
Thread: Warning on stealthy Windows virus


  1. #1

    Warning on stealthy Windows virus

    Security experts are warning about a stealthy Windows virus that steals login details for online bank accounts.

    In the last month, the malicious program has racked up about 5,000 victims - most of whom are in Europe.

    Many are falling victim via booby-trapped websites that use vulnerabilities in Microsoft's browser to install the attack code.

    Experts say the virus is dangerous because it buries itself deep inside Windows to avoid detection.

    The malicious program is a type of virus known as a rootkit and it tries to overwrite part of a computer's hard drive called the Master Boot Record (MBR).
    This is where a computer looks when it is switched on for information about the operating system it will be running.

    "If you can control the MBR, you can control the operating system and therefore the computer it resides on," wrote Elia Florio on security company Symantec's blog.

    Mr Florio pointed out that many viruses dating from the days before Windows used the Master Boot Record to get a grip on a computer.
    Once installed the virus, dubbed Mebroot by Symantec, usually downloads other malicious programs, such as keyloggers, to do the work of stealing confidential information.
    Most of these associated programs lie in wait on a machine until its owner logs in to the online banking systems of one of more than 900 financial institutions.
    The Russian virus-writing group behind Mebroot is thought to have created the Torpig family of viruses that are known to have been installed on more than 200,000 systems. This group specialises in stealing bank login information.

    Security firm iDefense said Mebroot was discovered in October but started to be used in a series of attacks in early December.
    Between 12 December and 7 January, iDefense detected more than 5,000 machines that had been infected with the program.
    Analysis of Mebroot has shown that it uses its hidden position on the MBR as a beachhead so it can re-install these associated programs if they are deleted by anti-virus software.

    Although the password-stealing programs that Mebroot installs can be found by security software, few commercial anti-virus packages currently detect its presence. Mebroot cannot be removed while a computer is running.
    Independent security firm GMER has produced a utility that will scan and remove the stealthy program.

    Computers running Windows XP, Windows Vista, Windows Server 2003 and Windows 2000 that are not fully patched are all vulnerable to the virus.
    http://news.bbc.co.uk/2/hi/technology/7183008.stm

    ....Just another reason not to use Internet Explorer.

    Now, it makes me think about switching to Linux as well. :hmmm:

  2. #2
    GrnEyedDvl, Artifex Technical Staff (Denver CO, joined Jan 2007)

    Re: Warning on stealthy Windows virus

    That is a disturbing one, because it goes for the MBR, but that hole in IE was patched a while back if you have Automatic Updates turned on, and a valid copy of Windows, which is why that article says this:
    Computers running Windows XP, Windows Vista, Windows Server 2003 and Windows 2000 that are not fully patched are all vulnerable to the virus.
    It will probably also be included in the Feb release of the Malicious Software Removal tool, also part of Automatic Updates, though Microsoft hasn't confirmed that yet.

    Symantec rates it as a pretty low level threat, and it's pretty easy to remove from the recovery console. For the entire article from Symantec go here:
    http://www.symantec.com/enterprise/s...anmebroot.html

    For now, Trojan.Mebroot seems to run successfully only on Windows XP (all Service Packs) due to some hard-coded values inside the attack code. For a complete analysis of the threat, please refer to our writeup for Trojan.Mebroot.
    For anyone that thinks they have this:
    During our tests, running the "fixmbr" command from within the Windows Recovery Console successfully removed the malicious MBR entry.
    http://www.symantec.com/business/sec...010718-3448-99
    Threat Assessment
    Wild
    Wild Level: Low
    Number of Infections: 0 - 49
    Number of Sites: 0 - 2
    Geographical Distribution: Low
    Threat Containment: Moderate
    Removal: Easy
    Damage
    Damage Level: Low
    Payload: Opens a back door on the compromised computer.
    Degrades Performance: Overwriting the Master Boot Record (MBR) may degrade performance.
    Causes System Instability: Overwrites the Master Boot Record (MBR).
    Distribution
    Distribution Level: Low

    Writeup By: Elia Florio
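Both posts turn on the same sector: the first explains that the MBR is the 512-byte record the BIOS reads at power-on and that Mebroot overwrites it and uses it as a beachhead, the second that "fixmbr" from the Recovery Console puts a clean one back. The script below is an added example for this thread, not code from the BBC article, Symantec, GMER or either poster. It parses an MBR (boot code, four partition entries, 0x55AA signature), hashes only the boot-code region so routine partition edits do not trip it, and compares that hash with a baseline recorded while the disk was known good. The two MBRs it checks are constructed in the script; their boot-code bytes are placeholders, not Mebroot's code. The `read_mbr` helper shows how sector 0 would be read from a raw device (assumed paths such as `\\.\PhysicalDrive0` or `/dev/sda`, admin rights required) but is not called.

```python
"""
Parse a 512-byte Master Boot Record and compare its boot code with a trusted
baseline. Added example for this thread; it is not code from the BBC article,
Symantec, GMER or the posters. The MBRs below are constructed for the demo.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # boot code occupies bytes 0..439 of a classic MBR
PART_TABLE_OFFSET = 446      # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511; the BIOS will not boot without it
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def read_mbr(device_path: str) -> bytes:
    # e.g. r"\\.\PhysicalDrive0" on Windows or "/dev/sda" on Linux (assumed paths);
    # needs administrator/root rights and is not called in the demo below.
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def has_boot_signature(mbr: bytes) -> bool:
    return mbr[510:512] == BOOT_SIGNATURE


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 over the boot-code region only, so legitimate partition-table
    edits (creating or resizing a partition) do not change the baseline."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partition_table(mbr: bytes) -> list:
    """Return the four primary partition entries as dicts."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, off)
        entries.append({"index": i, "status": status, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR looks untouched."""
    findings = []
    if not has_boot_signature(mbr):
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from trusted baseline")
    for p in parse_partition_table(mbr):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte {p['status']:#04x}")
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append(f"partition {p['index']}: empty type but non-zero extent")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: the given boot code, one bootable NTFS (0x07) partition
    starting at LBA 2048 with 204800 sectors, and a valid signature."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed samples: the "clean" boot code is a placeholder jump plus padding,
# the "tampered" one starts with different bytes, standing in for an overwritten
# sector 0. Neither is real Mebroot code.
CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90" + bytes(437))
BASELINE = boot_code_hash(CLEAN_MBR)   # record this while the disk is known good
TAMPERED_MBR = build_sample_mbr(b"\xEA\x00\x7C\x00\x00" + bytes(435))

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        findings = check_mbr(mbr, BASELINE)
        print(f"{name}: {'OK' if not findings else findings}")
        for p in parse_partition_table(mbr):
            if p["type"]:
                print("  ", p)
```

One caveat that follows from the article's own description: a rootkit that has buried itself in the boot path can filter reads of sector 0 from inside the running OS and hand back the original MBR, so a baseline check run on a live, infected machine may report "clean". Take the baseline and do the comparison from trusted boot media (or the Recovery Console the second post mentions), which is also where a "fixmbr" style restore belongs.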
