
Trojan.Mebroot

Risk Level 1: Very Low

Discovered:
January 7, 2008
Updated:
August 8, 2012 10:54:16 AM
Also Known As:
Troj/Mbroot-A [Sophos], StealthMBR [McAfee], TROJ_SINOWAL.AD [Trend], StealthMBR!rootkit [McAfee]
Type:
Trojan
Infection Length:
Varies
Systems Affected:
Windows 2000, Windows 7, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
Trojan.Mebroot is a Trojan horse that modifies the Master Boot Record (MBR). It uses sophisticated rootkit techniques to hide its presence and opens a back door that allows a remote attacker control over the compromised computer.

Infection
The Trojan is distributed using a number of methods that are common to many other well-known threats. These methods include drive-by downloads that exploit Web browser vulnerabilities, fake video codec downloads, and malicious executables that are seeded through BitTorrent and various file sharing networks.

Functionality
Trojan.Mebroot was designed to run undetected on compromised computers and uses a number of sophisticated rootkit techniques to ensure its stealthy execution and thereby prolong the lifespan of the threat. The Trojan overwrites the MBR so that its code executes before Windows starts; because it gains control before the operating system and any security software have loaded, it can bypass those protections and install hooks deep in the core of the operating system. During analysis Trojan.Mebroot was noted to be one of the most advanced pieces of malware seen up to that time, with code bearing the hallmarks of exceptionally skilled and experienced professional malware authors. The timeline accompanying the original writeup shows the evolution of the threat:

The Trojan’s features include the ability to intercept disk read/write operations, hook low-level network drivers to bypass firewalls, and communicate with a command and control (C&C) server over a custom, encrypted protocol, thus opening a back door. The back door includes functionality that allows the C&C server to download files onto the compromised computer, which are then injected into running processes or into the core of the operating system itself.
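The writeup states that the Trojan overwrites the MBR and filters disk reads to conceal the change. The script below is an added example written for this page; it is not code from Symantec's writeup or from the Trojan. It parses a 512-byte MBR sector, hashes the 446-byte boot code region, decodes the four partition table entries, and reports how a captured sector differs from a known-good baseline (changed boot code, changed partition table, or a missing 0x55AA signature). The sample sectors are constructed inline; their byte values are arbitrary and not taken from Trojan.Mebroot.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the code
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def build_sample_mbr(boot_code, partitions):
    """Assemble a synthetic MBR sector.

    Constructed for this example only; it is not a capture from a clean
    or infected disk. `partitions` is a list of (status, type, lba_start,
    sector_count) tuples; the CHS fields are left zeroed.
    """
    code = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(
        struct.pack(PART_ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(4 * PART_ENTRY_LEN, b"\x00")
    return code + table + MBR_SIGNATURE


def parse_mbr(sector):
    """Split one MBR sector into a boot-code hash, partition list and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype != 0:  # partition type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(baseline, current):
    """List the ways `current` departs from the known-good `baseline` sector."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing or overwritten")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code changed: %s -> %s" % (
            base["boot_code_sha256"][:12], cur["boot_code_sha256"][:12]))
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


# Constructed sample data: a short stub of boot code bytes and one partition
# of type 0x07 (NTFS). The tampered copy differs from the clean one only in
# its first two bytes; the values are illustrative, not Trojan.Mebroot's.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 24
TAMPERED_BOOT_CODE = b"\xeb\x20" + CLEAN_BOOT_CODE[2:]
PARTITIONS = [(0x80, 0x07, 63, 41943040)]

CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, PARTITIONS)
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOT_CODE, PARTITIONS)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, compare_mbr(CLEAN_MBR, sector) or "no differences")
```

Because the Trojan intercepts disk read/write operations, reading sector 0 from inside the running, infected system may return the original MBR rather than the modified one. Capture the sector from offline media (a rescue boot or a forensic image of the drive) and take the baseline hash from a known-clean state before comparing.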

The motivation for the considerable development effort invested in Trojan.Mebroot may be the installation of malicious code that steals information from compromised computers, or the establishment of a network of compromised computers that could be used for pay-per-install, spam, or other campaigns; in short, illicit financial gain. Trojan.Mebroot is linked to Trojan.Anserin, a Trojan horse that logs keystrokes and steals banking information, which further supports the financial motivation behind the threat.

GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.

PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.

SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.

Antivirus signatures
Antivirus (heuristic/generic)


Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

Intrusion prevention system
HTTP Trojan Mebroot Request

Antivirus Protection Dates

  • Initial Rapid Release version January 7, 2008 revision 024
  • Latest Rapid Release version June 24, 2014 revision 006
  • Initial Daily Certified version January 7, 2008 revision 040
  • Latest Daily Certified version July 28, 2013 revision 020
  • Initial Weekly Certified release date January 9, 2008

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Moderate
  • Removal: Easy

Damage

  • Damage Level: Medium
  • Payload: Opens a back door on the compromised computer.
  • Releases Confidential Info: Installs modules that attempt to steal information.
  • Causes System Instability: Modifies the Master Boot Record (MBR).
  • Compromises Security Settings: Bypasses firewalls and other security software.

Distribution

  • Distribution Level: Low
Writeup By: Henry Bell