and survives through the Windows boot
• Mebroot hides all changes made to the infected system
• It heavily uses undocumented features of Windows
• It creates a complex network communication system, involving pseudo random domain names
• Large parts of the code are highly obfuscated
• Mebroot uses a very complex installation mechanism, trying to bypass security products and to make automatic analysis harder
• All botnet communication is encrypted with an advanced encryption mechanism
• The malware has apparently gone through extensive quality assurance. It never seems to crash the systems it infects, even though it runs at the kernel level
• The Mebroot gang has so far registered around 1000 com/net/biz domain names for their communication needs
• The botnet backdoor functionality is very powerful, even allowing the upload and execution of arbitrary kernel-mode modules
• As a payload, Mebroot attacks over 100 European online banks, trying to steal money as users do their online banking on infected machines
Mebroot - Additional Information
http://www.f-secure.com/weblog/archives/00001393.html
http://www.f-secure.com/weblog/archives/00001510.html
http://www2.gmer.net/mbr/
http://www.prevx.com/blog/75/Master-Boot-Record-Rootkit-is-here-and-ITW.html