User:Stacksth/mebroot

Mebroot is a sophisticated rootkit that overwrites the MBR of the targeted machine and loads its modules at boot time. It uses advanced rootkit techniques to hide its presence and opens a back door that gives a remote attacker control over the compromised computer. Mebroot itself contains no spy modules or keylogger functionality. It is better described as a framework that runs in kernel mode and installs usermode plugins, which is where the additional functionality lives. To those plugins Mebroot provides update functionality, stealth, and a TCP stack of its own.

It is often used by botnets including the trojan Torpig.

Alias

 * Troj/Mbroot [Sophos]
 * StealthMBR [McAfee]

Functionality
Mebroot works as an underlying layer from which usermode malware can be downloaded and run. These plugins inherit update functionality, stealth and a custom-made TCP stack. When Mebroot downloads plugins, they are stored in encrypted form in C:\WINDOWS\System.

Mebroot writes its startup code to the first physical sector of the hard drive, also known as the MBR. From there it runs the actual Mebroot code, which resides outside the filesystem in the free area behind or between the disk partitions. Attempts by other processes to access this data are hidden by the rootkit.

On infection the original MBR is stored elsewhere on the disk so that it can be restored if a process other than Mebroot tries to modify the MBR.

Infection Vectors
The rootkit infects its hosts using a number of different methods that are well-known threats. It mainly needs user interaction to spread. This is done by methods like drive-by attacks against Web browser vulnerabilities, fake video codecs, and other downloaded malicious executables.

Communication
Trojan.Mebroot opens a back door that uses a custom encrypted protocol to communicate with a command and control (C&C) server. The back door allows malicious files to be downloaded and executed on the compromised computer.

Torpig uses a Domain Generation Algorithm (DGA) whose input is the current date and a numerical parameter. First a weekly domain is generated that uses only the current year and week, not the day of the week, so it stays constant for the whole week. To the generated name it appends .com/.net/.biz in that order, resolving each and trying to connect. If all three domains fail, Torpig generates a daily domain, which is based on the current day and is therefore new each day, and again tries .com/.net/.biz. If those also fail, it falls back to hardcoded domains stored in its configuration file.
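As an added illustration of the fallback order described above (not code from this page or from any Torpig analysis), here is a defender-side heuristic that scans DNS query records for a client walking a single label through .com, .net and .biz in that order. The log format, client addresses and domain labels are constructed for the example.

```python
from collections import defaultdict

# Constructed DNS query log (not real traffic): "<timestamp> <client> <queried-name>"
SAMPLE_LOG = """\
2024-03-04T10:00:01 10.0.0.5 kdfjsuemv.com
2024-03-04T10:00:02 10.0.0.5 kdfjsuemv.net
2024-03-04T10:00:03 10.0.0.5 kdfjsuemv.biz
2024-03-04T10:00:04 10.0.0.5 qwlmeroxt.com
2024-03-04T10:00:05 10.0.0.5 qwlmeroxt.net
2024-03-04T10:00:06 10.0.0.5 qwlmeroxt.biz
2024-03-04T10:00:07 10.0.0.7 example.com
2024-03-04T10:00:08 10.0.0.7 example.net
2024-03-04T10:00:09 10.0.0.7 cdn.example.org
"""

# The TLD sequence the page describes: .com, then .net, then .biz.
TLD_ORDER = ("com", "net", "biz")


def parse(log):
    """Yield (client, label, tld) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        name = parts[2].lower().rstrip(".").split(".")
        if len(name) < 2:
            continue
        # Everything left of the last dot is treated as the label.
        yield parts[1], ".".join(name[:-1]), name[-1]


def find_tld_walks(log, order=TLD_ORDER):
    """Map client -> labels queried under every TLD in `order`, consecutively.

    One walk is weak evidence on its own; two or more from the same client
    in a short time (weekly domain, then daily domain) is the stronger signal.
    """
    per_client = defaultdict(list)
    for client, label, tld in parse(log):
        per_client[client].append((label, tld))
    hits = {}
    for client, queries in per_client.items():
        for i in range(len(queries) - len(order) + 1):
            window = queries[i:i + len(order)]
            same_label = len({lbl for lbl, _ in window}) == 1
            if same_label and tuple(t for _, t in window) == order:
                hits.setdefault(client, []).append(window[0][0])
    return hits
```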

Propagation
Mebroot does not self-replicate; it has to be spread manually.

Prevention
 * Exercise caution when downloading executables
 * Have fully updated anti-virus software
 * Ensure the operating system is fully updated
 * Disable Autorun (CD/USB)

Recovery/Cleanup
Since Mebroot infects the MBR of the host machine, the advised cleanup method is to perform a full format and to recover/fix the MBR. Guide to restore the MBR after infection: http://techlogon.com/2012/01/15/how-to-check-for-and-fix-mbr-virus-infection/

Status
Mebroot is still active and under the control of cyber-criminals.

Affiliation
Mebroot is often affiliated with the trojan Torpig and some even describe it as being the same piece of malware.