Mebroot is a master boot record based rootkit used by botnets including Torpig. It is a sophisticated Trojan horse that uses stealth strategies to hide itself from the user. The Trojan opens a back door on the victim's computer which allows the attacker complete control over the computer.
The Trojan infects the MBR to allow itself to start even before the operating system starts. This allows it to bypass some safeguards and embed itself deep within the operating system. It is known that the Trojan can intercept read/write operations, embed itself deep within network drivers. This allows it the ability to bypass some firewalls and communicate securely, using a custom encrypted tunnel, to the command and control server. This allows the attacker to install other malware, viruses, or other applications. The Trojan most commonly steals information from the victim's computer, in an attempt for small financial gain. Mebroot is linked to Anserin, which is another Trojan that logs keystrokes and steals banking information. This gives further evidence showing that financial motive is most likely behind Mebroot.
The Trojan tries to avoid detection by hooking itself into atapi.sys. It also embeds itself in the Ntoskrnl.exe. Mebroot has no executable files, no registry keys, and no driver modules, which makes it harder to detect without antivirus software. In addition to running antivirus software, one can also remove the Trojan by wiping or repairing the master boot record, the hard drive, and the operating system.
Three variants of Mebroot have been discovered. It was estimated that the first version was compiled in November 2007. In December, Mebroot started drive-by downloads. In early 2008, a second wave of attacks arrived. In February 2008 a second variant was discovered which is accompanied by a modified installer. In March 2008 a third variant was discovered, in which attacks became more widespread. Since the third variant, the Trojan has been upgraded to try and outwit antivirus software. It is unknown if Mebroot is still in the wild. Mebroot is currently known to be distributed by visiting malicious websites, or by way of a application exploit. It is estimated that over 1,500 websites have been compromised, mostly in the European region. Traffic to websites infected with Mebroot can reach 50,000 to 100,000 views per day.
- MBR Rootkit, A New Breed of Malware - F-Secure Weblog, March 2008
- Stealth MBR rootkit by GMER, January 2008
- Trojan.Mebroot Technical Details | Symantec
- From Gromozon to Mebroot - A Reflection on Rootkits Today at the Wayback Machine (archived October 26, 2013)