
Web Attack: Neosploit Toolkit File Download

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects an attempt to download malicious files related to Trojan.Mebroot which may compromise the target host.

Additional Information

Trojan.Mebroot is a Trojan horse that overwrites the Master Boot Record of the hard disk and uses rootkit techniques to hide itself.

It has been reported that this threat may be installed from the following location using browser exploits:
[http://]gfeptwe.com[REMOVED]

When the Trojan is executed, it creates the following mutex so that only one instance of it is running on the compromised computer at any time:
Global\7BC8413E-DEF5-4BF6-9530-9EAD7F45338B

It then reads the Master Boot Record (MBR) and then scans the partition table to find the active boot partition of the computer.

The Trojan infects the MBR, copying the original MBR to sector 62 on the hard disk.

It then installs its own kernel loader to sectors 60 and 61 of the hard disk.

Next, it copies a rootkit driver near the end of the active boot partition. The Trojan overwrites around 1149 sectors (467 KB) when copying the driver.

Next, the Trojan creates a .dll file in the current folder where it is executed and then runs the following command:
regsvr32 /s [TROJAN FILE NAME].dll

Note: It has been reported that the file name could be mat[RANDOM NUMBER].dll.

It may then restart the compromised computer or display the following message:
Some updates require you to restart your computer to complete the update process. Be sure to save any work prior to the scheduled time.

When the computer restarts, the infected MBR will start the kernel loader located in sectors 60 and 61, which patches the Windows Kernel in memory to load the rootkit driver.

The rootkit driver then hooks the following kernel routines:

* IRP_MJ_READ
* IRP_MJ_WRITE

If sector 0 is read from hard disk, the Trojan will return the original MBR backup stored at sector 62. It will also try to block writing to sector 0, in order to prevent removal.
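An added example (not Symantec's code) showing how an offline check of a raw disk image can spot the layout described above: a valid MBR backup in sector 62 whose partition table matches sector 0 but whose boot code differs, plus non-zero data in sectors 60 and 61. Because the rootkit's IRP_MJ_READ hook answers sector-0 reads with the backup, the image must be taken outside the running OS (for example from the Recovery Console); the sample images, sector size and partition-table bytes are constructed here for the test.

```python
"""Offline check of a raw disk image for the MBR-infection layout described above."""
SECTOR = 512
PT_OFF, PT_LEN = 446, 64        # partition table offset and length inside an MBR
SIG_OFF = 510                   # offset of the 0x55AA boot signature


def sector(img: bytes, n: int) -> bytes:
    return img[n * SECTOR:(n + 1) * SECTOR]


def looks_like_mbr(s: bytes) -> bool:
    return len(s) == SECTOR and s[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa"


def analyze(img: bytes) -> dict:
    """Return indicators for the sector-60/61/62 layout. Run this on an image
    acquired outside the running OS: a live read of sector 0 is served from the
    backup by the rootkit's IRP_MJ_READ hook and would look clean."""
    mbr, backup = sector(img, 0), sector(img, 62)
    loader = sector(img, 60) + sector(img, 61)
    same_table = mbr[PT_OFF:PT_OFF + PT_LEN] == backup[PT_OFF:PT_OFF + PT_LEN]
    ind = {
        "mbr_signature_ok": looks_like_mbr(mbr),
        # the track-0 gap below sector 63 is normally empty on a clean disk
        "loader_in_gap": any(loader),
        # sector 62 is a valid MBR with the same partition table but other boot code
        "backup_mbr_at_62": looks_like_mbr(backup) and same_table
        and mbr[:PT_OFF] != backup[:PT_OFF],
    }
    ind["suspicious"] = ind["loader_in_gap"] or ind["backup_mbr_at_62"]
    return ind


def _mbr(boot_code: bytes, table: bytes) -> bytes:
    return boot_code.ljust(PT_OFF, b"\x00") + table + b"\x55\xaa"


# Constructed sample images (not real Mebroot data), 64 sectors each.
_TABLE = bytes([0x80, 1, 1, 0, 7, 0xfe, 0xff, 0xff, 63, 0, 0, 0, 0, 0, 0x10, 0]).ljust(PT_LEN, b"\x00")
CLEAN_IMG = _mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", _TABLE) + b"\x00" * (SECTOR * 63)


def _simulated_layout(img: bytes) -> bytes:
    """Build a test fixture with the described layout: MBR backed up to 62,
    boot code in 0 replaced (table kept), placeholder bytes in 60 and 61."""
    s = [bytearray(sector(img, i)) for i in range(len(img) // SECTOR)]
    s[62] = bytearray(s[0])
    s[0][:PT_OFF] = b"\xeb\xfe".ljust(PT_OFF, b"\x90")
    s[60] = bytearray(b"\xcc" * SECTOR)
    s[61] = bytearray(b"\xcc" * SECTOR)
    return b"".join(bytes(x) for x in s)


INFECTED_IMG = _simulated_layout(CLEAN_IMG)
```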

The Trojan also opens a back door, which attempts to bypass the local firewall and connect to the following location, allowing an attacker to control the compromised computer:
[http://]dkfhchkb.com/ser[REMOVED]

The Trojan may also inject additional code into usermode processes.

Affected

  • Windows 2000, Windows Server 2003, Windows Vista, Windows XP

Response

1. Restart the computer using the Windows Recovery Console.
2. Disable System Restore (Windows Me/XP).
3. Update the virus definitions.
4. Run a full system scan.