Trojan.Mebroot takes control of the system by overwriting the MBR with its own code. Analysis of Trojan.Mebroot shows that its current code is at least partially copied from the original eEye BootRoot code. The kernel loader section, however, has been modified to load a custom designed stealth back door Trojan 467 KB in size, stored in the last sectors of the disk.
The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector 0 as a standard user is a relatively easy task. This issue has been known for quite some time, and still affects the 2K/XP families, while Vista was partially secured in 2006 (after Release Candidate 2) after a successful attack demonstration made by Joanna Rutkowska. The attack is called the “Pagefile Attack”.
...
For now, Trojan.Mebroot seems to run successfully only on Windows XP (all Service Packs) due to some hard-coded values inside the attack code. For a complete analysis of the threat, please refer to our writeup for Trojan.Mebroot.
There appears to be a link between Trojan.Mebroot and Trojan.Anserin. Similarities such as the main distribution Web site and the polymorphic packer used in both threats suggest that they may be closely related.
-----------------------------------
I reported on this new MBR rootkit on Jan 5th after Prexv reported on it.
No comments:
Post a Comment