Endpoint Protection


The Flow of MBR Rootkit Trojan Resumes 

Feb 08, 2008 03:00 AM

Back in the final weeks of 2007 the GMER team discovered the emergence of a new rootkit that hooked into the Windows master boot record (MBR) in order to take control of a compromised computer. The people responsible for this threat kept busy cranking out newly compiled versions of this Trojan in the weeks following its discovery. However, near the beginning of January the output of new variants mysteriously halted. Taking a quick look at the following table of Trojan.Mebroot sample data, it appears as though a massive QA plan was performed by the gang, starting back in November 2007.


This is also confirmed by many clues found in the rootkit code. For example, there were many debug strings and even some routines designed to gather hardware and software information from the compromised computer, including crash dumps in case of blue screen errors of the rootkit driver!

For some reason the test plan was halted in the first week of January, probably due to the unexpected popularity it gained once the rootkit was found by antivirus researchers, but we expected that the flow of new variants would resume once the creators had refined their "product". So, today we received word (big thanks to Michael!) that new variants have been seen in the wild. So far we have discovered three samples with different MD5 signatures, which were already detected by our current Trojan.Mebroot antivirus definitions.

The rootkit is currently being propagated by drive-by downloads from compromised Web pages with embedded IFRAME tags or vulnerabilities, causing vulnerable browsers to download an executable file. The file name downloaded is currently mat25.exe and the hosts involved in the distribution are currently resolving to Could this be the second-stage test plan?

During the last few weeks we have also performed some extra tests on this malware and we can provide some interesting new details.

Multiple hard-drive infection
The rootkit tries to infect the MBR of the first 16 physical drives found on the computer, from "\\.\PhysicalDrive0" up to 15. (So should this eventually be considered a worm?) Why is this fact important? Because a USB stick or an external drive is considered a "PhysicalDrive" by Windows, so there is a chance that they could be infected by this threat as well. In our lab we have seen Mebroot infecting the MBR of an external USB drive formatted with an NTFS partition. External drives are rarely used to boot computers, so in most cases these infected MBRs will not be "active" infections of the threat.

What if I have Linux and Windows?
We decided to test this situation in the lab, using an internal hard disk with two partitions and LILO (or Grub) as boot loader. If your MBR is infected by Mebroot while in Windows (the threat will not run within Linux), the computer will still be able to boot up normally into both operating systems. While Linux is totally unaffected by this threat, and will work as normal, Windows XP will continue to run the rootkit when it finishes booting up. This was something expected, since the threat stores a backup copy of the old MBR to boot up correctly. However, this fact raises an interesting consideration: if the MBR is the weakest point in the chain, it could eventually be possible to create the first multi-platform malware targeting both the Windows and Linux kernels during the boot process.
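The two sections above make a point that matters for detection: Mebroot rewrites the bootstrap code of the MBR on every \\.\PhysicalDriveN it can reach (including external drives), while leaving the partition table intact so that both Windows and Linux still boot. A check that only looks at the partition table will therefore miss it; the bootstrap bytes themselves (the first 446 bytes of sector 0) have to be compared against a known-good baseline on every physical drive, not just the one the system booted from. The following script is an added example for this article, not Symantec's tool or code from the rootkit. It parses a 512-byte MBR, hashes the bootstrap code, and walks the same sixteen device paths the post mentions. The Windows reader requires Administrator rights and the raw device paths are assumed to be readable with a plain open(); the sample sectors used in the demo (a clean MBR, one with altered bootstrap code and an identical partition table, and one with a corrupt boot signature) are constructed here for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # bootstrap code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16


def physical_drive_paths(count=16):
    """Device paths the post says the rootkit walks: \\.\PhysicalDrive0 .. 15."""
    return [r"\\.\PhysicalDrive%d" % i for i in range(count)]


def parse_mbr(sector):
    """Split a 512-byte sector into bootstrap hash, partition entries and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected a %d-byte sector, got %d bytes" % (MBR_SIZE, len(sector)))
    bootcode = sector[:PARTITION_TABLE_OFFSET]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue                  # empty slot
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"bootcode_sha256": hashlib.sha256(bootcode).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[-2:] == BOOT_SIGNATURE}


def mbr_changed(sector, baseline_sha256):
    """True when the bootstrap code differs from the recorded baseline (table is ignored on purpose)."""
    return parse_mbr(sector)["bootcode_sha256"] != baseline_sha256


def scan_drives(read_sector, baseline_sha256, count=16):
    """Classify sector 0 of every candidate drive; read_sector(path) returns bytes or None if absent."""
    results = []
    for path in physical_drive_paths(count):
        sector = read_sector(path)
        if sector is None:
            results.append((path, "absent"))
            continue
        info = parse_mbr(sector)
        if not info["signature_ok"]:
            results.append((path, "bad-signature"))
        elif info["bootcode_sha256"] != baseline_sha256:
            results.append((path, "changed"))
        else:
            results.append((path, "ok"))
    return results


def read_first_sector_windows(path):
    """Real reader: raw device open on Windows (assumed to work with Administrator rights)."""
    try:
        with open(path, "rb", buffering=0) as dev:
            return dev.read(MBR_SIZE)
    except OSError:
        return None                   # drive number not present, or no privilege


# ---- constructed sample data (not real Mebroot bytes) ----
def build_sample_mbr(bootcode, ptype=0x07, lba_start=2048, sectors=1048576):
    code = bootcode.ljust(PARTITION_TABLE_OFFSET, b"\x00")[:PARTITION_TABLE_OFFSET]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba_start, sectors)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90CLEAN-LOADER")
TAMPERED_MBR = build_sample_mbr(b"\xEB\x3C\x90OTHER-LOADER")   # same table, different bootstrap
BROKEN_MBR = CLEAN_MBR[:-2] + b"\x00\x00"                      # signature destroyed
BASELINE = parse_mbr(CLEAN_MBR)["bootcode_sha256"]             # recorded on a known-clean system

_DEMO_DRIVES = {r"\\.\PhysicalDrive0": CLEAN_MBR,
                r"\\.\PhysicalDrive1": TAMPERED_MBR,           # e.g. an external USB drive
                r"\\.\PhysicalDrive2": BROKEN_MBR}


def demo_reader(path):
    return _DEMO_DRIVES.get(path)


if __name__ == "__main__":
    for path, status in scan_drives(demo_reader, BASELINE):
        if status != "absent":
            print(path, status)
```

The baseline hash should be recorded from a drive known to be clean (for example right after installation) and kept off the machine; running scan_drives(read_first_sector_windows, BASELINE) then flags any drive whose bootstrap code no longer matches, which is the signal the partition-table-only view would miss.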

It's all about money!
The motivation driving the people behind Trojan.Mebroot is money. They're not bored teenagers with programming skills looking for media attention, they're professional malware programmers with criminal intent. The programming skills of the Mebroot authors are above average in comparison to other malware authors and the connection with the banking Trojan, Trojan.Anserin (a.k.a. Sinowal, Torpig), is now really obvious. We have seen computers infected by Mebroot downloading some DLL modules that are injected by the rootkit into other processes, such as services.exe and winlogon.exe. The injected DLL then downloads an additional configuration file with information about targeted bank Web sites. Communications with remote servers and encryption are exactly the same as those seen in Trojan.Anserin, so at this stage it is clear that Mebroot is just a platform to install and run stealthy bank malware modules. Here is an example of the encrypted and decrypted configuration file downloaded:


We can consider this rootkit to be at a kind of "release candidate" stage. The number of infections is very limited at the moment and, depending on the results of this massive test plan, the gang will probably decide whether or not they will continue their nasty development cycle in order to compromise more computers.
