Tuesday, March 04, 2008

Mebroot Rootkit Virus

Mebroot rootkit infects a PC's master boot record (MBR), making it nearly invisible to security software.

F-Secure, a Finnish anti-virus and computer security software company, originally discovered Mebroot back in December.

Trojan.Mebroot takes control of the system by overwriting the MBR with its own code. This allows the trojan to start before any other program, including the operating system, which makes it nearly impossible for anti-virus programs running inside that operating system to detect.

Analysis of Trojan.Mebroot shows that its current code is at least partially copied from the original eEye BootRoot code. The kernel loader section, however, has been modified to load a custom designed stealth back door Trojan 467 KB in size, stored in the last sectors of the disk.
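Because the bootstrap code in sector 0 is what an MBR rootkit replaces, a defender can record a hash of that code from a known-good disk and compare later reads against it. The following is an added example, not F-Secure's or Symantec's tooling: it parses a raw 512-byte MBR, validates the 0x55AA boot signature and partition table, and flags bootstrap code that differs from the baseline. The sample sectors are constructed inline; on a real system the sector should be read from a clean boot medium, since a running rootkit can hide its own modifications from in-OS disk reads.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # magic bytes at offset 510 of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into bootstrap code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    bootstrap = sector[:440]            # code the BIOS jumps to before the OS loads
    partitions = []
    for i in range(4):                  # four 16-byte partition entries at offset 446
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        lba_start, sector_count = struct.unpack("<II", entry[8:16])
        if entry[4] != 0:               # partition type 0 means the slot is unused
            partitions.append({"bootable": entry[0] == 0x80, "type": entry[4],
                               "lba_start": lba_start, "sectors": sector_count})
    return {"bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
            "disk_signature": sector[440:444].hex(),
            "partitions": partitions,
            "valid_signature": sector[510:512] == BOOT_SIGNATURE}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings. A bootstrap hash that no longer matches the recorded
    baseline is exactly the change an MBR-overwriting bootkit leaves behind."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootstrap_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    return findings

def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample data: the given bootstrap bytes plus one bootable
    NTFS-type (0x07) partition starting at LBA 63; not a real disk image."""
    code = bootstrap.ljust(440, b"\x00")
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 100000)
    return code + b"\x12\x34\x56\x78" + b"\x00\x00" + entry + b"\x00" * 48 + BOOT_SIGNATURE

# Baseline recorded from the known-good MBR; a later read shows the bootstrap replaced.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = hashlib.sha256(CLEAN_MBR[:440]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 20)

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))        # []
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))  # ['bootstrap code differs from baseline']
```

The partition table is parsed as well so that a check can also notice a partition entry that was rewritten or a boot flag that moved, not only a changed bootstrap hash.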

For now, Trojan.Mebroot seems to run successfully only on Windows XP (all Service Packs); however, Symantec Security reports there may be variants that will affect Windows Vista, Windows Server 2003 and Windows 2000.

Once a machine is infected, the hacker controlling the rootkit has complete control over the victim's machine, opening up the potential for a variety of other attacks. For example, the hacker could try to download other malicious software to the machine to log a person's keystrokes and collect financial or personal data.

F-Secure, which specializes in finding rootkits, says its technology is only able to "suspect" if Mebroot is on a PC. F-Secure has said it is possible to detect the trojan using their security software CD to boot up the PC.
