Printer Friendly Page

Discovered: January 07, 2008
Updated: August 08, 2012 10:54:16 AM
Also Known As: Troj/Mbroot-A [Sophos], StealthMBR [McAfee], TROJ_SINOWAL.AD [Trend], StealthMBR!rootkit [McAfee]
Type: Trojan
Infection Length: Varies
Systems Affected: Windows

Trojan.Mebroot is a Trojan horse that modifies the Master Boot Record (MBR). It uses sophisticated rootkit techniques to hide its presence and opens a back door that allows a remote attacker control over the compromised computer.

The Trojan is distributed using a number of methods that are common to many other well-known threats. These methods include drive-by downloads that exploit Web browser vulnerabilities, fake video codec downloads, and malicious executables that are seeded through BitTorrent and various file sharing networks.

Trojan.Mebroot was designed to run undetected on compromised computers and uses a number of sophisticated rootkit techniques to ensure its stealthy execution and thereby prolong the lifespan of the threat. The Trojan modifies the MBR so that it is able to execute even before Windows starts, which means that it is able to bypass security features and create hooks deep in the core of the operating system. During analysis Trojan.Mebroot was noted to be one of the most advanced pieces of malware thus far seen, with the hallmarks of the code being those of exceptional and experienced professional malware authors. The following timeline shows the evolution of the threat:

The Trojan’s features include the ability to intercept disk read/write operations, hook low-level network drivers to bypass firewalls, and communicate using a custom and encrypted protocol with a command and control (C&C) server, thus opening a back door. The back door includes functionality that allows the C&C server to download files on to the compromised computer, which are then injected into running processes or the core of the operating system itself.

The motivation for the considerable development effort invested in Trojan.Mebroot may be the installation of malicious code that steals information from compromised computers, or the establishment of network of compromised computers that could be used for pay-per-install , spam, or other campaigns; in short, illicit financial gain. Trojan.Mebroot is linked to Trojan.Anserin , which is a Trojan horse that logs keystrokes and steals banking information. This fact provides further evidence for the financial motivation behind the threat.

Symantec has observed the following geographic distribution of this threat.

Symantec has observed the following following infection levels of this threat worldwide.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

Intrusion prevention system
HTTP Trojan Mebroot Request

Antivirus Protection Dates

  • Initial Rapid Release version January 07, 2008 revision 024
  • Latest Rapid Release version June 18, 2018 revision 025
  • Initial Daily Certified version January 07, 2008 revision 040
  • Latest Daily Certified version June 19, 2018 revision 002
  • Initial Weekly Certified release date January 09, 2008

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Writeup By: Henry Bell

Discovered: January 07, 2008
Updated: August 08, 2012 10:54:16 AM
Also Known As: Troj/Mbroot-A [Sophos], StealthMBR [McAfee], TROJ_SINOWAL.AD [Trend], StealthMBR!rootkit [McAfee]
Type: Trojan
Infection Length: Varies
Systems Affected: Windows

1. Prevention and avoidance
1.1 User behavior and precautions
Operating system and software patches
2. Infection method
2.1 Drive-by downloads
2.2 Fake codecs/plugins
2.3 File sharing networks
3. Functionality
3.1 Installation
3.2 MBR modification
3.3 Boot sequence
3.4 Rootkit functionality
3.5 Networking code hooks
3.6 Back door
4. Additional information

The following actions can be taken to avoid or minimize the risk from this threat.

1.1 User behavior and precautions
The execution of files from file sharing networks can lead to infection and as such users should avoid downloading files from unknown or untrusted sources. This includes fake video websites that may serve the Trojan executable under guise of it being a codec that is required to watch a streaming video.

1.2 Operating system and software patches
Users are advised to ensure that their operating systems and any installed software are fully patched and that antivirus and firewall software is up to date and operational. Users are recommended to turn on automatic updates if available so that their computers can receive the latest patches and updates when they are distributed by software vendors.

This threat is known to infect computers through a number of methods. Each of these methods is examined in more detail below.

2.1 Drive-by downloads
Trojan.Mebroot is primarily spread by websites that exploit known vulnerabilities in Web browsers and their associated plugins. These exploits are often served by kits that are available in the underground market such as Neosploit and Fragus ; this also means that the vulnerabilities chosen to be exploited change frequently and according to the ease of said exploitation. Users will not generally be aware that exploitation has taken place, which is crucial for the Trojan to maintain its stealthy operation.

2.2 Fake codecs/plugins
Websites that purport to host streaming videos may be used to distribute copies of Trojan.Mebroot. An executable that masquerades as a required codec or plugin is downloaded when a user attempts to watch the deliberately non-functional embedded "video".

Search engine poisoning may be used to increase the likelihood of users visiting the fraudulent sites.

2.3 File sharing networks
Trojan.Mebroot is known to have been distributed through file sharing networks. The Trojan may deliberately be shared by attackers seeking to increase the infection levels of the threat, and as such may be given an enticing name in order to tempt users into downloading the malicious executable. Typical enticing names include those of otherwise expensive commercial software packages, key generators, and "cracked" versions of high-end applications. Copies of the threat masquerading as adult pictures and video files are also common, especially those that include the names of celebrities intended to pique users’ interest.

Trojan.Mebroot stealthily modifies the MBR and opens a back door that has been observed to be a channel through which banking-related information stealing malware may be installed by a remote attacker. Sophisticated rootkit functionality is used to hide the presence of the threat on the compromised computer. The following sections detail the functionality and features of Trojan.Mebroot.

3.1 Installation
As outlined above, the initial Trojan.Mebroot installer is distributed by way of drive-by downloads and various other methods. The installer is an executable that has been packed using a custom polymorphic packer that can be used to hide the functionality of .exe and .sys files.

The Trojan.Mebroot installer attempts to modify the MBR so that the rootkit and back door code can be executed whenever the compromised computer starts. Early versions of the Trojan took advantage of the fact that executables running with administrative privileges could write directly to the MBR, but Windows security updates later rendered this avenue of attack infeasible.

Later versions of the Trojan used a more advanced technique to modify the MBR: a driver component was introduced that allows the Trojan to perform raw operations on disk. This method of installation has the advantage of being able to bypass many intrusion prevention and active protection systems.

The installer performs the following sequence of actions:

  1. Drops %Temp%\1.tmp, which it then executes (this process waits for synchronization)
  2. Drops a DLL copy of itself as %Temp%\2.tmp
  3. Checks user32.dll on disk to ensure that that SetWinEventHook() is not hooked
  4. Injects %Temp%\2.tmp into explorer.exe to mask alterations to the operating system
  5. Drops a wrapper driver, %Temp%\4.tmp, which is registered as a privileged kernel-mode service
  6. Synchronizes the wrapper driver with %Temp%\1.tmp
  7. Cleans up temporary files and services
The Trojan now has a means of bypassing Windows security features and performing raw disk reads and writes on the compromised computer.

3.2 MBR modification
In order to ensure its execution before Windows starts, the Trojan modifies the MBRs of the first 16 drives connected to the compromised computer. The Trojan performs the following sequence of actions on each drive:

  1. Checks that the drive is bootable and not already infected
  2. Reads the partition table and copies itself to the end of the physical disk (i.e. after the "end" of the logical disk)
  3. Overwrites three sectors before the first partition with its own data, typically:
    • 60 – Kernel patcher
    • 61 – Payload patcher
    • 62 – Pre-infection MBR
  4. Overwrites the existing MBR with its own code

Following these modifications the Trojan will execute whenever the compromised computer starts.

3.3 Boot sequence
The Trojan performs the following operations on boot so that it executes before Windows starts:
  1. Loads itself into memory
  2. Hooks the interrupt used for disk read and write
  3. Passes control to the old MBR
Windows now starts as though the Trojan were not present; the Trojan, however, is able to intercept all disk reads and writes. When Windows attempts to load the operating system kernel (ntoskernel.exe) the Trojan uses its kernel patcher – usually loaded from sector 60 – to modify the file as it is loaded. The modified kernel then calls the Trojan’s payload patcher – usually loaded from sector 61 – which loads and runs the main rootkit driver from the end of the disk. The Trojan is now present throughout the operating system and the computer has been completely compromised by Trojan.Mebroot.

3.4 Rootkit functionality
The rootkit component of Trojan.Mebroot is of crucial importance to the threat’s aim of remaining on the compromised computer for as long a period as possible. Two versions of the rootkit functionality have been observed in different variants of the threat. The first version of the rootkit code hooked the disk.sys driver to intercept reads and writes to disk at the driver level while later variants used the strategy of using multiple hooks in multiple drivers and even added a watchdog thread. The watchdog is intended to monitor attempts by antivirus software or other removal tools to probe or otherwise attempt to remove the threat. If the watchdog thread determines that system modifications made by Trojan.Mebroot have been removed or repaired it will reenable the changes to ensure that the threat remains on the computer.

In order to hide its presence the Trojan intercepts disk read and write requests. The Trojan returns fake data for read requests to the MBR and the sectors of the disk that contain the threat’s code (typically sectors 60, 61, 62, and the sectors after the end of the logical disk). In the case of reads from the MBR the Trojan returns the original preinfection data that it previously saved. In the case of reads from sectors where the Trojan’s code is present it simply returns dummy empty sectors.

The Trojan does not complete any write requests to sectors of the disk where its code is stored but falsely indicates that the write has been completed (when in fact this is not the case).

For disk read/write operations to all other areas of the disk the Trojan uses a "magic number" that indicates that the requests should be permitted to proceed, i.e. the operation completes as though the Trojan were not present. Thus Trojan.Mebroot is able to hide its presence on the compromised computer.

3.5 Networking code hooks
Trojan.Mebroot is able to bypass many host-based firewalls by hijacking low-level components of the Windows networking subsystem. The Trojan first searches for a suitable network interface that is configured to use either the PSched or TCP/IP protocol. It sends and receives data by hooking the following functions in the Network Driver Interface Specification (NDIS) layer:
  • SendPacketsHandler()
  • SendCompleteHandler()
  • ReceiveHandler()
  • ReceivePacketHandler()
The Trojan thus effectively establishes its own private networking stack that it uses to open a back door.

3.6 Back door
Trojan.Mebroot opens a back door that uses a custom encrypted protocol to communicate with a command and control (C&C) server. The back door allows malicious files to be downloaded and executed on the compromised computer.

First, the Trojan attempts to connect to one of several C&C servers whose host names are hard-coded in the Trojan executable. If none of these host names resolve to a valid IP address, the Trojan generates a pseudo-random host name using a number of hard-coded strings chosen based on the current date, to which it then attempts to connect using HTTP. Early Trojan.Mebroot variants used operating system APIs to retrieve the current date, while later variants send HTTP GET requests to a number of legitimate websites in order to retrieve the date from the HTTP header in the reply.

When able to connect to a C&C server, Trojan.Mebroot first sends an initial encrypted packet that contains the "magic" sign-on command "BIP", as well as some other strings that characterize the threat. These can be seen in the top right of the following example of a decrypted packet:

The decryption key is also shown in the above image, which is always the first dword of the packet; the reply from the C&C server must start with this key or the packet will be discarded. Also present in the packet is the secondary key that will be used to provide an encrypted communications channel between the C&C server and the downloaded payload files.

The C&C server can install files on compromised computers by sending a packet that includes the "INST" (for "install") command. Two encrypted DLLs are initially sent by the C&C server along with meta-data that describes how they should be injected into certain carefully selected processes.

Analysis of the Trojan.Mebroot code shows that the back door allows a remote attacker to perform the following actions on the compromised computer:
  • Install user-mode DLLs or updates to the Trojan
  • Uninstall user-mode DLLs or updates to the Trojan
  • Cause a trusted process to launch a new process
  • Execute any driver in kernel mode

The back door component of Trojan.Mebroot is extremely powerful; code loaded on to compromised computers by the C&C server is never stored on disk, which means that only antivirus scanners that scan memory are able to detect the downloaded payloads by way of traditional signatures.

The downloaded payloads have been observed to be keyloggers and information-stealing Trojan horses that are able to execute at the highest level of privilege, steal sensitive and potentially damaging information, and relay this information back to an attacker by way of a backchannel that can bypass security software. For these reasons, and as a result of its advanced engineering, at the time of discovery and analysis Trojan.Mebroot was considered to be one of the stealthiest and most professionally produced Trojan horses thus far seen.

For more information relating to this threat family, please see the following resources:


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.

Writeup By: Henry Bell

Discovered: January 07, 2008
Updated: August 08, 2012 10:54:16 AM
Also Known As: Troj/Mbroot-A [Sophos], StealthMBR [McAfee], TROJ_SINOWAL.AD [Trend], StealthMBR!rootkit [McAfee]
Type: Trojan
Infection Length: Varies
Systems Affected: Windows

You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan . If that does not resolve the problem you can try one of the options available below.

If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool

If you have an infected Windows system file, you may need to replace them using from the Windows installation CD .

How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.

If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.

Removal Tool

If you have an infected Windows system file, you may need to replace them using from the Windows installation CD .

How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network

The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product

2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See in the Technical Details of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.

Writeup By: Henry Bell