Mebroot is a master boot record (MBR) based rootkit used by botnets including Torpig. It is a sophisticated trojan that uses stealth techniques to hide itself from the user. The trojan opens a back door on the victim's computer, giving the attacker complete control over the machine.
The trojan infects the MBR so that it starts even before the operating system loads. This allows it to bypass some safeguards and embed itself deep within the operating system. The trojan is known to intercept disk read/write operations and to embed itself deep within the network drivers, which lets it bypass some firewalls and communicate with its command and control server over a custom encrypted tunnel. Through this channel the attacker can install other malware, viruses, or other applications. Most commonly the trojan steals information from the victim's computer in pursuit of small financial gains. Mebroot is linked to Anserin, another trojan that logs keystrokes and steals banking information, which is further evidence that a financial motive is most likely behind Mebroot.
The trojan tries to avoid detection by hooking itself into atapi.sys. In addition to the atapi.sys file, it also embeds itself in Ntoskrnl.exe. Mebroot has no executable files, no registry keys, and no driver modules of its own, which makes it harder to detect without antivirus software. Besides running antivirus software, the trojan can be removed by repairing or wiping the master boot record, or by wiping the hard drive and the operating system.
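An added example, not from the article or its sources, of the defender-side check that the removal advice implies: parse a 512-byte MBR and compare its boot code against a known-good hash, so an altered boot sector is noticed even though no file, registry key or driver module exists to scan. The sample MBR bytes, baseline hash and partition layout are constructed for the demonstration.

```python
"""Offline MBR integrity check: parse a 512-byte master boot record and
compare its boot code against a known-good baseline hash.  Constructed
sample data only; reading a live disk needs administrator rights."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the executable boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the disk signature
BOOT_SIGNATURE = 0xAA55      # stored little-endian as 55 AA at offset 510

def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into boot code hash, disk signature and partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    sig = struct.unpack_from("<H", mbr, 510)[0]
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype:  # type 0x00 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sig == BOOT_SIGNATURE,
            "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
            "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def boot_code_matches(mbr: bytes, baseline_sha256: str) -> bool:
    """True when the boot code equals the recorded known-good hash.  Changed
    boot code with an unchanged partition table is the anomaly to alert on."""
    return parse_mbr(mbr)["boot_code_sha256"] == baseline_sha256

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a well-formed sample MBR with one bootable NTFS partition."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"   # constructed value
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    return boot + disk_sig + entry + b"\x00" * 48 + struct.pack("<H", BOOT_SIGNATURE)

# Constructed baseline: the boot sector as recorded when the host was known clean.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Same partition table, different boot code: what an MBR infection looks like.
ALTERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 6)

if __name__ == "__main__":
    print("clean matches baseline:  ", boot_code_matches(CLEAN_MBR, BASELINE))
    print("altered matches baseline:", boot_code_matches(ALTERED_MBR, BASELINE))
```

The baseline hash would in practice be recorded once from a freshly installed system and stored off-host, since anything kept on the infected disk can itself be tampered with.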
Three variants of Mebroot have been discovered. The first version is estimated to have been compiled in November 2007, and in December of that year Mebroot began spreading through drive-by downloads. In early 2008 a second wave of attacks arrived: in February 2008 a second variant was discovered, accompanied by a modified installer, and in March 2008 a third variant was discovered as the attacks became more widespread. Since the third variant, the trojan has been upgraded to try to outwit antivirus software. It is unknown whether Mebroot is still in the wild. Mebroot is currently known to be distributed through visits to malicious websites or by way of an application exploit. It is estimated that over 1,500 websites have been compromised, mostly targeting the European region. Traffic to websites infected with Mebroot can reach 50,000 to 100,000 views per day.