New Mebroot variant employs sophisticated in-depth techniques to avoid detection

Apr 16, 2009 08:27 GMT

Malware researchers at security vendor Prevx have come across a new Mebroot version, which they describe as by far the most sophisticated rootkit in the wild today. Apart from its foothold in the boot sector, the threat is completely memory-resident, leaving no files in the file system for a scanner to find; it does a very good job of avoiding detection and has already infected thousands of machines.

The original Mebroot variant was first detected in the wild between late 2007 and early 2008 and was considered one of the most intriguing and complex pieces of malware of recent years. The rootkit hides itself in the Master Boot Record (MBR), the first sector of a partitioned disk, which holds the partition table and the boot code the BIOS runs before any operating system is loaded. Code planted there executes before Windows and its security software start, which is what lets the rootkit take control of the machine so early in the boot process.

"Even if the first MBR rootkit variant is still undetected by some antivirus vendors, its creators decided to develop a new version of it, virtually able to bypass almost all security products, even the ones able to detect the first version," Marco Giuliani, the Prevx researcher who has performed a detailed analysis of the new threat, notes.

The company began receiving reports about the new Mebroot variant at the beginning of April and, on closer inspection, found that several highly complex and ingenious techniques had been employed to make it more efficient and more resistant to detection. "The new version of MBR rootkit is smart enough to give researchers some bad days, due to improved hooking techniques and spaghetti code," Mr. Giuliani warns.

The really technical details are beyond the scope of this piece and are already well covered in an article on the Prevx blog. In short, the rootkit makes a copy of the System Service Descriptor Table (SSDT), the kernel's table of system call handlers, and replaces selected entries in the copy with pointers to its own code. It then forces certain processes to dispatch their system calls through the modified copy, while the rest, including security software, continue to use the original, unmodified table. A scanner that checks only the global SSDT for hooks therefore sees nothing wrong.
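To make the "shadow table" idea concrete, here is an added user-mode model of it in C. It is not Prevx's analysis code and not anything from the original article: the kernel's real service table is left untouched, a copy with a hooked entry is built, and only chosen processes are pointed at the copy. The table layout, service names, process structure and the naive versus per-process scanners are all assumptions made for illustration.

```c
/* Added example, not Prevx's analysis code nor anything from the Softpedia article.
 * A user-mode model of the "shadow SSDT" trick: the kernel's real service table
 * is left untouched, a copy with hooked entries is built, and only chosen
 * processes are pointed at the copy. Table layout, service names and the
 * process structure are assumptions made for illustration. */
#include <stdio.h>
#include <string.h>

#define NUM_SERVICES 3
enum { SVC_OPEN_FILE = 0, SVC_QUERY_DIR = 1, SVC_READ_FILE = 2 };

typedef int (*svc_fn)(const char *arg);

/* Stand-ins for the kernel's real service routines. */
static int real_open_file(const char *arg) { (void)arg; return 100; }
static int real_query_dir(const char *arg) { (void)arg; return 200; }
static int real_read_file(const char *arg) { (void)arg; return 300; }

/* The canonical table. In this model the rootkit never touches it. */
static svc_fn original_table[NUM_SERVICES] = {
    real_open_file, real_query_dir, real_read_file
};

/* Known-good addresses a scanner compares against (e.g. taken from the clean kernel image). */
static const svc_fn known_good[NUM_SERVICES] = {
    real_open_file, real_query_dir, real_read_file
};

/* Hooked handler: hides anything whose name contains "rootkit", otherwise passes through. */
static int hooked_query_dir(const char *arg) {
    if (strstr(arg, "rootkit") != NULL)
        return -1;                      /* "no such entry" */
    return real_query_dir(arg);
}

/* The shadow table the rootkit builds. */
static svc_fn shadow_table[NUM_SERVICES];

typedef struct {
    const char *name;
    svc_fn *service_table;              /* table this process dispatches through */
} process_t;

/* Copy the original table and hook selected entries in the copy only. */
void build_shadow_table(void) {
    memcpy(shadow_table, original_table, sizeof original_table);
    shadow_table[SVC_QUERY_DIR] = hooked_query_dir;
}

/* Attach a process to the shadow table, as the rootkit does for its targets. */
void redirect_process(process_t *p) { p->service_table = shadow_table; }

/* Dispatch a service call the way the kernel would: through the table the process points at. */
int dispatch(const process_t *p, int svc, const char *arg) {
    return p->service_table[svc](arg);
}

/* Naive scanner: checks only the global table. Returns 1 if hooked, 0 if clean. */
int scan_global_table(void) {
    for (int i = 0; i < NUM_SERVICES; i++)
        if (original_table[i] != known_good[i]) return 1;
    return 0;
}

/* Per-process scanner: flags a process whose table pointer or entries deviate. */
int scan_process(const process_t *p) {
    if (p->service_table != original_table) return 1;
    for (int i = 0; i < NUM_SERVICES; i++)
        if (p->service_table[i] != known_good[i]) return 1;
    return 0;
}

int main(void) {
    process_t target = { "target.exe", original_table };
    process_t av     = { "antivirus.exe", original_table };

    build_shadow_table();
    redirect_process(&target);

    printf("target sees rootkit.sys: %d\n", dispatch(&target, SVC_QUERY_DIR, "C:\\rootkit.sys"));
    printf("AV sees rootkit.sys:     %d\n", dispatch(&av, SVC_QUERY_DIR, "C:\\rootkit.sys"));
    printf("global table hooked:     %d\n", scan_global_table());
    printf("target flagged:          %d\n", scan_process(&target));
    printf("AV flagged:              %d\n", scan_process(&av));
    return 0;
}
```

The point the model makes is in the two scanners: `scan_global_table` compares the kernel's table with known-good addresses and reports it clean, because it is clean; only a scanner that walks each process and checks which table it actually dispatches through catches the redirected one.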

"The way it hides itself is by embedding into the MBR (Master Boot Record) and creating a layer about itself. This layer is used to 'appear' as a perfectly good MBR to anything that tries to interrogate it," Prevx's Director of Research, Jacques Erasmus, sums it up in an e-mail to Softpedia.

Mr. Erasmus also points out that the malicious code that steals passwords and financial details is injected into the memory of legitimate processes, and that the new variant is being served as a drive-by download by exploit kits hosted on compromised websites.

Detection for this threat has been added to the new Prevx 3.0 product, but cleaning the infection requires a paid license. However, as Marco Giuliani kindly points out in a comment, the "fixmbr" command available from the Windows Recovery Console writes a fresh copy of the standard boot code to the MBR, removing the rootkit's foothold in the process.

You can therefore use the latest free version of Prevx, also known as Prevx CSI, to scan for an infection with this Mebroot variant. If one is found, boot from the Windows installation disc, enter the Recovery Console and run the "fixmbr" command. Booting from the disc matters: on the running system the rootkit intercepts access to the MBR and presents a clean-looking sector, so a check or repair attempted from inside Windows can be hidden or blocked. Prevx CSI can be downloaded from Prevx's website.

Note: "fixmbr" is an advanced command. It normally rewrites only the boot code and leaves the partition table in place, but on disks with a non-standard MBR, such as those using a third-party boot manager or some OEM recovery schemes, it can damage the partition table and cause loss of data. Unless you are completely familiar with its use and risks, ask for professional assistance. Neither the author of this article nor Softpedia can be held responsible for damage resulting from the use of this command.
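The following C program is an added example, not code from Prevx, Microsoft or the article, of what a "fixmbr"-style repair does to a 512-byte MBR sector and why it removes a boot-sector rootkit without touching the partitions: the boot code in bytes 0 to 445 is replaced with a known-good copy, while the 64-byte partition table at offset 446 and the 0x55 0xAA signature at offset 510 are left alone. The "known-good" loader and the infected sample sector are constructed for illustration and are not real Windows boot code or real Mebroot bytes. Any such comparison must be run on a sector read from a clean boot environment, since a live infected system returns a clean-looking MBR.

```c
/* Added example, not code from Prevx, Microsoft or the article. Models what a
 * "fixmbr"-style repair does to a 512-byte MBR sector: the boot code in bytes
 * 0-445 is replaced with a known-good copy while the 64-byte partition table
 * at offset 446 and the 0x55 0xAA signature at offset 510 are left alone.
 * The "known-good" loader and the infected sample sector are constructed for
 * illustration; they are not real Windows boot code or real Mebroot bytes. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SECTOR_SIZE   512
#define BOOTCODE_SIZE 446
#define PTABLE_OFF    446
#define PTABLE_SIZE   64
#define ENTRY_SIZE    16
#define SIG_OFF       510

/* Constructed stand-in for the clean loader (a real one is OS-specific). Unlisted bytes are zero. */
static const uint8_t known_good_bootcode[BOOTCODE_SIZE] = { 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 1 if the sector carries the 0x55AA boot signature, else 0. */
int mbr_has_signature(const uint8_t *sector) {
    return sector[SIG_OFF] == 0x55 && sector[SIG_OFF + 1] == 0xAA;
}

/* Number of the four partition entries with a non-zero type byte. */
int mbr_partition_count(const uint8_t *sector) {
    int n = 0;
    for (int i = 0; i < 4; i++)
        if (sector[PTABLE_OFF + i * ENTRY_SIZE + 4] != 0) n++;
    return n;
}

/* Starting LBA of partition entry idx (0-3), read little-endian from entry offset 8. */
uint32_t mbr_partition_start_lba(const uint8_t *sector, int idx) {
    return le32(sector + PTABLE_OFF + idx * ENTRY_SIZE + 8);
}

/* 1 if the boot code differs from the known-good copy (what an offline bootkit check looks for). */
int mbr_bootcode_modified(const uint8_t *sector) {
    return memcmp(sector, known_good_bootcode, BOOTCODE_SIZE) != 0;
}

/* fixmbr-style repair: rewrite the boot code only. Returns 0 on success, -1 if the
 * sector has no valid signature (a real tool should refuse or warn rather than guess). */
int mbr_repair(uint8_t *sector) {
    if (!mbr_has_signature(sector)) return -1;
    memcpy(sector, known_good_bootcode, BOOTCODE_SIZE);
    return 0;
}

/* Build a constructed "infected" sector: the clean loader with its first instruction
 * redirected, one bootable NTFS partition starting at LBA 63, and a valid signature. */
void make_sample_infected(uint8_t *sector) {
    memset(sector, 0, SECTOR_SIZE);
    memcpy(sector, known_good_bootcode, BOOTCODE_SIZE);
    sector[0] = 0xEB;                   /* constructed: short jump into loader code a bootkit would plant */
    sector[1] = 0x3C;
    uint8_t *e = sector + PTABLE_OFF;   /* first partition entry */
    e[0] = 0x80;                        /* bootable flag */
    e[4] = 0x07;                        /* partition type: NTFS */
    e[8] = 63;  e[9] = 0;    e[10] = 0;    e[11] = 0;     /* start LBA 63, little-endian */
    e[12] = 0;  e[13] = 0;   e[14] = 0x10; e[15] = 0;     /* sector count 0x00100000 */
    sector[SIG_OFF] = 0x55;
    sector[SIG_OFF + 1] = 0xAA;
}

int main(void) {
    uint8_t sector[SECTOR_SIZE];
    make_sample_infected(sector);
    printf("before: modified=%d partitions=%d start_lba=%u\n",
           mbr_bootcode_modified(sector), mbr_partition_count(sector),
           (unsigned)mbr_partition_start_lba(sector, 0));
    mbr_repair(sector);
    printf("after:  modified=%d partitions=%d start_lba=%u\n",
           mbr_bootcode_modified(sector), mbr_partition_count(sector),
           (unsigned)mbr_partition_start_lba(sector, 0));
    return 0;
}
```

After `mbr_repair` the boot code compares equal to the known-good copy while the partition entry and signature are byte-for-byte unchanged, which is why the command removes the rootkit's foothold yet usually leaves data reachable. The refusal on a missing signature mirrors the warning the real tool gives on a non-standard MBR, the case where the note above applies.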