The folks at Symantec’s Security Response Center have an interesting writeup on a new Trojan making the rounds that installs an MBR (master boot record) rootkit on compromised machines. Known as Trojan.Mebroot, it is finding its way onto PCs through drive-by downloads, the attackers’ old standby infection method. Once it’s on a machine, the Trojan overwrites the MBR so that its code is loaded at startup, before the operating system. It also installs a custom backdoor.
If you recall, there have been a few proof-of-concept rootkits of this kind in the last couple of years, including eEye’s BootRoot and VBootkit, which was derived from BootRoot and written by a couple of Indian researchers. Symantec’s analysis shows that Mebroot seems to share some code with BootRoot as well.
For now, Trojan.Mebroot seems to run successfully only on Windows XP (all Service Packs) due to some hard-coded values inside the attack code. For a complete analysis of the threat, please refer to our writeup for Trojan.Mebroot.
There appears to be a link between Trojan.Mebroot and Trojan.Anserin. Similarities such as the main distribution Web site and the polymorphic packer used in both threats suggest that they may be closely related.
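Since the whole point of Mebroot is to overwrite the MBR, the practical defensive check is to compare the first sector of the disk against a known-good baseline. The following is an added example, not code from Symantec or from the original post: it parses a 512-byte MBR (446 bytes of bootstrap code, a four-entry partition table, the 0x55AA signature), hashes the bootstrap region, and reports what changed. The sample MBRs are constructed inline; on a real system you would read the first 512 bytes of the raw disk, ideally from an offline image or boot media, because a kernel-resident rootkit can filter what a live read returns.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: bootstrap code, the region a bootkit overwrites
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
BOOT_SIG = b"\x55\xaa"   # bytes 510..511: boot signature

def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into a hash of its boot code and its non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i : PART_TABLE_OFF + 16 * (i + 1)]
        # layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}

def mbr_modified(baseline: bytes, current: bytes) -> list:
    """Return findings that differ between a known-good MBR and the current one."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("bootstrap code changed")      # the Mebroot-style modification
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings

def _sample_mbr(boot_code: bytes) -> bytes:
    """Build a synthetic MBR for the demo (constructed, not a real disk image)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # constructed: one bootable NTFS (0x07) partition starting at LBA 2048
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 409600)
    return code + entry + b"\x00" * 48 + BOOT_SIG

BASELINE_MBR = _sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # constructed "known-good" boot code
TAMPERED_MBR = _sample_mbr(b"\xeb\x3c\x90\x00\x00")   # constructed: boot code altered, table intact

if __name__ == "__main__":
    print(mbr_modified(BASELINE_MBR, TAMPERED_MBR))   # ['bootstrap code changed']
```

Store the baseline hash at deployment time and re-check it from trusted media; a boot-code change with an unchanged partition table is exactly the pattern a bootkit leaves.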
Nothing like starting the year off with a nasty little Trojan. Good times.
Update: VeriSign’s iDefense research team estimates that about 5,000 PCs have been infected with this rootkit since Dec. 12, and that the group responsible for creating it also has developed some well-known banking Trojans and other malware.