Breach, Threat Management, Data Security, Incident Response, Malware, Network Security, TDR, Vulnerability Management

New variants of Trojan.Mebroot rootkit emerge in the wild

After a brief hiatus, new variants have appeared in the wild of Trojan.Mebroot, a rogue rootkit discovered in December attacking the Windows Master Boot Record (MBR), Symantec has warned.

Symantec reported on its Security Response blog on Friday that three new samples of Trojan.Mebroot recently have been spotted in the wild, each with different MD5 signatures previously detected by Symantec's anti-virus definitions for the rootkit trojan.

Symantec rated as “above average” the programming skills of the Mebroot authors, who also are believed to have created the Torpig banking trojan and other malware that has infected an estimated 200,000 PCs. Similar to Torpig, a primary motivation behind Mebroot appears to be the installation of banking malware modules on victims' PCs.

“At this stage, it is clear that Mebroot is just a platform to install and run stealthy bank malware modules,” Symantec researcher Elia Florio said in the blog posting.

“We have seen computers infected by Mebroot downloading some DLL modules that are injected by the rootkit into other processes, such as services.exe and winlogon.exe. The injected DLL then downloads an additional configuration file with information about targeted bank websites.”

In an ominous note, Florio suggested in the blog posting that the renewed assault on the Windows MBR may be a harbinger of the eventual emergence of multi-platform malware targeting both Windows and Linux kernels during the boot process.

The new variations of Mebroot currently are being propagated by “drive-by” downloads from compromised web pages with embedded IFRAME tags or vulnerabilities, causing vulnerable browsers to download an executable file, the Symantec blog posting said.

According to Symantec, the new variations of the rootkit trojan infect the MBR of the first 16 physical drives found on the targeted computer, most likely including external USB drives.

Researchers warned last month that Trojan.Mebroot overwrites the MBR with its own code, taking control of a PC's operating system after infecting it with a drive-by exploit. The malware affects Windows XP, Vista, Server 2003 and 2000, according to Symantec.

Researchers said the emergence of a rootkit trojan was particularly disturbing because of its capacity to load other trojans onto a PC, even after it has been scanned and cleaned by anti-virus programs. The Mebroot rootkit trojan infected more than 5,000 computers in a December attack that Symantec has now labeled a “test run.”

“For some reason, the test plan was halted in the first week of January, probably due to the unexpected popularity it gained once the rootkit was found by anti-virus researchers, but we expected that the flow of new variants would resume again once the creators had refined their ‘product,'” Symantec said in its blog posting.

Symantec believes the rogue rootkit now is in “a kind of ‘release candidate' stage.”

“The number of infections is very limited at the moment and depending on the results of this massive test plan, the gang will probably decide whether or not they will continue their nasty development cycle in order to compromise more computers,” the blog posting concluded. 


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.