Criminal gang spreads Trojan-protecting rootkit

Summary:The Master Boot Record rootkit can hide numerous dangerous Trojans and is being used by criminals to veil malware

A criminal gang that specialises in the theft of banking information through Trojans is attempting to protect its work by spreading a rootkit that veils malware.

Until late in December 2007, the Master Boot Record (MBR) rootkit had been a proof of concept but it is now being used by criminals. However, director of intelligence at VeriSign's iDefense division, Rick Howard, said that since 12 December, 5,000 infections have occurred.

The rootkit, which is being hosted on seemingly innocent websites and transmitted via malicious iFrames, can hide numerous other dangerous Trojans, according to VeriSign.

MBR delivers its payload by modifying an infected computer's Master Boot Record, allowing the program to run before Windows boots.

"This rootkit is especially damaging due to the difficulty involved in removing it… [and it] contains several exploits used to install the rootkit on unpatched victim computers," warned VeriSign.

Exploits include Microsoft JVM ByteVerify, two versions of Microsoft MDAC to cater for multiple Windows systems, Microsoft Internet Explorer Vector Markup Language, and Microsoft XML CoreServices.

The MBR rootkit does not appear as a single file, which means the code can be spread across different sectors of a disk and therefore cannot be deleted as a usual file, according to research by GMER, which has developed a fix that is available through Microsoft.

"The most effective defence against the rootkit installation is to maintain patches for Windows and all third-party applications. The GMER anti-rootkit tool is able to detect the current variants of this rootkit," said VeriSign.

The group using MBR has also been known to use the information-stealing banking Trojan, Torpig, which has infected over 200,000 victims.

Topics: Security


Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.