1. Symantec/
  2. Security Response/
  3. Trojan.Mebroot


Risk Level 1: Very Low

January 7, 2008
August 8, 2012 10:54:16 AM
Also Known As:
Troj/Mbroot-A [Sophos], StealthMBR [McAfee], TROJ_SINOWAL.AD [Trend], StealthMBR!rootkit [McAfee]
Infection Length:
Systems Affected:
Trojan.Mebroot is a Trojan horse that modifies the Master Boot Record (MBR). It uses sophisticated rootkit techniques to hide its presence and opens a back door that allows a remote attacker control over the compromised computer.

The Trojan is distributed using a number of methods that are common to many other well-known threats. These methods include drive-by downloads that exploit Web browser vulnerabilities, fake video codec downloads, and malicious executables that are seeded through BitTorrent and various file sharing networks.

Trojan.Mebroot was designed to run undetected on compromised computers and uses a number of sophisticated rootkit techniques to ensure its stealthy execution and thereby prolong the lifespan of the threat. The Trojan modifies the MBR so that it is able to execute even before Windows starts, which means that it is able to bypass security features and create hooks deep in the core of the operating system. During analysis Trojan.Mebroot was noted to be one of the most advanced pieces of malware thus far seen, with the hallmarks of the code being those of exceptional and experienced professional malware authors. The following timeline shows the evolution of the threat:

The Trojan’s features include the ability to intercept disk read/write operations, hook low-level network drivers to bypass firewalls, and communicate using a custom and encrypted protocol with a command and control (C&C) server, thus opening a back door. The back door includes functionality that allows the C&C server to download files on to the compromised computer, which are then injected into running processes or the core of the operating system itself.

The motivation for the considerable development effort invested in Trojan.Mebroot may be the installation of malicious code that steals information from compromised computers, or the establishment of network of compromised computers that could be used for pay-per-install, spam, or other campaigns; in short, illicit financial gain. Trojan.Mebroot is linked to Trojan.Anserin, which is a Trojan horse that logs keystrokes and steals banking information. This fact provides further evidence for the financial motivation behind the threat.

Symantec has observed the following geographic distribution of this threat.

Symantec has observed the following following infection levels of this threat worldwide.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures
Antivirus (heuristic/generic)

Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

Intrusion prevention system
HTTP Trojan Mebroot Request

Antivirus Protection Dates

  • Initial Rapid Release version January 7, 2008 revision 024
  • Latest Rapid Release version March 1, 2018 revision 025
  • Initial Daily Certified version January 7, 2008 revision 040
  • Latest Daily Certified version March 2, 2018 revision 003
  • Initial Weekly Certified release date January 9, 2008
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: Henry Bell

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube