Criminal gang spreads Trojan-protecting rootkit

The Master Boot Record rootkit can hide numerous dangerous Trojans and is being used by criminals to veil malware

A criminal gang that specialises in the theft of banking information through Trojans is attempting to protect its work by spreading a rootkit that veils malware.

Until late in December 2007, the Master Boot Record (MBR) rootkit had been a proof of concept but it is now being used by criminals. However, director of intelligence at VeriSign's iDefense division, Rick Howard, said that since 12 December, 5,000 infections have occurred.

The rootkit, which is being hosted on seemingly innocent websites and transmitted via malicious iFrames, can hide numerous other dangerous Trojans, according to VeriSign.

MBR delivers its payload by modifying an infected computer's Master Boot Record, allowing the program to run before Windows boots.

"This rootkit is especially damaging due to the difficulty involved in removing it… [and it] contains several exploits used to install the rootkit on unpatched victim computers," warned VeriSign.

Exploits include Microsoft JVM ByteVerify, two versions of Microsoft MDAC to cater for multiple Windows systems, Microsoft Internet Explorer Vector Markup Language, and Microsoft XML CoreServices.

The MBR rootkit does not appear as a single file, which means the code can be spread across different sectors of a disk and therefore cannot be deleted as a usual file, according to research by GMER, which has developed a fix that is available through Microsoft.

"The most effective defence against the rootkit installation is to maintain patches for Windows and all third-party applications. The GMER anti-rootkit tool is able to detect the current variants of this rootkit," said VeriSign.

The group using MBR has also been known to use the information-stealing banking Trojan, Torpig, which has infected over 200,000 victims.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All
See All