Slashdot Mirror


New "Mebroot" MBR-Modifying Rootkit Analyzed

I Don't Believe in Imaginary Property writes "F-Secure has a writeup on a highly obfuscated, advanced new rootkit they recently discovered which uses a number of old techniques like MBR modification in new ways. It modifies the MBR, starts up its downloader with an ntoskrnl.exe hook set to nt!Phase1Initialization (which conveniently removes it from memory afterwards), and hooks IRP_MJ_READ and IRP_MJ_WRITE in disk.sys to hide itself in empty sectors. It also bypasses software firewalls by calling the NDIS API directly, using a 'code pullout' technique to load just the parts of ndis.sys that it needs. F-Secure believes it was written by professionals who are after financial information."

1 of 65 comments

  1. Mebroot source, log, and my questions. by Anonymous Coward · Score: -1, Troll

    I just read an article about the Mebroot virus, which buries itself in the
    Master Boot Record and cannot be detected by most virus protection software.
    This nasty bug gives hackers access to info from financial sites that are
    visited. A program from GMER supposedly can detect and remove this threat,
    and a link was included to download it.

    I don't know which is scarier - the virus or the download.
    Here's the mebroot viral source and my observations.
    Does anyone have any knowledge of this?