User:Stacksth/mebroot

This is the user sandbox of Stacksth. A user sandbox is a subpage of the user's user page. It serves as a testing spot and page development space for the user and is not an encyclopedia article. Create or edit your own sandbox here. Other sandboxes: Main sandbox | Template sandbox Finished writing a draft article? Are you ready to request review of it by an experienced editor for possible inclusion in Wikipedia? Submit your draft for review!

Mebroot is a sophisticated rootkit that overwrites the MBR of the targeted machine and loads its modules at boot time. It uses sophisticated rootkit techniques to hide its presence and opens a back door that allows a remote attacker control over the compromised computer. Mebroot itself does not contain any spy modules or keylogger functionality. It is more like a framework which runs in kernel mode and provides installation of usermode plugins where more functionality is added. To those plugins mebroot provides udpate functionality, stealth, and a TCP stack of its own.

It is often used by botnets including the trojan Torpig.

• Troj/Mbroot [Sophos]
• StealthMBR [McAfee]

Mebroot works as an underlying layer from which usermode malware can be downloaded and run. This malware inherit update functionality, stealth and a custom made TCP stack. When mebroot downloads plugins, they are stored in encrypted format in C:\WINDOWS\System.

Mebroot writes its startup code to the first physical sector on the hard drive also known as the MBR from there it runs the actual mebroot code that resided outside the filesystem, in the free area behind or in between the disk partitions. This data is hidden from other processes if tried accessed.

On infection the original MBR is stored somewhere else on the disk so it can be restored if another process than mebroot tries to modify it.

The rootkit infects its hosts using a number of different methods that are well-known threats. It mainly needs user interaction to spread. This is done by methods like drive-by attacks against Web browser vulnerabilities, fake video codecs, and other downloaded malicious executables.

Trojan.Mebroot opens a back door that uses a custom encrypted protocol to communicate with a command and control (C&C) server. The back door allows malicious files to be downloaded and executed on the compromised computer.

Torpig uses a Domain Generation Algorithm(DGA) which is generated by using the current date and a numerical parameter. First the weekly domain is generated which only uses current year and week, not day of the week, making it constant for the whole week. To those generated domain names it appends .com/.net/.biz in that order, which it then resolves and tries to connect. If all three domains fail, Torpig starts generating a daily domain, which is of course based on the current day, and therefore a new one is generated each day. Again it tries .com/.net/.biz. If those also fails it starts using hardcoded domains which are stored in its configuration file.

Mebroot does not self-replicate, it needs to be spread manually.

Exercise caution when downloading executables.
Have fully updated anti-virus software
Ensure operating system is fully updated
Disable Autorun (CD/USB)

Since Mebroot infects the MBR of the host machine, the advised cleanup method is to perform a full format and to recover/fix the MBR. Guide to restore the MBR after infection: http://techlogon.com/2012/01/15/how-to-check-for-and-fix-mbr-virus-infection/

Mebroot is still active and in control of cyber-criminals

Mebroot is often affiliated with the trojan Torpig and some even describe it as being the same piece of malware.

Timeline of computer viruses and worms

http://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99
http://www.f-secure.com/weblog/archives/00001393.html
Category:Rootkits Category:Malware Category:Trojan horses Category:Windows trojans Category:Botnets