March 8, 2011


Trojan.Mebroot is a Trojan horse that modifies the Master Boot Record (MBR). It uses sophisticated rootkit techniques to hide its presence and opens a back door that allows a remote attacker control over the compromised computer.

The Trojan is distributed using a number of methods that are common to many other well-known threats. These methods include drive-by downloads that exploit Web browser vulnerabilities, fake video codec downloads, and malicious executables that are seeded through BitTorrent and various file sharing networks.

How is it different from other rootkits?

The Mebroot rootkit is unusual in that it tries to overwrite part of a computer's hard drive called the Master Boot Record (MBR). This is where a computer looks when it is switched on for information about the operating system it will be running. "If you can control the MBR, you can control the operating system and therefore the computer it resides on!"

Mebroot has been deliberately installed at websites controlled by the criminals and targets those website visitors who have not patched their computers with the latest security updates from Microsoft. Once it installs itself on the vulnerable computer, it then contacts a remote server on the internet and downloads additional nasty software called "key loggers". These special software programs are designed to capture all your passwords and login information and send it back to the criminal gang. Analysis of Mebroot has shown that it uses its hidden position on the MBR as a beachhead so it can reinstall these associated programs if they are deleted by anti-virus software. Most of these key logger programs lie in wait on a machine until its owner logs in to the online banking systems of one of more than 900 financial institutions it has been programmed to recognize.

How to block the infection:

  1. Computers running Windows XP, Windows Vista, Windows Server 2003 and Windows 2000 that are NOT fully patched are all vulnerable to the virus. Make sure you have Automatic Updates turned on!
  2. Make sure you have up to date security software installed.
  3. Mebroot cannot be removed while the operating system is running. However, running the "fixmbr" command from within the Windows Recovery Console successfully removes the malicious MBR entry.
  4. It seems that, so far, Windows XP is the most vulnerable operating system.
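The post says Mebroot overwrites the MBR and that the only reliable fix is to rewrite it from outside the running system. The script below is an added example (not from the original post) of the defender's side of that: it parses a 512-byte MBR image, hashes the 446-byte bootstrap code area separately from the partition table, and compares that hash against a known-good baseline so a changed bootstrap stands out even when the partition table is intact. It assumes the classic MBR layout (446 bytes of code, four 16-byte partition entries, 0x55AA signature); the sample images it builds are constructed, not real disk data.

```python
"""Added example (not from the original post): parse a classic 512-byte MBR
and check whether its bootstrap code area still matches a known-good hash.

Assumptions (not stated on the page): the classic MBR layout of 446 bytes of
bootstrap code, four 16-byte partition entries and a trailing 0x55AA
signature. The sample images below are constructed, not real disk data.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446            # bytes 0..445: the code the BIOS jumps to at power-on
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries follow the bootstrap code
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xAA"    # last two bytes of a valid MBR

# One partition entry, little-endian, no padding:
# status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
_ENTRY_FMT = "<B3sB3sII"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry into a dict."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(_ENTRY_FMT, entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
        "empty": ptype == 0x00,
    }


def parse_mbr(data: bytes) -> dict:
    """Split an MBR image into bootstrap hash, partition table and signature flag."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    bootstrap = data[:BOOTSTRAP_SIZE]
    entries = [
        parse_partition_entry(data[off:off + PARTITION_ENTRY_SIZE])
        for off in range(PARTITION_TABLE_OFFSET, SIGNATURE_OFFSET, PARTITION_ENTRY_SIZE)
    ]
    return {
        "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
        "partitions": entries,
        "signature_ok": data[SIGNATURE_OFFSET:] == BOOT_SIGNATURE,
    }


def bootstrap_matches(data: bytes, baseline_sha256: str) -> bool:
    """True if the bootstrap code area hashes to the recorded known-good value."""
    return parse_mbr(data)["bootstrap_sha256"] == baseline_sha256


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed image: given bootstrap bytes, one active type-0x07 partition, valid signature."""
    if len(bootstrap) != BOOTSTRAP_SIZE:
        raise ValueError("bootstrap must be exactly 446 bytes")
    # One active partition starting at LBA 2048; CHS fields are placeholder values.
    first = struct.pack(_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    empty = bytes(PARTITION_ENTRY_SIZE)
    return bootstrap + first + empty * 3 + BOOT_SIGNATURE


# Constructed bootstrap areas: a "known-good" one and a copy whose third byte was changed.
CLEAN_BOOTSTRAP = b"\xEB\x3C\x90" + b"\x00" * (BOOTSTRAP_SIZE - 3)
ALTERED_BOOTSTRAP = b"\xEB\x3C\xE9" + b"\x00" * (BOOTSTRAP_SIZE - 3)


if __name__ == "__main__":
    # Record the baseline from the clean image, then check both images against it.
    baseline = parse_mbr(build_sample_mbr(CLEAN_BOOTSTRAP))["bootstrap_sha256"]
    for label, image in (("clean", build_sample_mbr(CLEAN_BOOTSTRAP)),
                         ("altered", build_sample_mbr(ALTERED_BOOTSTRAP))):
        info = parse_mbr(image)
        print(f"{label}: signature_ok={info['signature_ok']} "
              f"bootstrap_matches_baseline={bootstrap_matches(image, baseline)}")
        for i, p in enumerate(info["partitions"]):
            if not p["empty"]:
                print(f"  partition {i}: bootable={p['bootable']} type=0x{p['type']:02X} "
                      f"lba_start={p['lba_start']} sectors={p['sectors']}")
```

Two points follow from the post itself. Because the partition table is hashed separately, a legitimate repartition does not trip the check, while any change to the bootstrap code does. And because the post notes that Mebroot hides its presence with rootkit techniques and cannot be removed while the operating system is running, the image should be read from clean boot media (the same position from which the Recovery Console's "fixmbr" does its work), not from the possibly compromised system itself.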

