Criminal gang spreads Trojan-protecting rootkit

Criminal gang spreads Trojan-protecting rootkit

Summary: The Master Boot Record rootkit can hide numerous dangerous Trojans and is being used by criminals to veil malware

SHARE:
TOPICS: Security
0

A criminal gang that specialises in the theft of banking information through Trojans is attempting to protect its work by spreading a rootkit that veils malware.

Until late in December 2007, the Master Boot Record (MBR) rootkit had been a proof of concept but it is now being used by criminals. However, director of intelligence at VeriSign's iDefense division, Rick Howard, said that since 12 December, 5,000 infections have occurred.

The rootkit, which is being hosted on seemingly innocent websites and transmitted via malicious iFrames, can hide numerous other dangerous Trojans, according to VeriSign.

MBR delivers its payload by modifying an infected computer's Master Boot Record, allowing the program to run before Windows boots.

Read this

Feature

Special report: Anatomy of a hack attack

We recreate a typical attack on two large organisations

Read more

"This rootkit is especially damaging due to the difficulty involved in removing it… [and it] contains several exploits used to install the rootkit on unpatched victim computers," warned VeriSign.

Exploits include Microsoft JVM ByteVerify, two versions of Microsoft MDAC to cater for multiple Windows systems, Microsoft Internet Explorer Vector Markup Language, and Microsoft XML CoreServices.

The MBR rootkit does not appear as a single file, which means the code can be spread across different sectors of a disk and therefore cannot be deleted as a usual file, according to research by GMER, which has developed a fix that is available through Microsoft.

"The most effective defence against the rootkit installation is to maintain patches for Windows and all third-party applications. The GMER anti-rootkit tool is able to detect the current variants of this rootkit," said VeriSign.

The group using MBR has also been known to use the information-stealing banking Trojan, Torpig, which has infected over 200,000 victims.

Topic: Security

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion