Trojan.Mebroot is a Trojan horse that modifies the Master Boot Record (MBR). It uses sophisticated rootkit techniques to hide its presence and opens a back door that gives a remote attacker control over the compromised computer.
Infection
The Trojan is distributed using a number of methods that are common to many other well-known threats. These methods include drive-by downloads that exploit Web browser vulnerabilities, fake video codec downloads, and malicious executables that are seeded through BitTorrent and various file sharing networks.
Functionality
Trojan.Mebroot was designed to run undetected on compromised computers and uses a number of sophisticated rootkit techniques to ensure its stealthy execution and thereby prolong the lifespan of the threat. The Trojan modifies the MBR so that its code executes before Windows starts, which lets it bypass security features and place hooks deep in the core of the operating system. During analysis Trojan.Mebroot was noted to be one of the most advanced pieces of malware seen to date; the code bears the hallmarks of exceptionally skilled and experienced professional malware authors. The following timeline shows the evolution of the threat:
The Trojan’s features include the ability to intercept disk read/write operations, hook low-level network drivers to bypass firewalls, and communicate with a command and control (C&C) server over a custom encrypted protocol, thus opening a back door. Through this back door the C&C server can download files to the compromised computer, which are then injected into running processes or into the core of the operating system itself.
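Because the Trojan lives in the MBR and filters disk reads, the check a responder wants is a comparison of the raw first sector against a known-good copy rather than a signature scan. The following is an added example, not code from Symantec or from the threat writeup: it parses a 512-byte MBR sector (boot code, disk signature, partition table, 0x55AA signature) and reports what differs from a baseline. The two sample sectors are constructed for illustration and contain placeholder bytes, not real bootstrap code and not Mebroot artefacts.

```python
# Added example: parse a raw MBR sector and diff its boot-code region
# against a known-good baseline. Sample sectors below are constructed.
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
DISK_SIGNATURE_OFFSET = 440   # 4-byte Windows disk signature lives here
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of every valid MBR


@dataclass(frozen=True)
class PartitionEntry:
    status: int        # 0x80 = active/bootable, 0x00 = inactive
    type_code: int     # e.g. 0x07 NTFS/exFAT, 0x83 Linux
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts: List[PartitionEntry] = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 means an unused slot
            parts.append(PartitionEntry(status, ptype, lba, count))
    return {
        "boot_code": sector[:DISK_SIGNATURE_OFFSET],
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIGNATURE_OFFSET)[0],
        "partitions": parts,
    }


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot-code region only; partition edits are routine, boot-code edits are not."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def compare_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Return human-readable findings; an empty list means the sectors agree."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings: List[str] = []
    if b["boot_code"] != c["boot_code"]:
        first = next(i for i, (x, y) in enumerate(zip(b["boot_code"], c["boot_code"])) if x != y)
        findings.append(f"boot code differs starting at offset 0x{first:03x}")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def _build_sector(boot_code: bytes, partitions: List[PartitionEntry], disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a sector from its parts (constructed test data, not a real bootloader)."""
    assert len(boot_code) <= DISK_SIGNATURE_OFFSET
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIGNATURE_OFFSET, disk_sig)
    for i, p in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET + 16 * i,
                         p.status, p.type_code, p.lba_start, p.sector_count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: placeholder bytes standing in for the legitimate bootstrap
# code, and a copy whose entry point has been patched to jump elsewhere.
PARTITIONS = [PartitionEntry(0x80, 0x07, 2048, 204800),
              PartitionEntry(0x00, 0x07, 206848, 409600)]
CLEAN_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 24
PATCHED_BOOT_CODE = bytes([0xEB, 0x20]) + CLEAN_BOOT_CODE[2:]
CLEAN_MBR = _build_sector(CLEAN_BOOT_CODE, PARTITIONS)
PATCHED_MBR = _build_sector(PATCHED_BOOT_CODE, PARTITIONS)

if __name__ == "__main__":
    # On a live Linux host the current sector would be read with, e.g.:
    #   with open("/dev/sda", "rb") as disk: current = disk.read(SECTOR_SIZE)
    print(parse_mbr(CLEAN_MBR)["partitions"])
    print("baseline digest:", boot_code_digest(CLEAN_MBR))
    print(compare_mbr(CLEAN_MBR, PATCHED_MBR))
```

The baseline digest should be captured and stored off-host before any incident. Since the Trojan intercepts disk read/write operations, a sector read from inside a running infected system may be served the original, clean bytes; take the current sector from boot media or an offline image of the disk, and treat a clean result from the live OS as inconclusive.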
The motivation for the considerable development effort invested in Trojan.Mebroot may be the installation of malicious code that steals information from compromised computers, or the establishment of a network of compromised computers that could be used for pay-per-install, spam, or other campaigns; in short, illicit financial gain. Trojan.Mebroot is linked to Trojan.Anserin, a Trojan horse that logs keystrokes and steals banking information. This link provides further evidence of the financial motivation behind the threat.
GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.
PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.
SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.
Antivirus signatures
Antivirus (heuristic/generic)
Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.
Intrusion prevention system
HTTP Trojan Mebroot Request